On May 1, 2019, the Senate Commerce Committee held a hearing on “Consumer Perspectives: Policy Principles for a Federal Data Privacy Framework”—the Committee’s third hearing during this session discussing principles for comprehensive federal privacy legislation. You can read our reports on the earlier hearings here and here. A full transcript of the most recent hearing is available here.

The witnesses were:

In his opening statement, Chairman Roger Wicker (R-MS) focused on consumer trust, which he argued has been undermined by the growing frequency of major data breaches and incidents of data misuse. While collection of personal information can benefit many sectors of the economy, he contended, the status quo is jeopardizing the long-term prosperity of the digital economy. Ranking Member Maria Cantwell (D-WA) echoed the Senator Wicker’s statements and added that self-regulation has proved insufficient. She stressed the importance of Congress’s taking action promptly.

In their opening statements, the witnesses focused on the effects of California’s Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), referring to these as benchmarks for potential federal legislation. They argued that consumers must be given effective mechanisms to control how their personal information is used without sacrificing access to important online services.

The following issues generated significant discussion:

Consumer Choice and Trust

Many members of the committee and witnesses agreed that privacy policies are often too long and difficult to understand. Mr. Polonetsky stated that it is critical that consumers receive information about companies’ data-handling practices that is clear and easy to understand.

Senator Brian Schatz (D-HI) asked whether notice and consent is enough. Mr. Steyer stated that more is needed; the right to access, delete, or transfer one’s information is also vital, and certain practices (such as the collection of children’s data) should prohibited altogether. Ms. Guliani agreed, noting that consumers lack a meaningful choice when their only option is to consent or lose access to a particular service. She urged that websites should be prohibited from charging users more if they opt out of (or refuse to opt in to) data collection.

CCPA and Federal Preemption

The witnesses expressed skepticism about federal preemption and argued that any new federal law should treat the CCPA’s requirements as a floor. Ms. Guliani suggested that federal legislation should provide for preemption only when a state law is in direct conflict. Mr. Steyer later added, in response to Senator Richard Blumenthal (D-CT), that advocates for federal preemption want to undercut the CCPA. Nonetheless, when Senator Dan Sullivan (R-AK) asked whether any witness would support a state-by-state approach, Mr. Polonetsky responded that he would advocate for that only if a potential federal law provided weak protections.

FTC Authority

The Senators and witnesses agreed that a federal law should provide the FTC with more resources and authority in this arena, though Ms. Guliani added that state attorneys general and state regulatory agencies have been leaders in protecting consumers’ privacy rights. She also contended that a federal law should provide consumers with a private right of action against companies that violate their privacy rights.

Potential for Discrimination

Ms. Guliani, supported by other witnesses, contended that it is often difficult for consumers—or indeed, enforcement agencies—to detect discriminatory uses of personal information. Echoing proposals in bills recently introduced in the Senate and House, she argued for third-party examinations of algorithms and machine-learning technology to identify biases.

GDPR Enforcement

Senator Roy Blunt (R-MO) asked Commissioner Dixon about the Irish Data Protection Commission’s ongoing investigations into U.S. companies. She responded that out of a total of 51 “significant investigations,” 12 target American companies. She expects a number of them to conclude this summer.

GDPR and Small Businesses

Chairman Wicker and Senator Ted Cruz (R-TX) asked the witnesses whether the GDPR has hurt small businesses, which may have trouble complying with its extensive requirements. Commissioner Dixon replied that she has not seen direct evidence of this purported trend and that her office is working to help small and medium-sized businesses with implementation.

Facial Recognition

Senator Blunt raised legislation he introduced with Senator Schatz, which would prohibit commercial users of facial recognition technology from identifying or tracking consumers without their consent. The witnesses agreed that commercial uses of facial recognition and other biometric data should be regulated but disagreed over whether it deserved tougher control than other categories of personal information.