Senate Hearings Call for Creation of New Data Privacy Bureau
On Wednesday, September 29, the Senate Committee on Commerce, Science and Transportation held a hearing on data privacy titled, “Protecting Consumer Privacy.” The issue of data privacy is of particular interest to Sen. Maria Cantwell (D-WA), the Committee Chair, who introduced the Consumer Online Privacy Rights Act (COPRA) in 2019.
Much of the testimony revolved around the Federal Trade Commission’s (FTC) lack of resources. Professor Vladeck, the former Director of the FTC’s Bureau of Consumer Protection, noted in his written testimony that the FTC currently only has 61 staffers dedicated to protecting the privacy of over 330 million Americans, while Ireland’s Data Protection Commission has 145 staff members for a country of 5 million. Vladeck’s testimony called for the creation of a new Bureau for privacy, data security, and technology, a key aspect of Sen. Cantwell’s legislation which has been included in House Democrats’ social spending package.
The witnesses all confirmed a need to hire more technologists to the attorney-dominated agency. Ashkan Soltani, former Chief Technologist at the FTC and a CCPA architect, also testified that, as the digital economy grows, so too does a need for diverse hires–including statisticians, designers, social scientists, and behavioral researchers–who understand the complex issues the agency is tasked with enforcing.
Though the FTC is one of few government agencies that runs at a surplus, it operates with a paltry budget. The Committee’s Ranking Member, Senator Roger Wicker (R-MS) proposed an additional $100 million through his SAFE DATA Act, a number which Mr. Vladeck called “a good start but not the end.” However, many of Sen. Wicker’s Republican colleagues pushed back on increased funding for the FTC without accompanying national privacy legislation. Senator Debra Fischer (R-NE) said that, “without the right legal tools provided by legislation I’m afraid that this funding would waste taxpayer money.”
Broad agreement amongst elected officials, privacy advocates, and the American people on the need for comprehensive privacy legislation will not necessarily ease the passage of a bill. There are several competing proposals in both chambers and highly contested issues that remain to be resolved–including a private right of action.
In his opening statement, Sen. Wicker said he “remains open to the idea” of a private right of action, but wants to ensure that including the highly-contested legal avenue, “could be constructed without stifling innovation and marketplace competition or leading to unjustified financial windfalls for plaintiff attorneys.”
But that is a fine line to walk. While the witnesses at Wednesday’s hearing spoke positively on the enforcement power of a private right of action, its abuses were also noted. Maureen Ohlhausen, former Acting Chair of the FTC, warned of the dangers of a private right of action with statutory or punitive damages. In her submitted statement Olhausen wrote that, “these approaches often result in class actions that primarily benefit attorneys, while providing little, if any, relief to those who are harmed.”
A broad private right of action can be a windfall for litigators, but a nightmare for small businesses according to Morgan Reed, President of the App Association which is the leading trade group representing companies that produce small mobile software and connected devices. Mr. Reed said that a private right of action can hoist frivolous lawsuits onto his members who are forced to choose between costly court cases and costly settlements. Still, he said, “there is support for a private right of action, but there need to be guardrails,” adding that the intent of a defendant company should be considered, and that violators should be afforded a cure period.
One popular compromise borrows from existing statutes. The Federal Privacy Act has a private right of action that only permits actual damages, and the Equal Justice Act curbs the amount of attorney fees that can be recovered.
Congressional motivation for enacting national privacy legislation may come from a desire to clarify the FTC’s rulemaking authority. Currently, the FTC derives its powers from Section 5 of the FTC, which gives it the authority to prevent “unfair or deceptive acts or practices in or affecting commerce” (UDAP). The FTC has used its UDAP powers to police certain privacy and data security practices, but any agency rulemaking lacks the guidance and permanence of a federal statute. Earlier this month, a group of Democratic senators called on the FTC to begin a rulemaking process to “protect consumer privacy, promote civil rights, and set clear safeguards on the collection and use of personal data in the digital economy.”
The rulemaking debate did not stop there. One of the starker disagreements amongst the witnesses came on the topic of preemption. Ms. Ohlhausen stated her view that FTC rulemaking cannot preempt state law, a point with which Mr. Vladeck disagreed. However, all agreed that a comprehensive federal law would alleviate the disagreements over the FTC’s rulemaking role.
The typical question of preemption – whether or not a federal privacy law supersedes state laws, like those passed in California, Colorado, and Virginia – was not without debate. Mr. Soltani, one of the key authors of California’s privacy laws, said that states should retain the right to enact higher standards than a federal law.
Comprehensive national privacy legislation may present too many hurdles for Congress to overcome this session, but that does not mean that all privacy action is doomed. Senators also took time to probe their witnesses on proposals that tackle individual issues.
Take, for example, reporting by the Wall Street Journal earlier this month, which detailed the corrosive effect of Instagram on teenage girls. Apps like Facebook and Instagram collect children and teens’ personal information, and uses it to create “filter bubbles” that keep users engaged. The Children’s Online Privacy Protection Act (COPPA), protects children’s online privacy, but only applies to websites directed towards children under 13 possessing ‘actual knowledge’ that children under 13 are providing the information. Mr. Vladeck said that the 1998 rule needs a revision because, “the hardest problem for the FTC is the actual knowledge standard,” adding that, “there needs to be a rethink of the age limit.”
Senator Ed Markey (D-MA) who sponsored COPPA when it was first passed, has introduced an updated bill with Senator Bill Cassidy (R-LA) titled, The Children and Teens’ Online Privacy Protection Act. The act would require websites to obtain consent before collecting personal information from teens under 16. It would also update the ‘actual knowledge’ standard to ‘constructive knowledge,’ a move that would curtail companies’ ability to compile digital dossiers on children.
The concept of “dark patterns” arose in conversation as well, with Sen. Fischer pledging to “reintroduce the DETOUR Act with Senator Warner prohibiting the use of dark patterns.” The DETOUR Act, introduced in 2019, prohibits dark patterns, which is a practice online operators use to trick consumers into providing personal information, giving consent, or even purchasing a product. You can read more about dark patterns here.
The growth of artificial intelligence and machine learning may also prompt congressional action. AI has drawn concern for a number of its uses, including charging customers different prices based on their proximity to competitors, and perpetuating discrimination in hiring and housing practices. When questioned by Senator Ralph Warnock (D-GA), who raised particular concern with AI biases, Soltani testified that AI often reflects the existing biases of its creators and reinforces inequities and discrimination. That’s why Soltani suggests creating an office of civil rights at the FTC, reinforcing his original call to hire staff with a range of professional expertise.
Immediate congressional priorities–including the debt ceiling, government funding, infrastructure, and a budget reconciliation package–could prevent immediate progress on consumer privacy. However, Wednesday’s hearing–which reflected universal recognition of the need for comprehensive privacy legislation and concrete bipartisan momentum across a number of more narrow issues–should encourage privacy advocates.