[Senate Hearing 116-593]
[From the U.S. Government Publishing Office]
S. Hrg. 116-593
CONSUMER PERSPECTIVES: POLICY PRINCIPLES
FOR A FEDERAL DATA PRIVACY FRAMEWORK
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
MAY 1, 2019
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available online: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
52-692 PDF WASHINGTON : 2023
-----------------------------------------------------------------------------------
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
ROGER WICKER, Mississippi, Chairman
JOHN THUNE, South Dakota MARIA CANTWELL, Washington,
ROY BLUNT, Missouri Ranking
TED CRUZ, Texas AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska EDWARD MARKEY, Massachusetts
CORY GARDNER, Colorado TOM UDALL, New Mexico
MARSHA BLACKBURN, Tennessee GARY PETERS, Michigan
SHELLEY MOORE CAPITO, West Virginia TAMMY BALDWIN, Wisconsin
MIKE LEE, Utah TAMMY DUCKWORTH, Illinois
RON JOHNSON, Wisconsin JON TESTER, Montana
TODD YOUNG, Indiana KYRSTEN SINEMA, Arizona
RICK SCOTT, Florida JACKY ROSEN, Nevada
John Keast, Staff Director
Crystal Tully, Deputy Staff Director
Steven Wall, General Counsel
Kim Lipsky, Democratic Staff Director
Chris Day, Democratic Deputy Staff Director
Renae Black, Senior Counsel
C O N T E N T S
----------
Page
Hearing held on May 1, 2019...................................... 1
Statement of Senator Wicker...................................... 1
Statement of Senator Cantwell.................................... 3
Statement of Senator Blunt....................................... 59
Statement of Senator Schatz...................................... 61
Statement of Senator Fischer..................................... 63
Statement of Senator Tester...................................... 65
Statement of Senator Blackburn................................... 67
Statement of Senator Peters...................................... 68
Statement of Senator Thune....................................... 70
Statement of Senator Markey...................................... 72
Statement of Senator Moran....................................... 75
Statement of Senator Rosen....................................... 76
Statement of Senator Blumenthal.................................. 78
Statement of Senator Sinema...................................... 80
Statement of Senator Sullivan.................................... 81
Statement of Senator Cruz........................................ 83
Witnesses
Helen Dixon, Commissioner, Data Protection Commission of Ireland. 5
Prepared statement........................................... 7
Jules Polonetsky, Chief Executive Officer, Future of Privacy
Forum.......................................................... 12
Prepared statement........................................... 13
James P. Steyer, Chief Executive Officer and Founder, Common
Sense Media.................................................... 26
Prepared statement........................................... 28
Neema Singh Guliani, Senior Legislative Counsel, Washington
Legislative Office, American Civil Liberties Union............. 31
Prepared statement........................................... 33
Appendix
Response to written questions submitted by Hon. Jerry Moran to:
Helen Dixon.................................................. 87
Jules Polonetsky............................................. 88
Neema Singh Guliani.......................................... 90
CONSUMER PERSPECTIVES:
POLICY PRINCIPLES FOR A FEDERAL
DATA PRIVACY FRAMEWORK
----------
WEDNESDAY, MAY 1, 2019
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 10 a.m. in room
SD-G50, Dirksen Senate Office Building, Hon. Roger Wicker,
Chairman of the Committee, presiding.
Present: Senators Wicker [presiding], Thune, Blunt, Cruz,
Fischer, Moran, Sullivan, Gardner, Blackburn, Capito, Scott,
Cantwell, Blumenthal, Schatz, Markey, Peters, Tester, Sinema,
and Rosen.
OPENING STATEMENT OF HON. ROGER WICKER,
U.S. SENATOR FROM MISSISSIPPI
The Chairman. Good morning.
Today, the Committee gathers for another hearing on
consumer data privacy.
I am glad to convene this hearing with my colleague,
Ranking Member Cantwell, and I welcome our witnesses and thank
them for appearing today: Ms. Helen Dixon, Ireland's Data
Protection Commissioner; Mr. Jules Polonetsky, CEO of the
Future of Privacy Forum; Mr. Jim Steyer, CEO and founder of
Common Sense Media; and Ms. Neema Singh Guliani, Senior
Legislative Counsel for the American Civil Liberties Union.
Welcome to all of you.
Consumers are the bedrock of our economy. Through the
consumption of goods and services, consumers drive economic
activity, power job creation, and create opportunities for
innovation and economic advancement in the United States and
around the world.
To foster relationships with consumers, businesses have
historically collected and used information about their
patrons. The collection of data about consumers' likes,
dislikes, and commercial interests has ultimately served to
benefit consumers in the form of more customized products and
services and more choices at reduced costs.
Consumer data has tremendous societal benefits as well. In
a world of ``big data'' where physical objects and processes
are digitized, there is an increased volume of consumer data
flowing throughout the economy. This data is advancing entire
economic sectors such as health care, transportation, and
manufacturing. Data enables these sectors to improve their
operations, target resources and services to underserved
populations and increase their competitiveness.
The consumer benefits of a data-driven economy are
undeniable. These benefits are what fuel the vibrancy and
dynamism of today's Internet marketplace. Despite these
benefits, however, near daily reports of data breaches and data
misuse underscore how privacy risks within the data-driven
economy can no longer be ignored.
The increased prevalence of privacy violations threatens to
undermine consumers' trust in the Internet marketplace. This
could reduce consumer engagement and jeopardize the long-term
sustainability and prosperity of the digital economy.
Consumer trust is essential. To maintain trust, a strong,
uniform Federal data privacy framework should adequately
protect consumer data from misuse and other unwanted data
collection and processing. When engaging in commerce, consumers
should rightly expect that their data will be protected.
So today, I hope our witnesses will address how a Federal
privacy law should provide consumers with more transparency,
choice, and control over their information to prevent harmful
data practices that reduce consumer confidence and stifle
economic engagement.
To provide consumers with more choice and control over
their information, both the European Union's General Data
Protection Regulation and the California Consumer Privacy Act
provide consumers with certain privacy rights. Some of these
rights include the right to be informed or the right to know;
the right of access; the right to erasure or deletion; the
right to data portability; and the right to nondiscrimination,
among others.
I hope our witnesses will address how to provide these
types of rights within a United States Federal framework
without unintentionally requiring companies to collect and
retain more consumer data. Provisioning certain privacy rights
to individuals without minimum controls may have the opposite
effect of increasing privacy risks for consumers.
In developing a Federal privacy law, the existing notice
and choice paradigm also has come under scrutiny. Under notice
and choice, businesses provide consumers with notice typically
through a lengthy and wordy privacy policy about their data
collection and processing practices. Consumers are then
expected to make a ``take it or leave it'' choice about whether
or not to purchase or use a product or service. But is this
really a choice?
I hope our witnesses will address how to ensure that
consumers have access to simplified notices that offer
meaningful choices about what information an organization
collects about them instead of a lengthy and confusing privacy
notice or terms of use that are often written in legalese and
bury an organization's data collection activities.
I also hope witnesses will speak to ways in which Congress
can provide additional tools and resources for consumers to
make informed privacy decisions about the products and services
they choose to use both online and offline.
Fundamental to providing truly meaningful privacy
protections for consumers is a strong, consistent Federal law.
This is critical to reducing consumer confusion about their
privacy rights and ensuring that consumers can maintain the
same privacy expectations across the country.
I look forward to a thoughtful discussion on these issues.
And again, welcome to all of our witnesses.
I now recognize my good friend and Ranking Member, Senator
Cantwell.
STATEMENT OF HON. MARIA CANTWELL,
U.S. SENATOR FROM WASHINGTON
Senator Cantwell. Thank you, Mr. Chairman.
And thank you to the witnesses for being here today on this
important hearing about how to develop a Federal data privacy
framework. It is essential that we give a front row seat to the
consumer advocate perspective, and that is what today's
conversation does.
When the dust settles after a data breach or a misuse of
data, consumers are the ones who are left harmed and
disillusioned. In the two months since our last Full Committee
hearing on privacy, consumer data has continued to be
mishandled. It is clear that companies have not adequately
learned from past failures, and at the expense of consumers, we
are seeing that self-regulation is insufficient.
Just days ago, cybersecurity researchers revealed the
existence of a massive cloud data breach left wide open and
unprotected, containing addresses, full names, dates of birth,
income, marital status on more than 80 million U.S. households.
This blatant disregard for security and privacy risks makes it
clear why we are here today.
Microsoft recently admitted that an undisclosed number of
consumer Web e-mail accounts were compromised. We learned more
about privacy lapses on Facebook and two more third party
Facebook apps exposed data on Facebook users revealing over 540
million records including comments, likes, account names, and
Facebook IDs.
So, Mr. Chairman, how do we create a culture of data
security that protects consumers and allows commerce to
continue to grow?
Consumers continue to be bombarded by threats to their
privacy. Cybersecurity adversaries become more sophisticated
and more organized day by day, and we really need to understand
privacy on a continuum of data security. We need to make a more
proactive approach to cybersecurity and make sure that we are
continuing to protect consumers.
This becomes especially important in the age of Internet of
Things. Yesterday, the Security Subcommittee considered this
issue at length. Billions of devices collecting data about
consumers at all times means there are billions of entry points
and large surface areas for cyber attack. We learned more about
new botnet attacks and now weaknesses almost daily.
And we face serious questions of how supply chain
vulnerability, which is reminding us about how security here in
the U.S. is dependent upon the health of our Internet
cybersecurity. Members on our side of the aisle even had a
secure briefing on the potential threats and impacts to our own
devices.
So it is important to remember that the Internet is a
global network. No matter how secure we make our networks, we
remain vulnerable to weaknesses abroad. This is why it is
essential that we have a national strategy to deal with these
threats.
We also need to work with our international partners to
form coalitions around cybersecurity standards and work toward
harmonizing privacy and cybersecurity regulations.
These latest privacy and security breaches and advancing
cyber threats show that this problem is accelerating, but as
you said, Mr. Chairman, there is also lots of opportunity for
great applications, services, and devices that we all like. So
it illustrates the complexity of the challenges we face.
Consumers are at the center of this and we cannot just
require them to have a deeper understanding of the risks
involved. We need to make sure that their devices and concerns
are not just about notice and consent, but we have strong
provisions here and a description that will help create a
better culture. The best plain language notices, the clearest
opt-in consent provisions, the most crystal clear transparency
does not do any good when companies are being careless or
willingly letting our data out the back door to third parties
that have no relationship to the consumers. While the benefits
of the online world are everywhere--and I truly mean that--
everywhere--so must be the protection of personal information
that is more than just a commodity. We need to make sure that
the culture of monetizing our personal data at every twist and
turn is countered with the protection of people's personal
data.
So Congress has to come to terms with this. I know that the
members of this committee are working very diligently on trying
to address that and that we are working to try to make sure
that the things that happened in the 2016 election cycle also
do not happen in the 2020 cycle. But these issues of
information being stolen or manipulated or trying to influence
or disrupt governments, even our own hacking of our employee
personal information account, show that we are vulnerable and
that we need to do more.
So the consistency of the hearings that we have had on this
issue--I appreciate both Chairman Thune and you having these
hearings about cybersecurity, about Equifax, about cyber
hygiene, and what we should be doing--these all I believe
should be part of the solution. Data security for Americans
means that we extend the protections and we make sure that the
online world is operating in a way that we see are helping to
protect consumers and individual information.
So, Mr. Chairman, I know that you remain very dedicated to
comprehensive legislation here. I do as well, even though the
challenge is high. We need to have the opportunity to craft
solutions that address security and privacy for the entire life
cycle of our data and collection to storage and to processing.
So hopefully today's hearing will give us more input as to the
way consumers look at this issue and what we can do to help us
move forward. Thank you.
The Chairman. Thank you very much, Senator Cantwell.
And again, we welcome our witnesses. Your entire statements
will be included in the record, and we ask each of you to
summarize your opening statements within five minutes. We will
begin down at this end of the table with Ms. Dixon. Welcome.
STATEMENT OF HELEN DIXON, COMMISSIONER, DATA PROTECTION
COMMISSION OF IRELAND
Ms. Dixon. Chairman Wicker, Ranking Member Cantwell, and
members of the Committee, thank you for inviting me to be here
today.
I am pleased to have the opportunity to share with the
Committee the experience of the Irish Data Protection
Commission in dealing with complaints from consumers under EU
data protection law and hope it will be of assistance in your
deliberations on a Federal privacy law.
As the Committee is aware, I submitted in advance a
slightly more expansive written statement to you than my five
minutes today will permit. So as suggested by the Chair, I will
cover all of its key points for you briefly now.
An important context in talking about EU data protection
law is the fact that the right to have one's personal data
protected exists as an explicit fundamental right of EU persons
under the EU Charter of Fundamental Rights. It is the case then
that the right to data protection in the EU exists in all
personal data processing contexts and not just in commercial
contexts.
The Committee is well aware I think at this stage of the
basic structure of the EU GDPR which sets out, firstly,
obligations on organizations, then rights for individuals, and
finally, provides for supervision and enforcement provisions to
be implemented by independent data protection authorities. As
an EU regulation, it has direct effect in every EU member
state.
The obligations on organizations processing information
that relates to an identified or identifiable person are set
down in a series of high-level technology-neutral principles,
so principles of lawfulness, fairness, transparency, purpose
limitation, data minimization, accuracy, storage limitation,
integrity, and confidentiality and accountability.
The GDPR contains some prescription around new
accountability provisions and, in particular, requirements in
certain cases to now appoint a data protection officer. In
addition there is an obligation to notify breaches of personal
data that give rise to risks for individuals to the data
protection authority within 72 hours of the organization
becoming aware of the breach.
In turn then, the individuals and consumers whose personal
data are processed have a series of enumerated rights under the
GDPR. These cover the right to transparent information, the
right to access to a copy of their personal data, the right to
rectification, the right to erasure, and so on. And each of
these rights has varying conditions pertaining to the
circumstances in which those rights can be exercised.
Finally, then the GDPR provides for independent and
adequately resourced data protection authorities in each EU
member state. As data protection authorities, we have a very
broad range of tasks that range from promoting awareness and
issuing guidance on data protection law, to encouraging
industry codes of conduct, to handling all valid complaints
from consumers, and then investigating significant
infringements of the GDPR.
The new one stop shop for multinationals under the GDPR
means that the Irish Data Protection Commission is the lead
supervisory authority in the EU for the vast majority of U.S.
global Internet companies such as Facebook, Twitter, WhatsApp,
Google, AirBnB, and Microsoft as these have their main
establishment in Ireland.
The GDPR has introduced a much harder enforcement edge to
EU data protection law with a range of corrective powers at the
disposal of data protection authorities in addition to a
capability to apply fines of up to 4 percent of the worldwide
turnover of multinationals.
In the 11 months since GDPR came into application, the
Irish Data Protection Commission has received in excess of
5,900 complaints from individuals. It is frequently a feature
of the complaints we handle from consumers that their interest
in their personal data is as a means of pursuing further
litigation or action. So, for example, former employees of
organizations often seek access to their personal data as part
of the pursuit of an unfair dismissals case. Consumers may seek
access to CCTV images in various different scenarios to pursue
personal injuries cases and so on.
Overall, the most complained-against sectors in a
commercial context are retail banks, telecommunications
companies, and Internet platforms. And my written statement has
provided you with some specific case studies and examples of
the complaints we have handled.
Equally worth mentioning is the complainants to my office
have rights to appeal and judicially review decisions of the
Data Protection Commission, and my office is involved in over
20 litigation cases currently before the Irish courts. And the
Committee might be interested to know that the vast majority of
decisions appealed to court from my office relate to disputes
between employers and employees and far fewer relate to
commercial contexts.
Aside then from handling complaints, the Data Protection
Commission has power to open investigations of its own
volition, and we have 51 large-scale investigations underway
covering the large tech platforms, amongst others.
So in conclusion, the EU data protection law places a very
strong emphasis on the individual in light of the fundamental
rights and strong emphasis on the exercise of the rights of the
individual, and accordingly, it mandates the handling of every
complaint from an individual by data protection authorities.
This means the EU data protection authorities play an important
dual role, on the one hand resolving high volumes of issues for
individuals and on the other, supervising companies to ensure
systemic issues of noncompliance are rectified and punished as
appropriate.
The GDPR is 11 months old at this point, and clarity and
consistency of standards will evolve in the coming years,
driving up overall the standards of protection for consumers in
every sector.
Thank you.
[The prepared statement of Ms. Dixon follows:]
Prepared Statement of Helen Dixon, Commissioner,
Data Protection Commission of Ireland
Introduction
Chairman Wicker, Ranking Member Cantwell and Members of the
Committee, thank you for inviting me to be here today.
I am pleased to have the opportunity to share with the Committee
the experience of the Irish Data Protection Commission in dealing with
complaints from consumers under the General Data Protection Regulation
or GDPR, applicable since 25th May 2018. Clearly, in a global context,
the GDPR represents one significant form of regulation of the
collection and processing of personal data and the Irish Data
Protection Commission's approach to monitoring and enforcing its
application provides an early insight into the types of issues raised
by consumers in complaints about how their personal data is handled.
It's useful for me to take a few minutes to set in context for you
the circumstances in which complaints from consumers are lodged with
the Data Protection Commission.
The right to have one's personal data protected exists as an
explicit fundamental right of EU persons under the EU Charter of
Fundamental Rights that came into legal force in 2009 and the right is
called out specifically in Article 16 of the Treaty on the Functioning
of the European Union--the ``Lisbon Treaty''. It is of course not an
absolute or unlimited right. It may be and often is subject to
conditions or limitations under EU and member state law but those
conditions cannot render it impossible for individuals to exercise core
elements of the right to data protection. The aim equally of a
consistent and harmonised data protection law across the EU is to
ensure a level-playing field for all businesses and a consistent
digital market in which consumers can have trust. While many may argue
that data privacy is now ``dead'' given the ubiquitous nature of data
collection in online environments, the Data Protection Commission can
nonetheless identify the clear benefits to consumers of having
exercisable and enforceable rights. (Dorraji, 2014)
The committee is well aware of the basic structure of the GDPR
which sets out a) obligations on organisations, b) rights for
individuals, and c) enforcement provisions. As an EU regulation, it has
direct effect in every EU member state but also has extra-territorial
reach in that it applies to any overseas company targeting goods or
services at European consumers.
Obligations
Under the GDPR, a series of obligations apply to any organisation
collecting and processing information that relates to an identified or
identifiable person. A broad definition of personal data is in play
with the GDPR specifying that identification numbers, location data and
online identifiers will be sufficient to bring data in scope. The
obligations on organisations are set down in a series of high-level,
technology neutral principles: lawfulness, fairness, transparency,
purpose limitation, data minimisation, accuracy, storage limitation,
integrity and confidentiality and accountability.
Rights
In turn, the individuals whose personal data are processed have a
series of enumerated rights under the GDPR. Incidentally, individuals
under the GDPR are referenced as ``data subjects'' which is a concept
far broader than consumers given that the GDPR concerns itself with any
personal data processing and not merely that which occurs in commercial
contexts. However, I understand for the purposes of this committee,
that it is the subset of data subjects that are consumers and service
users that is of particular interest. The rights of consumers under the
GDPR are set out in Chapter 3 and cover the right to transparent
information, the right of access to a copy of their personal data, the
right to rectification, the right to erasure, the right to restriction
of data processing, to object to certain processing and the right to
data portability with varying conditions pertaining to the
circumstances in which those rights can be exercised. And I will revert
to these rights shortly when I outline for the committee a profile of
the complaints from consumers the Data Protection Commission is
handling where consumers allege those rights are not being delivered on
by companies.
Enforcement Provisions
Finally, the GDPR provides for independent and adequately resourced
data protection authorities in each EU Member State to monitor the
application of the GDPR and to enforce it (these authorities are
separate and distinct from the consumer protection and anti-trust
authorities in the Member States). In this context, data protection
authorities have a very broad range of tasks from promoting awareness,
to encouraging industry codes of conduct to receiving notifications of
the appointment of Data Protection Officers in companies to handling
complaints from consumers and investigating potential infringements of
the GDPR.
In general terms, the individual EU member state data protection
authorities are obliged to handle every valid complaint from any
individual in their member state and to supervise establishments in
their territory. However, because of a new ``one-stop-shop'' innovation
in the GDPR, multinational organisations operating across the EU can be
supervised by one lead supervisory authority in the EU member state
where that multinational has its ``main-establishment''. Equally, any
individual across the EU may lodge a complaint with the data protection
authority in the member state of the main establishment of the company
concerned. As a result, the Irish Data Protection Commission is the
lead supervisory authority in the EU for the vast majority of U.S.
global Internet companies such as Facebook, Twitter, WhatsApp, Google,
AirBnB, Microsoft and Oath as they have their main establishments in
Ireland. Equally, complaints are lodged with the Irish Commission from
complainants across the EU either directly or via the supervisory
authority in their own member state.
This may seem like a difficult computation given that there are
potentially up to half a billion consumers in the EU. How can a data
protection authority with currently 135 staff deal with complaints from
across the EU and supervise so many large companies? Part of the answer
lies in the orientation of the GDPR itself which places accountability
to consumers directly on the shoulders of companies themselves.
Companies must in many cases appoint Data Protection Officers; they
must publish contact details for those officers and they must
administer systems to allow them effectively handle requests from
consumers to exercise their data protection rights. It's therefore now
the case that many issues arising for consumers are being resolved
directly through the intervention of the mandatorily appointed Data
Protection Officer in the company before there's a need to file a
complaint with the data protection authority. Many companies we
supervise report to us that that have had a steep rise in consumer
requests to exercise rights since the application of the GDPR in May
2018. Equally, EU data protection authorities can conduct joint
operations where an authority like the Irish Commission can leverage
specific expertise in another EU data protection authority in
conducting an investigation. Further, multiple consumers may often
raise the same issue as one another which may lead the Data Protection
Commission to open an investigation of its ``own volition'' in order to
resolve what may be a systemic matter. Finally, the threat of very
significant administrative fines hangs over companies that fail to
implement the principles of GDPR and/or deliver on consumer rights
under the law with 4 percent of global turnover representing the outer
but significant limit of fine that may be imposed.
Clearer Standards
Much of the success over the coming years of the GDPR will derive
from the evolution of clearer, objective standards to which
organisations must adhere. These standards will evolve in a number of
ways:
Through the embedding of new features of the GDPR such as
Codes of Conduct, Certification and Seals that will drive up
specific standards in certain sectors. Typically, codes of
conduct that industry sectors prepare for the approval of EU
data protection authorities will have an independent body
appointed by the industry sector to monitor compliance with the
code thereby driving up standards of protection and means by
which consumers can exercise their rights.
Through enforcement actions by the Data Protection
Commission where the outcome, while specific to the facts of
the case examined, will be of precedential value for other
organisations. The Data Protection Commission currently has 50
large scale investigations running which, as they conclude in
the coming months, will serve to set the mark for what is
expected of organisations under the principles of transparency,
fairness, security and accountability
Through case law in the national and EU courts, where data
protection authority decisions are appealed or in circumstances
where individuals use their right of action under the GDPR to
claim compensation for any material or non-material damage they
have suffered arising from an infringement of the GDPR.
Through the provision of further guidance to organisations
on specific data processing scenarios particularly through
published case studies of individual complaints the Data
Protection Commission has handled. Equally, guidance will be
published off the back of consultations with all stakeholders
on how to implement principles in complex scenarios such as
those involving children where specific protections and
consideration of the evolving capacities of the child need to
be factored in.
Consumer Complaints
In the 11 months since GDPR came into application, the Data
Protection Commission has received 5839 complaints from individuals. It
is frequently a feature of complaints we handle from consumers that
their interest in their personal data is as a means of pursuing further
litigation or action. For example, former employees of organisations
often seek access to their personal data as part of the pursuit of an
unfair dismissals case; consumers seek access to CCTV images in
different scenarios to pursue personal injuries cases and so on.
Overall, the most complained against sectors in a commercial
context are retail banks, telecommunications companies and Internet
platforms.
In the cases of the retail banks and telecommunications providers,
the main issues arising relate to consumer accounts, over-charging,
failure to keep personal data accurate and up-to-date resulting in mis-
directing of bank or account statements, processing of financial
information for the purposes of charging after the consumer has
exercised their right to opt-out during the cooling-off period. While
you might argue that these are clearly predominantly customer service
and general consumer issues, it is the processing of their personal
data and in particular deductions from their bank accounts that bring
consumers to the door of the Data Protection Commission.
In terms of the Internet platforms, individuals, as well as Not-
for-profit organisations on their behalf that specialise in data
protection, raise complaints about the validity of consent collected
for processing on sign-up to an app or service, the transparency and
adequacy of the information provided and frequently about non-responses
from the platforms when they seek to exercise their rights or raise a
concern. Further, the Data Protection Commission has received several
complaints about the inability of individuals to procure a full copy of
their personal data when they request it from a platform. This can
arise in scenarios where platforms have instituted automated tools to
allow users by self-service to download their personal data but
elements of data are not available through the tool. In one such
complaint we are handling, the user complains that significant personal
data is held in a data warehouse by a platform and used to enrich the
user's profile. The platform argues that access to the data is not
possible because it's stored by date and not individual identifier and
further that the data would be unintelligible to a consumer because of
the way it's stored. The Data Protection Commission must resolve
whether this is personal data to which a right of access applies.
Other cases dealt with this year by the office relate to financial
lenders required to notify details to the Irish Central Bank of credit
given to individual consumers. Certain lenders notified the details
twice resulting in adverse credit ratings for the individuals as they
appeared to have 2 or 3 times the number of loans as compared to what
they actually had. In another case, a multinational agent dealing by
web chat with a service user about a customer service complaint took
note, according to the complaint received by the office, of the
consumer's personal details including mobile `phone number she used to
verify her account and contacted the user asking her on a date. That
didn't turn out to be a happily-ever-after story when independently of
the investigation of my office, the agent was removed from his job!
A further complaint dealt with was lodged by an individual who had
suffered a family bereavement. A tombstone company issued immediate
correspondence to her family advertising cheap headstones in respect of
the dead relative. The tombstone company had taken data from an online
death notice website and recreated the full address from multiple other
sources. The actions of the company were not only distasteful but in
breach of the purpose limitation requirements of data protection law.
A particularly concerning case was reported to the office six
months ago concerning a mobile `phone user whose ex-partner had managed
to verify identity with her mobile telephone provider by masquerading
as the individual herself and gained control of her telephone number.
He did this by contacting the telco via web chat and when asked to
identify himself, he provided her name and mobile `phone number. He
then told the customer service agent at the telco that he (masquerading
as her) had lost his mobile `phone, had now purchased a new SIM card
and requested that the `phone number be ported over to the new SIM he
had bought. The agent asked the imposter the following verification
questions:
What is your full address? Answered correctly
What are 3 frequently dialled numbers? Could not answer
Can you tell me your last top-up date? Could not answer
Can you tell me your last top-up amount? Answered correctly
Despite the imposter not answering all of the questions, the agent
accepted this as valid authentication, and ported the complainant's
number onto the imposter's newly bought SIM card. This gave access to
any future texts and calls coming to the complainant's phone number.
This would allow for example the imposter to bypass the `phone number
factor for authentication with her online banking account. In this
case, the telco had failed to adhere to its own standards for
verification of identity with very unfortunate consequences.
Parallel but overlapping laws to the GDPR specific to E-Privacy are
equally enforced by the Data Protection Commission and annually the
office prosecutes a range of companies for multiple offences. In the
majority of cases, these relate to targeting of mobile `phone users
with marketing SMS messages without their consent and/or without
providing the user with an OPT OUT from the marketing messages.
Equally, a number of companies are prosecuted annually where they offer
an OPT OUT but fail to apply it on their database resulting in the user
continuing to receive SMS messages without their consent. As a result
of several years of consistent high-profile prosecutions in this area,
the Data Protection Commission considers the rate of compliance appears
to be improving.
Considerable resources of the office have been applied in recent
years to a series of investigations into the ``Private Investigator''
sector. The Data Protection Commission received complaints from
individuals who had lodged claims with their insurance providers and
later became concerned about how their insurance company had sourced
particular information about them and used it to deny their claims. The
Data Protection Commission uncovered a broad-ranging national ``scam''
involving a considerable number of private investigator or tracing
companies that had been either bribing or blagging government officials
and utility company staff in some cases to procure a range of pieces of
personal information about the claimants. 5 companies and 4 company
directors were successfully prosecuted by the Data Protection
Commission for these data protection offences over the last 4 to 5
years.
The final case I'll mention in a commercial context is the case of
an individual who suffered an accident giving rise to a leg injury.
When her claim to her insurance company was denied, she sought access
to a copy of her personal data that had been used by the company to
deny her claim as she was surprised at the reasons given. She
discovered on receipt of her personal data, that her family doctor had,
instead of sending a report detailing information about the nature of
her leg injury suffered in the recent accident, sent the entire file of
30 plus years of consultations between him and the patient to the
insurance company. The company used very sensitive information about
another condition the woman had suffered from years previously to deny
the claim. Aside from the denial of the claim, the complainant suffered
considerable distress at the thought of a very sensitive and irrelevant
set of information about her having been disclosed and then processed
in this matter. This office found the family doctor had infringed data
protection law in disclosing excessive personal data including
sensitive personal data. Ultimately, this complainant pursued a civil
claim for compensation in the courts and the case settled on the steps
of the court.
Outside of these commercial contexts, a large volume of complaints
that come to the Commission relate to, for example, employees
complaining about their employers using excessive CCTV to monitor them
or unauthorised access and excessive processing of their image if the
employer uses CCTV as part of disciplinary proceedings. Each of these
cases has to be examined on its specific facts with consideration given
to the proportionality of processing in the given circumstances.
The most frequent category of complaint relates to access requests
where an individual considers they have been denied access to a copy of
the personal data they requested from an organisation. In the majority
of cases, the Data Protection Commission amicably resolves these cases
which in an access request scenario means we ensure the individual
receives all of the personal data to which they're entitled. This may
of course be less than they sought as an organisation may legitimately
apply exemptions where it is lawful to do so.
The Committee will be well aware of various academic studies on the
so-called ``privacy paradox'' where discrepancies between our attitudes
as online users and our behaviours are apparent. This is a complex area
of study but I raise it by way of pointing out that consumer complaints
alone may not give us a very complete picture of what concerns
consumers or what elements of the controls provided by platforms are
useful to them. The platforms don't publish data on user engagement
with their privacy control dashboards and the frequency with which
users complete ``privacy checkup'' routines prompted by the platforms
but based on data they have shared with the Data Protection Commission,
the number of users seeking to engage with and control their settings
is significant. Of course, this leads us then to the issues raised by
Dr Zeynef Tufecki in the recent New York Times privacy series on
whether being ``discreet'' online protects users and where she
concludes that powerful computational inferences make it unlikely
discretion is of much assistance. (Tufekci, 2019) Academic Woodrow
Hartzog equally argues against idealising a concept of control as a
goal of data protection. (Hartzog, 2018)
Large-scale Investigations
This brings me then to the important work of the Data Protection
Commission outside of the role in handling complaints from individuals.
In many ways, effective implementation of principles of fairness,
transparency, data minimisation and privacy by design will negate the
need for users and consumers to have the responsibility for ensuring
their own protection thrust entirely upon them through making decisions
about whether to ``consent'' or not.
The Data Protection Commission has powers to open an investigation
of its own volition or may opt to open an investigation into a
complaint from an individual that discloses what appears to be a
systemic issue that potentially affects hundreds of millions of users.
The Data Protection Commission has currently 51 large-scale
investigations underway. 17 relate to the large tech platforms and span
the services of Apple, Facebook, LinkedIn, Twitter, WhatsApp and
Instagram. Because the GDPR is principles-based and doesn't explicitly
prohibit any commercial forms of personal data processing, each case
must be proved by tracing the application of the principles in the GDPR
to the processing scenario at issue and demonstrating the basis upon
which the Commission alleges there is a gap between the standard we say
the GDPR anticipates and that which the company has implemented. The
first sets of investigations will conclude over the summer of 2019.
Redress
EU data protection authorities resolve complaints of individuals
amicably for the most part and where amicable resolution is not
possible, the action of the authority is directed against the
processing organisation. Authorities do not order redress in the form
of payment of damages to individuals whose rights have been infringed.
In order to secure damages, individuals have a right of action
under Article 82 GDPR where they or a not-for-profit representing them
can bring a case through the courts to seek compensation for material
or non-material damage they allege they have suffered as a result of
infringements of the GDPR. Such Article 82 actions for compensation by
individuals in the Irish courts have not yet been heard but when these
are, they will represent further clarifications on how the courts view
the GDPR and its application.
No class action system exists in Ireland and in general this is not
a feature of the EU landscape. While there are some reports emanating
particularly from the UK that representative actions are being lined up
by some law firms on a ``no win no fee'' basis post large-scale
breaches being notified, nothing of significance has materialised in
this regard. (Osborne Clarke--GDPR one year on: how are EU regulators
flexing their muscles and what should you be thinking about now?)
Conclusion
EU data protection law places a strong emphasis on the individual
and the exercise of their rights and accordingly mandates the handling
of every complaint from an individual by data protection authorities.
This means EU data protection authorities play an important dual role--
on the one hand, resolving high volumes of issues for individuals and
on the other supervising companies to ensure systemic issues of non-
compliance are rectified and punished as appropriate. The GDPR is 11
months old and clarity and consistency of standards will evolve in the
coming years driving up standards of data protection for consumers in
every sector.
References
Dorraji, S. E. (2014). Privacy in Digital Age: Dead or Alive?!
Regarding the New EU Data Protection Regulations. SOCIALINES
TECHNOLOGIJOS SOCIAL TECHNOLOGIES 2014, 4(2), 306-317.
Hartzog, W. (2018, Volume 4 Issue 4). The Case Against Idealising
Control. European Data Protection Law Review .
(n.d.). Osborne Clarke--GDPR one year on: how are EU regulators
flexing their muscles and what should you be thinking about now? 2019
Lexology: daily subscriber feed.
Tufekci, Z. (2019, April 21). Think You're Discreet Online? Think
Again. New York Times.
The Chairman. Thank you very much, Ms. Dixon.
Mr. Polonetsky.
STATEMENT OF JULES POLONETSKY, CHIEF EXECUTIVE OFFICER, FUTURE
OF PRIVACY FORUM
Mr. Polonetsky. Thank you, Chairman Wicker, Ranking Member
Cantwell, Committee members.
Eighteen years ago, I left my job as the New York Consumer
Affairs Commissioner to become one of the first wave of Chief
Privacy Officers when that was yet a novel title. Today as CEO
of FPF, I work with the CPOs of more than 150 companies, with
academics, with civil society, and with leading foundations on
the privacy challenges posed by tech innovations.
I first testified before this Committee almost 20 years ago
to address privacy concerns around behavioral advertising. And
almost every day since, we have seen those reports of new
intrusions, new risks, new boundaries crossed. Sometimes it is
simply a company being creepy. Sometimes it is a practice that
raises serious risks to civil liberties or our sense of
autonomy.
It is long past time to put a privacy law in place that can
support that trust that Americans should have when they use
their phones, when they surf the Internet, when they shop
online, all of the activities of daily life. Every day we
delay, it becomes harder. New businesses launch. New
technologies are developed and become entrenched.
At the same time, we are, of course, benefiting from many
of these technologies, as you both mentioned, companies
reinventing mobility and making transportation safer. Machine
learning has been built into so many of the products and
services, health care diagnosis, education tech providers
working on personalized learning. Every one of these holds
great promise. Every one of them also brings new perils.
It is a global challenge, of course, and almost every
leading economy, not just our European colleagues, have put
comprehensive laws in place. Japan. We should take special note
perhaps of the APEC CBPRs, the Asia-Pacific region where the
U.S. has played a long role and which we have recently
committed to in the proposed treaty for trade between U.S.,
Mexico, and Canada. We should not be left behind as the
standards that are actually defining technologies today and the
terms of trade for a decade to come are being established. Even
small businesses do business globally today via the Web and
need that guidance.
So a baseline law should have strong protections matching
and exceeding the key rights of California's privacy law:
transparency, access, deletion, the right to object,
protections for minors, the right to object to sales of data.
But we also need to add some of the other core privacy
principles that are not included in CCPA. Compatible use,
contexts, special restrictions on sensitive data, the full
range of fair information practices, as they have been
reflected in so many of the national and international models,
and many which originated back in the 1970s in the U.S. should
be in our law.
In drafting, we should be clear about what is covered. If
we do not know what is personal, we do not know what is in and
what is out. But I would argue that this is not a binary in or
out decision. Information is not either completely explicitly
personal and it is probably never completely anonymous. There
are stages of data, and a law that is careful would nuance
different levels of rights and restrictions based on whether
data is fully anonymous, whether it is pseudonymous. The actual
different stages in the lifestyle are the best way to match the
corresponding requirements.
Research has not always been handled well in a number of
the legislative models around the world. We want to, I think,
encourage beneficial research if it is being carried out in a
way that supports privacy, fairness, equity, the integrity of
the scientific process. We should encourage legitimate research
when the appropriate ethical reviews are in place.
And at the end of the day, internal accountability
mechanisms are how organizations actually make sure they follow
the law. We do not want just privacy in the law. We want it on
the ground. We want privacy by design, and that means employees
that are trained. That means tools and systems that support
responsible data stewardship. So laws should encourage
comprehensive programs, and whenever possible, we should
incentivize PETs, privacy enhancing technologies, that deliver
us perhaps the benefits of data while making sure that we have
strong mathematical proofs that we have minimized any risks.
And of course, any law is going to impact the sectoral
State privacy laws that have been passed in recent decades. We
certainly should avoid a framework where a website operator or
a small business should have to deal with a complexity of
inconsistent State mandates on many of the day-to-day issues of
operating a business. But these concerns can be reasonably
avoided with carefully crafted Federal preemption. There are
clearly core State privacy laws that can and must exist,
student privacy laws and others, and that I think is an
important challenge for the Committee.
But laws are only as good as enforcement. The FTC should
have not only the civil penalties, not only the careful
targeted rulemaking, but it also should have education and
outreach so that new businesses understand, can get their
questions answered. The FTC needs both the carrot and the
stick.
And of course, State AGs, who have been such critical
partners to our Federal leaders, should continue to have a
role.
Thank you for the chance to share those thoughts with you
today.
[The prepared statement of Mr. Polonetsky follows:]
Prepared Statement of Jules Polonetsky, Chief Executive Officer,
Future of Privacy Forum
Thank you for inviting me to speak today. The Future of Privacy
Forum is a non-profit organization that serves as a catalyst for
privacy leadership and scholarship, advancing principled data practices
in support of emerging technologies. We are supported by leading
foundations, as well as by more than 150 companies, with an advisory
board representing academics, industry, and civil society.\1\ We bring
together privacy officers, academics, consumer advocates, and other
thought leaders to explore the challenges posed by technological
innovation and develop privacy protections, ethical norms, and workable
business practices.
---------------------------------------------------------------------------
\1\ The views herein do not necessarily reflect those of our
supporters or our Advisory Board. See Future of Privacy Forum, Advisory
Board, https://fpf.org/about/advisory-board/; Supporters, https://
fpf.org/about/supporters/.
---------------------------------------------------------------------------
I speak to you today with a sense of urgency. Congress should
advance a baseline, comprehensive Federal privacy law because the
impact of data-intensive technologies on individuals and vulnerable
communities is increasing every day as the pace of innovation
accelerates. Each day's news brings reports of a new intrusion, new
risk, new harm, another boundary crossed. Sometimes it's a company
doing something that consumers or critics regard as ``creepy;''
sometimes it is a practice that raises serious risks to our human
rights, or civil liberties, or our sense of autonomy. There is a
growing public awareness of how data-driven systems can reflect or
reinforce discrimination and bias, even inadvertently.\2\
---------------------------------------------------------------------------
\2\ Virginia Eubanks, Automating Inequality: How High-Tech Tools
Profile, Police, and Punish the Poor (2018).
---------------------------------------------------------------------------
For many people, personal privacy is a deeply emotional issue, and
a real or perceived absence of privacy may leave them feeling
vulnerable, exposed, or deprived of control. For others, concrete
financial or other harm may occur; a loss of autonomy, a stifling of
creativity due to feeling surveilled, or the public disclosure of
highly sensitive information like individuals' financial data or
disability status are just some potential consequences of technology
misuse, poor data security policies, or insufficient privacy
controls.\3\
---------------------------------------------------------------------------
\3\ Lauren Smith, Unfairness By Algorithm: Distilling the Harms of
Automated Decision-Making (Dec 11, 2017), Future of Privacy Forum,
https://fpf.org/2017/12/11/unfairness-by-algorithm-distilling-the-
harms-of-automated-decision-making/.
---------------------------------------------------------------------------
At the same time, individuals and society are benefitting from new
technologies and novel uses of data. Companies reinventing mobility are
making transportation safer and more accessible; healthcare providers
are using real-world evidence to advance research; and education
technology providers can empower students and teachers to enhance and
personalize learning.\4\ In much the same way that electricity faded
from novelty to background during the industrialization of modern life
100 years ago, we see artificial intelligence and machine learning
becoming the foundation of commonly available products and services,
like voice-activated digital assistants, traffic routing, and accurate
healthcare diagnoses.\5\
---------------------------------------------------------------------------
\4\ Future of Privacy Forum, Policymaker's Guide to Student Data
Privacy, (April 4, 2019), FERPA/Sherpa, https://ferpasherpa.org/
policymakersguide/.
\5\ Brenda Leong & Maria Navin, Artificial Intelligence: Privacy
Promise or Peril? (February 20, 2019), Future of Privacy Forum, https:/
/fpf.org/2019/02/20/artificial-intelligence-privacy-promise-or-peril.
---------------------------------------------------------------------------
Each of these examples holds the promise of improving our lives but
each one also poses the risk of new and sometimes unforeseen harms. It
is in the best interests of individuals and organizations for national
lawmakers speak in a united, bipartisan voice to create uniform
protections that help rebuild trust. Congress has the opportunity now
to pass a law that will shape these developments to maximize the
benefits of data for society while mitigating risks. Delaying
Congressional action means that businesses will inevitably continue to
develop new models, build infrastructure, and deploy technologies,
without the guidance and clear limits that only Congress can set forth.
This is a global challenge, and other countries have responded. The
European Union (EU) has substantially updated its data protection
framework, the General Data Protection Regulation (GDPR),\6\ and Japan
has made substantial updates to its data protection law, the Act on
Protection of Personal Information (APPI).\7\ The EU and Japan have
also announced a trade agreement that includes a reciprocal data
adequacy determination, creating the world's largest exchange of safe
data flows and boosting digital trade between the two zones.\8\ Other
nations, from India \9\ to Brazil,\10\ are passing privacy laws or
updating existing data protection regimes.\11\
---------------------------------------------------------------------------
\6\ Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection
Regulation), https://eur-lex.europa.eu/eli/reg/2016/679/oj
\7\ Japanese Act on Protection of Personal Information (Act No. 57/
2003).
\8\ Press Release: European Commission adopts adequacy decision on
Japan, creating the world's largest area of safe data flows, European
Commission (Jan. 23 2019), http://europa.eu/rapid/press-release_IP-19-
421_en.htm
\9\ Mayuran Palanisamy and Ravin Nandle, Understanding India's
Draft Data Protection Bill (Sep 13, 2018), IAPP Privacy Tracker,
https://iapp.org/news/a/understanding-indias-draft-
data-protection-bill.
\10\ Lei 13.709/18, Lei Geral de Protecao de Dados Pessoais (Brazil
General Data Protection Law).
\11\ Data Privacy Law: The Top Global Developments in 2018 and What
2019 May Bring, DLA Piper (Feb. 23 2019), https://www.dlapiper.com/en/
us/insights/publications/2019/02/data-privacy-law-2018-2019/
---------------------------------------------------------------------------
Current business practices along with new technologies are being
shaped by laws around the world, while the U.S. approach to data
protection remains outdated and insufficient. The continuation of
cross-border data flows, which are crucial to the United States'
leadership role in the global digital economy, are under stress. This
may put U.S. companies, from financial institutions to cloud providers,
at a disadvantage due to the perception that our laws are inadequate.
Congress must ensure that the U.S. is not left behind as the rest of
the world establishes trade and privacy frameworks that will de facto
define the terms of international information and technology transfers
for decades to come.
The United States currently does not have a baseline set of legal
protections that apply to all commercial data about individuals
regardless of the particular industry, technology, or user base. For
the past decades, we have taken a sectoral approach to privacy that has
led to the creation of Federal laws that provide strong protections
only in certain sectors such as surveillance,\12\ healthcare,\13\ video
rentals,\14\ education records,\15\ and children's privacy.\16\ As a
result, U.S. Federal laws currently provide strong privacy and security
protection for information that is often particularly sensitive about
individuals but it leaves other ‒ sometimes similar ‒
data largely unregulated aside from the FTC's Section 5 authority to
enforce against deceptive or unfair business practices.\17\ For
example, health records held by hospitals and covered by the Health
Insurance Portability and Accountability Act (HIPAA)\18\ are subject to
strong privacy and security rules, but health-related or fitness data
held by app developers or online advertising companies is not covered
by HIPAA and is largely unregulated. Student data held by schools and
covered by the Family Educational Rights and Privacy Act (FERPA)\19\ is
subject to Federal privacy safeguards, but similar data held by
educational apps unaffiliated with schools is not subject to special
protections. The Fair Credit Reporting Act (FCRA)\20\ helps ensure the
accuracy of third-party information used to grant or deny loans, but
FCRA's accuracy requirements do not apply to similar third-party
reviews used to generate user reputation scores on online services.
---------------------------------------------------------------------------
\12\ Electronic Communications Privacy Act (ECPA), 18 U.S.C.
Sec. 2510-22.
\13\ Health Insurance Portability and Accountability Act of 1996
(HIPAA), P.L. No. 104-191, 110 Stat. 1938 (1996).
\14\ Video Privacy Protection Act of 1988 (VPPA), 18 U.S.C.
Sec. 2710.
\15\ Family Educational Rights and Privacy Act (FERPA), 20 U.S.C.
Sec. 1232g.
\16\ Children's Online Privacy Protection Act of 1998 (COPPA), 15
U.S.C. Sec. Sec. 6501-6506.
\17\ Section 5 of the Federal Trade Commission Act, 15 U.S.C.
Sec. 45(a).
\18\ Health Insurance Portability and Accountability Act of 1996
(HIPAA), 45 CFR Sec. 164.524.
\19\ Family Educational Rights and Privacy Act (FERPA), 20 U.S.C.
Sec. 1232g.
\20\ Fair Credit Reporting Act (FCRA), 15 U.S.C. Sec. 1681.
---------------------------------------------------------------------------
The U.S. has not always lagged behind its major trade partners in
privacy and data protection policymaking. In fact, the central
universal tenets of data protection have U.S. roots. In 1972, the
Department of Health, Education, and Welfare formed an Advisory
Committee on Automated Data Systems, which released a report setting
forth a code of Fair Information Practices.\21\ These principles,
widely known as the Fair Information Practice Principles (FIPPs), are
the foundation of not only existing U.S. laws but also many
international frameworks and laws, including GDPR.\22\ And while GDPR
is the most recent major international legislative effort, the U.S.
should look for interoperability with and insights from the OECD
Privacy Guidelines \23\ and the Asia-Pacific Economic Cooperation
(APEC) framework and Cross-Border Privacy Rules (CBPRs).\24\
---------------------------------------------------------------------------
\21\ Records, Computer, and the Rights of Citizens: Report of the
Secretary's Advisory Committee on Automated Personal Data Systems, U.S.
Dept. of Health & Human Services (1973), https://aspe.hhs.gov/report/
records-computers-and-rights-citizens.
\22\ Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection
Regulation), https://eur-lex.europa.eu/eli/reg/2016/679/oj.
\23\ Organization for Economic Co-operation and Development,
Privacy Guidelines, https://www.oecd.org/internet/ieconomy/privacy-
guidelines.htm
\24\ APEC has 21 members comprising nearly all of the Asian-Pacific
economies, including the United States, China and Russia. The CBPR
system--endorsed by APEC member economies in 2011 and updated in 2015
attempts to create a regional solution across 21 member economies,
whose governments are at different stages of compliance with the APEC
Privacy Framework. In the United States, the Federal Trade Commission
has agreed to enforce the CBPRs. Eight APEC countries have formally
joined the CBPR system--United States, Canada, Mexico, Japan,
Singapore, Taiwan, Australia and the Republic of Korea. In the recent
United States-Mexico-Canada Agreement (USMCA), which Congress is
reviewing as it considers ratification, the three countries promote
cross-border data flows by recognizing the CBPR system as a valid data
privacy compliance mechanism for data-transfers between the countries.
See Cross-Border Privacy Rules System, http://cbprs.org/ (last visited
Apr. 28, 2019). Also relevant for the Committee's reference is
Convention 108 of the Council of Europe, an international data
protection treaty that has been signed by 54 countries to date, not
including the United States.
---------------------------------------------------------------------------
As privacy concerns continue to escalate, states around the U.S.
are charging ahead, proposing, passing, or updating consumer privacy
laws.\25\ Many of these laws are serious, nuanced efforts to provide
individuals with meaningful privacy rights and give companies clarity
regarding their compliance obligations. At the same time, multiple,
inconsistent state law requirements risk creating a conflicting
patchwork of laws that create uncertainty for organizations that handle
personal information. Individuals deserve consistent privacy
protections regardless of the state they happen to reside in.
---------------------------------------------------------------------------
\25\ See Mitchell Noordyke, U.S. State Comprehensive Privacy Law
Comparison, IAPP (April 18, 2019), https://iapp.org/news/a/us-state-
comprehensive-privacy-law-comparison/.
---------------------------------------------------------------------------
The U.S. has a shrinking window of opportunity to regain momentum
at both the national and international level. If we wait too long, more
countries and states will act, which will have an immediate impact on
new technologies and business initiatives and ultimately reduce the
impact of any Federal law.
There are key points that need to be addressed with particular care
in any Federal consumer privacy law. A baseline Federal privacy law
should offer strong protections.\26\ This, in turn, will bolster trust
in privacy and security practices. The law will regulate a substantial
share of the U.S. economy, and must therefore be drafted with careful
attention to its effects on every sector as well as a wide range of
communities, stakeholders, and individuals.
---------------------------------------------------------------------------
\26\ Leading scholars and advocates have expressed skepticism about
market-based responses to privacy and security concerns. Common
criticisms of a purely market-driven approach include: consumers' lack
of technical sophistication with respect to data security (See, e.g.,
Aaron Smith, What the Public Knows About Cybersecurity, Pew Research
Center (Mar. 22, 2017), http://www.pewinternet.org/2017/03/22/what-the-
public-knows-about-cybersecurity/ (last accessed on Nov. 9, 2018); the
typical length and substance of modern privacy notices (See e.g.,
Aleecia M. McDonald and Lorrie Faith Cranor, The Cost of Reading
Privacy Policies, I/S: A Journal of Law and Policy for the Information
Society, at 8-10, (2008)); research suggesting that most individuals do
not adequately value future risks (See e.g., Chris Jay Hoofnagle &
Jennifer M. Urban, Alan Westin's Privacy Homo Economicus, 49 Wake
Forest L. Rev. 261, 303-05 (2014)); the design of user interfaces to
encourage decisions that are not aligned with users' best interests
(See Woodrow Hartzog, Privacy's Blueprint: The Battle to Control the
Design of New Technologies (2018)); and a lack of sufficient
protections for privacy as an economic externality or ``public good''
(Joshua A. T. Fairfield and Christoph Engel, Privacy As A Public Good,
65 Duke L.J. 385, 423-25 (2015)).
---------------------------------------------------------------------------
Eighteen years ago, I left my job as the New York City Consumer
Affairs Commissioner to become one of the first company chief privacy
officers (CPO) in the U.S. Working for eight years in privacy and
consumer protection roles at major tech companies helped me understand
that it takes people, systems, and tools to manage data protection
compliance. I have also served as a state legislator and a
Congressional staffer, and today at FPF work with companies,
foundations, academics, regulators, and civil society to seek practical
solutions to privacy problems. With this perspective, gained from my
experience with key stakeholder groups and ongoing focus on the
protection of privacy of individuals and consumers, I offer the
following views.
1. Covered Data and Personal Information Under a Federal Privacy Law
In drafting baseline Federal privacy legislation, the most
important decision is one of scope: how should the law define the
``personal information'' that is to be protected? Laws that adopt an
overly broad standard are forced to include numerous exceptions in
order to accommodate necessary or routine business activities, such as
fraud detection, security, or compliance with legal obligations; or to
anticipate future uses of data, such as scientific research or machine
learning. Conversely, laws that define personal information too
narrowly risk creating gaps that allow risky uses of data to go
unregulated.
Leading government and industry guidelines recognize that data has
a range of linkability where it can potentially be used to identify or
contact an individual or to customize content to an individual person
or device.\27\ A Federal privacy law should avoid classifying covered
data in a binary manner as either ``personal'' or ``anonymous.''
Instead, it should draw distinctions between different states of data
given their materially different privacy risks. Context matters.
Personal data that is intended to be made public should be regulated
differently than personal data that will be kept confidential by an
organization.\28\ Similarly, data that is out in the wild should not be
treated the same as data that is subject to technical deidentification
controls (such as redacting identifiers, adding random noise, or
aggregating records) as well as to effective legal and administrative
safeguards (such as commitments not to attempt to re-identify
individuals or institutional access limitations).
---------------------------------------------------------------------------
\27\ According to the Federal Trade Commission (FTC), data are not
``reasonably linkable'' to individual identity to the extent that a
company: (1) takes reasonable measures to ensure that the data are
deidentified; (2) publicly commits not to try to re-identify the data;
and (3) contractually prohibits downstream recipients from trying to
re-identify the data (the ``Three-Part Test''). Federal Trade
Commission, Protection Consumer Privacy In An Era of Rapid Change
(2012), at 21, https://www.ftc.gov/sites/default/files/documents/
reports/federal-trade-commission-report-protecting-consumerprivacy-era-
rapid-change-recommendations/120326privacyreport.pdf. According to the
National Institute of Sciences and Technology (NIST), ``all data exist
on an identifiability spectrum. At one end (the left) are data that are
not related to individuals (for example, historical weather records)
and therefore pose no privacy risk. At the other end (the right) are
data that are linked directly to specific individuals. Between these
two endpoints are data that can be linked with effort, that can only be
linked to groups of people, and that are based on individuals but
cannot be linked back.'' Simson L. Garfinkel, NISTIR 8053, De-
Identification of Personal Information (Oct. 2015), at 5, http://
nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf. Leading industry
associations provide similar guidelines. See, e.g., Digital Advertising
Alliance, Self-Regulatory Principles for Multi-Site Data (Nov 2011), at
8, available at http://www.aboutads.info/resource/download/Multi-Site-
Data-Principles.pdf (considering data to be deidentified ``when an
entity has taken reasonable steps to ensure that the data cannot
reasonably be re-associated or connected to an individual or connected
to or be associated with a particular computer or device.'').
\28\ See, e.g., Netflix Prize, Netflix, https://
www.netflixprize.com/ (last accessed April 28, 2019) (releasing data
publicly as part of a contest to improve user recommendations); Arvind
Narayanan & Vitaly Shmatikov, Robust De-anonymization of Large Sparse
Datasets (2018), https://www.cs.utexas.edu/�shmat/
shmat_oak08netflix.pdf (re-identifying records of known Netflix users).
---------------------------------------------------------------------------
FPF has crafted modular draft statutory language that attempts to
capture these distinctions.\29\ We believe, in broad terms, that
categories of data that are exposed to individual privacy and security
risks, yet materially different in their potential uses and impact,
include:\30\
---------------------------------------------------------------------------
\29\ See Appendix D.
\30\ See generally, Jules Polonetsky, Omer Tene, & Kelsey Finch,
Shades of Gray: Seeing the Full Spectrum of Practical Data De-
identification, Santa Clara L. Rev. (2016); A Visual Guide to Practical
De-identification, Future of Privacy Forum, https://fpf.org/2016/04/25/
a-visual-guide-to-practical-data-de-identification/.
Identified data: information explicitly linked to a known
---------------------------------------------------------------------------
individual.
Identifiable data: information that is not explicitly linked
to a known individual but can practicably be linked by the data
holder or others who may lawfully access the information.
Pseudonymous data: information that cannot be linked to a
known individual without additional information kept
separately.
deidentified data: (i) data from which direct and indirect
identifiers \31\ have been permanently removed; (ii) data that
has been perturbed to the degree that the risk of re-
identification is small, given the context of the data set; or
(iii) data that an expert has confirmed poses a very small risk
that information can be used by an anticipated recipient to
identify an individual.
---------------------------------------------------------------------------
\31\ Direct identifiers are data that directly identifies a single
individual, for example names, social security numbers, and e-mail
addresses. Indirect identifiers are data that by themselves do not
identify a specific individual but that can be aggregated and
``linked'' with other information to identify data subjects, for
example birth dates, ZIP codes, and demographic information. Simson L.
Garfinkel, NISTIR 8053, De-Identification of Personal Information (Oct.
2015), at 15, 19, http://nvlpubs.nist.gov/nistpubs/ir/2015/
NIST.IR.8053.pdf.
By recognizing such distinctions, Federal privacy legislation would
craft tiers of safeguards that are commensurate to privacy risks while
at the same time allowing for greater flexibility where it is
warranted. For example, on the one hand, appropriate regulatory
requirements for deidentified data might mandate that companies cannot
make such data public or share it with third parties without technical,
administrative, and/or legal controls that reasonably prevent re-
identification. But it may be appropriate to exempt deidentified data
from other requirements, such as providing users with access or
portability rights or the right to object to or opt-out of a company's
use of deidentified data, since by definition it is not technically
feasible to link deidentified data to a particular, verifiable
individual. On the other hand, for pseudonymous or identifiable data
that can be reasonably linked to a known individual, it may be more
fitting to provide individuals with access and portability rights, or
the ability to opt-in or opt-out of certain uses of that data, as
appropriate.
In many cases, the ability to reduce the identifiability of
personal data through technical, legal, and administrative measures
will allow a company to retain some utility of data (e.g., for
research, as we discuss below),\32\ while significantly reducing
privacy risks. New advances in deidentification and related privacy-
enhancing technologies (PETs) (discussed below at number 5) are
continuing to emerge.\33\ As a result, it is wise for lawmakers to take
account of the many states of data and to provide incentives for
companies to use technical measures and effective controls reduce the
identifiability of personal data wherever appropriate.
---------------------------------------------------------------------------
\32\ See section 3 below.
\33\ See section 5 below.
---------------------------------------------------------------------------
2. Sensitive Data
The term sensitive data is used to refer to certain categories of
personal data that require additional protections due to the greater
risks for harm posed by processing or disclosing this data. While
individuals should generally be able to exercise reasonable control
over their personal information, those controls should be stronger with
respect to sensitive data. Thus, a Federal privacy law should provide
heightened protections for the collection, use, storage, and disclosure
of users' sensitive personal information or personal information used
in sensitive contexts. FPF has crafted modular draft statutory language
that proposes a practical approach to regulating sensitive data that is
consistent with current norms and best practices.\34\ The Federal Trade
Commission has defined sensitive data to include, at a minimum, data
about children, financial and health information, Social Security
numbers, and precise geolocation data.\35\ The GDPR defines sensitive
data more broadly by recognizing special categories of personal data as
``personal data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, or trade union membership, and the
processing of genetic data, biometric data for the purpose of uniquely
identifying a natural person, data concerning health or data concerning
a natural person's sex life or sexual orientation.'' \36\ Under GDPR,
the legal grounds for processing these special categories of data are
more restricted.\37\
---------------------------------------------------------------------------
\34\ See Appendix D.
\35\ Federal Trade Commission, Protection Consumer Privacy In An
Era of Rapid Change (2012), at 8, 58-60. https://www.ftc.gov/sites/
default/files/documents/reports/federal-trade-commission-report-
protecting-consumer-privacy-era-rapid-change-recommendations/
120326privacyreport
.pdf.
\36\ GDPR, Article 9.
\37\ GDPR, Article 9, Recital 51-52.
---------------------------------------------------------------------------
In addition to opt-in controls, Federal legislation should include
additional requirements--such as purpose limitation and respect for
context--for certain sensitive categories of data. For example, if
information such as a user's precise geolocation or health information
is collected with affirmative consent for one purpose (such as
providing a location-based ridesharing service, or a fitness tracking
app), a law should restrict sharing that sensitive, identifiable
information with third parties for materially different purposes
without user consent. This is consistent with the choice principle in
the FTC's 2012 Report, which urged companies to offer the choice at the
point in time, and in a context, in which a consumer is making a
decision about his or her data.\38\ There may be instances where
sensitive data will require consent, and where such consent will be
impossible to obtain.\39\ The law should provide for the creation of a
transparent, independent ethical review process that can assess such
cases and provide a basis for a decision that a use of data is
beneficial and will not result in harm.
---------------------------------------------------------------------------
\38\ Federal Trade Commission, Protection Consumer Privacy In An
Era of Rapid Change (2012), at 60. https://www.ftc.gov/sites/default/
files/documents/reports/federal-trade-commission-report-protecting-
consumer-privacy-era-rapid-change-recommendations/
120326privacyreport.pdf.
\39\ For example, recruiting individuals for rare disease drug
trials.
---------------------------------------------------------------------------
3. Research
It is vital that a national privacy law be crafted in a way that
does not unduly restrict socially beneficial research, and that
policymakers at the local, state, and Federal levels continue to have
the information they need to make evidence-based decisions. Today, in
addition to the entities governed by the HIPAA Rule and legal mandates
around human subject research,\40\ many private companies also conduct
research, or work in partnerships with academic researchers, to gain
important insights from the data they hold.
---------------------------------------------------------------------------
\40\ 45 CFR 46 (amended 2018). Currently, 20 U.S. agencies and
departments intend to follow the revised Common Rule and their CFR
numbers. See U.S. Department of Health & Human Services, Federal Policy
for the Protection of Human Subject (`Common Rule') https://
www.hhs.gov/ohrp/regulations-and-policy/regulations/common-rule/
index.html (last visited Mar. 8, 2019).
---------------------------------------------------------------------------
While obtaining individuals' informed consent may be feasible in
controlled research settings, it is often impossible or impractical for
researchers studying databases that contain the footprints of millions,
or indeed billions, of data subjects. For example, when researchers are
studying the effectiveness of personalized learning tools or evaluating
disparate impacts of automated systems, they can benefit from access to
large datasets. Legal mandates that require data holders to obtain
continual permission from individuals for future uses of data--while
appropriate in many commercial contexts--may create undue burdens for
researchers who rely on datasets that contain information about
individuals who cannot be contacted or who have been deidentified,
particularly if researchers do not know, at the point of collection,
what insights future studies may reveal.
This does not mean that data-based research should be exempted from
a Federal privacy law. The use of private commercial data for socially
beneficial research should remain subject to strict standards for
privacy, security, scientific validity, and ethical integrity.\41\
However, we recommend that legal frameworks contain flexible provisions
for research, such as enforceable voluntary compliance with Federal
Common Rule for human subject research; carefully tailored exceptions
to the right of deletion for less readily identifiable information; or
the creation of independent ethical review boards to oversee and
approve beneficial research using personal information.
---------------------------------------------------------------------------
\41\ In the words of danah boyd and Kate Crawford, ``It may be
unreasonable to ask researchers to obtain consent from every person who
posts a tweet, but it is problematic for researchers to justify their
actions as ethical simply because the data are accessible. Future of
Privacy Forum, Conference Proceedings: Beyond IRBS: Designing Ethical
Review Processes for Big Data Research (Dec. 20, 2016), page 4, https:/
/fpf.org/wp-content/uploads/2017/01/Beyond-IRBs-Conference-
Proceedings_12-20-16.pdf, citing danah boyd & Kate Crawford, Critical
Questions for Big Data, 15(5) INFO. COMM. & SOC. 662 (2012).
---------------------------------------------------------------------------
This balance between facilitating data research and evidence-based
decision-making while maintaining privacy and ethical safeguards aligns
with the 2017 report of the bipartisan Commission on Evidence-Based
Policymaking and the 2018 Foundations for Evidence-Based Policymaking
Act.\42\ The Commission noted that increasing access to confidential
data need not necessarily increase privacy risk. Rather, ``steps that
can be taken to improve data security and privacy protections beyond
what exists today, while increasing the production of evidence.'' \43\
---------------------------------------------------------------------------
\42\ Foundations for Evidence-Based Policymaking Act of 2018, Pub.
L. No. 115-435, 132 Stat. 5529 (2019).
\43\ Report of the Commission on Evidence-Based Policymaking, 8
(September 2017) https://www.cep.gov/report/cep-final-report.pdf.
---------------------------------------------------------------------------
In short, companies that conduct research or partner with academic
institutions must do so in a way that protects privacy, fairness,
equity, and the integrity of the scientific process, and a Federal
privacy law should encourage, rather than place undue burdens on,
legitimate research when appropriate ethical reviews take place.
4. Internal Accountability and Oversight
A Federal baseline privacy law should incentivize companies to
employ meaningful internal accountability mechanisms, including privacy
and security programs, which are managed by a privacy workforce.
Ultimately, to implement privacy principles on the ground, including
not just legal compliance but also privacy by design and privacy
engineering, organizations will need to devote qualified and adequately
trained employees. Indeed, over the past two decades, a privacy
workforce has developed that combines the fields of law, public policy,
technology, and business management. This workforce's professional
association, the International Association of Privacy Professionals
(IAPP), has doubled its membership in just the past 18 months.\44\ The
IAPP provides training and professional certification, demonstrating
the heightened demand among organizations for professionals who manage
data privacy risks.
---------------------------------------------------------------------------
\44\ See IAPP-EY Annual Governance Report (2018), https://iapp.org/
media/pdf/resource_cen
ter/IAPP-EY-Gov_Report_2018-FINAL.pdf.
---------------------------------------------------------------------------
In their book Privacy on the Ground, Kenneth Bamberger and Deirdre
Mulligan stress ``the importance of the professionalization of privacy
officers as a force for transmission of consumer expectation notions of
privacy from diverse external stakeholders, and related `best
practices,' between firms.'' \45\
---------------------------------------------------------------------------
\45\ Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the
Books and on the Ground, 63 Stan. L. Rev. 247, 252 (2010).
---------------------------------------------------------------------------
Accordingly, today, data privacy management should no longer be
regarded as a role that employees in legal or HR departments fulfill as
a small piece of their larger job. Rather, it must be a new
professional role with standards, best practices, and norms, which are
widely agreed upon not only nationally but also across geographical
borders. Responsible practices for personal data management are not
common knowledge or intuitive, any more than accounting rules. They
require training, continuous education, and verifiable methods for
identifying and recognizing acceptable norms. Put simply, the digital
economy needs privacy professionals. Encouraging organizations to
implement internal governance programs that employ such professionals
will ensure higher professional standards and more responsible data
use, regardless of the specific rules ultimately chosen for data
collection, processing, or use.
Federal legislation could provide a safe harbor or other incentives
for development, documentation, and implementation of comprehensive
data privacy programs; execution of ongoing, documented privacy and
security risk assessments, including for risks arising from automated
decision-making; and implementation of robust accountability programs
with internal staffing and oversight by senior management. For example,
GDPR requires companies to document their compliance measures,\46\
appoint Data Protection Officers,\47\ and create data protection impact
assessments,\48\ among other requirements. Another way to increase
internal expertise is to incentivize employee training through
recognized programs.
---------------------------------------------------------------------------
\46\ GDPR, Art. 24, 40.
\47\ GDPR, Art. 37-39.
\48\ GDPR, Art. 35.
---------------------------------------------------------------------------
External certification processes act as objective validators to
help companies, particularly those with limited resources, navigate
complex legal requirements. Similarly, incentivizing companies or
industry sectors to create ``red teams'' to proactively identify
privacy abuses or to cooperate with watchdog entities or independent
monitors to support additional oversight, such as through safe harbors
or other methods, would create an additional layer of privacy
safeguards.
5. Incentives for Technical Solutions
Federal privacy legislation should promote the use of technical
solutions, including privacy-enhancing technologies (PETS). The ``holy
grail'' for data protection is utilizing technology that can achieve
strong and provable privacy guarantees while still supporting
beneficial uses. Legislation should create specific incentives for the
use of existing privacy-enhancing technologies and for the development
of new PETS. Following are ten PETS or technological trends that may
become increasingly useful tools to manage privacy risks:
Advances in Cryptography
a. Zero Knowledge Proofs--Zero knowledge proof (ZKPs) are
cryptographic methods by which one party can prove to another
party that they know something to be true without conveying any
additional information (like how or why the mathematical
statement is true). ZKPs can be used in identity verification
contexts, e.g., to prove that someone is over a certain age
without revealing their exact date of birth. ZKPs help with
data minimization and data protection and promote privacy by
design and default.
b. Homomorphic Encryption--Homomorphic encryption is a process that
enables privacy-preserving data analysis by allowing some types
of analytical functions and computations to be performed on
encrypted data without first needing to decrypt the data.\49\
It is especially useful in applications that retain encrypted
data in cloud storage for central access.
---------------------------------------------------------------------------
\49\ See David Wu, University of Virginia Computer Science
Department, available at https://www.cs.virginia.edu/dwu4/fhe-
project.html.
c. Secure Multi-Party Computation--Secure multi-party computation
(SMPC) is a distributed computing system or technique that
provides the ability to compute values of interest from
multiple encrypted data sources without any party having to
reveal their private data to the others. A common example is
secret sharing, whereby data from each party is divided and
distributed as random, encrypted ``shares'' among the parties,
and when ultimately combined can provide the desired
statistical result.\50\ If any one share is compromised, the
remaining data is still safe. SMPC holds particular promise for
sharing or managing access to sensitive data such as health
records.
---------------------------------------------------------------------------
\50\ See Christopher Sadler, Protecting Privacy with Secure Multi-
Party Computation, New America (Jan. 11, 2018), https://
www.newamerica.org/oti/blog/protecting-privacy-secure-multi-party-
computation/.
d. Differential Privacy--Differential privacy (DP) is a rigorous
mathematical definition of privacy that quantifies the risk
that an individual is included in a data set. It leverages
anonymization techniques that involves the addition of
statistical ``noise'' to data sets before calculations are
computed and results released. DP can be global or local.\51\
Global DP is server-side anonymization or deidentification
(where trust resides in the service provider); local DP is
applied on the client or user's device. There are now
differentially private versions of algorithms in machine
learning, game theory and economic mechanism design,
statistical estimation, and streaming. Differential privacy
works better on larger databases because as the number of
individuals in a database grows, the effect of any single
individual on a given aggregate statistic diminishes.
---------------------------------------------------------------------------
\51\ Evaluation of Privacy-Preserving Technologies for Machine
Learning, Outlier Ventures Research (Nov. 2018), https://
outlierventures.io/research/evaluation-of-privacy-preserving-
technologies-for-machine-learning/.
---------------------------------------------------------------------------
Localization of Processing
e. Edge computing and Local Processing--For devices where speed is
of the essence or connectivity is not constant, applications,
data, and services are increasingly run away from centralized
nodes at the end points of a network. Such local processing
helps with data minimization by reducing the amount of data
that must be collected (accessible) by the service provider, or
retained on a centralized service or in cloud storage.
f. Device-Level Machine Learning--New machine learning focused
semiconductor components and algorithms--along with the speedy,
low-cost local storage and local processing capabilities of
edge computing--are allowing tasks that use to require the
computing horsepower of the cloud to be done in a more refined
and more focused way on edge devices.
g. Identity Management--Many identity management solutions under
consideration or development leverage a variety of platforms,
including distributed ledger technology (described above), and
local processing, that capitalize on device-level machine
learning to provide the ability for individuals to verify and
certify their identify. This enables people without Internet
access beyond smartphones or other simple devices to form
secure connections, exchange identity-related credentials (such
as transcripts or voting records) without going through a
centralized intermediary. Verified personal data can be
accessed from the user's device and shared via secure,
encrypted channels to third parties, with data limited to the
basic facts necessary for the relying party (e.g., that the
individual is over 21, or does in fact qualify for a specific
government service) on an as-needed basis. Depending on the
implementation and standards, identity management can create
privacy risks or can be deployed to support data minimization
and privacy by design and default.
Advances in Artificial Intelligence (AI) & Machine Learning (ML)
h. ``Small Data''--Small data AI and machine learning systems use
significantly less, or even no real data, via techniques such
as data augmentation (manipulating existing data sets),
transfer learning (importing learnings from a preexisting
model), synthetic data sets (see below), and others.\52\ With
small data techniques, the future forms of AI might be able to
operate without needing the tremendous amounts of training data
currently required for many applications.\53\ This capability
can greatly reduce the complexity and privacy risks associated
with AI and ML systems.
---------------------------------------------------------------------------
\52\ Harsha Angeri, Small Data & Deep Learning (AI): A Data
Reduction Framework, Medium (Apr. 1, 2018), https://medium.com/
datadriveninvestor/small-data-deep-learning-ai-a-data-reduction-
framework-9772c7273992.
\53\ H. James Wilson, Paul R. Daugherty, Chase Davenport, The
Future of AI Will Be About Less Data, Not More, Harvard Business Review
(Jan. 14, 2019), https://hbr.org/2019/01/the-future-of-ai-will-be-
about-less-data-not-more.
i. Synthetic Data Sets--Synthetic data sets are sets of artificial
data created to replicate the patterns and analytic potential
of real data about real individuals or events by replicating
the important statistical properties of real data.\54\ They can
be created at a vast scale and reduce the need for large
training or test data sets, particularly for AI and ML
applications, and thus support reduced data sharing or
secondary use concerns.
---------------------------------------------------------------------------
\54\ Applied AI, Synthetic Data: An Introduction & 10 Tools, (June
2018 update), https://blog.appliedai.com/synthetic-data/.
j. Generative Adversarial Networks--Generative Adversarial Networks
(GANs) are a type of artificial intelligence, where algorithms
are created in pairs (one to ``learn,'' and the other to
``judge''). Used in unsupervised machine learning, two neural
networks contest with each other in a framework to produce
better and better simulations of real data (creating faces of
people, or handwriting). One valuable use: generating synthetic
data sets.\55\
---------------------------------------------------------------------------
\55\ Dan Yin and Qing Yang, GANs Based Density Distribution
Privacy-Preservation on Mobility Data, Security and Communication
Networks, vol. 2018, Article ID 9203076, (Dec. 2, 2018), https://
doi.org/10.1155/2018/9203076.
These tools and resources can potentially help mitigate data
protection concerns posed by future technologies. Federal legislation
could incentivize the growth and development of new PETS. The market
for compliance tools for privacy and security professionals also
continues to accelerate. Services that discover, map, and categorize
data for organizations, wizards that help manage and complete privacy
impact assessments, programs that handle data subject access requests
and consent management, and deidentification services are already
supporting privacy and security professionals at leading organizations
as well as attracting investor interest.\56\ Data protection resources
entering the marketing are increasingly central to building systems
that allow professionals to manage the challenges that accompany the
expanded data collection and the multiplying uses that shape modern
business practices.
---------------------------------------------------------------------------
\56\ IAPP Privacy Tech Vendor Report (2018), https://iapp.org/
resources/article/2018-privacy-tech-vendor-report/
---------------------------------------------------------------------------
6. Machine Learning
A Federal privacy law should also promote beneficial uses of
artificial intelligence (AI) and machine learning. Many device
manufacturers are making strides to minimize data collection by
conducting data processing on-device (locally) rather than sending data
back to a remote server. However, AI and machine learning technologies
typically require large and representative data sets to power new
models, to ensure accuracy, and to avoid bias. A U.S. framework would
be wise to ensure that uses of data for machine learning are supported
when conducted responsibly. To assess such responsible uses, we again
recommend the development of a serious ethics review process. The
academic IRB is well established as a necessary way for federally
funded human subject research to be vetted.\57\ Counterparts for
corporate data will be important, if structured to provide expertise,
confidentiality, independance, transparency of process, speed, and
expertise.\58\
---------------------------------------------------------------------------
\57\ Protection of Human Subjects, 45 C.F.R. Sec. Sec. 46.103,
46.108 (2012).
\58\ See Future of Privacy Forum, Conference Proceedings: Beyond
IRBS: Designing Ethical Review Processes for Big Data Research (Dec.
20, 2016), https://fpf.org/wp-content/uploads/2017/01/Beyond-IRBs-
Conference-Proceedings_12-20-16.pdf.
---------------------------------------------------------------------------
7. Interaction with Existing Legal Frameworks
A Federal baseline privacy law should take into consideration
existing legal frameworks, by preempting certain state laws where they
create conflicting or inconsistent requirements, and superseding or
filling gaps between existing Federal sectoral laws. While recognizing
the United States' unique global privacy leadership, a Federal privacy
law should also address issues of interoperability with GDPR and other
global legal regimes. At a minimum, it is important for the U.S. to
protect cross-border data flows by not creating obligations that
directly conflict with other existing international frameworks.
A. Interaction with State Laws
The drafting of a Federal privacy law in the United States will
necessarily impact the range of state and local privacy laws that have
been passed in recent decades or are currently being drafted. The
question of preemption is at the forefront of many conversations
regarding a Federal privacy bill. Stakeholders from government,
industry, civil society, and academia have expressed strong and
sometimes conflicting views. At a minimum, we should seek to avoid a
framework where website operators are expected to comply with multiple
inconsistent state mandates on the many day-to-day issues at the core
of the digital economy, ranging from signing users up for e-mail lists,
implementing website analytics, or conducting e-commerce. These
concerns can reasonably be avoided with carefully crafted Federal
preemption, so long as the law also ensures a strong level of uniform
privacy protections, certainly meeting and exceeding the core
protections of the California Consumer Privacy Act (CCPA).
It is important to recognize that lawmakers' options are not
binary. The choice is not between a preemptive Federal law and a non-
preemptive Federal law. Rather, lawmakers must grapple with a range of
state authorities and choose which to preempt and which to
preserve.\59\ I provide further context below. My core recommendations
are that Congress: (1) preserve state Unfair and Deceptive Acts and
Practices (UDAP) laws, which regulate a wide range of commercial
conduct, from fair pricing to honest advertising, when they do not
specifically target privacy or security requirements; (2) preempt
generally applicable consumer privacy laws, like the California
Consumer Privacy Act (CCPA); and (3) be thoughtful about which state
sectoral privacy laws to preempt or preserve.
---------------------------------------------------------------------------
\59\ Peter Swire, U.S. Federal privacy preemption part 1: History
of Federal preemption of stricter state laws (Jan 9, 2019), IAPP
Privacy Tracker, https://iapp.org/news/a/us-federal-privacy-preemption-
part-1-history-of-federal-preemption-of-stricter-state-laws/.
---------------------------------------------------------------------------
For example, to the extent that a Federal law contains provisions
that conflict with state common law or statutes, the latter will be
preempted by default.\60\ Congress may, to the extent it wishes, take
further steps to prevent states or local governments from drafting
further new, different, or more protective laws, through express or
implied ``field preemption.'' Within this range, there is great
flexibility in the extent to which a Federal law can have preemptive
effect.\61\
---------------------------------------------------------------------------
\60\ Supremacy Clause, U.S. CONST. art. VI, cl. 2.
\61\ See generally, Paul M. Schwartz, Preemption and Privacy, 118
Yale L.J. 902 (2008), available at https://
scholarship.law.berkeley.edu/cgi/
viewcontent.cgi?article=1071&context=facpubs.
---------------------------------------------------------------------------
As this Committee considers the appropriate balance of Federal and
state intervention in the field of information privacy, it should
carefully consider how a Federal privacy law will impact certain key
aspects of current state regulation:
State UDAP Laws. Every state has broadly applicable Unfair
and Deceptive Acts and Practices (UDAP) laws that prohibit
deceptive commercial practices or unfair or unconscionable
business practices.\62\ State enforcement authorities have
increasingly applied UDAP laws to data-driven business
practices such as mobile apps and platform providers.\63\ In
general, states should maintain the freedom to enforce broadly
applicable commercial fairness principles in a technology-
neutral manner, to the extent that they do not specifically
regulate the collection and processing of personal information
addressed in the Federal law.
---------------------------------------------------------------------------
\62\ National Consumer Law Center, Consumer Protection in the
States: A 50-State Evaluation of Unfair and Deceptive Practices Laws,
(Mar. 2018), http://www.nclc.org/images/pdf/udap/udap-report.pdf.
\63\ See e.g. Federal Trade Commission, Privacy & Data Security
Update: 2017, https://www.ftc.gov/system/files/documents/reports/
privacy-data-security-update-2017-overview-commissions-enforcement-
policy-initiatives-consumer/privacy_and_data_security_update_2017.pdf.
(As one of the examples of state enforcement actions, the FTC and 32
State Attorneys General alleged that Lenovo engaged in an unfair and
deceptive practice by selling consumer laptops with a preinstalled
software program that accessed consumer's sensitive personal
information transmitted over the Internet without the consumer's
knowledge or consent.)
State Constitutions. Eleven states have enumerated
constitutional rights to privacy, most of which were created
through constitutional amendments in the last 50 years.\64\ In
addition to governing law enforcement access to information,
some states have chosen to express a free-standing fundamental
right to privacy.\65\ These amendments to state constitutions
reflect the states' explicit intention to extend--or clarify--
the fundamental rights of their own residents beyond the
existing status quo of Federal legal protections.
---------------------------------------------------------------------------
\64\ See National Conference of State Legislatures, Privacy
Protections in State Constitutions (Nov. 7, 2018), http://www.ncsl.org/
research/telecommunications-and-information-technology/privacy-
protections-in-state-constitutions.aspx.; Gerald B. Cope, Jr., Toward a
Right of Privacy as a Matter of State Constitutional Law, 5 Fla. St. U.
L. Rev. 631, 690-710 (2014).
\65\ See e.g. Cal. Const., art. I, Sec. 1; Haw. Const., art. I,
Sec. Sec. 6-7; Alaska Const., art. I, Sec. 22.
State Sector-Specific Laws. Comprehensive state efforts to
regulate consumer privacy and security, such as generally
applicable data breach laws or the recent California Consumer
Privacy Act, are likely to be partially or fully preempted by a
Federal law that meaningfully addresses the same issues and
creates similar substantive legal protections. However, a
Federal law should also carefully anticipate its effect on
sectoral state efforts, such as those regulating
biometrics,\66\ drones/UAV,\67\ or employer or school ability
to ask for social media credentials.\68\ For example, in the
field of student privacy, more than 120 state laws have passed
since 2013 regulating local and state education agencies and
education technology companies,\69\ and replacing those laws
with a general consumer privacy law could eliminate important
nuances that those laws incorporated; for example, a consumer
privacy law would likely allow for users to delete their data,
but, in the education context, students obviously should not
have the ability to delete a homework assignment or test
scores. Further complicating these matters, states retain a
constitutional right to regulate the core behavior of their own
governmental entities, including the regulation of school
districts.\70\
---------------------------------------------------------------------------
\66\ Biometric Information Privacy Act (BIPA), 740 ILCS/14 (2008).
\67\ National Council of State Legislatures, Current Unmanned
Aircraft State Law Landscape (Sept. 10, 2018). http://www.ncsl.org/
research/transportation/current-unmanned-aircraft-state-law-
landscape.aspx.
\68\ National Council of State Legislatures, State Social Media
Privacy Laws (Nov. 6, 2018). http://www.ncsl.org/research/
telecommunications-and-information-technology/state-laws-prohibiting-
access-to-social-media-usernames-and-passwords.aspx.
\69\ State Student Privacy Laws, FERPA/Sherpa (April 23, 2019),
https://ferpasherpa.org/state-laws.
\70\ See U.S. CONST. art. X; Sonja Ralston Elder, Enforcing Public
Educational Rights Via a Private Right of Action, 1 Duke Forum For L. &
Soc. Change 137, 154 (2009).
---------------------------------------------------------------------------
B. Interaction with Federal Sectoral Laws
In some cases, it may be appropriate for a baseline, comprehensive
Federal privacy law to supersede and replace existing sectoral Federal
laws where a consistent baseline set of obligations would be
beneficial. In other cases, the wide range of existing sectoral laws,
including privacy laws and anti-discrimination laws, may be well suited
to address concerns around automated decision-making or unfair uses of
data.
C. Interaction with Global Privacy Frameworks
The U.S. has an opportunity to demonstrate leadership, protect
consumers, and facilitate commerce by crafting a Federal privacy law
that ensures interoperability with international data protection laws.
Just as the U.S. is currently confronting challenges posed by an
assortment of privacy-focused state laws, disparate privacy regimes
with varying degrees of privacy protections and controls are
proliferating internationally. These laws and the corresponding
multiplicity of compliance obligations adversely affect cross-border
data flows and the multinational businesses that rely on such flows to
remain competitive.
Legislation should consider and address, as much as possible,
interoperability with other nations' privacy frameworks.\71\ For
example, legislation should promote interoperability with the most
well-known example of a comprehensive privacy law, GDPR, which provides
an extensive framework for the collection and use of personal data. The
basic principles of GDPR should provide a reference for policymakers
during the legislative process, with an understanding that the U.S.
approach to privacy and other constitutional values may diverge in many
areas, such as breadth of data subject rights, recognition of First
Amendment rights, and the need for minimization requirements that may
impact data use for AI and machine learning purposes. Also important
for comparison are the OECD privacy guidelines and the APEC CBPS,
particularly since the proposed United States-Mexico-Canada Agreement
(USMCA), which Congress is reviewing as it considers ratification,
recognizes the CBPR system as a valid data privacy compliance mechanism
for data-transfers between the countries.
---------------------------------------------------------------------------
\71\ Per a McKinsey report, ``Cross-border data flows are the
hallmarks of 21st-century globalization. Not only do they transmit
valuable streams of information and ideas in their own right, but they
also enable other flows of goods, services, finance, and people.''
McKinsey Global Institute, Digital Globalization: The New Era of Global
Flows, (March 2016) at 30, https://www.mckinsey.com/�/media/McKinsey/
Business%20Functions/McKinsey%20Digital/Our%20
Insights/
Digital%20globalization%20The%20new%20era%20of%20global%20flows/MGI-
Digital-globalization-Full-report.ashx.
---------------------------------------------------------------------------
A Federal baseline privacy law should also promote cross-border
data flows by avoiding the creation of obligations that directly
conflict with other international laws. For example, an emergence of
recent data localization laws have expressly prohibited data transfers
or mandated highly-restrictive regulatory environments, resulting in
inefficient and burdensome requirements for activities including: data
storage, management, processing, and analytics. Countries that erect
these barriers to data flows often cite concerns about cybersecurity,
national security, and privacy.\72\ Localization detrimentally impacts
businesses,\73\ consumers who benefit from free flows of data, and
potentially data security. Thoughtful data governance and oversight
policies with data subject rights and other protections can address
data protection issues without resorting to a regulatory environment
that employs localization as a solution.
---------------------------------------------------------------------------
\72\ The U.S. International Trade Commission and Department of
Commerce have considered these concerns in a series of convenings and
reports over the past several years. See e.g., U.S. Dept. of Commerce,
Measuring the Value of Cross-Border Data, (Sept. 30, 2016), https://www
.commerce.gov/news/fact-sheets/2016/09/measuring-value-cross-border-
data-flows; U.S. Intl. Trade Comm'n, Global Digital Trade 1: Market
Opportunities and Key Foreign Trade Restrictions, (Aug. 2017), https://
www.usitc.gov/publications/332/pub4716_0.pdf.
\73\ For example, a U.S. International Trade Commission report
notes that there are cost, speed, and security advantages to cloud-
based technologies. U.S. Intl. Trade Comm'n, Global Digital Trade 1:
Market Opportunities and Key Foreign Trade Restrictions, (Aug. 2017) at
20, https://www.usitc.gov/publications/332/pub4716_0.pdf. A 2016
McKinsey report found a 10.1 percent rise in GDP over 10 years is
attributable to cross-border flows. McKinsey Global Institute, Digital
Globalization: The New Era of Global Flows, (Mar. 2016) at 30, https://
www.mckinsey.com/�/media/McKinsey/Business%20Functions/
McKinsey%20Digital/Our%20Insights/Digital%20
globalization%20The%20new%20era%20of%20global%20flows/MGI-Digital-
globalization-Full-report.ashx.
---------------------------------------------------------------------------
8. Rulemaking, Civil Penalties, and Enforcement
No matter how well crafted, a privacy law will almost certainly
require a well-resourced administrative mechanism to clarify certain
terms and standards. In Europe, the GDPR contemplates that guidance
from Data Protection Authorities will clarify key concepts and
requirements. In California, the CCPA tasks the state attorney general
with promulgating rules on complicated aspects of the statute. Under
Federal law, Congress provided for the FTC to issue regulations under
the COPPA statute that have helped define key provisions and enable the
law's safe-harbor program for the collection and use of children's
data.
A comprehensive Federal privacy law is no different. I urge the
Committee to carefully consider what aspects of a Federal law might
benefit from regulatory clarity or guidance over time. And I urge
legislative drafters to empower the FTC to provide such clarity, with
specific parameters and considerations to take into account and subject
to reasonable guardrails on the agency's authority. The Commission and
other stakeholders have agreed, and noted that additional investigatory
resources would be welcome.\74\ The Commission receives many consumer
complaints and would benefit from the ability to hire more technology
and legal experts. Enhanced resources, and the deeper understanding of
technology and business practices they bring to the Commission, can
lead to fairer outcomes for both individuals and companies.
---------------------------------------------------------------------------
\74\ FTC Staff, FTC Staff Comment to the NTIA: Developing the
Administration's Approach to Consumer Privacy, Docket No. 180821780-
8780-01 (November 9, 2019) https://www.ftc.gov/system/files/documents/
advocacy_documents/ftc-staff-comment-ntia-developing-administrations-
approach-consumer-privacy/p195400_ftc_comment_to_ntia_112018.pdf.
---------------------------------------------------------------------------
The authority to bring civil penalties is another key aspect of the
FTC's current oversight of global technology firms. But today, the FTC
can only fully exercise this oversight regarding companies with whom
the Commission has entered into settlement agreements. Civil penalty
authority in the first instance would enable to FTC to bring its
oversight to bear on all companies that handle personal data,
protecting individuals and consumers and leveling the playing field.
It is also vital that technical assistance be provided if a new law
is passed, particularly for small businesses. The FTC can help fulfill
this role. A potential model for this is the U.S. Department of
Education's Privacy Technical Assistance Center (PTAC), which has
played a vital role in providing guidance, technical assistance, and
best practices to states, districts, companies, and privacy
advocates.\75\
---------------------------------------------------------------------------
\75\ U.S. Department of Education, Privacy Technical Assistance
Center, https://studentpri
vacy.ed.gov.
---------------------------------------------------------------------------
Finally, there has also been a growing recognition of the important
role of state attorneys general in the creation and protection of
evolving privacy norms.\76\ State attorneys general have brought
enforcement actions that meaningfully push forward legal protections in
many areas.\77\ As officials with a broad scope of authority and the
freedom to respond to rapidly evolving privacy challenges, they should
remain key partners in the enforcement of a baseline Federal
information privacy law.
---------------------------------------------------------------------------
\76\ Danielle Keats Citron, The Privacy Policymaking of State
Attorneys General, 92 Notre Dame L. Rev. 747, 785-91 (2016), http://
ndlawreview.org/wp-content/uploads/2017/02/NDL205.pdf.
\77\ Id.
---------------------------------------------------------------------------
Conclusion
This is a critical juncture for U.S. policymaking. Privacy
regulation is charging ahead in the EU and in the states. Now is the
time for the United States as a nation to reassert its policy
leadership, which stretches from Warren and Brandeis' 1890 treatise on
The Right to Privacy,\78\ through William Prosser's explication of the
privacy torts in 1960,\79\ to the Department of Health, Education, and
Welfare's report first outlining the fair information practices in
1972,\80\ which are the cornerstone for every data protection framework
from OECD to GDPR.
---------------------------------------------------------------------------
\78\ Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4
Harvard L. Rev. 193 (1890), https://www.cs.cornell.edu/�shmat/courses/
cs5436/warren-brandeis.pdf.
\79\ William L. Prosser, Privacy, 48 Calif. L. Rev. 383 (1960),
https://doi.org/10.15779/Z383J3C.
\80\ Records, Computer, and the Rights of Citizens: Report of the
Secretary's Advisory Committee on Automated Personal Data Systems, U.S.
Dept. of Health & Human Services (1973), https://aspe.hhs.gov/report/
records-computers-and-rights-citizens.
---------------------------------------------------------------------------
Federal legislation should empower the FTC to rulemake and enforce
and allow state AGs to retain enforcement powers. It should recognize
broad spectrum of identifiability in definition of PII. It should
provide heightened protection for sensitive data or contexts. It should
not unduly restrict socially beneficial research find a way to enable
crucial data-driven research. It should incentivize and recognize the
privacy profession and PETs.
In my view, the best approach would be for Congress to draft and
pass a baseline, non-sectoral Federal information privacy law. Although
I have flagged specific considerations related to such a law's content
and its interaction with existing legal frameworks, I overall believe
that a strong Federal law remains the best approach to guaranteeing
clear, consistent, and meaningful privacy and security protections in
the United States.
APPENDED:
A. Future of Privacy Forum, Infographic, Personal Data and the
Organization: Stewardship and Strategy
B. Future of Privacy Forum, Infographic, A VIsual Guide to
Practical De-Identification
C. Future of Privacy Forum Infographic, Financial Data
Localization: Conflicts and Consequences
D. Future of Privacy Forum, Draft Legislative Language: ``Covered
Data''
E. Future of Privacy Forum, Unfairness by Algorithm: Distilling the
Harms of Automated Decision-making (December 2017)
F. Future of Privacy Forum & Anti-Defamation League, Big Data: A
Tool for Fighting Discrimination and Empowering Groups
The Chairman. And thank you very much, sir.
Mr. Steyer.
STATEMENT OF JAMES P. STEYER, CHIEF EXECUTIVE OFFICER AND
FOUNDER, COMMON SENSE MEDIA
Mr. Steyer. Thank you, Chairman Wicker, Ranking Member
Cantwell, and the distinguished members of this Committee. It
is great to be here.
I am Jim Steyer. I am the Founder and CEO of Common Sense
Media. We are the leading kids' media and tech group in the
United States. We launched about 15 years ago. Just for a
little background, we have 110 million unique users every year
on our consumer platform. We created an award-winning digital
citizenship curriculum that is in most of the schools in your
guys' states. And we have 75,000 member schools across the
world, most of which are in the U.S., teaching kids about not
just their privacy rights but the safe, responsible use of
tech.
I am also a prof at Stanford where I have taught
constitutional law for the last 30 years.
The one thing I would sort of say in general today is that
as someone who has been a child advocate for 30 years--I am a
father of four. I have got a 15-year-old. That is our youngest
now. I think this is a major moment in time on these issues. It
has been literally almost 20 years since the U.S. Congress did
anything meaningful in the area of privacy. And right now, even
though there are tens of millions of American families who are
worried about privacy issues for themselves, but most of all
for their children, there is only one state, the state that I
live in, California, that has a comprehensive privacy law. And
in fact, it was us at Common Sense Media who spearheaded that
law last year, the CCPA that has been referred to.
I just think it is this great moment in time where this
body has to act. I always say when I get up in front of parents
that 20 years ago Mark Zuckerberg was barely out of diapers.
Google was a concept in sort of obscure math ideas. And this
device did not even exist. But it is all here now and our kids
are living on it and we are all living on it. And so during
this time of extraordinary growth in the tech economy, we have
got to come up with a comprehensive, smart, common sense
privacy law that is going to protect all of us, all of our
families, and most of all, our kids.
Right now, there essentially are no guardrails when it
comes to privacy federally. We have one law, the California law
that we passed last year. It goes into effect in January. And
then we have GDPR, which Ms. Dixon referred to. So it is high
time that Congress and this august body stepped up to the plate
and protected the fundamental privacy rights of every citizen
in this country.
The one thing that we saw very much in California when we
passed the law is that it is a totally bipartisan issue. This
is something that everybody ought to be able to agree on
because we all are both the beneficiaries of the extraordinary
aspects of the tech industry, but we are also the victims when
privacy rights are violated, whether it is individually or
whether it involves interference with our electoral process. So
overwhelming majorities of Americans agree with us. The
California law passed unanimously. And so I would just urge you
to really work, as you do, as a bipartisan group to support
comprehensive privacy laws now.
Four big points that I would say to you.
One, the California law is a floor, not a ceiling. Anything
that should come out of this committee and this Senate should
be stronger than the California law. I know. We negotiated it.
We gave up a number of rights in order to get it passed. We
worked with companies like Microsoft, Apple, and SalesForce to
get it done. But this body should be looking at California as
an absolute floor rather than as a ceiling.
The second thing I would say is that kids and teens are the
most vulnerable. They deserve special protection. As our good
friend, Senator Markey, knows as well as anyone, kids need
extremely important and unique protections. So as you consider
the law, we hope you will put kids first and include teens in
this law as well.
Third, there needs to be ongoing public education, a public
awareness campaign. The average American, I would argue the
average Senator, is not a computer wizard or tech wizard. So
once we have a law, we need to explain it to the public how to
use it. That is a big thing we are going to start doing in
California in 2020. But I would urge you to think about that,
how do you make it simple, easy, and easily understandable for
a luddite like me and some of you.
And last but not least, I do want to raise the other thing.
In the wake of the live streaming of mass shootings on Facebook
a few weeks ago, and the inability of YouTube and other
platforms to pull some of that extraordinarily inappropriate
content for anyone, let alone children, down, we would urge you
to think about it separately, the concept of section 230 in the
safe harbor provision and what kind of regulations there ought
to be, for kids in particular, of inappropriate content on the
Web.
At the end of the day, I think the bottom line is clear.
This is your folks' moment to do something great for everybody
in America on a bipartisan basis, and we are happy to help.
Thank you very much for having me.
[The prepared statement of Mr. Steyer follows:]
Prepared Statement of James P. Steyer, Chief Executive Officer and
Founder, Common Sense Media
Good morning Chairman Wicker, Ranking Member Cantwell, and
distinguished Committee Members. Thank you for the opportunity to
appear before you, and for your willingness to engage with the
complicated--but critically important--issue of consumer privacy.
My name is James P. Steyer and I am the founder and CEO of Common
Sense Media. Common Sense is America's leading organization dedicated
to helping kids and families thrive in a rapidly changing digital
world. We help parents, teachers, and policymakers by providing
unbiased information, trusted advice, and innovative tools to help them
harness the power of media and technology as a positive force in all
kids' lives. Since launching 15 years ago, Common Sense has helped
millions of families and kids think critically and make smart,
responsible choices about the media they create and consume. Common
Sense has over 108 million users and our award winning Digital
Citizenship Curriculum is the most comprehensive K-12 offering of its
kind in the education field; we have over 700,000 registered educators
using our resources in over half of U.S. schools. Common Sense was a
sponsor of California's precedent-setting consumer privacy law, the
California Consumer Privacy Act (CCPA). We have also sponsored and
supported privacy laws across the country and at the Federal level,
including California's landmark Student Online Privacy Information
Protection Act (SOPIPA) and the recently introduced bipartisan COPPA
2.0.
Children And Teens Are Particularly Vulnerable
When we started Common Sense a decade and a half ago, privacy was
not a major concern for kids and families. But it has grown
significantly as an issue over the past several years, to the point
where we find ourselves today. Privacy concerns are particularly acute
for kids: Ninety-eight percent of children under 8 in America have
access to a mobile device at home.\1\ American teens consume an average
of 9 hours a day of media,\2\ and half of teens report feeling addicted
to their devices. Children today face surveillance unlike any other
generation--their every movement online and off can be tracked by
potentially dozens of different companies and organizations. Further,
kids are prone to sharing and impulsive behavior, are more susceptible
to advertising, and are less able to understand what may happen to
their personal information.\3\
---------------------------------------------------------------------------
\1\ Common Sense: Technology Addiction: Concern, Controversy, and
Finding Balance (2016)
\2\ Ibid
\3\ Children, Adolescents, and Advertising (2006)
---------------------------------------------------------------------------
Unfortunately, too many companies are not protecting children's and
their families' privacy. A recent analysis found that more than half of
6,000 free children's apps may serve kids ads that violate COPPA.\4\ 60
percent of connected devices don't provide proper information on how
they collect, use and disclose users' personal information.\5\ Millions
of kids and parents have had sensitive information--including family
chats--exposed by connected toys.\6\ Data brokers are selling profiles
of children as young as two (and identity theft can occur before a
child's first birthday).\7\
---------------------------------------------------------------------------
\4\ Reyes et. al, ``Won't Somebody Think of the Children?''
Examining COPPA Compliance at Scale. Proceedings on Privacy Enhancing
Technologies (2018)
\5\ GPEN Privacy Sweep on Internet of Things (2016)
\6\ Jensen, Data Breach Involving CloudPets ``Smart'' Toys Raises
Internet-of-Things Security Concerns, Data Privacy + Security Insider
(2017); and Real-World Reasons Parents Should Care About Kids and
Online Privacy (2018)
\7\ Ibid
---------------------------------------------------------------------------
A growing lack of privacy and distrust of the online and tech world
impacts every family, and could significantly impact the personal
development of young people. At Common Sense, we believe kids need the
freedom to make mistakes, try new things, and find their voices without
the looming threat of a permanent digital record that could be used
against them.
It is our goal to help our millions of American members improve the
digital wellbeing of their families--and while in many instances that
means teaching parents, teachers, and kids good digital citizenship
practices and privacy skills, it also means ensuring there are baseline
protections in place. Even savvy digital citizens are powerless if they
do not know what companies are doing with their information, if they
cannot access, delete, or move their information, or if they have no
choices with respect to the use and disclosure of their information.
Families' Privacy Expectations And Desires
What do families want in privacy protections? According to our
research: More than 9 in 10 parents and teens think it's important that
websites clearly label what data they collect and how it will be
used.\8\ Those same numbers--more than 9 in 10--think it is important
that sites ask permission before selling or sharing data.\9\ And almost
9 in 10, or 88 percent, think it is important to control whether data
is used to target ads across devices.\10\ Speaking of devices, 93
percent of parents believe that with smart devices it is important to
control what information is collected about them and to know when their
voices are being recorded.\11\
---------------------------------------------------------------------------
\8\ Privacy Matters: Protecting Digital Privacy for Parents and
Kids (2018)
\9\ Ibid
\10\ Ibid
\11\ Ibid
---------------------------------------------------------------------------
These views and data points informed the values--including consent,
transparency, control, plus special protections for young people--that
guided our approach to the privacy work we did in California.
The California Consumer Privacy Act (CCPA)
The CCPA is the first generally applicable consumer privacy law in
America--not limited to financial or health information, or any
specific entity--that recognizes that Americans have privacy rights in
all of their information, no matter who holds it. Importantly, the
California privacy law protects everyone, not just kids or students.
This is born of our belief that, while children and teens need special
safeguards, the best way to protect them is to have baseline
protections for everyone: (1) so families are protected and (2) so
businesses cannot pretend they are not dealing with kids.
In California, a statewide ballot initiative focused on notice and
saying no to sales of data was the catalyst that led to larger
discussions to develop more comprehensive privacy legislation. At
Common Sense, we worked hard to expand substantive rights under the
law--including opt-in rights (which we achieved for minors under 16),
and new access, deletion, and portability rights. The CCPA ultimately
passed unanimously through both houses of the California legislature.
The law goes into effect in 2020, and will allow California
residents to access the personal information companies collect about
them--as well as port their data to another platform, or demand the
deletion of their data (with exceptions) if they wish. Californians
will be empowered to tell companies to stop selling their personal
information. And kids under 16 or their parents must actively consent
before their data is ever sold. The Attorney General is charged with
enforcing violations of the law--with a private right of action for
certain data breaches--and the law applies equally to service
providers, edge companies, and brick and mortar entities.
Any Federal Law Should Build Upon California
Like the CCPA, any Federal law must go beyond ``consent'', and
include rights to access, port, and delete information. It must enable
consumers to say no to the sharing of their information, and it would
be even better if the law required that consumers say yes before their
information is sold or shared--families would be better served if the
rule for all people, not just minors under 16, was that companies could
not sell information without opt-in approval. Indeed, the California
law is a huge step forward, but it is not perfect and it does not offer
consumers all of the protections they deserve. As this committee
considers bipartisan Federal legislation, additional protections
families want and deserve include: the rights to limit companies' own
use of consumer information; the ability for consumers to enforce their
own rights in court; and the assurance that companies are building
default privacy protections (privacy by design) and practicing data
minimization. Certain practices should be off limits, and individuals,
especially children, should not be able to consent to them (such as,
for example, manipulative user designs that subvert user autonomy, or
behaviorally targeted marketing to kids).
Privacy protections must be strong across the board, but they must
recognize the unique vulnerabilities of children and teenagers. The
bipartisan COPPA 2.0 offers an excellent example of the protections
young people need: in addition to putting families in the driver's seat
regarding information collection, use, and disclosure, COPPA 2.0
contains additional safeguards (and, for young children, flat
prohibitions) around targeted and behavioral marketing; it would
enhance the privacy and security of vulnerable connected devices
families are bringing inside their homes; and it offers new resources
and authority to the Federal Trade Commission to focus on examining the
industry and enforcing these protections.
Any law Congress passes should be at least as strong, if not
stronger, than California's CCPA. The CCPA will go into effect next
year, and it is clear from polling that vast majorities of Californians
from all parties support it.\12\ What's more, it is also clear from
other states that individuals and state legislators are not going to
accept laws that are weak on privacy.
---------------------------------------------------------------------------
\12\ California Voters Overwhelmingly Support Stronger Consumer
Privacy Protections (2019); and Privacy Matters: Protecting Digital
Privacy for Parents and Kids (2018)
---------------------------------------------------------------------------
And, as with past Federal privacy laws, national legislation should
ensure that there are baseline protections in place, but provide room
and space for states to continue to innovate. A weak preemptive law
would be a travesty of justice and take away rights from millions of
consumers, not just the eighth of the country that lives in California
but the many individuals who live in other states with strong privacy
laws such as Illinois, with its biometric law, or Vermont, with its
data broker registry.
States have always been the first line of defense to protect
individual citizens from scams and unfair business practices, and state
tort law has protected the privacy of homes and persons. State
innovation in the privacy sphere has brought us data security rules,
laws applying directly to ed tech vendors, laws protecting the privacy
of our bodies, and laws shining light on data brokers. The speed of
technology is lighting fast, and states are in a position to act nimbly
and innovate, just like businesses. States are true laboratories of
democracy, and in the past few decades they have been engaging on
privacy and working with consumers and businesses to determine workable
new protections and safeguards.
Any Law Must Be Coupled With Consumer Education
It is critical that any new law be coupled with effective consumer
education. From our research at Common Sense, we know that families
crave better privacy protections. We also know that some are taking
measures to try and protect themselves--for example, 86 percent of
parents and 79 percent of teens have adjusted privacy settings on
social media sites.\13\ But in many instances, families have the desire
but lack the knowledge. In discussing connected devices with parents,
we learned 71 percent would like to limit data collection, but a full
third do not know how.\14\
---------------------------------------------------------------------------
\13\ Privacy Matters: Protecting Digital Privacy for Parents and
Kids (2018)
\14\ Ibid
---------------------------------------------------------------------------
This is why it is important to have companies build products,
platforms and services with the most protective privacy defaults
possible. It is also why kids and adults need to know how to exercise
their privacy rights. Education is imperative in this regard. As I
mentioned, Common Sense is committed to giving parents and teachers the
information they need to make informed choices about the apps they use
with their children at home and the learning tools they use with
students in the classroom. We provide expert advice articles and
privacy evaluations for parents to learn more about how they can
protect their kids' privacy and we empower schools and districts to
thoroughly assess technology products used in K-12 classrooms. We
collaborate with hundreds of school and district partners and provide
assistance to software developers to make sure their privacy practices
are transparent and comprehensive and created with kids' best interests
in mind. We also provide a high-quality Digital Citizenship Curriculum
for school communities that supports teachers with improved classroom
tools, and prepares kids to take ownership of their digital lives.
At present, across the country, opportunities to empower
individuals to make real decisions or protect their privacy are few and
far between. Companies offer a ``take it or leave it'' framework that,
because of jobs, school requirements, or an interest in participating
in democratic life, individuals feel forced to accept. We must ensure
consumers have default protections in place, and we must also work to
educate them about additional, or alternative, choices. Digital
citizenship education should be a part of school curriculums, and
requires more support and funding.
What's more, privacy protections are just one piece of the puzzle.
As young people live more and more of their lives online, they face an
ever expanding array of opportunities and risks. In addition to
protecting children and families' privacy, we must endeavor to provide
all kids with access to high quality content, and protect them from
being exposed to the worst of humanity with the click of a button,
scroll of a feed, or failure to stop a new video from autoplaying. We
must consider, as a country, whether laws like Section 230 are serving
the best interest of our children, and what we can do to improve the
entirety of their digital experience.
Conclusion
Thank you again for your bipartisan efforts to address consumer
privacy. It's critical that we teach individuals how to protect
themselves, but the burden should not fall entirely on consumers,
especially on kids and families. We have seen many businesses will not
protect consumer privacy on their own. We need a strong Federal
baseline privacy law, that offers everyone protections and recognizes
the special vulnerabilities of children and teens.
The Chairman. Thank you very much, Mr. Steyer.
Ms. Guliani.
STATEMENT OF NEEMA SINGH GULIANI, SENIOR LEGISLATIVE COUNSEL,
WASHINGTON LEGISLATIVE OFFICE, AMERICAN CIVIL LIBERTIES UNION
Ms. Guliani. Thank you for the opportunity to testify today
on behalf of the ACLU.
We are all here because the current privacy regime is
broken and it is failing consumers. Lack of privacy affects
everyday life. It can increase unfair discrimination,
exacerbate economic inequality, and even threaten physical
safety.
For example, studies have documented how some retailers
charge customers different prices based on things like their
Zip code or their browsing habits. In many cases, consumers are
not even aware their information is being collected, much less
how they can protect themselves against these types of uses.
In another study, online mortgage lenders charge black and
Latin borrowers more and higher rates for their loans,
replicating the types of discrimination that Federal laws like
the Equal Credit Opportunity Act were designed to prevent.
The ACLU strongly supports Federal privacy legislation to
address problems like these. There are many elements that such
legislation should include, but I want to highlight four areas
in particular that are of concern.
The first is any Federal law should be a floor, not a
ceiling. Some industry representatives have urged you to
broadly preempt State laws as part of any Federal legislation.
I want to be crystal clear here. This would be a bad deal for
consumers. If Congress uses Federal privacy legislation as an
opportunity to broadly preempt State laws, it will cause more
harm than good.
As an organization with affiliates in every state, the ACLU
has been at the forefront of many efforts to pass strong State
privacy laws. We know firsthand that in many cases it has been
states, not Congress, that have led efforts to protect
consumers. California was the first State in the Nation to
require companies to notify customers of a data breach, and
just last year it passed a broader consumer privacy bill that
you all are familiar with.
Illinois has set important limits on the commercial
collection and storage of biometric information, and nearly all
states regulate unfair and deceptive trade practices,
complementing the FTC's authority in this area.
These states have acted as laboratories. They have
experimented and innovated with new ways to protect consumers.
We should be wary of the Federal Government stepping in and
with one stroke of a pen wiping out dozens of State laws
already on the books and preventing future ones.
Broad preemption, in fact, would represent a shift in the
approach taken by many Federal laws. HIPAA allows states to
enact more stringent privacy protections for health
information, and Federal civil rights laws have historically
allowed states to pass higher standards. This is one of the
reasons we have State laws that protect against discrimination
on the basis of sexual orientation, despite the gaps in Federal
law.
Federal legislation must certainly account for cases where
it would be impossible to comply with both a State and Federal
law. But that can be accomplished through a narrow and clear
preemption provision that addresses conflicts and explicitly
preserves the rights of states to pass stronger laws and to
enforce those laws.
Two, any privacy legislation should allow consumers to sue
companies that violate their rights. The FTC undoubtedly needs
more power and more resources. But even if its size were
doubled or even tripled, there would be giant enforcement gaps.
This is part of the reason that the California Attorney General
recently supported legislation to strengthen California's law
with a privacy right of action. In discussing the legislation,
he said, quote, we need to have some help. He highlighted that
individuals should be able to enforce their rights in cases
where the government was not able to take action. Polling in
California has found that 94 percent of consumers support being
able to take a company to court if their privacy rights are
violated.
Three, legislation should protect against discrimination.
There must be the resources and the technical expertise to
enforce existing Federal laws that prohibit discrimination in
the housing, credit, and employment context.
In addition, however, Federal law must be strengthened to
prohibit advertisers from offering different price, services,
and opportunities to individuals based on protected
characteristics like race and gender.
And consumers must also have the tools to address
algorithms or machine learning tools that disparately impact
individuals on the basis of such protected characteristics.
Finally, there should be guardrails on how data can be
collected, stored, and used. For example, use of information
should be limited to the purpose for which it was collected
unless there is additional informed consent. And we should also
prohibit so-called pay for privacy schemes that threaten to
create privacy haves and have-nots and risk causing disastrous
consequences for people who are already struggling financially.
Without these protections a new Federal law risks being a
step backward, not forward.
I look forward to answering your questions.
[The prepared statement of Ms. Guliani follows:]
Prepared Statement of Neema Singh Guliani, Senior Legislative Counsel,
Washington Legislative Office, American Civil Liberties Union
Chairman Thune, Ranking Member Cantwell, and Members of the
Committee,
Thank you for the opportunity to testify on behalf of the American
Civil Liberties Union (ACLU)\1\ and for holding this hearing on,
``Consumer Perspectives: Policy Principles for a Federal Data Privacy
Framework.''
---------------------------------------------------------------------------
\1\ For nearly 100 years, the ACLU has been our Nation's guardian
of liberty, working in courts, legislatures, and communities to defend
and preserve the individual rights and liberties that the Constitution
and laws of the United States guarantee everyone in this country. With
more than three million members, activists, and supporters, the ACLU is
a nationwide organization that fights tirelessly in all 50 states,
Puerto Rico and Washington, D.C., to preserve American democracy and an
open government.
---------------------------------------------------------------------------
Privacy impacts virtually every facet of modern life. Personal
information can be exploited to unfairly discriminate, exacerbate
economic inequality, or undermine security. Unfortunately, our existing
laws have not kept pace with technology, leaving consumers with little
ability to control their own personal information or recourse in cases
where their rights are violated. And, as numerous examples illustrate,
consumers are paying the price. Studies have documented how several
retailers charged consumers different prices by exploiting information
related to their digital habits inferred from people's web-browsing
history.\2\ Some online mortgage lenders have charged Latino and Black
borrowers more for loans, potentially by determining loan rates based
on machine learning and patterns in big data.\3\ And, sensitive data
about the location and staffing of U.S. military bases abroad was
reportedly revealed inadvertently by a fitness app that posted the
location information of users online.\4\
---------------------------------------------------------------------------
\2\ Aniko Hannak, et al., Measuring Price Discrimination and
Steering on E-commerce Web Sites, PROCEEDINGS OF THE 2014 CONFERENCE ON
INTERNET MEASUREMENT CONFERENCE, 2014, at 305-318, http://doi.acm.org/
10.1145/2663716.2663744.
\3\ ROBERT BARTLETT, ADAIR MORSE, RICHARD STANTON & NANCY WALLACE,
CONSUMER-LENDING DISCRIMINATION IN THE ERA OF FINTECH 4 (2018), http://
faculty
.haas.berkeley.edu/morse/research/papers/
discrim.pdf?_ga=2.121311752.1273672289.15563249
69-25127549.1556324969.
\4\ Alex Hern, Fitness Tracking App Strava Gives Away Location of
Secret U.S. Army Bases, THE GUARDIAN (Jan. 28, 2018), https://
www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-
location-of-secret-us-army-bases.
---------------------------------------------------------------------------
The current privacy landscape is untenable for consumers. The ACLU
supports strong baseline Federal legislation to protect consumer
privacy. I would like to emphasize several issues that are of
particular concern to the ACLU and our members. The ACLU strongly urges
Congress to ensure that any Federal privacy legislation, at a minimum,
(1) sets a floor, not a ceiling, for state level protections; (2)
contains robust enforcement mechanisms, including a private right of
action; (3) prevents data from being used to improperly discriminate on
the basis of race, sexual orientation, or other protected
characteristics; and (4) creates clear and strong ground rules for the
use, collection, and retention of consumers' personal data, which does
not rest solely on the flawed notice and consent model.
I. Federal legislation should not prevent states from putting in place
stronger consumer protections or taking enforcement action
Any Federal privacy standards should be a floor--not a ceiling--for
consumer protections. The ACLU strongly opposes legislation that would,
as some industry groups have urged, preempt stronger state laws.\5\
Such an approach would put existing consumer protections, many of which
are state-led, on the chopping block and prevent additional consumer
privacy protections from ever seeing the light of day. We also oppose
efforts to limit the ability of state Attorneys General or other
regulators from suing, fining, or taking other actions against
companies that violate their laws.
---------------------------------------------------------------------------
\5\ See U.S. Chamber of Commerce, U.S. Chamber Privacy Principles,
(Sept. 6, 2018), available at https://www.uschamber.com/issue-brief/us-
chamber-privacy-principles; Internet Association, Privacy Principles,
available at https://internetassociation.org/positions/privacy/.
---------------------------------------------------------------------------
There are multiple examples of states leading the charge to pass
laws to protect consumer privacy from new and emerging threats. For
example, California was the first state in the Nation to require that
companies notify consumers \6\ of a data breach (all states have since
followed suit),\7\ the first to mandate that companies disclose through
a conspicuous privacy policy the types of information they collect and
share with third parties,\8\ and among the first to recognize data
privacy rights for children.\9\ The state's recently passed California
Consumer Privacy Act of 2018, which goes into effect next year, is also
the first in the Nation to apply consumer protections to a broad range
of businesses, including provisions that limit the sale of personal
information, give consumers the right to delete and obtain information
about how their data is being used, and provide a narrow private right
of action for some instances of data breach.
---------------------------------------------------------------------------
\6\ See California Civil Code s.1798.25-1798.29.
\7\ See National Conference of State Legislatures, Security Breach
Notification Laws, (Sept. 29, 2018), available at http://www.ncsl.org/
research/telecommunications-and-information-technology/security-breach-
notification-laws.aspx.
\8\ See California Code, Business and Professions Code--BPC
Sec. 22575.
\9\ See California Code, Business and Professions Code--
BPCSec. 22582.
---------------------------------------------------------------------------
Similarly, Illinois has set important limits on the commercial
collection and storage of biometric information, such as fingerprints
and face prints.\10\ Idaho, West Virginia, Oklahoma, and other states
have passed laws to protect student privacy.\11\ Nevada and Minnesota
require Internet service providers to keep certain information about
their customers private and to prevent disclosure of personally
identifying information.\12\ Arkansas and Vermont have enacted
legislation to prevent employers from requesting passwords to personal
Internet accounts to get or keep a job. At least 34 states also require
private or governmental entities to conduct data minimization and/or
disposal of personal information,\13\ and 22 have laws implementing
data security measures.\14\
---------------------------------------------------------------------------
\10\ See Biometric Information Privacy Act, 740 ILCS 14/, http://
www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57.
\11\ See Center for Democracy and Technology, State Student Privacy
Law Compendium (Oct. 2016), available at https://cdt.org/files/2016/10/
CDT-Stu-Priv-Compendium-FNL.pdf.
\12\ See National Conference of State Legislatures, Privacy
Legislation Related to Internet Service Providers-2018 (Oct. 15, 2018),
available at http://www.ncsl.org/research/telecommunications-and-
information-technology/privacy-legislation-related-to-internet-service-
providers-2018
.aspx.
\13\ See National Conference of State Legislatures, Data Disposal
Laws, available at http://www.ncsl.org/research/telecommunications-and-
information-technology/data-disposal-laws
.aspx.
\14\ See National Conference of State Legislatures, Data Security
Laws (Oct. 15, 2018), available at http://www.ncsl.org/research/
telecommunications-and-information-technology/data-security-laws.aspx.
---------------------------------------------------------------------------
Historically, states have also served a critical enforcement role
in the consumer space, as illustrated by the recent Equifax breach. As
a result of that breach, the data of over 140 million consumers were
exposed due to what some members of Congress referred to as
``malfeasance'' on the part of the company.\15\ Despite this, the
company posted record profits the following year, and consumers have
still have not been fully compensated for the cost of credit freezes
the breach made necessary. While the FTC has an ongoing investigation,
it has yet to take action. In the meantime, the Massachusetts attorney
general is currently suing Equifax seeking damages in an attempt to
obtain compensation for individuals impacted by the breach. In
addition, several state regulators have entered into a consent decree
with the company that puts in place new requirements.\16\
---------------------------------------------------------------------------
\15\ Kevin Liles, Hack Will Lead to Little, if Any, Punishment for
Equifax, N.Y. TIMES (Sept. 20, 2017), available at https://
www.nytimes.com/2017/09/20/business/equifax-hack-penalties.html.
\16\ Kate Fazzini, Equifax Gets New To-do List, But No Fines or
Penalties, CNBC (Jun. 27, 2018), https://www.cnbc.com/2018/06/27/
equifax-breach-consent-order-issued.html.
---------------------------------------------------------------------------
States have been and will continue to be well-positioned to respond
to emerging privacy challenges in our digital ecosystem. New technology
will likely require additional protections and experimenting with
different solutions, and states can serve as laboratories for testing
these solutions. Thus, we should avoid preemption that could lock in
place Federal standards that may soon be obsolete or prevent states
from fully utilizing their enforcement capabilities.
Preemption would not only be bad for consumers, it would represent
a shift in the approach taken by many of our existing laws. For
example, the Telecommunications Act explicitly allows states to enforce
additional oversight and regulatory systems for telephone equipment,
provided they do not interfere Federal law; it also permits states to
regulate additional terms and conditions for mobile phone services.
Title I of the Affordable Care Act permits states to put in place
additional consumer protections related to coverage of health insurance
plans, and HIPPA similarly allows states to enact more stringent
protections for health information.
In addition, all 50 states in some way regulate unfair or deceptive
trade practices, an area also governed by section 5 of the FTC Act.\17\
While the strength of these state laws vary, they are harmonious with
the FTC's mandate and are integral to manageable privacy regulation
enforcement. Such coordination has historically allowed states to fill
gaps that Federal regulators simply do not have the resources or
expertise to address. (An Appendix of additional state privacy laws is
attached to this testimony.)
---------------------------------------------------------------------------
\17\ Carolyn Carter, Consumer Protection in the States: A 0-State
Report on Unfair and Deceptive Acts and Practices Statutes, National
Consumer Law Center, (Feb. 2019), available at https://www.nclc.org/
images/pdf/udap/report_50_states.pdf.
---------------------------------------------------------------------------
We recognize that any Federal legislation must account for
conflicts in cases where it would be impossible for an entity to comply
with both Federal and state laws. However, this can be accomplished
through a clear, narrow conflict-preemption provision, which explicitly
preserves stronger state laws that do not undermine Federal standards,
maintains state enforcement capabilities, and retains state consumer
remedies.
II. Federal legislation must contain strong enforcement mechanisms,
including a private right of action
Federal privacy legislation will mean little without robust
enforcement. Thus, any legislation should grant greater resources and
enforcement capabilities to the FTC and permit state and local
authorities to fully enforce Federal law. To fill the inevitable
government enforcement gaps, however, the ACLU urges Congress to ensure
that Federal legislation also grants consumers the right to sue
companies for privacy violations.
The FTC has a long history of protecting consumer privacy in the
United States. But, alone and with current resources and authorities,
it cannot effectively police privacy alone. In the last 20 years, the
number of employees at the FTC has grown only slightly.\18\ And the
number of employees in the Division of Privacy and Identity Protection
(DPIP) and the Division of Enforcement, which are responsible for the
agency's privacy and data security work, stands at approximately 50 and
44 people, respectively.\19\ To put this in perspective, this is
smaller than the Washington, D.C. offices of many large technology
companies alone. Both the FTC as a whole and DPIP require additional
resources and employees to address the outsize risks to privacy facing
consumers.
---------------------------------------------------------------------------
\18\ FTC Fiscal Year 2019 Budget, p. 4, https://www.ftc.gov/system/
files/documents/reports/fy-2019-congressional-budget-justification/
ftc_congressional_budget_justification_fy_2019.pdf
\19\ Id. at 18.
---------------------------------------------------------------------------
And for the agency's investigations and enforcement actions to have
meaningful deterrent effect, the FTC should be given authority to levy
significant civil penalties in consumer protection actions for the
first violation, rather than only in cases where a company is already
under a consent decree.\20\ It was recently announced that Facebook has
set aside 3 to 5 billion dollars to pay a potential fine to the FTC for
its mishandling of personal information, including conduct related to
Cambridge Analytica.\21\ Following this announcement, Facebook's stock
value surged nonetheless, suggesting that the FTC's current enforcement
powers are woefully lacking when measured against the earning potential
of the largest online businesses.
---------------------------------------------------------------------------
\20\ See Testimony of FTC Chairman Joseph Simons Before the House
Committee on Energy and Commerce, 6 (``Section 5 does not provide for
civil penalties, reducing the Commission's deterrent capability''),
available at https://www.ftc.gov/system/files/documents/
public_statements
/1394526/p180101_ftc_testimony_re_oversight_house_07182018.pdf.
\21\ Elizabeth Dwoskin and Tony Romm, Facebook Sets Aside Billions
of Dollars for Potential FTC Fine, Washington Post (April 24, 2019),
https://www.washingtonpost.com/technology/2019/04/24/facebook-sets-
aside-billions-dollars-potential-ftc-fine/?utm_term=.b09f3d5a6bbd
---------------------------------------------------------------------------
To augment the limited Federal enforcement resources, state and
local enforcement entities should also be given the power to
investigate and enforce Federal privacy law. This aligns with the
approach taken by other laws, including the Fair Debt Collection
Practices Act, which is enforceable by state Attorneys General as well
as through a private right of action.\22\
---------------------------------------------------------------------------
\22\ Letter from Attorneys General of Twenty-One States to House
and Senate Leadership, April 19, 2018, https://ag.ny.gov/sites/default/
files/hr_5082_multistate_letter.pdf.
---------------------------------------------------------------------------
Even with these reforms, however, the scale and scope of potential
harm associated with poor privacy practices are too extensive to be
left to regulators.\23\ Government enforcement will inevitably have
gaps. Thus, providing consumers a private right of action is also
critical from an enforcement standpoint--a concept reflected in several
state approaches. For example, the Illinois Biometric Information
Privacy Act permits aggrieved individuals whose rights are violated to
file suit to seek damages.\24\ The Illinois Supreme Court has
interpreted the law as providing a private right of action to
individuals who allege a statutory violation of the law.\25\ Similarly,
recently, the California Attorney General supported legislation that
would provide a private right of action to consumers in the privacy
context, noting ``We need to have some help. And that's why giving
[consumers] their own private right to defend themselves in court if
the Department of Justice decides it's not acting--for whatever number
of good reasons--that's important to be able to truly say. . .you have
rights.'' \26\
---------------------------------------------------------------------------
\23\ See Letter from California Attorney General Xavier Becerra to
California Assemblymember Ed Chau and Senator Robert Hertzberg, August
22, 2018 (``The lack of a private right of action, which would provide
a critical adjunct to governmental enforcement, will substantially
increase the [Attorney General's Office's] need for new enforcement
resources. I urge you to provide consumers with a private right of
action under the [California Consumer Privacy Act].''), available at
https://digitalcommons.law.scu.edu/cgi/
viewcontent.cgi?article=2801&context=historical.
\24\ Biometric Information Privacy Act, supra note 10, 740 ILCS 14/
, Section 20.
\25\ Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186
(2019).
\26\ Cheryl Miller, Becerra Backs Bill Giving Consumers Power to
Sue for Data Privacy Violations, LAW.COM: THE RECORDER (Feb. 25, 2019),
https://www.law.com/therecorder/2019/02/25/becerra-backs-bill-giving-
consumers-power-to-sue-for-data-privacy-violations/.
---------------------------------------------------------------------------
In order to be effective, a private right of action should have two
key protections for consumers. First, it should specify statutory
damages for all violations of privacy rights, not just instances where
a consumer has offered conclusive proof of tangible damages. When
conduct is potentially harmful, statutory damages offer a compelling
solution. In copyright infringement, for example, statutory damages can
range from $750 to $30,000 per work infringed.\27\ Similarly, the Fair
Debt Collection Practices Act provides for statutory damages of up to
$1,000 per violation.\28\ These statutory-damage provisions encourage
rigorous compliance by establishing that violations carry a significant
penalty. Privacy law should do the same.
---------------------------------------------------------------------------
\27\ 17 U.S.C. Sec. 504(c)(2).
\28\ 15 USC 1692k.
---------------------------------------------------------------------------
Second, consumers should be protected against mandatory arbitration
clauses buried in terms of service that restrict their rights to have a
court hear their claims and undermine the ability of class actions to
collectively redress privacy violations.\29\ One Federal judge called
these arbitration clauses ``a totally coerced waiver of both the right
to a jury and the right of access to the courts'' that are ``based on
nothing but factual and legal fictions.'' \30\ Similarly, in a dissent
in this term's Lamps Plus case, Justice Ginsburg noted, ``mandatory
individual arbitration continues to thwart `effective access to
justice' for those encountering diverse violations of their legal
rights.'' \31\ Privacy law should neither tolerate such waivers nor
indulge the legal and factual fictions that underlie them.
---------------------------------------------------------------------------
\29\ Jessica Silver-Greenberg & Robert Gebeloff, Arbitration
Everywhere, Stacking the Deck of Justice, N.Y. Times, October 31, 2015,
https://www.nytimes.com/2015/11/01/business/deal
book/arbitration-everywhere-stacking-the-deck-of-justice.html.
\30\ Meyer v. Kalanick, 291 F. Supp. 3d 526, 529 (S.D.N.Y. 2018).
\31\ Lamps Plus v. Varela, 587 U.S. __(2019)(Ginsburg, R.,
dissenting).
---------------------------------------------------------------------------
III. Federal legislation should guard against discrimination in the
digital ecosystem
Existing Federal laws prohibit discrimination in the credit,
employment, and housing context. Any Federal privacy legislation should
ensure such prohibitions apply fully in the digital ecosystem and are
robustly enforced. In addition, we urge Congress to strengthen existing
laws to guard against unfair discrimination, including in cases where
it may stem from algorithmic bias.
Many online providers have been slow to fully comply with Federal
antidiscrimination laws. The rise of big data and personalized
marketing has enabled new forms of discrimination that run afoul of
existing Federal laws, including Title VII of the Civil Rights Act, the
Age Discrimination in Employment Act, the Fair Housing Act, and the
Equal Credit Opportunity Act. For example, Facebook recently settled a
lawsuit brought by ACLU and other civil rights organizations amid
allegations that it discriminated on the basis of gender and age in
targeting ads for housing and employment.\32\ The lawsuit followed
repeated failures by the company to fully respond to studies
demonstrating that the platform improperly permitted ad targeting based
on prohibited characteristics, like race, or proxies for such
characteristics. The company is also now the subject of charges brought
by the Department of Housing and Urban Development (HUD), which
includes similar allegations.\33\
---------------------------------------------------------------------------
\32\ ACLU, Facebook Agrees to Sweeping Reforms to Curb
Discriminatory Ad Targeting Practices (Mar. 19, 2019), https://
www.aclu.org/news/facebook-agrees-sweeping-reforms-curb-discriminatory-
ad-targeting-practices.
\33\ Complaint of Discrimination Against Facebook, FHEO No. 01-18-
032308, https://www
.hud.gov/sites/dfiles/Main/documents/HUD_v_Facebook.pdf.
---------------------------------------------------------------------------
Outside the credit, employment, and housing contexts,
discriminatory targeting and marketing may also raise civil rights
concerns. For example, commercial advertisers should not be permitted
to offer different prices, services, or opportunities to individuals,
or to exclude them from receiving ads offering certain commercial
benefits, based on characteristics like their gender or race. And
regulators and consumers should be given information and tools to
address algorithms or machine learning models that disparately impact
individuals on the basis of protected characteristics.
Federal law must be strengthened to address these challenges.
First, Federal privacy law should make clear that existing
antidiscrimination laws apply fully in the online ecosystem, including
in online marketing and advertising. Federal agencies that enforce
these laws, like HUD, the EEOC, and the Consumer Financial Protection
Bureau, should be fully resourced and given the technical capabilities
to vigorously enforce the law in the context of these new forms of
digital discrimination. In addition, companies should be required to
audit their data processing practices for bias and privacy risks, and
such audits should be made available to regulators and disclosed
publicly, with redactions if necessary to protect proprietary
information. Finally, researchers should be permitted to independently
audit platforms for bias, and Congress should not permit enforcement of
terms of service that interfere with such testing.
IV. Federal privacy legislation must place limits on how personal
information can be collected, used, and retained
Legislation must include real protections that consider the modern
reality of how people's personal information is collected, retained,
and used. The law should limit the purposes for which consumer data can
be used, require purging of data after permissible uses have completed,
prevent coercive conditioning of services on waiving privacy rights,
and limit so-called ``pay for privacy'' schemes. Otherwise, we risk
ending up in the same place we began--with consumers simply checking
boxes to consent with no real understanding of or control over how
their data will be used.
This current broken privacy regime has largely been built around
the concept of ``notice and consent'': as long as a company includes a
description of what it is doing somewhere in a lengthy fine-print
click-through ``agreement,'' and the consumer ``agrees'' (which they
must do to utilize a service), then the company is broadly regarded as
having met its privacy obligations. And legally, a company is most
vulnerable if it violates specific promises in those click-through
agreements or other advertisements.\34\ An ecosystem of widespread
privacy invasions has grown out of the impossible legal fiction that
consumers read and understand such agreements.\35\ The truth is that
consumers do not have real transparency into how their data is being
used and abused, and they do not have meaningful control over how their
data is used once it leaves their hands.
---------------------------------------------------------------------------
\34\ Dave Perrerra, FTC privacy enforcement focuses on deception,
not unfairness, Mlex Market Insight, February 22, 2019, available at
https://mlexmarketinsight.com/insights-center/editors-picks/Data-
Protection-Privacy-and-Security/north-america/ftc-privacy-enforcement-
focuses-on-deception,-not-unfairness.
\35\ See Alex Madrigal, Reading the Privacy Policies You Encounter
in a Year Would Take 76 Work Days, THE ATLANTIC (Mar 1. 2012),
available at https://www.theatlantic.com/technology/archive/2012/03/
reading-the-privacy-policies-you-encounter-in-a-year-would-take-76-
work-days/253851/.
---------------------------------------------------------------------------
Worse, technologists and academics have found that advertising
companies ``innovate'' in online tracking technologies to resist
consumers' attempts to defeat that tracking. This is done by, for
example, using multiple identifiers that replicate each other, virus-
like, when users attempt to delete them. Technical circumvention of
privacy protections is sufficiently commonplace that data brokers are
even offering what is effectively re-identification as a service,
promising the ability to ``reach customers, not cookies.'' \36\
Advertisers, the experts conclude, ``use new, relatively unknown
technologies to track people, specifically because consumers have not
heard of these techniques. Furthermore, these technologies obviate
choice mechanisms that consumers exercise.'' \37\
---------------------------------------------------------------------------
\36\ Reach Customers, Not Just Cookies, LiveRamp Blog, September
10, 2015 (available at https://liveramp.com/blog/reach-customers-not-
just-cookies/) (``Cookies are like an anonymous ID that cannot identify
you as a person.'').
\37\ Chris Jay Hoofnagle, et al, Behavioral Advertising: The Offer
You Cannot Refuse, 6 Harvard Law & Policy Review (Aug. 2010), available
at https://papers.ssrn.com/sol3/papers.cfm?
abstract_id=2137601.
---------------------------------------------------------------------------
In short, not only have consumers lost control over how and when
they are monitored online, companies are actively working to defeat
efforts to resist that monitoring. Currently, individuals who want
privacy must attempt to win a technological arms race with the multi-
billion dollar Internet-advertising industry. American consumers are
not content with this state of affairs. Numerous polls show that the
current online ecosystem makes people profoundly uncomfortable.\38\
Similarly, recent polling released by the ACLU of California showed
overwhelming support for measures adding strong privacy protections to
the law, including requiring that companies get permission before
sharing people's personal information.\39\
---------------------------------------------------------------------------
\38\ See, e.g., Marc Fisher & Craig Timberg, American Uneasy About
Surveillance but Often Use Snooping Tools, Post Poll Finds, Wash. Post
(Dec. 21, 2013), https://www.washingtonpost.com/world/national-
security/americans-uneasy-about-surveillance-but-often-use-snooping-
tools-post-poll-finds/2013/12/21/ca15e990-67f9-11e3-ae56-
22de072140a2_story.html; Edward Baig, Internet Users Say, Don't Track
Me, U.S.A. Today (Dec. 14, 2010), http://usatoday30.usatoday.com/money/
advertising/2010-12-14-donottrackpoll14_ST_N.htm; Joseph Turow et. al.,
Contrary to What Marketers Say, Americans Reject Tailored Advertising
and Three Activities that Enable It (2009), https://www.nytimes.com/
packages/pdf/business/20090929-Tailored_Advertising.pdf.
\39\ California Voters Overwhelmingly Support Stronger Consumer
Privacy Protections, New Data Shows, ACLU of Northern California,
available at https://www.aclunc.org/news/california-voters-
overwhelmingly-support-stronger-consumer-privacy-protections-new-data-
shows.
---------------------------------------------------------------------------
To address these deficiencies, privacy legislation should include a
meaningful ``opt-in'' baseline rule for the collection and sharing of
personal information. To be meaningful, protections must not allow
businesses to force consumers, in order to participate fully in
society, to ``agree'' to arcane lengthy, agreements that they cannot
understand. Legislation should also support technological opt-in
mechanisms such as ``do not track'' flags in web browsers by requiring
that companies honor those flags. In addition to this, Federal
legislation should approach the collection (and especially use) of
personal information that is not necessary for the provision of a
service with skepticism.
Moreover, the law should reject so-called ``pay-for-privacy''
schemes, which allow companies to offer a more expensive or lower
quality product to people who exercise privacy rights. These kinds of
schemes discourage everyone from exercising their privacy rights, and
risk causing disastrous follow-on consequences for people who are
already financially struggling.\40\ Privacy is a right that everyone
should have, not just people with the ability to pay for it.
---------------------------------------------------------------------------
\40\ Mary Madden, The Devastating Consequences of Being Poor in the
Digital Age, The New York Times, April 25, 2019 (``When those who
influence policy and technology design have a lower perception of
privacy risk themselves, it contributes to a lack of investment in the
kind of safeguards and protections that vulnerable communities both
want and urgently need.'') (available at https://www.nytimes.com/2019/
04/25/opinion/privacy-poverty.html).
---------------------------------------------------------------------------
V. Conclusion
The current Federal privacy framework is failing consumers. But, in
enacting Federal privacy legislation, Congress must ensure that it does
not do more harm than good by preempting existing and future state laws
that protect consumers. Moreover, it must ensure that its reforms
amount to more than just a fig leaf. Consumers do not need another box
to check; they need limits on how companies can treat their data, the
ability to enforce their privacy rights in court, and protection
against digital discrimination. These reforms and others are necessary
to prevent exploitation of data from being used to exacerbate
inequality, unfairly discriminate, and undermine security.
Appendix. State Privacy Laws
The chart below provides a list of some existing state privacy
laws. This is not an exhaustive list of all state consumer privacy
laws, nor does it include all general laws that may be relevant in the
consumer privacy context.
------------------------------------------------------------------------
Summary and/or Relevant
State Provisions Source
------------------------------------------------------------------------
Alabama 8Data security. Requires business Ala. Code 1975
entities and government to Sec. 8-38-1 to
provide notice to certain 12 (``Alabama
persons upon a breach of Data Breach
security that results in the Notification Act
unauthorized acquisition of of 2018'')0
sensitive personally identifying
information. Provides standards
of reasonable security measures
and investigations into
breaches.
Deceptive Trade Practices Act. Ala. Code Sec.
Broadly prohibits unfair, Sec. 8-19-1 to
deceptive, or unconscionable 15
acts. Creates a private right of
action and gives Attorney
General and district attorneys
power to enforce statute.
------------------------------------------------------------------------
Alaska 8Breach notification law that Alaska Stat. Ann.
provides for: (1) notice Sec. 45.48.010
requirement when a breach of (``Alaska
security concerning personal Personal
information has occurred; (2) Information
ability to place a security Act'')0
freeze on a consumer credit
report; (3) various restrictions
on the use of personal
information and credit
information; (4) disposal of
records containing personal
information; (5) allowing a
victim of identity theft to
petition the court for a
determination of factual
innocence; and (6) truncation of
credit card information. The SSN
section also states that no one
can require disclosure of a SSN
to access a product or service.
State constitution: ``The right Alaska Const.
of the people to privacy is art. I, Sec. 22
recognized and shall not be
infringed. The legislature shall
implement this section.''
8Unfair Trade Practices and Alaska Stat. Sec.
Consumer Protection Act. Broadly Sec. 45.50.471
prohibits unfair, deceptive, or to .5610
unconscionable acts. Creates a
private right of action and
gives Attorney General and
district attorneys power to
enforce statute.
When disposing of records that Alaska Stat. Sec.
contain personal information, a 45.48.500
business and a governmental
agency shall take all reasonable
measures necessary to protect
against unauthorized access to
or use of the records.
------------------------------------------------------------------------
Arizona 8Provides that public library or Ariz. Rev. Stat.
library systems shall not allow Sec. 41-151.220
disclosure of records or other
information which identifies a
user of library services as
requesting or obtaining specific
materials or services or as
otherwise using the library.
State constitution: ``No person Ariz. Const. art.
shall be disturbed in his II Sec. 8
private affairs, or his home
invaded, without authority of
law.''
8Consumer Fraud Act. Broadly Ariz. Rev. Stat.
prohibits unfair, deceptive, or Ann. Sec. Sec.
unconscionable acts. Gives 44-1521 through
Attorney General power to 44-15340
enforce statute.
Entity must discard and dispose Ariz. Rev. Stat.
of records containing personal Sec. 44-7601
identifying information.
Enforceable by attorney general
or a county attorney.
------------------------------------------------------------------------
Arkansas 8Requires government websites or Ark. Code Ann.
state portals to establish Sec. 25-1-1140
privacy policies and procedures
and incorporate machine-readable
privacy policies into their
websites
Data security law that applies to Ark. Code Sec. 4-
a person or business that 110-101 to -10
acquires, owns, or licenses (Personal
personal information. Requires Information
implementation and maintenance Protection Act)
of reasonable security amended in 2019
procedures and practices Arkansas Law Act
appropriate to the nature of the 1030 (H.B. 1943)
information. Amended to include
biometric data.
8Prevents employers from Ark. Code Ann.
requesting passwords to personal Sec. 11-2-1240
Internet accounts to get or keep
a job.
Prohibits use of Automated Ark. Code Sec.
License Plate Readers (ALPRs) by Sec. 12-12-1801
individuals, partnerships, to 12-12-1808
companies, associations or state (``Automatic
agencies. Provides exceptions License Plate
for limited use by law Reader System
enforcement, by parking Act'')
enforcement entities, or for
controlling access to secure
areas. Prohibits data from being
preserved for more than 150
days.
8Deceptive Trade Practices Act. Ark. Code Ann.
Broadly prohibits deceptive and Sec. Sec. 4-88-
unconscionable trade practices. 101 through 4-88-
Makes it a misdemeanor to 2070
knowingly and willfully commit
unlawful practice under the law
and gives attorney general power
of civil enforcement and to
create a Consumer Advisory
Board.
------------------------------------------------------------------------
California Gives consumers right to request Cal. Civ. Code
a business to disclose the Sec. 1798.100
categories and specific pieces to .198 (``The
of personal information that the California
business has collected about the Consumer Privacy
consumers and the source of that Act of 2018'')
information and business purpose
for collecting the information.
Consumers may request that a
business delete personal
information that the business
collected from the consumers.
Consumers have the right to opt
out of a business's sale of
their personal information, and
a business may not discriminate
against consumers who opt out.
Applies to California residents.
Effective Jan. 1, 2020.
8State constitution: ``All people Cal. Const. art.
are by nature free and I Sec. Sec. 1,
independent and have inalienable 230
rights. Among these are enjoying
and defending life and liberty,
acquiring, possessing, and
protecting property, and
pursuing and obtaining safety,
happiness, and privacy.''
8``Every natural person has the
right to be let alone and free
from governmental intrusion into
the person's private life except
as otherwise provided herein.
This section shall not be
construed to limit the public's
right of access to public
records and meetings as provided
by law.''0
Require government websites or Cal. Govt. Code
state portals to establish and Sec. 11019.9
publish privacy policies and
procedures
8Permits minors to remove, or to Cal. Bus. & Prof.
request and obtain removal of, Code Sec. Sec.
content or information posted on 22580-22582
website, online service, online (``California's
application, or mobile Privacy Rights
application. Prohibits operator for California
of a website or online service Minors in the
directed to minors from Digital World
marketing or advertising Act'')0
specified products or services
that minors are legally
prohibited from buying.
Prohibits marketing or
advertising products based on
personal information specific to
a minor or knowingly using,
disclosing, compiling, or
allowing a third party to do so.
Protects a library patron's use Cal. Govt. Code
records, such as written records Sec. 6267
or electronic transaction that
identifies a patron's borrowing
information or use of library
information resources,
including, but not limited to,
database search records,
borrowing records, class
records, and any other
personally identifiable uses of
library resources information
requests, or inquiries
8Protects information about the Cal. Civil Code
books Californians browse, read Sec. 1798.90
or purchase from electronic (``Reader
services and online booksellers Privacy Act'')0
who may have access to detailed
information about readers, such
as specific pages browsed.
Requires a search warrant, court
order, or the user's affirmative
consent before such a business
can disclose the personal
information of its users related
to their use of a book, with
specified exceptions, including
an imminent danger of death or
serious injury.
Operator of a commercial website Cal. Bus. & Prof.
or online service must disclose Code Sec. 22575
in its privacy policy how it
responds to a web browser 'do
not track' signal or similar
mechanisms providing consumers
with the ability to exercise
choice about online tracking of
their personal information
across sites or services and
over time. Operator must
disclose whether third parties
are or may be conducting such
tracking on the operator's site
or service.
8Operator, defined as a person or Calif. Bus. &
entity that collects personally Prof. Code Sec.
identifiable information from 22575-22578
California residents through an (CalOPPA)0
Internet website or online
service for commercial purposes,
must post a conspicuous privacy
policy on its website or online
service (which may include
mobile apps) and to comply with
that policy. The privacy policy
must identify the categories of
personally identifiable
information that the operator
collects about individual
consumers who use or visit its
website or online service and
third parties with whom the
operator may share the
information.
Prohibits a person or entity from Cal. Bus. & Prof.
providing the operation of a Code Sec.
voice recognition feature in 22948.20
California without prominently
informing, during the initial
setup or installation of a
connected television, either the
user or the person designated by
the user to perform the initial
setup or installation of the
connected television. Prohibits
manufacturers or third-party
contractors from collecting any
actual recordings of spoken word
for the purpose of improving the
voice recognition feature.
Prohibits a person or entity
from compelling a manufacturer
or other entity providing the
operation of voice recognition
to build specific features to
allow an investigative or law
enforcement officer to monitor
communications through that
feature.
8Requires private nonprofit or Cal. Educ. Code
for-profit postsecondary Sec. 991220
educational institutions to post
a social media privacy policy on
the institution's website
Requires all nonfinancial Cal. Civ. Code
businesses to disclose to Sec. Sec. 1798.
customers the types of personal 83 to .84
information the business shares
with or sells to a third party
for direct marketing purposes or
for compensation. Businesses may
post a privacy statement that
gives customers the opportunity
to choose not to share
information at no cost.
8Breach notification requirements Cal. Civ. Code
when unencrypted personal Sec. Sec. 1798.
information, or encrypted 29, 1798.820
personal information and the
security credentials, was or
reasonably believed to have been
acquired by an unauthorized
person. Applies to agencies and
businesses.
Data security. Applies to a Cal Civ. Code
business that owns, licenses, or Sec. 1798.81.5
maintains personal information &
third-party contractors. Must
implement and maintain
reasonable security procedures
and practices appropriate to the
nature of the information.
8Provides that the California Cal. Vehicle Code
Highway Patrol (CHP) may retain Sec. 24130
data from a license plate reader
for no more than 60 days, unless
the data is being used as
evidence in felony cases.
Prohibits selling or making
available ALPR data to non-law
enforcement officers or
agencies. Requires CHP to report
to the legislature how ALPR data
is being used.
Establishes regulations on the Cal. Civ. Code
privacy and usage of automatic Sec. Sec. 1798.
license plate recognition (ALPR) 90.50 to .55
data and expands the meaning of
``personal information'' to
include information or data
collected through the use or
operation of an ALPR system.
Imposes privacy protection
requirements on entities that
use ALPR information, as
defined; prohibit public
agencies from selling or sharing
ALPR information, except to
another public agency, as
specified; and require operators
of ALPR systems to use that
information only for authorized
purposes. Establishes private
right of action.
8Prohibits unfair competition, Cal. Bus. & Prof.
which includes any unlawful, Code Sec. Sec.
unfair, or fraudulent business 17200 through
act or practice. 175940
Prohibits unfair methods of Cal. Civ. Code
competition and unfair or Sec. Sec. 1750
deceptive acts or practices through 1785
undertaken by any person in a (``Consumer
transaction intended to result Legal Remedies
or that results in the sale or Act'')
lease of goods or services to a
consumer. Provides a private
right of action.
------------------------------------------------------------------------
Colorado 8Requires the state or any Colo. Rev. Stat.
agency, institution, or Sec. 24-72-204.
political subdivision that 50
operates or maintains an
electronic mail communications
system to adopt a written policy
on any monitoring of electronic
mail communications and the
circumstances under which it
will be conducted. The policy
shall include a statement that
correspondence of the employee
in the form of electronic mail
may be a public record under the
public records law and may be
subject to public inspection
under this part.
Requires government websites or Colo. Rev. Stat.
state portals to establish and Sec. 24-72-501
publish privacy policies and to -502
procedures
8Data security. Applies to any Colo. Rev. Stat.
private entity that maintains, Sec. 6-1-713,
owns, or licenses personal Sec. 6-1-7160
identifying information in the
course of the person's business
or occupation. Must develop
written policies for proper
disposal of personal information
once such information is no
longer needed. Implement and
maintain reasonable security
practices and procedures to
protect personal identifying
information from unauthorized
access.
Requires that video or still Colo. Rev. Stat.
images obtained by ``passive Sec. 24-72-113
surveillance'' by governmental
entities, such as images from
monitoring cameras, must be
destroyed within three years
after the recording of the
images. Specifies that the
custodian of a passive
surveillance record may only
access the record beyond the
first anniversary after the date
of creation of the record if
there has been a notice of claim
filed, or an accident or other
specific incident that may cause
the passive surveillance record
to become evidence in any civil,
labor, administrative, or felony
criminal proceeding. Creates
exceptions allowing retention of
passive surveillance records of
any correctional facility, local
jail, or private contract prison
and passive surveillance records
made or maintained as required
under Federal law
8Prohibits deceptive trade Colo. Rev. Stat.
practices. Attorney generals and Sec. Sec. 6-1-1
district attorneys enforce 01 through 6-1-
statute. 1150
------------------------------------------------------------------------
Connecticut Requires any person who collects Conn. Gen. Stat.
Social Security numbers in the Sec. 42-471
course of business to create a
privacy protection policy. The
policy must be ``publicly
displayed'' by posting on a web
page and the policy must (1)
protect the confidentiality, (2)
prohibit unlawful disclosure,
and (3) limit access to Social
Security numbers.
8Employers who engage in any type Conn. Gen. Stat.
of electronic monitoring must Sec. 31-48d0
give prior written notice to all
employees, informing them of the
types of monitoring which may
occur. If employer has
reasonable grounds to believe
that employees are engaged in
illegal conduct and electronic
monitoring may produce evidence
of this misconduct, the employer
may conduct monitoring without
giving prior written notice.
Labor Commissioner may levy
civil penalties against a
violator who fails to give
notice of monitoring.
Health data security law that Conn. Gen. Stat.
applies to any health insurer, Sec. 38a-999b
health care center or other
entity licensed to do health
insurance business in the state.
Requires them to implement and
maintain a comprehensive
information security program to
safeguard the personal
information of insureds and
enrollees that is compiled or
maintained by such company.
8Data security law that applies Conn. Gen. Stat.
to contractors, defined as an Sec. 4e-700
individual, business or other
entity that is receiving
confidential information from a
state contracting agency or
agent of the state pursuant to a
written agreement to provide
goods or services to the state.
Must implement and maintain a
comprehensive data-security
program, including encryption of
all sensitive personal data
transmitted wirelessly or via a
public Internet connection, or
contained on portable electronic
devices.
Prohibits unfair or deceptive Conn. Gen. Stat.
acts or practices in the conduct Sec. Sec. 42-11
of any trade or commerce. 0a through 42-
Commissioner enforces. Creates 110q
private right of action.
------------------------------------------------------------------------
Delaware 8Prohibits operators of websites, Del. Code Ann.
online or cloud computing tit. 6, Sec.
services, online applications, 1204C0
or mobile applications directed
at children from marketing or
advertising on its Internet
service specified products or
services. When the marketing is
provided by an advertising
service, the operator of
Prohibits disclosing a child's
personally identifiable
information if it is known that
the child's personally
identifiable information will be
used to market those products or
services to the child.
Requires an operator of a Del. Code Ann.
commercial Internet website, tit. 6, Sec.
online or cloud computing 1205C
service, online application, or
mobile application that collects
personally identifiable
information through the Internet
about individual users residing
in Delaware to make its privacy
policy conspicuously available.
An operator shall be in
violation of this subsection
only if the operator fails to
make its privacy policy
conspicuously available within
30 days after being notified of
noncompliance.
8Prohibits a commercial entity Del. Code Ann.
which provides a book service tit. 6, Sec.
from disclosing users' personal 1206C0
information to law enforcement
entities, governmental entities,
or other persons, except under
specified circumstances. Allows
immediate disclosure of a user's
book service information to law
enforcement entities when there
is an imminent danger of death
or serious physical. Requires a
book service provider to prepare
and post online an annual report
on its disclosures of personal
information, unless exempted
from doing so. The Consumer
Protection Unit of the
Department of Justice has the
authority to investigate and
prosecute violations of the
acts.
Prohibits employers from Del. Code Ann.
monitoring or intercepting tit. 19, Sec.
electronic mail or Internet 705
access or usage of an employee
unless the employer has first
given a one-time notice to the
employee. Provides exceptions
for processes that are performed
solely for the purpose of
computer system maintenance and/
or protection, and for court
ordered actions. Provides for a
civil penalty of $100 for each
violation.
8Require government websites or Del. Code tit. 29
state portals to establish and Sec. 9018C0
publish privacy policies and
procedures
Prohibits deceptive acts in Del. Code Ann.
connection with the sale, lease, tit. 6, Sec.
or advertisement of any Sec. 2511
merchandise. Gives investigative through 2527,
power to attorney general and 2580 through
creates a private right of 2584 (``Consumer
action. Fraud Act'')
8Any person who conducts business Del. Code Sec.
in the state and owns, licenses, 12B-1000
or maintains personal
information must implement and
maintain reasonable procedures
and practices to prevent the
unauthorized acquisition, use,
modification, disclosure, or
destruction of personal
information collected or
maintained in the regular course
of business.
------------------------------------------------------------------------
District of Prohibits unfair or deceptive D.C. Code Sec.
Columbia trade practices involving any Sec. 28-3901
and all parts of economic output through 28-3913
of society.
------------------------------------------------------------------------
Florida 8State constitution: The right of Fla. Const. art.
the people to be secure in their I Sec. 120
persons, houses, papers, and
effects against unreasonable
searches and seizures, and
against the unreasonable
interception of private
communications by any means,
shall not be violated
Data security law that applies to Fla. Stat. Ann.
commercial entities and third- Sec. 501.171
party agents (entity that has
been contracted to maintain,
store, or process personal
information on behalf of a
covered entity or governmental
entity). Requires reasonable
measures to protect and secure
data in electronic form
containing personal information.
8Creates a public records Fla. Stat. Ann.
exemption for certain images and Sec. 316.07770
data obtained through the use of
an automated license plate
recognition system and personal
identifying information of an
individual in data generated
from such images. Provides that
images and data containing
personal information obtained
from automated license plate
recognition systems are
confidential. Allows for
disclosure to criminal justice
agencies and to individuals to
whom the license plate is
registered in certain
circumstances.
Prohibits unfair or deceptive Fla. Stat. Sec.
acts or practices in the conduct Sec. 501.201
of any trade of commerce, through 501.213
defined as advertising, ('' Deceptive
soliciting, providing, offering, and Unfair Trade
or distributing commodity or Practices Act'')
thing of value. Creates private
right of action.
------------------------------------------------------------------------
Georgia 8License plate data may be Ga. Code Ann.
collected and accessed only for Sec. 35-1-220
a law enforcement purpose. The
data must be destroyed no later
than 30 months after it was
originally collected unless the
data are the subject matter of a
toll violation or for law
enforcement. Allows sharing of
captured license plate data
among law enforcement agencies.
Law enforcement agencies
deploying an automated license
plate recognition system must
maintain policies for the use
and operation of the system,
including but not limited to
policies for the training of law
enforcement officers in the use
of captured license plate data
Broadly prohibits unfair and Ga. Code Ann.
deceptive practices in the Sec. Sec. 10-1-
conduct of consumer 390 through 10-1-
transactions, defined as the 407 (``Fair
sale, purchase, lease, or rental Business
of goods, services, or property. Practices Act'')
Creates private right of action.
------------------------------------------------------------------------
Hawaii 8Any business or government Haw. Stat. Sec.
agency that collects personal 487N-1 to N-70
information shall provide notice
upon discovery of a security
breach. Establishes a council
that will identify best privacy
practices.
State constitution: ``The right Haw. Const. art.
of the people to privacy is I Sec. Sec. 6,
recognized and shall not be 7
infringed without the showing of
a compelling state interest. The
legislature shall take
affirmative steps to implement
this right.''
``The right of the people to be
secure in their persons, houses,
papers and effects against
unreasonable searches, seizures
and invasions of privacy shall
not be violated; and no warrants
shall issue but upon probable
cause, supported by oath or
affirmation, and particularly
describing the place to be
searched and the persons or
things to be seized or the
communications sought to be
intercepted.''
8Prohibits unfair competition Haw. Rev. Stat.
against any person and unfair or Sec. 480-20
deceptive acts or practices,
enforceable by any consumer.
Applies to the conduct of any
trade or commerce.
------------------------------------------------------------------------
Idaho Prohibits use of drones to Idaho Code Sec.
capture images of people or 21-213
gather information about
individuals in the absence of a
warrant or written consent.
8Imposes regulations on Idaho Code Sec.
individual student data, 33-1330
restricts secondary uses of such
data, and provides for data
destruction
Broadly prohibits unfair or Idaho Code Ann.
deceptive acts and practices in Sec. Sec. 48-60
the conduct of any trade or 1 through 48-619
commerce. An unconscionable act (``Consumer
is a violation whether it occurs Protection
before, during, or after the Act'')
transaction.
------------------------------------------------------------------------
Illinois 8Prohibits state agency websites Ill. Rev. Stat.
to use cookies or other invasive ch. 5 Sec. 177/
tracking programs to monitor 100
viewing habits
Limits on collection and storage 740 Ill. Comp.
of biometric data. Prohibits Stat. 14/1
private entity from capturing or (Biometric
obtaining biometric information Information
without notice and consent. Privacy Act)
Creates private right of action
8State constitution: ``The people Ill. Const. art.
shall have the right to be I, Sec. 60
secure in their persons, houses,
papers and other possessions
against unreasonable searches,
seizures, invasions of privacy
or interceptions of
communications by eavesdropping
devices or other means. No
warrant shall issue without
probable cause, supported by
affidavit particularly
describing the place to be
searched and the persons or
things to be seized.
Makes it unlawful for an employer 820 Ill. Comp.
or prospective employer to Stat. 55/10
request or require an employee (Right to
or applicant to authenticate or Privacy in the
access a personal online account Workplace Act)
in the presence of the employer,
to request or require that an
employee or applicant invite the
employer to join a certain
group, or join an online account
established by the employer;
prohibits retaliation against an
employee or applicant.
8Broadly prohibits unfair methods 815 Ill. Comp.
of competition and unfair or Stat. 505/1
deceptive acts or practice in through 505/120
the conduct of any trade or
commerce.
------------------------------------------------------------------------
Indiana Data Security. Applies to Ind. Code Sec.
database owner, defined as a 24-4.9-3-3.5
person that owns or licenses
computerized data that includes
personal information. Must
implement and maintain
reasonable procedures, including
taking any appropriate
corrective action for breaches.
8Prohibits unfair, abusive, or Ind. Code Sec.
deceptive act, omission, or Sec. 24-5-0.5-1
practice in connection with a to -12
consumer transaction. Creates (``Deceptive
private right of action for a Consumer Sales
person relying upon an uncured Act'')0
or incurable deceptive act.
------------------------------------------------------------------------
Iowa Require government Websites or Iowa Code Sec.
state portals to establish and 22.11
publish privacy policies and
procedures.
8Prohibits unfair and deceptive Iowa Code Sec.
acts in connection with the Sec. 714.16
lease, sale, or advertisement of through 714.16A0
any merchandise. Enforceable
only by the Attorney General,
unless there was intent to cause
reliance upon the act in which
case consumers can enforce the
prohibition.
------------------------------------------------------------------------
Kansas Defines breach of privacy such as K.S. Stat Sec.
intercepting phone calls and 21-6101
private messages, use of
recording devices inside or
outside of a place without prior
consent, use of video recording
without prior consent. Does not
apply to utility companies where
recording communications is
necessary in order to provide
the service/utility requested.
8Data security. Applies to a K.S. Sec. 50-
holder of personal information 6,139b0
(a person who, in the ordinary
course of business, collects,
maintains or possesses, or
causes to be collected,
maintained or possessed, the
personal information of any
other person.) Must implement
and maintain reasonable
procedures and practices
appropriate to the nature of the
information, and exercise
reasonable care to protect the
personal information from
unauthorized access, use,
modification or disclosure.
Prohibits deceptive and Kan. Stat. Ann.
unconscionable acts in Sec. Sec. 50-62
connection with a consumer 3 through 50-640
transaction, regardless of and 50-675a
whether the act occurs before, through 50-679a
during, or after the
transaction. Creates private
right of action.
------------------------------------------------------------------------
Kentucky 8Notification to affected persons Ky. Rev. Stat.
of computer security breach Ann. 365.7320
involving their unencrypted
personally identifiable
information.
Personal information security and Ky. Rev. Stat.
breach investigation procedures Ann. 61.932
and practices for certain public
agencies and nonaffiliated third
parties.
8Prohibited uses of personally Ky. Rev. Stat.
identifiable student information Ann. 365.7340
by cloud computing service
provider
Department procedures and Ky. Rev. Stat.
regulations, including Ann. 171.450
appropriate procedures to
protect against unauthorized
access to or use of personal
information
8Prohibits unfair, deceptive, and Ky. Rev. Stat.
unconscionable acts relating to Ann. Sec. Sec.
trade or commerce. Private cause 367.110 through
of action only to person who 367.990
purchases or leases goods or (``Consumer
services. Protection
Act'')0
------------------------------------------------------------------------
Louisiana Data security law applies to any La. Rev. Stat.
person that conducts business in 51:3071 to :3077
the state or that owns or (``Database
licenses computerized data that Security Breach
includes personal information. Notification
Must implement and maintain Law'')
reasonable security procedures
and practices appropriate to the
nature of the information to
protect the personal information
from unauthorized access,
destruction, use, modification,
or disclosure. Personal
information includes name, SSN,
driver's license or state ID
number, account numbers,
passport numbers, or biometric
data, but excludes information
lawfully made public from
federal, state, or local
government records.
8State constitution: ``Every La. Const. art. I
person shall be secure in his Sec. 50
person, property,
communications, houses, papers,
and effects against unreasonable
searches, seizures, or invasions
of privacy. No warrant shall
issue without probable cause
supported by oath or
affirmation, and particularly
describing the place to be
searched, the persons or things
to be seized, and the lawful
purpose or reason for the
search. Any person adversely
affected by a search or seizure
conducted in violation of this
Section shall have standing to
raise its illegality in the
appropriate court.''
Prohibits unfair or deceptive La. Rev. Stat.
acts and practices in the Ann. Sec. Sec.
conduct of any trade or 51:1401 to :1420
commerce, including advertising.
Creates private right of action.
------------------------------------------------------------------------
Maine 8Require government websites or 1 M.R.S.A. Sec.
state portals to establish and 5420
publish privacy policies and
procedures
Prohibits the use of automatic 29-A M.R.S.A.
license plate recognition Sec. 2117-A
systems except for certain
public safety purposes. Provides
that data collected is
confidential and may be used
only for law enforcement
purposes. Data collected may not
be stored more than 21 days.
8Prohibits unfair or deceptive Me. Rev. Stat.
practice in the conduct of any Ann. tit. 5,
trade or commerce, including Sec. Sec. 205A
advertising. Creates private to 214 (``Unfair
right of action for any person Trade Practices
who purchases or leases goods, Act'')0
services, or property as a
result of an unlawful practice
or act under the law.
------------------------------------------------------------------------
Maryland Data security provisions apply to Md. Code Com Law
businesses and nonaffiliated Sec. Sec. 14-35
third party/service provider. 01 to -3503
Must implement and maintain
reasonable security procedures
and practices appropriate to the
nature of the personal
information owned or licensed
and the nature and size of the
business and its operations.
Personal information includes
name, SSN, driver's license or
state ID number, account
numbers, TIN, passport number,
health information, biometric
data, user name or e-mail
address in combination with
password or security question.
8Specifies the procedures and Md. Public Safety
protocols that a law enforcement Code Sec. 3-
agency must follow in connection 5090
with the operation of an
``automatic license plate reader
system'' and ``captured plate
data.'' Requires the State
Police to adopt procedures to
address who has access to the
data, training, and create an
audit process. Data gathered by
an automatic license plate
reader system are not subject to
disclosure under the Public
Information Act.
Prohibits unfair, abusive, or Md. Code Ann.,
deceptive trade practices, Com. Law Sec.
regardless of whether the Sec. 13-101 to
consumer was in fact misled, 501 (``Consumer
deceived, or damage as a result Protection
of the practice. Consumer can Act'')
file a complaint, which the
agency will investigate and
potentially refer to the FTC
------------------------------------------------------------------------
Massachusetts 8A person shall have a right Mass. Gen. Laws
against unreasonable, Ch. 214 Sec.
substantial or serious 1B0
interference with his privacy.
The superior court shall have
jurisdiction in equity to
enforce such right and in
connection therewith to award
damages.
Data security law applies to any Mass. Gen. Laws
person that owns or licenses Ch. 93H Sec.
personal information. Authorizes 2(a)
regulations to ensure security
and confidentiality of customer
information in a manner fully
consistent with industry
standards. The regulations shall
take into account the person's
size, scope and type of
business, resources available,
amount of stored data, and the
need for security and
confidentiality of both consumer
and employee information.
8Broadly prohibits unfair and Mass. Gen. Laws
deceptive acts and practice sin Ann. ch. 93A,
the conduct of any trade or Sec. Sec. 1 to
commerce. Creates private right 110
of action.
------------------------------------------------------------------------
Michigan Preserve personal privacy with Mich. Comp. Laws
respect to the purchase, rental, Ann. Sec.
or borrowing of certain 445.1712
materials. Provides penalties
and remedies
8Prohibits unfair, Mich. Comp. Laws
unconscionable, or deceptive Sec. Sec. 445.9
methods, acts, or practices in 01 to .9220
the conduct of trade or
commerce. Creates private right
of action.
------------------------------------------------------------------------
Minnesota Requires Internet Service Minn. Stat. Sec.
Providers to keep private Sec. 325M.01 to
certain information concerning .09
their customers, unless the
customer gives permission to
disclose the information.
Prohibit disclosure of
personally identifying
information, and requires ISPs
to get permission from
subscribers before disclosing
information about the
subscribers' online surfing
habits and Internet sites
visited.
8Require government websites or Minn. Stat. Sec.
state portals to establish and 13.150
publish privacy policies and
procedures.
Makes a misdemeanor to publish or Minn. Stat. Ann.
disseminate of advertisements Sec. 325F.67
which contain any material
assertion, representation, or
statement of fact which is
untrue, deceptive, or misleading
8Prohibits act, use, or Minn. Stat. Sec.
employment by any person of any Sec. 325F.680
fraud, false pretense,
misleading statement, or
deceptive practice, with the
intent that others rely on it in
the sale of any merchandise
------------------------------------------------------------------------
Mississippi Data security law that applies to Miss. Code Ann.
any person who conducts business Sec. 75-24-29
in the state and in the ordinary
course of business. Personal
information includes name, SSN,
driver's license or state ID
number, or financial account
numbers
8Broadly prohibits unfair and Miss. Code Ann.
deceptive practices as long as Sec. Sec. 75-24
they are in or affecting -1 to -270
commerce. Only attorney general
can enforce the prohibitions.
------------------------------------------------------------------------
Missouri Defines ``E-book'' and ``digital Mo. Rev. Stat.
resource or material'' and adds Sec. 182.815,
them to the items specified in 182.817
the definition of ``library
material'' that a library patron
may use, borrow, or request.
Provides that any third party
contracted by a library that
receives, transmits, maintains,
or stores a library record may
not release or disclose all or a
portion of a library record to
anyone except the person
identified in the record or by a
court order.
8Prohibits unfair or deceptive Mo. Rev. Stat.
trade practices or omissions in Sec. Sec. 407.0
connection with the sale or 10 to -.307
advertisement of merchandise in (``Merchandising
trade or commerce, whether the Practices
act was committed before, Act'')0
during, or after the sale,
advertisement, or solicitation.
Any person who purchases or
leases merchandise and suffers
loss as a result of the unlawful
act may bring a civil action
Montana Require government website or Mont. Code Ann.
state portals to establish and Sec. 2-17-550
publish privacy policies and to -553
procedures. Allows sale and
disclosure to third parties,
provided notice and consent.
8State constitution: The right of Mont. Const. art.
individual privacy is essential II Sec. 100
to the well-being of a free
society and shall not be
infringed without the showing of
a compelling state interest.
Prohibits methods of competition Mont. Code Ann.
and unfair or deceptive acts or Sec. Sec. 30-14
practices in the conduct of any -101 to -142
trade or commerce.
------------------------------------------------------------------------
Nebraska 8Data security law applies to any Neb. Rev. Stat.
individual or commercial entity Sec. Sec. 87-80
that conducts business in 1 to -8070
Nebraska and maintains personal
information about Nebraska
residents. Must establish and
maintain reasonable security
processes and practices
appropriate to the nature of the
personal information maintained.
Ensure that all third parties to
whom the entity provides
sensitive personal information
establish and maintain
reasonable security processes
and practices appropriate to the
nature of the personal
information maintained.
Prohibits employers from Neb. Rev. Stat.
accessing an applicant or an Sec. Sec. 48-35
employee's personal Internet 01 to 48-3511
accounts and taking adverse (Workplace
action against an employee or Privacy Act)
applicant for failure to provide
any information related to the
account; prohibits retaliation
against an employee who files a
complaint under the Act;
prohibits an employee from
downloading or transferring any
private proprietary information
or financial data to a personal
Internet account without
authorization.
8Requires any governmental entity Neb. Rev. Stat.
that uses an automatic license Sec. 60-3201 to
plate reader (ALPR) system to 32090
adopt a policy governing use of
the system. Governmental
entities also must adopt a
privacy policy to ensure that
captured plate data is not
shared in violation of this act
or any other law. The policies
must be posted on the Internet
or at the entity's main office.
Requires annual reports to the
Nebraska Commission on Law
Enforcement and Criminal Justice
on ALPR practices and usage.
Provides that captured plate
data is not considered a public
record.
Broadly prohibits unfair or Neb. Rev. Stat.
deceptive trade practices in the Sec. Sec. 59-16
conduct of any trade or 01 to -1623
commerce. Creates private right
of action.
------------------------------------------------------------------------
Nevada 8Requires operators of Internet Nev. Rev. Stat.
websites or online services that Sec. 603A.3400
collect personally identifiable
information from residents of
the state to notify consumers
about how that information is
used.
Require Internet Service Nev. Rev. Stat.
Providers to keep private Sec. 205.498
certain information concerning
their customers, unless the
customer gives permission to
disclose the information.
8Data security. Applies to data Nev. Rev. Stat.
collector that maintains records Sec. Sec. 603A.
which contain personal 210, 603A.2150
information and third parties to
whom they disclose. Must
implement and maintain
reasonable security measures
Prohibits deceptive trade Nev. Rev. Stat.
practices, including knowingly Sec. Sec. 598.0
making any other false 903 to .0999
representation in the course of
a business or occupation. Also
prohibits failing to disclose
material fact in connection with
sale or lease of goods or
services. Private right of
action created under Nev. Rev.
Stat. Sec. 41.600.
------------------------------------------------------------------------
New Hampshire 8Prohibits government officials N.H. Rev. Stat.
from obtaining access to Sec. 359-C:40
customer financial or credit
records, or the information they
contain, held by financial
institutions or creditors
without the customer's
authorization, an administrative
subpoena, a search warrant, or a
judicial subpoena
Makes a crime to willfully N.H. Rev. Stat.
intercept any telecommunication Sec. 570-A:2 to
or oral communication without A:2-a
the consent of all parties to
the communication. It is
unlawful to willfully use an
electronic, mechanical, or other
device to intercept an oral
communication or to disclose the
contents of an intercepted
communication. Law enforcement
needs warrant, exception to
warrant, or consent to use cell
site simulators.
8State constitution: An N.H. Const. Pt.
individual's right to live free 1, art. II0
from governmental intrusion in
private or personal information
is natural, essential, and
inherent.
Broadly prohibits unfair method N.H. Rev. Stat.
of competition or any unfair or Sec. Sec. 358-A
deceptive practice in the :1 to -A:13
conduct of any trade or commerce
within the state. Creates
private right of action.
------------------------------------------------------------------------
New Jersey 8Prohibits act, use, or N.J. Stat. Ann.
employment by any person of any Sec. Sec. 56:8-
unconscionable commercial 1 to -910
practice, deception, fraud,
misrepresentation, or the
knowing concealment,
suppression, or omission of any
material fact with the intent
that others rely upon it in
connection with the sale or
advertisement of any merchandise
or real estate. Creates private
right of action.
------------------------------------------------------------------------
New Mexico Data security law applies to a N.M. Stat. Sec.
person that owns or licenses 57-12C-4, to 12C-
personal identifying information 5
of a New Mexico resident. Must
implement and maintain
reasonable security procedures
and practices appropriate to the
nature of the information to
protect the personal identifying
information from unauthorized
access, destruction, use,
modification or disclosure.
8Prohibits unfair, N.M. Stat. Sec.
unconscionable, and deceptive Sec. 57-12-1 to
practices involving goods, -22 (``Unfair
services, credit, or debt Practices
collection, made in the course Act'')0
of the person's trade or
commerce. Private right of
action.
------------------------------------------------------------------------
New York Require government Websites or N.Y. State Tech.
state portals to establish and Law Sec. 201 to
publish privacy policies and 207
procedures
8Prohibits deceptive acts in the N.Y. Exec. Law
conduct of any business, trade, Sec. 63(12);
or commerce or service. Only N.Y. Gen. Bus.
attorney general can enforce Law Sec. Sec.
prohibitions on repeated 349 and 3500
fraudulent acts or
unconscionable contract
provisions
------------------------------------------------------------------------
North Carolina Requires state or local law N.C. Gen. Stat.
enforcement agencies to adopt a Sec. Sec. 20-18
written policy governing the use 3.30 to .32
of an ALPR system that addresses
databases used to compare data
obtained by the system, data
retention and sharing of data
with other law enforcement
agencies, system operator
training, supervision of system
use, and data security and
access. Requires audits and
reports of system use and
effectiveness. Limits retention
of ALPR data to no more than 90
days, except in specified
circumstances. Provides that
data obtained by the system is
confidential and not a public
record.
8Prohibits unfair methods of N.C. Gen. Stat.
competition, and unfair or Sec. Sec. 75-1.
deceptive acts or practices in 1 to -350
or affecting business
activities. Creates private
right of action
------------------------------------------------------------------------
North Dakota Prohibits an act, use, or N.D. Cent. Code
employment of any deceptive act Sec. Sec. 51-15
or practice, fraud, or -01 to -11
misrepresentation, with the
intent that others rely thereon
in connection with the sale or
advertisement of any
merchandise. Acts or
advertisements which causes or
is likely to cause substantial
injury to a person and not
reasonably avoidable by the
injured person and not
outweighed by countervailing
benefits to consumers or to
competition, is declared to be
an unlawful practice. Creates
private right of action.
------------------------------------------------------------------------
Ohio 8Data security law that applies Ohio Rev. Code
to Business or nonprofit entity Ann. Sec.
that accesses, maintains, 1354.01 to
communicates, or handles 1354.050
personal information or
restricted information. To
qualify for an affirmative
defense to a cause of action
alleging a failure to implement
reasonable information security
controls resulting in a data
breach, an entity must create,
maintain, and comply with a
written cybersecurity program
that contains administrative,
technical, and physical
safeguards for the protection of
personal information
Prohibits unfair, unconscionable, Ohio Rev. Code
or deceptive trade practices in Ann. Sec. Sec.
connection with a consumer 1345.01 to .13
transaction, regardless of
whether the act occurs before,
during, or after the
transaction.
------------------------------------------------------------------------
Oklahoma 8Requires public reporting of 70 Okl. Stat.
which student data are collected Ann. Sec. 3-168
by the state, mandates creation (Student Data
of a statewide student data Accessibility,
security plan, and limits the Transparency and
data that can be collected on Accountability
individual students and how that Act)0
data can be shared. It
establishes new limits on the
transfer of student data to
federal, state, or local
agencies and organizations
outside Oklahoma
------------------------------------------------------------------------
Oregon Data security law that applies to Or. Rev. Stat
any person that owns, maintains, Sec. 646A.622
or otherwise possesses data that
includes a consumer's personal
information that is used in the
course of the person's business,
vocation, occupation or
volunteer activities. Must
develop, implement, and maintain
reasonable safeguards to protect
the security, confidentiality,
and integrity of the personal
information, including disposal
of the data
8Prohibits unconscionable tactics Or. Rev. Stat.
and other unfair or deceptive Sec. Sec. 646.6
conduct in trade commerce. 05 through
Consumer can challenge unfair or 646.6560
deceptive conduct only after the
Attorney General has first
established a rule declaring
that conduct to be unfair or
deceptive.
------------------------------------------------------------------------
Pennsylvania Prohibits unfair or deceptive 73 Pa. Stat. Ann.
practices in the conduct of any Sec. Sec. 201-1
trade or commerce. Creates through 201-9.3
private right of action.
------------------------------------------------------------------------
Rhode Island 8Data security measure applies to R.I. Gen. Laws
a business that owns or licenses Sec. 11-49.3-20
computerized unencrypted
personal information & a
nonaffiliated third-party
contractor. Must implement and
maintain a risk-based
information security program
with reasonable security
procedures and practices
appropriate to the nature of the
information.
Prohibits unfair or deceptive R.I. Gen. Laws
practices in the conduct of any Sec. Sec. 6-13.
trade or commerce. Creates 1-1 through 6-
private right of action. 13.1-27
------------------------------------------------------------------------
South Carolina 8Requires government Websites or S.C. Code Ann.
state portals to establish and Sec. 30-2-400
publish privacy policies and
procedures
Data security law that applies to S.C. Code Sec.
a person licensed, authorized to 38-99-10 to -
operate, or registered, or 100.
required to be licensed,
authorized, or registered
pursuant to the insurance laws
of the state. Requires a
licensee to develop, implement
and maintain a comprehensive
information security program
based on the licensee's risk
assessment. Establishes
requirements for the security
program, such as implementing an
incident response plan and other
details
8State constitution: The right of S.C. Const. art.
the people to be secure in their I, Sec. 100
persons, houses, papers, and
effects against unreasonable
searches and seizures and
unreasonable invasions of
privacy shall not be violated,
and no warrants shall issue but
upon probable cause, supported
by oath or affirmation, and
particularly describing the
place to be searched, the person
or thing to be seized, and the
information to be obtained.
Prohibits unfair or deceptive S.C. Code Ann.
practices in the conduct of any Sec. Sec. 39-5-
trade or commerce. Creates 10 through 39-5-
private right of action. 160
------------------------------------------------------------------------
South Dakota 8Prohibits knowing and S.D. Codified
intentional deceptive acts in Laws Sec. Sec.
connection with the sale or 37-24-1 through
advertisement of merchandise 37-24-35,
amended by 2019
South Dakota
Laws Ch. 177 (SB
20)0
------------------------------------------------------------------------
Tennessee Requires the state or any agency, Tenn. Code Sec.
institution, or political 10-7-512
subdivision thereof that
operates or maintains an
electronic mail communications
system to adopt a written policy
on any monitoring of electronic
mail communications and the
circumstances under which it
will be conducted. The policy
shall include a statement that
correspondence may be a public
record under the public records
law and may be subject to public
inspection under this part.
8Provides that any captured Tenn. Code Sec.
automatic license plate data 55-10-3020
collected by a government entity
may not be stored for more than
90 days unless they are part of
an ongoing investigation, and in
that case provides for data to
be destroyed after the
conclusion of the investigation.
Prohibits specific unfair or Tenn. Code Ann.
deceptive acts or practices Sec. Sec. 47-18
limited to those enumerated -101 through 47-
which affect the conduct of any 18-125
trade or commerce. Only attorney
general can bring an enforcement
action.
------------------------------------------------------------------------
Texas 8Data security measure that Tex. Bus. & Com.
applies to a business or Code Sec.
association that collects or 521.0520
maintains sensitive personal
information. (Does not apply to
financial institutions).
Requires implementation of
reasonable procedures, including
taking any appropriate
corrective action.
Prohibits false, unconscionable Tex. Bus. & Com.
and deceptive acts in the Code Ann. Sec.
conduct of any trade or Sec. 17.41
commerce. Consumer protection through 17.63
division can enforce
------------------------------------------------------------------------
Utah 8Require all nonfinancial Utah Code Ann.
businesses to disclose to Sec. Sec. 13-37
customers, in writing or by -201 to -2030
electronic mail, the types of
personal information the
business shares with or sells to
a third party for direct
marketing purposes or for
compensation. Provides a private
right of action
Requires government websites or Utah Code Ann.
state portals to establish Sec. 63D-2-101,
privacy policies and procedures to -104
8Data security. Applies to any Utah Code Ann.
person who conducts business in Sec. Sec. 13-44
the state and maintains personal -101, -201, 3010
information. Must implement and
maintain reasonable procedures.
Amended in 2019 to define is
subject to a civil penalty
Captured license plate data are a Utah Code Ann.
protected record if the captured Sec. Sec. 41-6a-
plate data are maintained by a 2001 to -2005
governmental entity. Provides
that captured plate data may
only be shared for specified
purposes, may only be preserved
for a certain time, and may only
be disclosed pursuant to
specific circumstances such as a
disclosure order or a warrant.
Government entities may not use
privately held captured plate
data without a warrant or court
order, unless the private
provider retains captured plate
data for 30 days or fewer.
8Prohibits deceptive and Utah Code Ann.
unconscionable acts or practices Sec. Sec. 13-11
by suppliers in connection with -1 through 13-11-
a consumer transaction, 230
regardless of whether it occurs
before, during, or after the
transaction. Private right of
action.
------------------------------------------------------------------------
Vermont Prevents employers from 21 V.S.A. Sec.
requesting passwords to personal 495
Internet accounts to get or keep
a job.
8Data security. Applies to Data 9 V.S.A Sec.
brokers--businesses that 2446-24470
knowingly collect and license
the personal information of
consumers with whom such
businesses do not have a direct
relationship. Must implement and
maintain a written information
security program containing
administrative, technical, and
physical safeguards to protect
personally identifiable
information.
Broadly prohibits unfair or 9 V.S.A. Sec.
deceptive acts or practices in Sec. 2451 to
commerce 2480g
------------------------------------------------------------------------
Virginia 8Require government websites or Va. Code Sec.
state portals to establish and 2.2-38000
publish privacy policies and
procedures
Prohibits specified fraudulent Va. Code Ann.
and deceptive acts and practices Sec. Sec. 59.1-
committed by a supplier in 196 through 59.1-
connection with a consumer 207
transaction.
------------------------------------------------------------------------
Washington 8State constitution: No person Wash. Const. art.
shall be disturbed in his I, Sec. 70
private affairs, or his home
invaded, without authority of
law
Prohibits unfair methods of Wash. Rev. Code
competition and unfair or Sec. Sec. 19.86
deceptive acts or practices in .010 through
the conduct of any trade or 19.86.920
commerce. Private right of
action.
------------------------------------------------------------------------
West Virginia 8Student data law governing use W. Va. Code, Sec.
sharing of student privacy 18-2-5h0
rights, and notification of
transfer of confidential
information.
Prohibits unfair methods of W. Va. Code Sec.
competition and unfair or Sec. 46A-6-101
deceptive acts or practices in through 46A-6-
the conduct of any trade or 110
commerce. Private right of
action.
------------------------------------------------------------------------
The Chairman. Well, thank you very, very much.
And we will now proceed to questions. Mr. Polonetsky, let
me begin with you. And I referred to this in my opening
statement.
Both the GDPR and the CCPA are written to give consumers
more control over their data by establishing certain rights.
These rights include the right to access, right to erasure or
deletion, right to data portability, and others.
I mentioned in my opening statement a concern that these
rights may inadvertently decrease privacy for consumers because
companies may be compelled to retain, track, or re-identify
data that they would otherwise have discarded. So if you would
comment about that and then I will ask the others if they have
got any observations.
Mr. Polonetsky. I think we can effectively provide people
strong rights of access and deletion if we carefully make it
clear that we are not going to be requiring companies to do
more tracking in order to be able to provide that data.
Certainly GDPR goes in that direction. I think it is solvable
by making it clear that you need to know who you are providing
data to. You need to clearly verify so that you are providing
the data to the person and not creating an opportunity for data
breaches. But I think carefully crafting the right in a way
that gives us those protections is quite feasible.
The Chairman. Is that a problem that has been experienced
under GDPR? I just did not understand exactly what you were
saying there.
Mr. Polonetsky. GDPR certainly makes it clear that you are
not obligated to do extra tracking in order to have the data to
provide back to people. I think there have been some concerns,
since the CCPA is new, in exactly what it means to verify
somebody is not quite clear. So people are looking for
guidance. I think one of the reasons I argue this committee
should act and, indeed, override CCPA is we can fix some of
those areas where there is clarity so that people have a strong
right of access and we do not create any over-disclosure by
providing those deletion rights that we want to provide.
The Chairman. OK.
Mr. Steyer.
Mr. Steyer. So thanks, Mr. Chairman. A couple of things.
One, in California a few years ago, we passed a bill called
The Eraser Button, and the point was you could erase---kids
under 18 could have erased any content that they had foolishly
posted without thinking about it. We think that that idea is
something that should also be part of a broader Federal law.
The issue has actually been the enforcement. So my
colleague on my left mentioned the enforcement issues. That has
been the biggest issue around the erasure issue. And actually I
am sure that Ms. Dixon knows that because there is a right in
Europe to be forgotten. So this is a very important thing that
the Committee should do.
The second thing I would mention off of what Jules just
said is that data minimization, which for, again, a luddite,
simpleminded person like me means that you only should use the
data for what you really need it for, you should not be able to
use data broadly for multiple purposes, is another critically
important element of what a Federal privacy law should have.
And that was the toughest part for us to actually hold onto in
California. That is the piece of the CCPA that if you could do
it over again or make it stronger, you would have stronger data
minimization.
So those are the two items I would mention, Mr. Chairman.
The Chairman. Ms. Guliani.
Ms. Guliani. I mean, I think absolutely. I mean, the
average consumer does not know what data is being collected on
them and does not necessarily know how to make sure that that
data is accurate or to request deletion. So that is something
that can certainly be accomplished while accommodating, I
think, the interests of not wanting to encourage businesses to
retain more information.
I will note that the right to be forgotten is not something
that we would want to be adopted identically in the U.S. There
are potential First Amendment considerations. For example, we
would not want an individual to be able to request that a
newspaper published an article about them that was disparaging
take down that content. So there might need to be some
modifications from GDPR to be consistent with the U.S.
Constitution.
The Chairman. Thank you.
Ms. Dixon, let me shift just in the few moments I have
left. There is information that after the GDPR went into
effect, a number of small businesses had to shut down because
they simply could not afford to comply. Is that a concern, and
what do you say to that? And what advice do you have for this
Congress?
Ms. Dixon. I mentioned earlier, Chairman, that the tasks of
data protection authorities in the EU are broad, and one of our
key tasks in advance of GDPR was to prepare industry and in
particular SMEs and micro-enterprises. And in doing so, we
heard a lot of concerns from smaller companies about their
ability to comply with what is a vast and sometimes technical
and complex law.
However, through the awareness campaign that we rolled out
and the very specific guidance we were able to issue to smaller
enterprises, we were able to clarify the risk-based approach
that the GDPR endorses, in other words, that organizations only
need to implement what are called the organizational and
technical measures appropriate to the levels of risk in the
scale of personal data processing that they are undertaking.
So, in fact, the GDPR does consider smaller enterprises.
Some very specific articles in the GDPR, like article 30, the
requirement to document data processing operations--it
recognizes that smaller scale enterprises do not need to
conduct that particular exercise.
So I think for every organization, the GDPR is a win-win
when it is implemented. It engenders the trust of consumers. It
protects organizations. And we have not seen any direct
evidence of organizations having to shut down because they
could not meet the compliance burden once they understood how
they could practically implement it.
The Chairman. Thank you.
Senator Cantwell.
Senator Cantwell. Thank you, Mr. Chairman.
Again, thank you, everybody, for your testimony.
Ms. Guliani, it is good to hear from you and Mr. Steyer
about the California law and its need for improvements. I can
guarantee you one of the first calls I made when taking over
this spot was to Attorney General Becerra, a former colleague,
to ask him about the California law. And he said basically what
you articulated, Ms. Guliani, that it needs improvement and
that he sought to seek that.
So I wondered--Ms. Guliani, you were very clear on the
discriminatory practices in housing and employment, race and
gender issues that are being deployed. To your point of people
not even knowing how the information is used and collected, who
do you think is the repository for all of these violations that
are existing today? Do you think we get that from you, the AGs?
Like who do you think has the running list of duplicitous
actions that are being used against people with their data?
Ms. Guliani. I do not think anybody has a running list,
which is why I think it is so important that we have robust
enforcement on multiple levels. So we need the FTC to be
resourced and have the technical expertise. They should also be
able to level civil penalties.
But at the same time, I think we want to take advantage of
State attorneys general and regulatory agencies who have a long
history of protecting consumers.
And finally, I think consumers have to have the right to go
to court themselves. I mean, there may be many cases where
either State or Federal authorities do not have the resources
and so, for good reason, cannot follow up on a privacy
violation.
I think without a multi-pronged approach from an
enforcement standpoint what you will effectively have are gaps
and gaps that can be exploited.
Senator Cantwell. Well, I think to the issues that you
mentioned, these are things that we batted down in other areas
of the law. So to see them pop up online would be really just
an undermining of current Federal law. So that is why it is so
important that we fight against it to make sure that the online
world meets the same standard as broadcasters have to meet in
the broadcast world or health care officials have to meet in
other forms of health care. We do not allow those things to pop
up.
I think the one thing that we learned from the Facebook
hearing or Facebook writ large is just that anytime you see a
survey online, chances are that information is just a data
collection source so that some information can be used against
you. Or when you have that familiar do you want a call back
from somebody on the service is really a can I sell your name
to someone else who is going to then try to solicit something
from you.
So I think it is very important that we get a handle on
these current privacy violations so that the public has a
better understanding.
To this point about the erasing of data, one thing that we
have learned from our privacy law that we passed through this
Committee on clearing your good name, which was a tool by which
we gave those who were victims of identity theft the ability to
get a claim through the FTC and basically present that to law
enforcement that they were the victim, not the perpetrator of
the crime. How do you see enforcement working on something like
that? Because to me, it is a very big challenge to have--you
know, the standard which we are operating now is basically
people call attorney generals and attorney generals basically
prosecute these people and get them shut down. Really, that is
what happens. Consumers call in and complain.
And so in this case, there is a lot data and information
being used and they do not even know how it is being used and
they do not even know that they are, as you said, on housing or
loans being discriminated against.
Ms. Guliani. Yes. I mean, I think that you really touch an
important point, and one is that it is hard to figure out when
a privacy violation has occurred or discriminatory conduct has
occurred. I mean, just think about discriminatory advertising.
I do not know the ads I have not seen, and so how do I know
that I have been denied the opportunity for, let us say, an
employment opportunity because I am a woman or a person of
color. And so I think that it is really important that, one,
the standards be clear so that companies know the rules of the
road and, two, that the enforcement entities need to be looking
at those companies, following up on those complaints when they
get phone calls, having the resources to do that.
But I think another thing that we also should look at is
especially with algorithms and machine learning, more
transparency, you know, companies allowing outside researchers
to look at their algorithms and say, hey, this is having a
disparate impact or this is having a discriminatory effect. And
so we should really be encouraging those types of behaviors and
encouraging companies to do risk assessments to measure
potential discrimination.
Senator Cantwell. But just to be clear, you think that
these companies should face the same penalties as other
companies who have violated the law that is already in
existence?
Ms. Guliani. Exactly. Self-regulation is not working and
there should be robust enforcement.
Senator Cantwell. Thank you.
The Chairman. Thank you very much.
Senator Blunt.
STATEMENT OF HON. ROY BLUNT,
U.S. SENATOR FROM MISSOURI
Senator Blunt. Thank you, Chairman.
Ms. Dixon, you mentioned in your testimony that the Irish
Data Protection Commission is the lead supervisory authority in
the EU for a significant number of U.S. companies because of
domicile and other things. I do not want you to name companies,
but are there U.S. companies, 11 months now into the
implementation of this, that are noncompliant with the GDPR?
Ms. Dixon. Thank you, Senator.
In the 11 months since the GDPR came into application, we
have opened 17 significant investigations into potential
infringement by the large U.S. tech companies. So we have
reason to believe then clearly that there are potential
infringements of the GDPR arising. And we are significantly
advanced in a number of those investigations and intend to
bring a decision and an outcome on those investigations----
Senator Blunt. Do you have similar investigations with EU-
based companies?
Ms. Dixon. We do. So overall, we have 51 significant
investigations underway currently. So a subset relate to the
U.S. tech companies. We supervise government and public sector
also in Ireland in addition to commercial enterprises. So it is
across the board.
Senator Blunt. So it is safe to assume that in the regime
that has been put in place, that U.S. companies do not have a
more difficult time or an easier time, either one, than EU
companies in complying?
Ms. Dixon. I think it is not a case of a more difficult or
easier compliance approach. It is a risk-based approach that
the GDPR endorses. And so when you have platforms that have
billions of users in some cases and certainly hundreds of
millions of EU persons as users, the risks are potentially
higher in terms of the issues that arise around breaches and
noncompliance with the principles.
Senator Blunt. And both EU companies and U.S. companies are
being fined for noncompliance?
Ms. Dixon. We will have to conclude the investigations
and----
Senator Blunt. Before the penalty?
So have you issued any fines up till now?
Ms. Dixon. The investigations have not yet concluded, the
first tranche that we have underway.
Senator Blunt. All right. Thank you.
Mr. Polonetsky, Senator Schatz and I have some legislation
on facial recognition, thinking that also is a significant data
that uniquely recognizes people, obviously. I think we both
agree that that information collected through facial
recognition needs to be treated like all other personal data.
Can you share your perspective on how Congress should
define personally identified information, whether that should
include facial recognition and how we would treat that in a way
similar or unlike other commercially collected data?
Mr. Polonetsky. I would argue that a bill should recognize
that there are special categories, sensitive categories of
information, and the typical default for collecting, using,
sharing that information should be a strong consent-based
model. There may be places where we can see opt out or default.
But certainly when it comes to sensitive data, biometric data,
DNA, facial prints, fingerprints are clearly sensitive data and
should be subject to a stronger consent-based standard.
Senator Blunt. Are there best practices out there yet?
Mr. Polonetsky. We have done a fairly detailed set of best
practices as we have seen these technologies in the market.
What we try to do is differentiate between facial recognition,
which I think we all know, recognizing my unique ID, creating a
template, and then perhaps facial detection. How many heads are
in this space? How many male or female heads? I certainly can
see potential for discrimination if I treat people differently,
but I do not have a unique identification. And so in our
structure, we set up a tier. If a business just wants to know
how many people are in the room, unique numbers of people, that
might be a notice and a way to opt out, but if I am going to
identify you by your name, the default ought to be that I need
your permission.
Senator Blunt. And, Mr. Steyer, I think you were at the
meeting the other day the Senator and I had on the CAMRA Act.
Mr. Steyer. Right.
Senator Blunt. Is there a facial recognition element there
or concern about kids on screens?
Mr. Steyer. There should be.
And by the way, thank you very much for supporting the
CAMRA Act because I think this is really an issue that is a big
deal for everybody because we get it. Your personally
identifiable information is really, really important.
The one thing I would say I differ with Mr. Polonetsky on
is the California law basically does not differentiate between
types of data. It just says all data deserve strong protection.
And one thing I would urge the Committee to think about is look
how California treated data. We did not actually distinguish.
And Mr. Polonetsky wrote thoughtful comments for this hearing.
But we think basically all data that is your personal data is
really important. Obviously, stuff like facial recognition
matters a lot to all of us because we understand it. We think
all data matters.
Senator Blunt. Thank you, and Senator Markey and I are
working on the screen time, face time element of that
particularly as it relates to kids.
Mr. Steyer. And thank you for doing that very much.
Senator Blunt. Thank you, Chairman.
The Chairman. And thank you.
Senator Schatz.
STATEMENT OF HON. BRIAN SCHATZ,
U.S. SENATOR FROM HAWAII
Senator Schatz. Thank you, Mr. Chairman.
Thank you for the testimonies. We have had a constructive
conversation.
I want to start with the FTC. My view is that any law ought
to have--and this is for Mr. Steyer and Ms. Guliani--first fine
authority and APA rulemaking authority. And I just want to get
your view on whether you agree with that? Mr. Steyer.
Mr. Steyer. I completely agree with that. I mean, if you
really look at it in a practical common sense way--and Attorney
General Becerra you guys were referring to who was angry at me
because we passed a law--because he is my law school classmate
and friend said, ``Oh, my God, now I became the Chief Privacy
Officer in California.''
The big issue is resources for enforcement. You could speak
to Attorney General Becerra.
Senator Schatz. I will get to that, sir. It is a yes.
Mr. Steyer. Yes, definitely to your question.
Ms. Guliani. Yes, definitely.
Senator Schatz. And let us talk about resources for
enforcement. So the Ireland DPA has 135 employees. They are
about one and a half percent of the U.S. population. The FTC
has, obviously, more employees, but as it relates to--full-time
privacy staff has 40.
Do we need more human beings at the FTC devoted to privacy?
Mr. Steyer. Yes, absolutely. No brainer.
Ms. Guliani. Yes, absolutely and increase technical
expertise. I think as you note, the size of the FTC is probably
smaller than the DC office of a lot of major tech companies.
Senator Schatz. That is a fair point. OK.
Let me go back to transparency and control. I have been
banging this drum for a while. I am great with transparency and
control. I just do not think it is enough. And as we think
about Senator Blunt and I working on facial recognition, you
are going to walk into a mall and this idea that there will be
sensors everywhere and they will be pinging off of your face.
And then let us say we pass a pretty robust transparency and
control regime. I am not sure how you can effectuate a
transparency and control regime if your phone is not constantly
giving you a notification and having you make individual micro-
decisions about whether Banana Republic is going to send you a
message or the Apple store or whatever. Or, heaven forbid, but
what happens if you did not bring your phone into the mall? How
do you even say no to some of this data collection?
It seems to me that we do need belt and suspenders, that we
ought to be able to turn the dials on some of these decisions.
But we also need to recognize the impracticability in an IoT
universe of transparency and control of giving any real
control. I mean, to Chairman Wicker's point in his opening
statement, is that really a choice.
I am wondering, Mr. Steyer and then Ms. Guliani, how much
of this do you think can be accomplished through transparency
and control, and how much of this do you think ought to be
backed up with a principle of, listen, we are going to
configure a statute best we can, but in order to future-proof
this and in order to back this thing up, we have to have a
basic principle in the law which says you may not harm people
with the data that you collect? Mr. Steyer.
Mr. Steyer. I completely agree with you. You could have
written my remarks. I agree with you. Transparency and control
are important, but they are simply not enough by themselves.
And we talked about the rights to access, to delete, to
port your information. And certain acts should be completely
off limits like behavioral ads targeting kids. So transparency
and control are important, but they are simply not enough.
Notice and consent, sort of broad terms like that, just are not
enough. We have to go farther. And we think that the public
would love you to do that.
Senator Schatz. Ms. Guliani.
Ms. Guliani. I think you are absolutely right. Notice and
consent is not enough in part because in a lot cases people do
not have meaningful choices. If the option is between not
having a service at all or turning over massive amounts of
data, a lot of consumers consent, but it is not really consent.
So I think that the law should place strict guardrails on what
companies can and cannot do. For example, if I have a
flashlight app, is it really reasonable for that app to require
me to turn over all of my location data or my financial data
just as a condition of using that app? I would say no.
And in the face recognition context, you know, if I want to
go to the grocery store to buy food, is it really reasonable
that the only option I have is a sign that notifies me that
face recognition technology is being used? I do not think that
that is really the control and the right that consumers want.
And so absolutely we have to go beyond notice and consent to
get at sort of terms that really take advantage of people's
privacy and exploit their lack of choice.
Senator Schatz. My final question--and this will be for the
record and for the entire panel--is whether or not we are
missing anything in terms of essential elements of a Federal
data privacy law? And I will take that for the record. Thank
you.
The Chairman. That is a very good question, and so I hope
all of our panelists will take that for the record and you have
a few days to respond. That would be very helpful.
Senator Fischer.
STATEMENT OF HON. DEB FISCHER,
U.S. SENATOR FROM NEBRASKA
Senator Fischer. Thank you, Mr. Chairman.
One core part of the GDPR is to protect consumer data by
requiring freely given, specific and informed consent. However,
we already are seeing user interface workarounds that we can
consent by confusing user choice. Ms. Guliani, you just spoke
to that in the answer to Senator Schatz's question.
In these circumstances, users see a false choice or a
simple escape route through the ``I agree'' button or ``okay''
button that pops up on our screen. And this can hide what the
action actually does, such as accessing your contacts, your
messages, Web activity, or location. Users searching for the
privacy friendly option, if it exists there at all, often must
click through a much longer process and many screens.
Mr. Steyer, is clear, easy to understand user interface
design a critical component of achieving informed consent and
preserving any rights to consumer data privacy?
Mr. Steyer. That is a great question, Senator Fischer, and
it is. It really is. I think the truth is if we all think about
ourselves--maybe there are one or two wizards up here, but I am
not and I run a large organization that helps write privacy
laws.
So I think clear, easy-to-use information is absolutely
critical. That is why I mentioned it in my opening remarks.
This is complex stuff, and so we need to make it very easy for
consumers to understand what their rights are and then how to
exercise them. It is like having a privacy policy at the end of
your phone, 80 pages on your phone, which no one ever reads.
They just check here. So I think that is a really important
element of what this committee and the Senate could do is make
it simple and easy to understand for the consumer. If it is
easy to understand for you folks, it will be fair to the
consumer would be what I would say.
Senator Fischer. I hope that is an endorsement.
[Laughter.]
Mr. Steyer. That is an endorsement, but it is also
recognizing the complexity of this. It actually goes to the
question Senator Schatz was asking. But it is really an
important element of doing this right.
Senator Fischer. Right.
I appreciated Common Sense Media's endorsement of the bill
that I have with Senator Warner, the DETOUR Act, and I believe
that is going to guard against the manipulative user interfaces
that are out there. Those are also known as dark patterns.
Can a privacy framework that involves consent function
properly if it does not also ensure that user interface design
presents that fair and transparent options to manage our
personal data setting, sir?
Mr. Steyer. Is that directed to me?
Senator Fischer. Yes, please.
Mr. Steyer. You are absolutely right on that.
By the way, the other point I would make is the fact that
you and Senator Warner are working on the dark patterns, the
fact that Senator Blunt is working with Senator Markey and
others on bipartisan legislation, this is an area where--I keep
saying it. This is common sense for everybody, and I really do
believe that this committee, acting this way in a bipartisan
fashion, is critical.
But, yes, we have got to keep it simple and easy. Even
though it is complex, you have got to make it simple and easy
for the average user.
Senator Fischer. Thank you.
Ms. Dixon, as the GDPR has been implemented, have you seen
any trends for companies that have taken steps toward focusing
on user-centered design or others that are avoiding it on
purpose?
Ms. Dixon. We certainly, in the run-up to the GDPR, saw a
lot of attempts in particular by the platforms to redesign
their user engagement flow and to reexamine whether the
consents they were collecting met the threshold articulated in
the GDPR. But some of the investigations that we now have
underway are looking at whether the ways in which in particular
the transparent information is being delivered to users really
meets the standards anticipated by the GDPR.
So, for example, a lot of organizations have implemented
layered privacy notices, which is something generally that we
recommend to avoid the need to have a 100-page privacy notice.
But on the other hand, there can be issues of inconsistency
between the layers, too many layers for a user to go through to
get basic information.
So through the investigations that we have ongoing at the
moment, we are examining whether the standards anticipated by
the GDPR are being met and in what circumstances we say they
are not being met. So there should be further clarification on
that in the coming months.
Senator Fischer. So as Mr. Steyer was saying, keep it
simple.
Ms. Dixon. Keeping it simple is always good.
Senator Fischer. As we look to draft Federal data privacy
policy, it is important that we do look at preventing
irresponsible data use from the start. Ms. Dixon, you actually
noted the complaint of someone who had been contacted by a
headstone company after a family member passed away, generated
by combining obituary data and public address data. And I am
going to ask all of you the same question that I asked the
previous industry panel, and hopefully you can respond in
writing to the question since I am out of time.
But I would just really appreciate if you could give one
example of an unreasonable data practice to us. I think that
would be helpful when we do look at trying to keep this simple
and what is going to be needed. So thank you very much.
Thank you, Mr. Chairman.
The Chairman. Can each of you do that for us on the record?
We would appreciate it if you would.
Senator Tester.
STATEMENT OF HON. JON TESTER,
U.S. SENATOR FROM MONTANA
Senator Tester. Thank you, Mr. Chairman.
Thank you all for being here. I know you all came to talk
about production ag today, so I am going to ask some questions
about it.
I have been farming for about the last 40 years, and one of
the big advances in agriculture that has happened pretty
recently is called precision ag where you get computers on your
tractor that measure just about everything you do, from the
amount of fertilizer you put down to the kind of seeds you put
in the ground, to the number of acres you cover. You name it.
So I have got this information. It is obviously connected
up with a higher God. Is it possible for folks or do you know
if they can use that information right now, if they can gather
that information to try to influence my buying decisions? Do
you understand what I am saying? I am saying we have got
technology on the tractor that measures just about everything
you do. Is that information gatherable? Just somebody taking
that information and sweeping it up. Is it possible for them to
do it? Can anybody answer that?
Ms. Guliani. So I cannot answer specifically. I think with
agriculture and some of, I think, the new technologies, I do
think that a big problem is secondary uses. Right? Think about
if I buy eggs from a grocery store and I give somebody my
address to deliver those eggs, I expect that they are going to
use my address to get the eggs to me. What I do not expect is
that they are going to tell an insurance company that I bought
eggs and they should charge me a higher rate.
Senator Tester. OK. So what gives them the right to do
that? What gives them the right to share that information? It
looks to me like why should it not all be off the books unless
I say, you know, what, go ahead and give it to my doc, give it
to my insurance company, give it to a guy I am going to buy a
car from, I do not care, go ahead and do it. Otherwise, if I do
not do that, no sharing information. Period. What I do is my
business and nobody can share it. It is against the law.
Ms. Guliani. I mean, I would agree. And I think that what
functionally happens sometimes is that there is a 30-page
privacy policy. Somebody does not understand what is in it, nor
do they have the time to read it.
Senator Tester. So it looks to me like it does not have to
be 30 pages. Does it? Could it not be just a simple question:
Can we use your information, yes or no?
Ms. Guliani. Yes. And I do not believe that there should be
secondary uses and secondary sharing unless the person knows
what is happening and has provided specific consent for it.
Senator Tester. OK. So the lady from Dublin, would the GDPR
stop the collection that I just talked about? And by the way,
that is a scenario I use for agriculture, but you could use it
on anything. Would they stop it? Would your rules stop it?
Ms. Dixon. Thank you, Senator. It is a very interesting
question.
As I mentioned in my written statement, the GDPR is high-
level, principles-based, technology-neutral, and it does not
prohibit any specific forms of personal data processing. It
provides that any form of personal data processing could be
legitimized.
So in this case, what we would have to do is trace through
the various actions of the company and look at whether the
principles of the GDPR are being met, in particular in this
case around purpose limitation, transparency to you as a user
in terms of sharing the data with third parties and the
purposes for which it would be used. And to the extent that
consent is legitimizing the processing, whether you had
granular options to consent or not to consent. And so it is
possible that the GDPR would prohibit it depending on how it is
being done, but it would involve the specific parsing against
the principles.
Senator Tester. A previous question asked you about fines,
and you said none have been levied yet because your
investigations have not been done. You have been in effect for
11 months since it was put into effect?
Ms. Dixon. It is 11 months since the GDPR came into
application. Some of the investigations have been open more
recently, but we have one or two that are open since May.
Senator Tester. Since May. So we are coming on a year for
the investigations?
Ms. Dixon. That is right.
Senator Tester. How quickly are they to a point where you
can--are these investigations so complicated that we are
looking at another year or is it weeks?
Ms. Dixon. No. I think in the coming months over the
summer, we will conclude decisions on some of them. They are
complex investigations. There are also significant procedural
safeguards that we have to apply because the sanctions are
significant. So we do have to allow the party's right to be
heard at various junctures in the investigation and
decisionmaking.
In addition, because of the form of a one stop shop we have
in the EU, other procedural issues arise.
Senator Tester. And very quickly because my time has run
out. How are the fines levied? How do you determine the fine?
Is that dictated in the GDPR or do you do it on the size of the
company?
Ms. Dixon. So article 83 of the GDPR sets out the limits on
the fines and provides details of aggravating and----
Senator Tester. Can you give me an idea of what the largest
fines are under the GDPR?
Ms. Dixon. The largest fine would be 4 percent of the
global turnover for the preceding year of an undertaking.
Senator Tester. Thank you.
The Chairman. Thank you, Senator Tester.
Senator Blackburn.
STATEMENT OF HON. MARSHA BLACKBURN,
U.S. SENATOR FROM TENNESSEE
Senator Blackburn. Thank you, Mr. Chairman.
And thank you to each of you for being here today. And, Mr.
Steyer, good to see you.
Mr. Steyer. Nice to see you.
Senator Blackburn. We have been talking privacy for quite a
while.
Mr. Steyer. We have.
Senator Blackburn. Ms. Guliani, I am certain you know this,
and to our friends who have joined us today, I think that for
so long what we heard on Capitol Hill from people is do not do
anything that is going to harm the golden goose. Leave it
alone. And this is why I introduced the BROWSER Act several
years ago, bipartisan in the House, and why I have long held
that consumers need to possess the toolbox to protect, as I
term it, their virtual you, which is you and your presence
online. And this is vitally important as Americans move more of
their transactional life online.
And, Ms. Guliani, you said it well. There should not be a
secondary use for other companies to know what credit cards we
use, what time of month we pay our bills, the sites we search,
the products we order. And for that to be data-mined and then
repackaged and sold specific not to our name or physical
address maybe, but to our IP address, which is our virtual you.
So that is why the BROWSER does a few things very well. It
says opt in for sensitive data, opt out for non-sensitive data,
and one set of rules for the entire Internet ecosystem with one
regulator.
And I think when we look at an individual's privacy, that
we ought to focus on doing a few things well, to do it
understandably, and as we have discussed in the past, Mr.
Steyer, to make certain that the protections are there for
children and that their information is protected online.
And I am delighted that the chairman is bringing this issue
forward. Privacy and data security are essential because this
transactional life that we live online underpins every single
industrial sector of our nation's economy.
And, Ms. Dixon, I want to ask you about the difference, let
us say, for Ireland with having an EU-wide regime on privacy as
opposed to an Ireland-specific. Preemption I think is vitally
important, and I would like to hear from you what the
difference has been by having the ability to have it EU-wide
versus just for Ireland.
Ms. Dixon. So, Senator Blackburn, the GDPR, as you note, is
a direct effect regulation of the EU as opposed to a directive
which requires transposition into member state law, which was
the previous regime we had prior to last May. But, in fact, as
a regulation, the GDPR is still something of a hybrid because
each EU member state, nonetheless, had to implement a national
law to give further effect to the GDPR.
Senator Blackburn. It underpins.
Ms. Dixon. It underpins and gives further effect to the
GDPR and implements some choices that were left to each
individual member state under the GDPR.
So what we have is actually a hybrid where we have a 2018
Irish Data Protection Act that guides us in terms of the
operation of our investigations and the procedures we must
follow and around aspects such as the age of digital consent
for children, which is set at 16 in Ireland, and then we have
the GDPR. In the case of any conflict, which there should not
be, the GDPR reigns supreme under the doctrine of supremacy of
the EU law. So it is something of a hybrid, and there are still
member state flavors in terms of choices made under the GDPR.
Senator Blackburn. Thank you. I appreciated a visit with
your EU Privacy Commissioner a few weeks ago and then this week
visited with the Commissioner from New Zealand. And I think it
is instructive to us that whether it is GDPR, as it comes
through its first year of enactment, or other countries that
are looking at enacting privacy policy, that it is important to
our citizens that we do something and that we do it right the
first time. So I appreciate your participation and look forward
to continuing the conversation.
I yield back my time.
The Chairman. Ms. Dixon, the GDPR directs European member
states to make certain decisions, for example, the age of
consent. Is that what you are saying?
Ms. Dixon. So under certain articles of the GDPR, such as
article 8, the age of consent for children accessing
information, society services was set at 16, but it gave member
states the choice to implement as low as 13 under their member
state laws. So, in fact, what you find is that the majority of
EU member states went ahead and implemented an age of 13. So
there are a number of articles like that where member state
choice was implementable.
The Chairman. Maybe we could search that ourselves. But if
you would help us by supplementing your testimony and giving us
some examples of that, I would appreciate it. Thank you.
Senator Peters.
STATEMENT OF HON. GARY PETERS,
U.S. SENATOR FROM MICHIGAN
Senator Peters. Thank you, Mr. Chairman.
And thank you to each of our witnesses. It has been really
a fascinating discussion.
And, Mr. Steyer, I do believe you are right that this is an
important issue that the time is now. In fact, I think the
issue of privacy, given the explosion of data and technologies
with the power to collect a lot of data are continuing to
expand. This could be one of the defining issues of this decade
as to how we deal with it because with data comes power, and
that power is based on data collected from us each
individually. So we have to be leaning into this very heavily.
So I agree with that.
My first question, though, for you, Ms. Guliani, is an
example of some concerns that I have. There is a popular
pregnancy tracking app Ovia that tracks medications, mood,
bodily functions, and more and even use it to track newborn
medical information for women that use this app. You may be
familiar with it. The app has come under scrutiny because it
allows employers to actually pay to gain access to the details
about their workers' personal lives. Your testimony--you were
very clear and others have mentioned about how Federal law
should limit purposes for which consumer data can be used.
So my question, though, is what should be included in a
Federal privacy standard to ensure that employers, in
particular, cannot have access to their employees' medical
information from an app such as Ovia?
Ms. Guliani. I mean, I would say first that that is
information that should not be given to an employer absent the
consent of the individual using the app, and they should not be
denied using it if they say, look, I do not want my employer to
know that but I would still like you to measure these things.
So I think that those are sort of two sides of the same coin.
And what I worry with apps like these is, again, these long
privacy policies that individuals do not have time to read or
understand that effectively require them to sign away all these
rights just to use a service.
Senator Peters. Well, to follow up on that comment, in Ovia
they have a 6,000-word consent form. The company is granted,
quote, a royalty-free, perpetual, and irrevocable license
throughout the universe to utilize and exploit their de-
identified personal information. The company is allowed to
sell, lease, or lend aggregated personal information to third
parties. This basically means that all of the information that
was gathered--a package can be sold to whoever they want
whenever as long is it does not meet their de-identified
criteria.
But how difficult is it for a company to re-identify
somebody if there is enough data about them? Let us say a
smaller company that may only have one woman who is pregnant--
could you identify that person probably even with de-identified
data?
Ms. Guliani. Yes. I mean, re-identification I think is
becoming easier, and there are companies that are innovating
around that. So, for example, there have been MIT studies that
found that de-identified data could be re-identified 95 percent
of the time with accuracy. So I think it is really important
that when we talk about de-identified data, we are really clear
on what that means and making sure that it is, in fact, de-
identified.
Senator Peters. Right.
Mr. Polonetsky, an example. If I go to the doctor and I get
prescribed an allergy medicine and then I put that information
on an app that I have to keep track of the number of doses I
have to take of medicine or whatever it may be, how do you
envision a Federal privacy law, working with existing laws such
as HIPAA, to ensure that my medical information is indeed
protected after I put it on my own app?
Mr. Polonetsky. Yes. This is increasingly going to be an
important issue because patients are increasingly downloading
their medical records, and there is obviously great value in
people being able to see that data, maybe take it to a
different doctor, analyze it themselves. But they may not
appreciate that once they have downloaded it from their HIPAA-
covered entity, that is is now in their hands, it is in their
app.
Legislation should recognize that there are sensitive
categories of data that are going to be subject to much
stricter and tougher controls. I may want to share that with
another doctor. I may have a friend who is a doctor. I may want
to show it to my spouse. And so I certainly should be able to
share it, but it ought to be very clear and very practical, and
I ought to be able to revoke that consent.
It is not likely to be covered by HIPAA, but we
increasingly have data that is outside of the regulatory world
where we need to make sure that the consent standard in any
proposed legislation is indeed balanced.
Senator Peters. In March, it was reported that a data
broker tried to sell the names, addresses, high schools, and
hobbies of 1.2 million children. This was uncovered through the
violation of Vermont's recently enacted law to regulate data
brokers.
Mr. Polonetsky, as you know, the Vermont law requires data
brokers to register with the state annually and gives us some
transparency as to who is actually out there, who is actually
collecting all this information.
Understanding that the law was just recently implemented,
do you have an early assessment of the law, and should we look
at that law in guiding some of our work at the Federal level?
Mr. Polonetsky. I do not have enough information to know
how it is playing out, but it is clear that people today have a
limited idea of the number of places their data goes when they
are online or when they can transact. And providing a simpler
way for them to get to those endpoints so they do not have to
go to multiple places so they can say no once or they can go to
one place and effectively take their data out I think is
valuable.
Frankly, I think it is valuable for companies too, the
people who really do not want to be getting catalogs in the
mail or do not want to be marketed to. It is costly to send
some of that out, and I would like to believe that at the end
of the day, there is a win-win by giving people more control
over what they receive from a whole range of third parties.
Senator Peters. Thank you. Appreciate it.
The Chairman. I think there are a lot of win-wins out
there.
Senator Thune.
STATEMENT OF HON. JOHN THUNE,
U.S. SENATOR FROM SOUTH DAKOTA
Senator Thune. Thank you, Mr. Chairman.
Ms. Dixon, in your testimony you touch on industry codes of
conduct. Can you elaborate on how industry codes of conduct are
intended to operate under the GDPR and whether you think such
codes of conduct enhance compliance with the law?
Ms. Dixon. So codes of conduct are a new feature of EU data
protection law, and we do believe that they are going to pay
dividends once they get off the ground. The European Data
Protection Board has recently issued guidance on how it is
intended that codes of conduct would work. And in the first
instance, it is up to industry groupings to bring forward
proposed codes of conduct that they would agree to implement.
They have the benefits of creating a level playing field within
industry sectors and driving up standards.
Another key feature of codes of conduct under the GDPR is
that it is intended that there would be an independent
monitoring body paid for by the industry sector that would
monitor compliance with the code of conduct and ensure that
complaints from individuals--that the exercise of their rights,
for example, is not being adhered to--are dealt with
efficiently. So this is an area of the GDPR that we look
forward to rolling out over the coming years.
Senator Thune. Let me just direct this to everybody, and it
is more of a general question. But Mr. Polonetsky, Mr. Steyer,
and Ms. Guliani, with respect to privacy expectations of our
consumers here in the United States, do you think the status
quo is working? Yes or no?
Mr. Steyer. No, but I would tell you that there has been a
sea change in awareness in the last year. I think one of the
most encouraging things that we have seen, other than the
bipartisanship, I think, in understanding these very issues
that affect everybody, is that the public is finally coming to
understand that privacy really matters. Remember, it is a
fundamental right, but people have forgotten that. I have four
kids, and I remember talking to my kids about this a few years
ago, about do you even understand what privacy is.
So I think we are at a watersheds moment, which I think the
work of this Committee and the broader Senate and Congress will
drive forward. The public is finally understanding this is
really my own personal information. It is really important, and
I have the right to control it. So I think we are at a great
moment, and I think that honestly, Senator Thune, if this
Committee moves forward and the Senate moves forward, I think
it will be incredibly important not just legally and from an
enforcement and accountability standard for behavior, but
public awareness. So I think we are at a really important
tipping point that you all can drive forward in a very
important way.
Mr. Polonetsky. Senator, my 17-year-old son is sitting
behind me and I have got a 15-year-old daughter, and it has
been fascinating to see how they have been using technology and
I do not think they think about it in terms of privacy. All
they know is that their Instagram page should not have all of
their photos. It should have the ones they curate. And they
have another account they use a little more flexibility, a
little more sloppily.
My son is a big SnapChat user, and he is not thinking about
it, oh, my pictures disappear. I am just saying hi. Why should
that be around forever?
And so I am optimistic that the technology is finally
capturing the actual reality of how people act. Somehow when
some of these sites launched, the notion was the more you
share, the more people click on it, the more people see your
stuff. And there is a place for that, for activism, for
outreach. But that is not the default for the way most of us
live. We want to talk to friends and family and small groups
and alumni groups and the like. And somehow the engineering
answer was, sorry, if it is on the Internet and it is public,
it is public for everybody.
So these are not perfect. You know, it is not perfect
privacy when your photo disappears. It is probably somewhere.
But it gave me a level of obscurity that actually ends up being
critical and nuanced.
So I would like to see us nudge companies to solve some of
these problems by having technology reflect the way humans act.
Right? It is supposed to be in service of our needs, not in
service solely of advertising and marketing. I see that
pushback happening. I would like to think it is because of
privacy pressure, but I actually think it is because of what
the younger generation actually wants. And they do not call it
privacy. They call it this is the way I think about my
relationships.
Senator Thune. But the answer is no, the status quo is not
working.
Mr. Polonetsky. The status quo is not working.
Senator Thune. Ms. Guliani, yes or no. I have another
question I need to ask here.
Ms. Guliani. Yes. The status quo is not working, and I just
want to highlight that I think we are increasingly
understanding that that status quo is hurting vulnerable
populations in some cases the most, you know, exacerbating
economic inequality and some of those issues. And so I think
the law should reflect the special harm that is being placed on
consumers.
Senator Thune. And I agree the status quo is not working,
which is exactly why this committee began to lay the groundwork
for privacy legislation in the last Congress and we are
building on that. I believe it is one of the issues that
Congress should be able to work on together on a bipartisan
basis, and I look forward to working with Chairman Wicker and
other members of this Committee to find consensus on this very
important issue.
One very quick final question, and that, again, I think can
be yes or no. But on principle, would any of you oppose any
Federal law with preemption in it? Yes or no.
Ms. Guliani. We would have serious concerns with broad
Federal preemption.
Mr. Steyer. I have serious concerns with broad Federal
preemption.
Mr. Polonetsky. I think preemption can be done carefully so
that it preempts the inconsistencies that make compliance hard
but preserve the rights and protections that I think we want to
preserve.
Senator Thune. I would be interested--and I guess we can
take this for the record, Mr. Chairman--in your thoughts. You
all referred to a Federal law as strong as California and just
to maybe speak specifically to what you mean by that.
Thank you.
The Chairman. Thank you.
And, Senator Thune, you questioned long enough for Senator
Markey to get back in his seat. So Senator Markey is next.
STATEMENT OF HON. EDWARD MARKEY,
U.S. SENATOR FROM MASSACHUSETTS
Senator Markey. Thank you, Mr. Chairman, very much. And
thank you, Senator Thune.
I have long advocated for privacy protections that include
the principles of notice and consent, but a Federal privacy
bill must build on that framework by explicitly prohibiting
certain types of data use. Today companies amass troves of
consumers' data and then repurpose that information to target
ads in discriminatory ways.
And that is why I recently introduced the Privacy Bill of
Rights Act, comprehensive privacy legislation that bans
discriminatory uses of consumers' private information. This
legislation explicitly prohibits companies from using
Americans? data to target employment, housing, health care,
education, or financial opportunities in harmful,
discriminatory ways.
Ms. Guliani, can you provide one example of how a company
currently uses consumers' personal data to target individuals
of particular genders or socioeconomic groups in ways that
threaten Americans' civil rights?
Ms. Guliani. Sure. I mean, I can give you a recent
settlement in an ACLU case. You know, over the last several
years, there were multiple charges that Facebook was
facilitating discriminatory advertising, particularly in the
housing, credit, and employment contexts where Federal law
prohibits discrimination. So, for example, allowing targeting
of ads based on factors like race or gender or things that
would be proxies for that.
Over the years, complaints were made. The company said that
they were going to resolve the problem but were slow to do so.
And so the ACLU and other civil rights organizations filed a
lawsuit, and the company, to its credit, has settled that
lawsuit.
But I think what this does is speak to a broader concern,
and that is a question of how in this new online ecosystem are
advertisers and others exacerbating discrimination, charging
different prices for, let us say, a bus ticket, not allowing
African Americans or women to see employment or housing
opportunities.
Senator Markey. So let me just follow up on that. Do each
of the rest of you agree with Ms. Guliani that it should be
illegal for companies to use consumers? personal data in these
harmful discriminatory ways? Ms. Dixon.
Ms. Dixon. So, Senator Markey, I think in terms of
legislation prohibiting certain uses, as I have outlined, the
GDPR is set up as principles-based and does not specifically
prohibit uses but principles of fair processing, as an example,
will go some way to tackling the issues that you have outlined.
I think in terms of the issue of discrimination--and there
is some complexity to the issue----
Senator Markey. But in general, do you agree with Ms.
Guliani? In general on discrimination?
Ms. Dixon. In general, discrimination----
Senator Markey. OK.
Mr. Polonetsky.
Mr. Polonetsky. In general, yes.
Senator Markey. Mr. Steyer.
Mr. Steyer. Absolutely I agree.
Senator Markey. Thank you all.
So let us move to children's privacy. I will go to you, Mr.
Steyer. Children are a unique, vulnerable group online. That is
why earlier this Congress I introduced bipartisan legislation
with Senator Hawley to protect kids' and teens' privacy. This
legislation is an update to the Children's Online Privacy
Protection Act, a law which I authored back in 1997.
This law creates critical new safeguards for young people.
The legislation would extend protections to 13, 14, and 15-
year-olds by requiring consent before collecting personal
information about them, ban targeted ads to children, create an
eraser button for parents and children to allow them to
eliminate publicly available personal information submitted by
the child or teen, and establish a youth privacy and marketing
division at the Federal Trade Commission, which will be
responsible specifically for addressing the privacy of children
and minors in our country and marketing directly at children
and minors in our country. We know we have a crisis in the
country in terms of the targeting of children in our country by
these online companies.
So, Mr. Steyer, why is it critical that any comprehensive
privacy law include these heightened protections for children
and teens?
Mr. Steyer. We totally support the law, and we are glad it
is bipartisan. We just believe you should fold the COPPA 2.0
law into this broader law that you are doing.
The truth is--we all know this as parents and
grandparents--kids do not understand stuff. They may be more
technically literate in a way, but they just do not understand
it. So they deserve special protections, and the COPPA 2.0 law
that you all have introduced is absolutely spot on, and I would
urge everybody on this committee and all 100 Senators to
support it.
Senator Markey. Do you each agree that special protections
have to be built in for children? Ms. Guliani.
Ms. Guliani. Yes.
Senator Markey. Mr. Polonetsky.
Mr. Polonetsky. Yes.
Senator Markey. Ms. Dixon.
Mr. Steyer. And teens. COPPA stops at 12, and we all know
what teenagers are like. They need special protections too.
Senator Markey. So this bill would lift it up to 16.
Mr. Steyer. Correct.
Senator Markey. And that is kind of, I think, a reasonable
place to put it. I wish I could make it higher, but I think at
least at 16, kids are just unaware even though you are saying
technically sophisticated, but their judgment in terms of what
it might mean for themselves in the long run just has not been
well thought out.
Mr. Steyer. And California goes to 16. We took it up to 16
in the CCPA.
Senator Markey. And in Europe?
Ms. Dixon. 16 in Ireland, 13 in other member states.
Senator Markey. Yes. I am Irish.
[Laughter.]
Senator Markey. We like our privacy.
Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Markey.
Senator Moran.
STATEMENT OF HON. JERRY MORAN,
U.S. SENATOR FROM KANSAS
Senator Moran. Chairman, thank you.
Thank you four for joining us today on this important
topic.
Let me start with Mr. Polonetsky. The terms of a Federal
consumer privacy bill. Consumers I believe would benefit if
Congress provides clear and measurable requirements in a
statutory text while also including a level of flexibility in
the form of narrow and specific rulemaking authorities
presumably to the FTC. That would help account for evolving
technological developments.
My questions are how should this committee approach
providing the FTC with rulemaking authority, and do you see
value in what some of us have been calling strong guardrails
around that rulemaking authority to preserve certainty to
consumers that we aim to protect?
Mr. Polonetsky. I think our proposed legislation--the
Committee's proposed legislation, which hopefully will come
forward should put as much detail as we can put in the bill
because I think there are going to be key issues to negotiate.
But clearly there are going to be areas that are going to need
more time, where progress of time is going to require perhaps
updates and nuance, and the FTC certainly needs APA rulemaking
authority to fill those gaps. But I do think setting the
parameters so that the considerations that the FTC should look
at can be spelled out so that businesses can anticipate so that
commission heads, no matter what party is in leading and so
forth, in the right direction I think is going to be critical.
Senator Moran. This is not exactly the right words I do not
think, but the theory that I have is that we have to provide
lots of certainty but not too much certainty. Where do we find
that sweet spot that allows this to work well today and into
the future?
Ms. Dixon, you indicated in your testimony--I think I am
quoting this about right--the aim equally of a consistent and
harmonized data protection law across the EU is to ensure a
level playing field for all businesses and a consistent digital
market in which consumers can have trust.
Would you be concerned that EU consumers' trust in the
digital market would be undermined if the EU lacked a
harmonized approach to privacy? And related to that is, do you
think the GDPR has provided clearer privacy requirements to
companies than if each EU country adopted a different privacy
requirement?
Ms. Dixon. So I think certainly it would be the case that
EU service users' trust would be undermined if we do not give
full effect to this harmonized regulation now in the EU, and
it's more a case of companies, rather than consumers, at the
moment arguing that some of the harmonization is not coming
into effect as anticipated because of member state choices that
have been made. So the European Data Protection Board is a
grouping of all of the EU national supervisory authorities, and
we are working very hard to give effect to a harmonized
implementation through guidance that we issue, but also through
cooperation and consistency mechanisms that mean, when I
conclude the investigations I referenced earlier, I will have
to bring my decision to the European Data Protection Board and
take utmost account of the views of the other EU 27 in
finalizing my decision. So I think the harmonization is
extremely important not just in terms of a level playing field,
but in terms of the consumer trust.
Senator Moran. Thank you.
Part of the conversation here has been things are getting
better. People are more interested in privacy. But we have also
talked about how difficult it is to--what you are thinking
about when you opt in and opt out, where the responsibility
lies.
Are consumers currently considering privacy practices when
choosing between an online service provider? Are there enough
companies using privacy as a competitive advantage? Any
consumer paying attention to this and there is now an economic
reward for privacy protections?
Mr. Steyer. I would like to speak to that. I think when we
passed the California bill last year, we were working with
Satya Nadella at Microsoft, Tim Cook at Apple, Mark Benioff at
SalesForce. They absolutely know that--there is no way that
Apple and Microsoft do not see that as a competitive advantage
now which, Senator Moran, I think is a very healthy thing.
But that alone is not enough. That is why I said in my
earlier comments about how important it is for the Senate and
for the Congress to pass comprehensive, strong Federal privacy
protections.
But there is no question. Just look at Apple's marketing
campaign that is out there right now. They are all over
privacy. We meet with them at the top levels all the time. They
have decided this is both the right thing to do and also the
right thing to do for their business. And so has Microsoft. So
the wave is coming.
Senator Moran. What a great blend that will be if we do our
jobs correctly and the consumer demands this from their
providers.
Mr. Steyer. Agreed.
Senator Moran. Let me ask a final question. Just a yes or
no answer. If Congress were to enact what we hope is meaningful
privacy legislation, would you each support the attorney
general of our various states having enforcement capabilities?
Ms. Guliani. Yes. I would strongly encourage that, as well
as State enforcement agencies.
Mr. Steyer. Completely agree. Absolutely I think State AGs
are critical, and a private right of action is a good idea too.
Mr. Polonetsky. AGs have a key role.
Senator Moran. Thank you all very much.
Thank you, Mr. Chairman.
The Chairman. Thank you.
Senator Rosen.
STATEMENT OF HON. JACKY ROSEN,
U.S. SENATOR FROM NEVADA
Senator Rosen. Thank you.
This is an amazing hearing and I have so many questions.
I am going to first start with some vulnerable population
questions. One of our most vulnerable populations are seniors,
our disabled veterans, our hearing, our deaf community. I have
over 38,000 deaf and hard of hearing people in the state of
Nevada. They rely on IP captioned telephone service to
communicate. We all know what that is. As privacy concerns,
what are we doing to protect those vulnerable populations who
are using the telephone, using these other services because of
a disability?
Ms. Guliani. So I think that this is one of the reasons
that having a privacy framework is so important. I mean, you
mentioned the disabled population. Low income individuals rely
on their phones more for Internet access and to do other day-
to-day activities. And what we do not want is a system where as
a condition of using these things that are critical to everyday
living, people have to hand over their personal data and that
personal data can have downstream consequences.
And so I think that as part of any framework, we have to
consider, number one, limiting the extent to which somebody can
require you to give consent just as a condition of using a
service. And we also have to be really skeptical and outlaw
sort of what has been called pay for privacy schemes where I am
just going to charge you more if you choose to exert your
privacy rights.
Mr. Polonetsky. Senator, I would urge the Committee to hear
from the disability community because I think there is actually
a really nuanced set of views. Certainly the community--and I
will not speak for them although we have done some joint work
recently--is worried about new ways that they can be
discriminated against, but they are also passionate about the
ways assisted technology and data--they want a smart home
speaker to be able to control devices if they cannot use the
traditional UI. They do not want their data sold, but getting
that balance right so the data they do want can support them is
certainly important.
Senator Rosen. So as I have been sitting here listening--
and I get the pleasure of being one of the last questioners--is
that it seems to me that there are two issues about your data.
It is kind of the who, what, where, when, and how. The who is
your personal data. It is your name, your birth date, your
Social Security number, whatever. You own that. Right? Your
baseline definition. Then you have your recorded behavior, if
you will, your usage, your active usage, your passive usage.
What is caught on recording and geolocation, that is your what,
when, and how.
So the real issue is who owns your behavior. Right? I mean,
there are new safety issues, security for your personal
birthday and all those kinds of things. So who owns your
behavior is the issue, and what do they do with it? And the
real value and the real threat is the monetization of your
usage data. That is where it is. It is economics. Let us just
put it right there.
So how do you think that we can tailor some legislation
that protects your usage information? We are trying to get
better about protecting that personal identify, the who, but
what about the what, where, when, and how that happens outside
of you, where you shop, where you drive by, where you record on
your voicemail?
Mr. Steyer. So, Senator Rosen, I mean, it is a very
important question. It is a very good question. I think the
truth is we should broadly protect--allow the individual to
control not just their own data but their behavior. I used the
term earlier, ``data minimization.'' It was one of the big
issues in the California law and in GDPR, and it is a company
should only be able to use the data for a necessary business
purpose, not a secondary purpose. When Senator Tester was
asking the question about the farm implements, why should that
be sold----
Senator Rosen. Or the pregnancy, the same thing.
Mr. Steyer. Right, or the pregnancy.
So I think very strict and clear limits and guardrails
around that are absolutely critical to a strong privacy law. I
think everybody on both sides of the aisle would agree with
that. And again, the more you guys can make that clear to your
colleagues but also to the public, the more we will all win.
Senator Rosen. And would you think since there is such a
strong economic benefit to the monetization of your data, that
there should be strong economic sanctions if violations occur?
Mr. Steyer. I would. And the only thing I would just say is
the big thing to simplify it is the business model is
everything. So if you really want to understand how the
companies behave--because remember, the technology industry is
not monolithic--you really have to take them company by
company. It is all about the business model. So if their
business model is based on monetizing your personal information
through ads, you are going to have to restrict those companies
much more.
Senator Rosen. What about using new technology? So you have
a smart car. You are going to drive by a certain coffee shop or
grocery store every day. Do they say, well, this person drives
by there? That is kind of your location. That is your passive
usage----
Mr. Steyer. If I opt in. If I opt into that, but give the
consumer the right to opt in, not force them to opt out.
Senator Rosen. Thank you. I appreciate it and yield back my
time.
The Chairman. Thank you very much.
Senator Blumenthal.
STATEMENT OF HON. RICHARD BLUMENTHAL,
U.S. SENATOR FROM CONNECTICUT
Senator Blumenthal. Thank you, Mr. Chairman. And thank you
for having this hearing with these very expert and
knowledgeable witnesses.
I have heard a lot of worries about the ongoing effort, and
I am a part of it in the Congress to frame Federal standards
that will protect privacy. I have asked one panel after another
whether the people of the United States should have less
privacy protection than California. Nobody believes they
should. And I assume nobody on this panel thinks that the
people of the United States deserve less privacy protection
than the people of California. Correct?
Mr. Steyer. Correct.
Mr. Polonetsky. Correct.
Senator Blumenthal. Thank you.
At the same time, there is a legitimate fear that we would
either advertently or maybe inadvertently undermine State
protections. I think that is a real danger, and I would oppose
any effort that preempts State laws so as to weaken protection
for consumers. And I think we are all--or we should be--on
guard against that danger.
I know that businesses want a common definition and
consistent rules. I also understand some of the criticisms of
the California law. Some of that criticism smacks of opposition
to the protections and the substance of those safeguards for
consumer protection. Federal rules simply cannot be an
opportunity to weaken a strong framework that industry resists
or opposes. We can learn from California. We have to provide at
least the same standards. In fact, I believe they ought to be
even more rigorous and more protective.
So let me ask particularly Mr. Steyer and Ms. Guliani if
Congress fails to act now, are other states likely to
successfully pass similar bills in the near term. What is on
the horizon?
Mr. Steyer. So I can speak to that. I would say I believe
Senator Cantwell knows the State of Washington just considered
a fairly--it was a different version of the bill and it died.
It is the only one that is on the table right now.
So barring action by the Congress, the California law goes
into effect in January 2020. It will essentially become the law
of the land, and I believe that the tech companies understand
that. When we were writing it, we were aware of that. I do not
think you are going to see this hodgepodge, mishmash.
And to your point, Senator Blumenthal, the people who are
really pushing preemption are primarily certain tech companies
that want to weaken the California law. So your point of view
of that as a floor that we should build upon for a strong,
comprehensive Federal law is I think a very good framework.
Senator Blumenthal. A floor, not a ceiling.
Mr. Steyer. It is absolutely a floor, not a ceiling. And I
think there are some very smart folks on this Committee who can
build an even better law.
Senator Blumenthal. First do no harm.
Mr. Steyer. Exactly.
Ms. Guliani. And if I could just speak to that point
specifically. I mean, I think particularly in the area of
technology, we are talking about rapid changes, and states have
shown themselves to be more nimble and adapt to responding to
those rapid changes. So what I really fear is a Federal regime
that ties State hands, and when new technologies pop up, new
problems pop up, we see gaps in a Federal framework that they
are not able to address those problems. And I think
particularly in an area where when it comes to consumer rights
and consumer privacy, states have a long history of expertise
and a long history of leading on these issues.
Senator Blumenthal. Well, I share your predilections about
the importance of State action, having been State official for
about three decades and including two decades as State Attorney
General in Connecticut. And both in terms of being more nimble
and also closer to their constituents and sharing the effects--
we share the real life effects of privacy invasion--I think
State officials are a ready and willing source of wisdom on
this topic. And so I think we need to be very, very careful in
what we do here that may in any way supplant what they are
doing.
Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Blumenthal.
Senator Sinema.
STATEMENT OF HON. KYRSTEN SINEMA,
U.S. SENATOR FROM ARIZONA
Senator Sinema. Well, thank you, Mr. Chairman, for holding
this hearing.
Data privacy is an important topic for all Americans, and I
am glad the Committee continues to explore this complicated
issue from all angles. Every day we learn about new misuses of
Americans' private data on the Internet, including recent
examples in the past month of millions of social media
passwords being stored in an unencrypted format.
So this issue requires bipartisan solutions that protect
the privacy and security of Arizonans while allowing
innovation, creativity, and investment to flow into new and
emerging technologies and businesses.
I am particularly pleased this hearing focuses on the
impact of data privacy legislation on consumers. They are the
ones whose lives get upended if passwords get hacked or
identities get stolen. And consumers should have the right to
control their own private information.
A particularly vulnerable population to privacy abuses and
identity theft are elderly Americans. The United States has
COPPA, a specialized privacy law to protect children, but our
seniors also experience elevated risks of having their data
misused. Elderly Americans sometimes struggle to navigate the
complexities of privacy policies, and they are often the
targets of fraud. I want to make sure that any Federal privacy
law gives seniors in Arizona and across the country the tools
they need to thrive in the digital economy and the protections
they need to enjoy a productive and secure retirement.
My first question is for Mr. Steyer, but I welcome the
perspective of all of our witnesses. So thank you for your
focus on children and the particular concerns they face. I
think the consumer education piece is a critical aspect of any
data privacy legislation. As you state in your testimony, many
people who want to limit data collection by websites do not
know how to do it, which is an issue of both transparency and
digital literacy.
Can you give a brief overview of your digital citizenship
curriculum and discuss whether you think any of these tools are
appropriate or could be adapted to educate older Americans?
Mr. Steyer. Yes. I think that is a great question, Senator
Sinema.
So our digital literacy citizenship curriculum--75,000
members schools now--is basically driver's ed for the Internet
and cell phones. It is sort of the basic rules of the road. I
think your point about seniors is a great one because they did
not grow up with the technology. It is hard for teenagers who
are first generation native technology users to understand some
of this stuff. So why should a senior citizen?
So I think the importance of consumer education in simple
clear ways to understand what your rights are and then how to
exercise them--it is basically digital literacy. And if you
guys put this into the bill, we will create a curriculum for
you for all age ranges in the country.
Mr. Polonetsky. Senator, I would love to see the FTC really
taking a lead role. They have a business outreach department.
We do a lot of work in Europe. The challenge, frankly, has been
the huge number of small businesses that are sending questions,
that are sending e-mails that they do not need to send to ask
for permission. It has been a big transition. And if we are
going to pass a new law--and I hope we do--we should be ready
to help the teacher who is creating an app because she thinks
it is a better way to teach her kids so that she does not have
to hire outside counsel. And I think the FTC, certainly Common
Sense, and other groups, but I think the FTC, in addition to
giving them those enforcement staff, giving them those
education, outreach is critical.
Ms. Guliani. I would just like to make a point. I think
that the onus should not be on the individual. Right? I think
your question sort of speaks to a larger problem which is the
complexities and difficulties that not just elderly Americans
but everybody faces. And I think that that is one of the
reasons that we have supported an opt-in framework instead of
an opt-out. When you talk about technical literacy, the
difficulty someone may have in figuring out not only all of the
apps they do business with, all of the entities that might have
their data, but how to navigate the complex framework of opting
out is just too much of a stress to put on consumers. That is
why we have supported opt in.
Senator Sinema. Thank you.
Ms. Dixon. I would agree that you should not put too much
emphasis in terms of the responsibility of the individual
solely to protect themselves, but I think consumer education is
very important. The Data Protection Commission in Ireland has
just closed a consultation in relation to children and the
exercise of their rights under the GDPR, and we consulted
directly with children through schools. We developed lesson
plans, which was in part an education of children around the
uses of their personal data. So we very much believe in active
communication to consumers through our website, through the
promotion of case studies promoted by the media. And I think
this is an important part of the jigsaw as well.
Senator Sinema. Thank you.
Thank you, Mr. Chairman.
The Chairman. Thank you very much.
Senator Sullivan.
STATEMENT OF HON. DAN SULLIVAN,
U.S. SENATOR FROM ALASKA
Senator Sullivan. Thank you, Mr. Chairman.
And I apologize to the witnesses for my late arrival, but I
wanted to make sure I was able to ask at least a few questions
on very important topic. And what I want to do--and again, if
this has been covered, I apologize, but I wanted to focus a
little bit more on the international aspects.
We had a hearing, actually a subcommittee hearing, that I
chaired yesterday with Senator Markey after our leader here set
up a really important new subcommittee on economics and
security. And the idea was kind of international standards and
where we have typically led in this area--the United States--
the NIST Director was there and a number of other witnesses at
the subcommittee hearing.
But how are we suppose to think through as we look at these
privacy standards and the different standards internationally?
Obviously, there is what is going on in Europe. But there are
also concerns that I have even more broadly than just what is
happening in Europe is that when you have kind of the 5G race
that is happening globally and Huawei in some ways leading
that, that you might have a de facto leadership that relates to
standards coming from China that, to be honest, in the world of
privacy is a real concern. I think even a bigger concern than
the European regulatory framework.
So how should we be thinking about this and trying to help
make sure that what we are doing with our allies is the
standard that we think is appropriate for countries like ours
that are democratic capitalist countries?
Mr. Steyer. Senator Sullivan, if I may, just two points.
Senator Sullivan. Please and I open this up to all.
Mr. Steyer. A couple of points.
One, when we wrote the California law last year, the CCPA,
which we have been talking about in the hearing, we met the
folks who wrote GDPR, and we realized that the values of the
U.S. are in many ways similar to folks in the EU, but they are
different in certain areas. So we were very careful--and I
think that this could be done here at the Federal level as
well--to think about how there are certain areas like the First
Amendment--we were talking about this earlier--that may mean
that a privacy law in the United States would be slightly
different than GDPR. But most of the protections are universal.
That said, you can modify----
Senator Sullivan. Universal relative to liberal
democracies?
Mr. Steyer. That is what I was going to say.
And the second thing is I would be willing to bet you a
large sum of money that Huawei will not dominate the 5G
universe, and I mean that.
Senator Sullivan. Why? I am glad you are so optimistic.
Mr. Steyer. Because the technology in the United States and
the companies in the United States have brought this world
extraordinary advances. That does not mean we do not need to be
aware of this, but sacrificing important privacy protections
for consumers just because China might do that would not be a
smart strategy. And I think at the end of the day, a strong
Federal privacy protection where the California law is the
floor and where you really take into consideration the fact
that most of the companies that matter are here in the United
States will give us the protections that we need.
Senator Sullivan. Other thoughts?
Ms. Guliani. I was going to say, I mean, I think that we
can take some good lessons from GDPR. Regulation in the U.S. is
not going to look exactly the same as Europe. There are
concerns with the right to be forgotten and changes that would
need to be made to be consistent with the U.S. Constitution.
The enforcement framework will look different. And also in the
U.S., we have State-level actors, attorneys general, agencies,
legislatures, and I think the last thing we want to do is
weaken the ability of those actors who have a long history of
working on these issues of sort of having a seat at the table
and being able to enforce and create good laws.
But having said that, there are positive elements of GDPR
that we should take and learn from, the extent to which it
places rights in the hands of consumers and increases standards
around consent, and limits on how----
Senator Sullivan. Let me just real quick and then I would
like to hear the rest. But none of you are advocating for a
state-by-state approach to this. Are you?
Mr. Steyer. No, but we were very clear we have deep
skepticism about preemption if there was going to be a watered-
down Federal law that would, say, lessen the protections you
have at the baseline of California. So that was the discussion
we had earlier.
Mr. Polonetsky. Just to look to the Asia-Pacific allies
that we do have. So we have had a leadership role in the APEC
process where we have worked with Japan, Korea, a number of the
major economies who similarly want to cooperate with data
protection flows. You will be considering the new NAFTA treaty.
We committed to use the APEC CBPRs, the APEC process to move
data across North America. So GDPR, obviously, is an important
place-setter, but we have been a leader in OECD, which has an
important set of privacy frameworks, and we have been very
active throughout many administrations in the APEC process, and
those are two regimes we should look to for global cooperation.
Senator Sullivan. Great.
Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Sullivan.
There is a vote on. Senator Cruz is recognized and will
preside for a time. Senator Cruz.
STATEMENT OF HON. TED CRUZ,
U.S. SENATOR FROM TEXAS
Senator Cruz [presiding]. Thank you, Mr. Chairman.
Thank you to each of the witnesses for being here.
There is no doubt that protecting privacy is critically
important, and how we should do so, what government regulation
should be in place concerning privacy is going to be a policy
question that I suspect will be with us a very, very long time.
At the same time that we want to protect privacy, we also
want to avoid a regulatory system that imposes unnecessary
burdens and that threatens jobs. And I think there are lessons
that we can draw based on the experience we have seen
elsewhere.
There has been considerable discussion here about the
European Union's General Data Protection Regulation, GDPR. In
November 2018, the National Bureau of Economic Research found
that, quote, the negative effects of GDPR on technology
investment appear particularly pervasive for nascent 0 to 3-
year-old ventures, which may have cost European startups as
many as 39,000 tech jobs.
Even more alarming, the report goes on to state, quote, the
potential for job losses may well extend and intensify past our
four months post-GDPR dataset period, in which case the effects
on jobs is understated.
In the wake of GDPR, California enacted its own law, the
California Consumer Privacy Act of 2018. And according to the
International Association of Privacy Professionals, the
California Privacy Act will affect more than 500,000 U.S.
companies, the vast majority of which are small to medium sized
enterprises.
What lessons should this committee or should Congress take
from the experience with GDPR and the experience with the
California Privacy Act?
Mr. Steyer. So, Senator Cruz, I am Jim Steyer and we
basically wrote the California privacy law with the legislature
there.
I would tell you the bottom line lesson is that privacy is
good for business. We wrote that law really with some of the
most important tech companies in the United States, Apple,
Microsoft, SalesForce. But I run a small business with several
hundred employees. We have to comply with the California law
and GDPR. And so I run a small business and know the fact that
it does matter.
But in the long run, I think what you saw was you had
unanimous bipartisan support in California among all the
Republican legislators, as well as Democratic legislators to
support it.
So I would just say well crafted, strong privacy
protections are in the best interest of business. And I think
that the record speaks for itself in that regard, and you
should feel confident that a smart Congress, just like a smart
California legislature, will find the right balance on that.
Senator Cruz. So let me focus for a second on the GDPR
piece. Do the witnesses agree that the GDPR regulation is
having or had a significant negative effect on jobs? And are
there lessons that we should derive from that?
Mr. Polonetsky. I think, Senator, one easy lesson that we
can take and improve on, as we look how to legislate in the
GDPR, the European Data Protection Board is issuing quickly--
but frankly, it is a year in--opinions on some of the core
protections of the GDPR. There is an opinion out now that is
not yet final on what can be in a contract. And obviously, that
is a core thing. Lots of companies are doing their business
based on contract. And we will not have final guidance and it
is a year out.
So the more we can do to give clarity--here are the rules,
and yes, there is room for rulemaking in the areas that are
complex and they have not been figured out. But I should be
able to comply the day the law passes. There is a real overhang
of uncertainty in a number of areas where the board has yet to
issue opinions so people actually know what the rules are.
Ms. Guliani. And I do not think it is necessary that a
privacy law is going to hurt small businesses. I do think that
a law should reflect the realities of small businesses. So, for
example, penalties. You might want to have different penalties
based on the size of a business or the amount of data they
hold.
And I do think there are some rumors and myths around the
extent to which GDPR harms some businesses. I will give you a
good example that has been reported. Following GDPR, the ``New
York Times'' reportedly stopped doing targeted advertising in
Europe and did contextual advertising. They did not find that
their advertising dollars went down. They went up. And so I do
think that there are ways that businesses can respect privacy
and make a profit. And we are starting to see businesses that
are innovating around that. DuckDuckGo, who is trying to create
an alternative to Google that respects privacy. So this is also
an industry to, I think, promote privacy and create rights-
respecting products.
Mr. Steyer. And, Senator Cruz, I would tell you that we
have been spending a fair amount of time talking about the
incredible importance to your family, my family, and everybody
in this room's family, and ourselves about the protections.
Living in the state where most of the big and small tech
companies are based and working with them, I think they have
now come to the conclusion that while there may be some
modifications that need to be made, which is the normal
legislative rulemaking process, in the long run this is good
for business and it is good for consumers. It is good for
everybody.
So I agree with Ms. Guliani that I think some of the
statements about job losses have been overstated and that the
value of a quality privacy regime for the Cruz family, the
Steyer family, and everybody else is totally worth it.
Ms. Dixon. Senator, equally at the Irish Data Protection
Commission, we are not aware of evidence that the GDPR is
affecting jobs adversely. I spoke earlier about the risk-based
approach that the GDPR endorses, and it does give a nod to
smaller and micro-enterprises and it provides for
implementation only of the organizational and technical
measures that are appropriate and proportionate to the risks of
the personal data processing operations in question and to the
scale of the organization. So I think approached and
implemented as it is intended, it should do the opposite of
affect jobs. It should engender better consumer trust and a
more sustainable business model.
Senator Cruz. Well, I want to thank each of the witnesses
for your testimony. This testimony has been helpful.
The hearing record will remain open for two weeks. During
that time, Senators are asked to submit any questions for the
record. And upon receipt, the witnesses are requested to submit
their written answers to the Committee as soon as possible, but
no later than Wednesday, May 15, 2019.
With that, I thank each of the witnesses for testifying,
and the hearing is adjourned.
[Whereupon, at 12:05 p.m., the hearing was adjourned.]
A P P E N D I X
Response to Written Questions Submitted by Hon. Jerry Moran to
Helen Dixon
Question 1. Your testimony highlighted obligations placed on
organizations operating under the GDPR as a ``series of high-level,
technology neutral principles,'' such as lawfulness, fairness, and
transparency, among many others. Would you please explain the
significance of any future regulatory privacy framework maintaining a
technology neutral approach?
Answer. The significance of a technology-neutral approach in any
future regulatory privacy framework is that the law would remain
adaptable to govern any type of personal data processing scenario and
in any context. Equally, the law would not require frequent updating to
keep pace with technology and terminology changes in addition to
obsolescence that cannot easily be anticipated in advance.
The flip-side of this capability of the law to remain adaptive to
new technologies is that, in enforcing the law, supervisory authorities
cannot start from a point where they are applying a very prescriptive
and context-specific standard set down in the law. Rather, enforcers
must go back to first principles and examine the technological features
and context of any given set of personal data processing operations and
decide whether there is compliance with the principles. So, for
example, facial recognition as a technology is not referenced directly
in the GDPR and nor are any use cases involving facial recognition
prohibited. The enforcer in examining a complaint about facial
recognition would have to examine whether the requirements and
conditions for processing of special categories of data (biometric data
is a special category under GDPR) are met in each very specific
implementation context. This means investigations of issues require the
time for in-context analysis prior to any enforcement action.
Question 2. Your testimony briefly described the ``rights of
consumers'' set out in Chapter 3 of GDPR, and you specifically
mentioned the ``varying conditions pertaining to the circumstances. .
.[that] those rights can be exercised.'' Based on your interpretation
of the right to data portability, are there unique circumstances or
factors that determine when this particular right should be exercised?
Are there certain circumstances in which portability requests are not
appropriate to execute?
a. Given relevant competition concerns inherent in the portability
requirement, are there special considerations taken into account for
compliance determinations in regards to the right?
Answer. The reference to the varying conditions under which the
right to portability can be exercised was a reference to the fact that
it applies only to data which has been collected under the legal bases
of consent or contract. It applies only to the personal data provided
directly by the user or to observed data flowing from the user actions.
It does not apply to inferred data. I attach for the Senator's
information an opinion of the European Data Protection Board
interpreting and clarifying the right to portability which may be
useful.
An aim of the right is that it will ultimately lead to the
fostering of more consumer services and choice for users. Any scenario
where an organisation asserts a commercial or confidentiality
sensitivity or a risk of prejudicing of third party rights in
delivering portability would be examined on its merits by the Data
Protection Commission.
We are certainly in the early days with regard to full
implementation of this right. Early initiatives such as this one
implemented by some of the major platforms shows the direction of
travel to-date with online service providers:
https://datatransferproject.dev/
Question 3. In March, my Subcommittee on Consumer Protection held a
hearing focused on the specific concerns of small and new businesses
that operate in different sectors and how they utilize and protect
consumer information in their operations. These businesses have fewer
resources in handling the complexities of increased regulatory privacy
compliance and associated costs. Additionally, not all businesses are
the same, and consumer data offers different uses, challenges and, in
some cases, liabilities, across the various models of small businesses
and start-ups. How does the Irish Data Protection Commission account
for small and new businesses in its enforcement actions aligned with
GDPR?
Answer. SMEs (Small and Medium Enterprises) make up over 99 percent
of businesses in Ireland with a significant proportion of that figure
being categorised as micro enterprises. It was therefore a considerable
focus of the Irish Data Protection Commission in the run-up to the
application of the GDPR in May 2018 to ensure that small business
concerns were addressed and that they was clarity in terms of what was
anticipated regarding their implementation of GDPR.
A year prior application (May 2017), the Data Protection Commission
procured an independent survey of small businesses to assess their
level of awareness and understanding of the new law. This allowed us
focus our support initiatives in specific ways. We engaged extensively
with representative bodies of small businesses and worked with them on
drawing up and publishing and promoting simple ``12 Step Guides'' on
how to commence preparations. We developed a micro site (now removed)
www.gdprandyou.ie which we populated with guidance materials. We
engaged with specific sectors directly through seminars and workshops
clarifying the risk-based approach endorsed by the GDPR. The Data
Protection Commission rolled out an extensive media campaign that also
covered cinemas in Ireland to promote awareness and to direct small
business owners to our micro website. We increased staffing on our
caller helpline in order to be available to answer queries from small
businesses directly.
When we re-ran the survey with SMEs in March 2018, awareness levels
had jumped significantly and small business confidence in preparation
for the new law had increased considerably.
In terms of the fact that small businesses vary greatly from one
another as conerns their types of data use, we communicated heavily
that the approach that needs to be taken starts with a risk-assessment
and ultimately implements organisational and technical measures
appropriate to the risk. Several of the provisions of the GDPR in many
cases do not apply to small businesses: for example, the Article 30
requirement to document data processing activities or the Article 37
requirement to appoint a Data Protection Officer may equally not apply.
In terms of enforcement, the Irish Data Protection Commission
mirrors the risk-based approach of the GDPR and targets enforcement
activity at the areas of highest risk and which impact the most users.
In the majority of cases currently involving smaller businesses, we
will seek to mediate between a complainant and the business to amicably
resolve any complaints about data protection we receive, ensuring as we
do to educate the small business on where its compliance efforts may
need to be stepped up.
______
Response to Written Questions Submitted by Hon. Jerry Moran to
Jules Polonetsky
Question 1. Are you concerned that overly broad purpose limitations
could negatively impact research, including research related to
artificial intelligence?
a. Do you have similar concerns about overly broad consumer
deletion rights?
Answer. Thank you for considering the many beneficial opportunities
to use some types of data for research purposes. General agreement on
use limitations commonly allows for the inclusion of research for
product improvement and related product development as ``reasonable
expectations,'' which in recent years may include research, training or
testing on machine learning models. We see this at an increasing rate
as more and more products, services, features, and new technological
capabilities are built on AI and ML systems.
Research conducted to develop or improve entirely new or unrelated
products is arguably not expected in this sense, and could be beyond
the scope of what a consumer intended when originally providing the
data. This might be particularly true for data processed using machine
learning, as it may not be possible to identify sufficiently broad
secondary use cases at the time of collection. In some cases, data may
be de-identified, but in other situations this may not be feasible. In
some circumstances, the new use creates no risk to individuals and
should not be of concern. This is where an ethics review process,
recognized by law, would be valuable. For example, for researchers
subject to the Common Rule, this use of data for academic human subject
search would go through review by an Institutional Review Board, where
informed consent might be required as well as other protections. Or the
Board might waive consent, after weighing the risks, benefits, and
ethical concerns. FPF and other leading scholars have called for the
creation of such review processes, which can be used by companies and
academics conducting research on data that is outside the Common Rule
IRB framework. We believe such a trusted process will be essential for
assessing uses of data when informed consent is not feasible.
Thank you for asking about an important aspect of many privacy laws
and bills, which provide consumers with the opportunity to delete their
data in appropriate contexts. In some cases, this is not an option.
Based on existing regulatory requirements, a bank customer cannot
request deletion of his bank records, even if he closes his account.
Likewise, academic, medical, and other business related records may
have independent requirements that limit a consumer's right in this
area. When this is the case, sufficient leeway should limit the
deletion rights to allow necessary retention. In other cases, for
example, engagement with social media, or other discretionary
interactions with individual organizations, an individual should
reasonably be able to delete her information and rely on that erasure.
To the extent that such data has already been included in aggregated or
de-identified datasets, there should be no conflict between the
deletion of personal data, and the retention of those datasets for
further analysis or use to train machine learning models. In addition,
the requirements for sufficient breadth and diversity of data in these
training datasets might be impacted (that is, they may become
unacceptably biased, or insufficiently representative) if individual
records are required to be removed. In cases of particularly sensitive
data where removal of an individual's record might be desired or
required, additional strategies could be employed to ensure the
validity of the dataset is retained. An example would be applying
differential privacy strategies, which allow evaluation of a dataset
both with, and without, an individual record, to ensure that analysis
on that dataset remains consistent.
Question 2. Your testimony thoroughly describes ten privacy-
enhancing technologies, or PETs, that can ``achieve strong and provable
privacy guarantees while still supporting beneficial uses'' of data. Do
you have specific recommendations for this Committee as to how Federal
legislation could incentivize the growth and development of new PETs?
Answer. Thank you for asking about the benefits of privacy-
enhancing technologies (PETs). Providing organizations with incentives
to implement PETs is one of the most important things a Federal privacy
law can do to improve consumer privacy while promoting beneficial uses
of data. There are several legislative tools that could provide
incentives for organizations to employ PETs.
FPF has proposed that legislation recognize several tiers of
personal information and tailor resulting rights and obligations based
on the identifiability of the data, given the technical and legal
controls that are applied. We propose a strong standard for covered
data that would include a broad range of data that is linked or can
practicably by linked to an individual. Within this range, we propose
that lawmakers can provide for a degree of latitude for compatible uses
when data is pseudonymized and non-sensitive. When data is
pseudonymized and sensitive, we suggest that there be some but less
latitude. Finally, we recognize that some technical methods can result
in data being considered de-identified. These tiers would provide
incentives for companies to apply technical de-identification to data,
as opposed to binary proposals that treat data as either included or
excluded from regulation.
In addition to nuanced legislative definitions, a Federal privacy
law can provide other direct incentives to employ PETs:
A law could create safe harbors for certain PETs-protected
activities. For example, a law could designate some data as
``not identifiable'' (and thus subject to few or no consent
obligations) when the organization employs on-device
differential privacy to ensure that aggregate data about user
behavior cannot be reliably linked to individuals.
A law could create rebuttable presumptions regarding data
safeguarded by PETs. For example, a law could establish a
presumption that an organization meets the law's security
requirements with regard to data that is encrypted using robust
cryptography and also protected by a comprehensive data
security program.
A law could reduce some legal obligations in order to
promote practical privacy protections. For example, a law could
reduce transparency or choice requirements when organizations
use homomorphic encryption to reduce or eliminate third
parties' ability to identify individuals during routine
commercial transactions like retail purchases, online
advertising, or marketing attribution.
In addition to providing the FTC with greater enforcement
resources, a Federal law can direct additional funding to the FTC's
Office of Technology Research and Investigation. As a key part of the
FTC's education efforts for legal compliance, especially for small
businesses, the FTC should also research emerging de-identification
technologies in order to be aware of their strengths and weaknesses,
and hold workshops that provide opportunities for discussion and debate
over the efficacy of emerging PETs.
______
Response to Written Question Submitted by Hon. Jerry Moran to
Neema Singh Guliani
Question. Similar to what your testimony stated, I have heard from
many interested parties that the FTC currently lacks the resources
needed to effectively enforce consumer privacy under its current
Section 5 authorities. As a member of the Senate Appropriations
Subcommittee with jurisdiction over the FTC, I am particularly
interested in understanding the resource needs of the agency based on
its current authorities, particularly before providing additional
authorities. Do you have specific resource-based recommendations for
this committee to ensure that the FTC has the appropriations it needs
to execute its current enforcement mission?
Answer. The FTC needs additional resources for enforcement to
enable it to act as an effective watchdog. In the last 20 years, the
number of employees at the FTC has grown only slightly. And the number
of employees in the Division of Privacy and Identity Protection (DPIP)
and the Division of Enforcement, which are responsible for the agency's
privacy and data security work, stands at approximately 50 and 44
people, respectively. In addition, the FTC needs additional technical
expertise, so that it can adapt to changes in technology. For example,
technologists and academics have found that advertising companies
``innovate'' in online tracking technologies to resist consumers'
attempts to defeat that tracking, frequently using new, relatively
unknown technologies. It is unclear whether the agency has the
technical capacity to keep pace with such innovations. A more detailed
review of how the commission is currently allocating its existing
resources is needed to assess whether there are additional areas where
existing resources should be augmented.
[all]