[Senate Hearing 116-593]
[From the U.S. Government Publishing Office]

S. Hrg. 116-593

CONSUMER PERSPECTIVES: POLICY PRINCIPLES FOR A FEDERAL DATA PRIVACY FRAMEWORK

=======================================================================

HEARING BEFORE THE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION

__________

MAY 1, 2019

__________

Printed for the use of the Committee on Commerce, Science, and Transportation

Available online: http://www.govinfo.gov

__________

U.S. GOVERNMENT PUBLISHING OFFICE
52-692 PDF WASHINGTON : 2023

-----------------------------------------------------------------------

SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION

ROGER WICKER, Mississippi, Chairman
JOHN THUNE, South Dakota
ROY BLUNT, Missouri
TED CRUZ, Texas
DEB FISCHER, Nebraska
JERRY MORAN, Kansas
DAN SULLIVAN, Alaska
CORY GARDNER, Colorado
MARSHA BLACKBURN, Tennessee
SHELLEY MOORE CAPITO, West Virginia
MIKE LEE, Utah
RON JOHNSON, Wisconsin
TODD YOUNG, Indiana
RICK SCOTT, Florida

MARIA CANTWELL, Washington, Ranking
AMY KLOBUCHAR, Minnesota
RICHARD BLUMENTHAL, Connecticut
BRIAN SCHATZ, Hawaii
EDWARD MARKEY, Massachusetts
TOM UDALL, New Mexico
GARY PETERS, Michigan
TAMMY BALDWIN, Wisconsin
TAMMY DUCKWORTH, Illinois
JON TESTER, Montana
KYRSTEN SINEMA, Arizona
JACKY ROSEN, Nevada

John Keast, Staff Director
Crystal Tully, Deputy Staff Director
Steven Wall, General Counsel
Kim Lipsky, Democratic Staff Director
Chris Day, Democratic Deputy Staff Director
Renae Black, Senior Counsel

C O N T E N T S

----------

Hearing held on May 1, 2019
Statement of Senator Wicker
Statement of Senator Cantwell
Statement of Senator Blunt
Statement of Senator Schatz
Statement of Senator Fischer
Statement of Senator Tester
Statement of Senator Blackburn
Statement of Senator Peters
Statement of Senator Thune
Statement of Senator Markey
Statement of Senator Moran
Statement of Senator Rosen
Statement of Senator Blumenthal
Statement of Senator Sinema
Statement of Senator Sullivan
Statement of Senator Cruz

Witnesses

Helen Dixon, Commissioner, Data Protection Commission of Ireland
    Prepared statement
Jules Polonetsky, Chief Executive Officer, Future of Privacy Forum
    Prepared statement
James P. Steyer, Chief Executive Officer and Founder, Common Sense Media
    Prepared statement
Neema Singh Guliani, Senior Legislative Counsel, Washington Legislative Office, American Civil Liberties Union
    Prepared statement

Appendix

Response to written questions submitted by Hon. Jerry Moran to:
    Helen Dixon
    Jules Polonetsky
    Neema Singh Guliani

CONSUMER PERSPECTIVES: POLICY PRINCIPLES FOR A FEDERAL DATA PRIVACY FRAMEWORK

----------

WEDNESDAY, MAY 1, 2019

U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.

The Committee met, pursuant to notice, at 10 a.m. in room SD-G50, Dirksen Senate Office Building, Hon. Roger Wicker, Chairman of the Committee, presiding.

Present: Senators Wicker [presiding], Thune, Blunt, Cruz, Fischer, Moran, Sullivan, Gardner, Blackburn, Capito, Scott, Cantwell, Blumenthal, Schatz, Markey, Peters, Tester, Sinema, and Rosen.

OPENING STATEMENT OF HON. ROGER WICKER, U.S. SENATOR FROM MISSISSIPPI

The Chairman. Good morning. Today, the Committee gathers for another hearing on consumer data privacy.

I am glad to convene this hearing with my colleague, Ranking Member Cantwell, and I welcome our witnesses and thank them for appearing today: Ms. Helen Dixon, Ireland's Data Protection Commissioner; Mr. Jules Polonetsky, CEO of the Future of Privacy Forum; Mr. Jim Steyer, CEO and founder of Common Sense Media; and Ms. Neema Singh Guliani, Senior Legislative Counsel for the American Civil Liberties Union. Welcome to all of you.

Consumers are the bedrock of our economy. Through the consumption of goods and services, consumers drive economic activity, power job creation, and create opportunities for innovation and economic advancement in the United States and around the world.

To foster relationships with consumers, businesses have historically collected and used information about their patrons. The collection of data about consumers' likes, dislikes, and commercial interests has ultimately served to benefit consumers in the form of more customized products and services and more choices at reduced costs.

Consumer data has tremendous societal benefits as well. In a world of ``big data'' where physical objects and processes are digitized, there is an increased volume of consumer data flowing throughout the economy.
This data is advancing entire economic sectors such as health care, transportation, and manufacturing. Data enables these sectors to improve their operations, target resources and services to underserved populations and increase their competitiveness. The consumer benefits of a data-driven economy are undeniable. These benefits are what fuel the vibrancy and dynamism of today's Internet marketplace. Despite these benefits, however, near daily reports of data breaches and data misuse underscore how privacy risks within the data-driven economy can no longer be ignored. The increased prevalence of privacy violations threatens to undermine consumers' trust in the Internet marketplace. This could reduce consumer engagement and jeopardize the long-term sustainability and prosperity of the digital economy. Consumer trust is essential. To maintain trust, a strong, uniform Federal data privacy framework should adequately protect consumer data from misuse and other unwanted data collection and processing. When engaging in commerce, consumers should rightly expect that their data will be protected. So today, I hope our witnesses will address how a Federal privacy law should provide consumers with more transparency, choice, and control over their information to prevent harmful data practices that reduce consumer confidence and stifle economic engagement. To provide consumers with more choice and control over their information, both the European Union's General Data Protection Regulation and the California Consumer Privacy Act provide consumers with certain privacy rights. Some of these rights include the right to be informed or the right to know; the right of access; the right to erasure or deletion; the right to data portability; and the right to nondiscrimination, among others. I hope our witnesses will address how to provide these types of rights within a United States Federal framework without unintentionally requiring companies to collect and retain more consumer data. 
Provisioning certain privacy rights to individuals without minimum controls may have the opposite effect of increasing privacy risks for consumers.

In developing a Federal privacy law, the existing notice and choice paradigm also has come under scrutiny. Under notice and choice, businesses provide consumers with notice typically through a lengthy and wordy privacy policy about their data collection and processing practices. Consumers are then expected to make a ``take it or leave it'' choice about whether or not to purchase or use a product or service. But is this really a choice?

I hope our witnesses will address how to ensure that consumers have access to simplified notices that offer meaningful choices about what information an organization collects about them instead of a lengthy and confusing privacy notice or terms of use that are often written in legalese and bury an organization's data collection activities.

I also hope witnesses will speak to ways in which Congress can provide additional tools and resources for consumers to make informed privacy decisions about the products and services they choose to use both online and offline.

Fundamental to providing truly meaningful privacy protections for consumers is a strong, consistent Federal law. This is critical to reducing consumer confusion about their privacy rights and ensuring that consumers can maintain the same privacy expectations across the country.

I look forward to a thoughtful discussion on these issues. And again, welcome to all of our witnesses.

I now recognize my good friend and Ranking Member, Senator Cantwell.

STATEMENT OF HON. MARIA CANTWELL, U.S. SENATOR FROM WASHINGTON

Senator Cantwell. Thank you, Mr. Chairman. And thank you to the witnesses for being here today on this important hearing about how to develop a Federal data privacy framework.

It is essential that we give a front row seat to the consumer advocate perspective, and that is what today's conversation does.
When the dust settles after a data breach or a misuse of data, consumers are the ones who are left harmed and disillusioned. In the two months since our last Full Committee hearing on privacy, consumer data has continued to be mishandled. It is clear that companies have not adequately learned from past failures, and at the expense of consumers, we are seeing that self-regulation is insufficient. Just days ago, cybersecurity researchers revealed the existence of a massive cloud data breach left wide open and unprotected, containing addresses, full names, dates of birth, income, marital status on more than 80 million U.S. households. This blatant disregard for security and privacy risks makes it clear why we are here today. Microsoft recently admitted that an undisclosed number of consumer Web e-mail accounts were compromised. We learned more about privacy lapses on Facebook and two more third party Facebook apps exposed data on Facebook users revealing over 540 million records including comments, likes, account names, and Facebook IDs. So, Mr. Chairman, how do we create a culture of data security that protects consumers and allows commerce to continue to grow? Consumers continue to be bombarded by threats to their privacy. Cybersecurity adversaries become more sophisticated and more organized day by day, and we really need to understand privacy on a continuum of data security. We need to make a more proactive approach to cybersecurity and make sure that we are continuing to protect consumers. This becomes especially important in the age of Internet of Things. Yesterday, the Security Subcommittee considered this issue at length. Billions of devices collecting data about consumers at all times means there are billions of entry points and large surface areas for cyber attack. We learned more about new botnet attacks and now weaknesses almost daily. And we face serious questions of how supply chain vulnerability, which is reminding us about how security here in the U.S. 
is dependent upon the health of our Internet cybersecurity. Members on our side of the aisle even had a secure briefing on the potential threats and impacts to our own devices. So it is important to remember that the Internet is a global network. No matter how secure we make our networks, we remain vulnerable to weaknesses abroad. This is why it is essential that we have a national strategy to deal with these threats. We also need to work with our international partners to form coalitions around cybersecurity standards and work toward harmonizing privacy and cybersecurity regulations. These latest privacy and security breaches and advancing cyber threats show that this problem is accelerating, but as you said, Mr. Chairman, there is also lots of opportunity for great applications, services, and devices that we all like. So it illustrates the complexity of the challenges we face. Consumers are at the center of this and we cannot just require them to have a deeper understanding of the risks involved. We need to make sure that their devices and concerns are not just about notice and consent, but we have strong provisions here and a description that will help create a better culture. The best plain language notices, the clearest opt-in consent provisions, the most crystal clear transparency does not do any good when companies are being careless or willingly letting our data out the back door to third parties that have no relationship to the consumers. While the benefits of the online world are everywhere--and I truly mean that-- everywhere--so must be the protection of personal information that is more than just a commodity. We need to make sure that the culture of monetizing our personal data at every twist and turn is countered with the protection of people's personal data. So Congress has to come to terms with this. 
I know that the members of this committee are working very diligently on trying to address that and that we are working to try to make sure that the things that happened in the 2016 election cycle also do not happen in the 2020 cycle. But these issues of information being stolen or manipulated or trying to influence or disrupt governments, even our own hacking of our employee personal information account, show that we are vulnerable and that we need to do more.

So the consistency of the hearings that we have had on this issue--I appreciate both Chairman Thune and you having these hearings about cybersecurity, about Equifax, about cyber hygiene, and what we should be doing--these all I believe should be part of the solution. Data security for Americans means that we extend the protections and we make sure that the online world is operating in a way that we see are helping to protect consumers and individual information.

So, Mr. Chairman, I know that you remain very dedicated to comprehensive legislation here. I do as well, even though the challenge is high. We need to have the opportunity to craft solutions that address security and privacy for the entire life cycle of our data and collection to storage and to processing. So hopefully today's hearing will give us more input as to the way consumers look at this issue and what we can do to help us move forward.

Thank you.

The Chairman. Thank you very much, Senator Cantwell.

And again, we welcome our witnesses. Your entire statements will be included in the record, and we ask each of you to summarize your opening statements within five minutes. We will begin down at this end of the table with Ms. Dixon. Welcome.

STATEMENT OF HELEN DIXON, COMMISSIONER, DATA PROTECTION COMMISSION OF IRELAND

Ms. Dixon. Chairman Wicker, Ranking Member Cantwell, and members of the Committee, thank you for inviting me to be here today.
I am pleased to have the opportunity to share with the Committee the experience of the Irish Data Protection Commission in dealing with complaints from consumers under EU data protection law and hope it will be of assistance in your deliberations on a Federal privacy law. As the Committee is aware, I submitted in advance a slightly more expansive written statement to you than my five minutes today will permit. So as suggested by the Chair, I will cover all of its key points for you briefly now. An important context in talking about EU data protection law is the fact that the right to have one's personal data protected exists as an explicit fundamental right of EU persons under the EU Charter of Fundamental Rights. It is the case then that the right to data protection in the EU exists in all personal data processing contexts and not just in commercial contexts. The Committee is well aware I think at this stage of the basic structure of the EU GDPR which sets out, firstly, obligations on organizations, then rights for individuals, and finally, provides for supervision and enforcement provisions to be implemented by independent data protection authorities. As an EU regulation, it has direct effect in every EU member state. The obligations on organizations processing information that relates to an identified or identifiable person are set down in a series of high-level technology-neutral principles, so principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality and accountability. The GDPR contains some prescription around new accountability provisions and, in particular, requirements in certain cases to now appoint a data protection officer. In addition there is an obligation to notify breaches of personal data that give rise to risks for individuals to the data protection authority within 72 hours of the organization becoming aware of the breach. 
In turn then, the individuals and consumers whose personal data are processed have a series of enumerated rights under the GDPR. These cover the right to transparent information, the right to access to a copy of their personal data, the right to rectification, the right to erasure, and so on. And each of these rights has varying conditions pertaining to the circumstances in which those rights can be exercised. Finally, then the GDPR provides for independent and adequately resourced data protection authorities in each EU member state. As data protection authorities, we have a very broad range of tasks that range from promoting awareness and issuing guidance on data protection law, to encouraging industry codes of conduct, to handling all valid complaints from consumers, and then investigating significant infringements of the GDPR. The new one stop shop for multinationals under the GDPR means that the Irish Data Protection Commission is the lead supervisory authority in the EU for the vast majority of U.S. global Internet companies such as Facebook, Twitter, WhatsApp, Google, AirBnB, and Microsoft as these have their main establishment in Ireland. The GDPR has introduced a much harder enforcement edge to EU data protection law with a range of corrective powers at the disposal of data protection authorities in addition to a capability to apply fines of up to 4 percent of the worldwide turnover of multinationals. In the 11 months since GDPR came into application, the Irish Data Protection Commission has received in excess of 5,900 complaints from individuals. It is frequently a feature of the complaints we handle from consumers that their interest in their personal data is as a means of pursuing further litigation or action. So, for example, former employees of organizations often seek access to their personal data as part of the pursuit of an unfair dismissals case. 
Consumers may seek access to CCTV images in various different scenarios to pursue personal injuries cases and so on.

Overall, the most complained-against sectors in a commercial context are retail banks, telecommunications companies, and Internet platforms. And my written statement has provided you with some specific case studies and examples of the complaints we have handled.

Equally worth mentioning is the complainants to my office have rights to appeal and judicially review decisions of the Data Protection Commission, and my office is involved in over 20 litigation cases currently before the Irish courts. And the Committee might be interested to know that the vast majority of decisions appealed to court from my office relate to disputes between employers and employees and far fewer relate to commercial contexts.

Aside then from handling complaints, the Data Protection Commission has power to open investigations of its own volition, and we have 51 large-scale investigations underway covering the large tech platforms, amongst others.

So in conclusion, the EU data protection law places a very strong emphasis on the individual in light of the fundamental rights and strong emphasis on the exercise of the rights of the individual, and accordingly, it mandates the handling of every complaint from an individual by data protection authorities. This means the EU data protection authorities play an important dual role, on the one hand resolving high volumes of issues for individuals and on the other, supervising companies to ensure systemic issues of noncompliance are rectified and punished as appropriate.

The GDPR is 11 months old at this point, and clarity and consistency of standards will evolve in the coming years, driving up overall the standards of protection for consumers in every sector.

Thank you.

[The prepared statement of Ms. Dixon follows:]

Prepared Statement of Helen Dixon, Commissioner, Data Protection Commission of Ireland

Introduction

Chairman Wicker, Ranking Member Cantwell and Members of the Committee, thank you for inviting me to be here today. I am pleased to have the opportunity to share with the Committee the experience of the Irish Data Protection Commission in dealing with complaints from consumers under the General Data Protection Regulation or GDPR, applicable since 25th May 2018.

Clearly, in a global context, the GDPR represents one significant form of regulation of the collection and processing of personal data and the Irish Data Protection Commission's approach to monitoring and enforcing its application provides an early insight into the types of issues raised by consumers in complaints about how their personal data is handled.

It's useful for me to take a few minutes to set in context for you the circumstances in which complaints from consumers are lodged with the Data Protection Commission. The right to have one's personal data protected exists as an explicit fundamental right of EU persons under the EU Charter of Fundamental Rights that came into legal force in 2009 and the right is called out specifically in Article 16 of the Treaty on the Functioning of the European Union--the ``Lisbon Treaty''. It is of course not an absolute or unlimited right. It may be and often is subject to conditions or limitations under EU and member state law but those conditions cannot render it impossible for individuals to exercise core elements of the right to data protection. The aim equally of a consistent and harmonised data protection law across the EU is to ensure a level-playing field for all businesses and a consistent digital market in which consumers can have trust.
While many may argue that data privacy is now ``dead'' given the ubiquitous nature of data collection in online environments, the Data Protection Commission can nonetheless identify the clear benefits to consumers of having exercisable and enforceable rights. (Dorraji, 2014)

The committee is well aware of the basic structure of the GDPR which sets out a) obligations on organisations, b) rights for individuals, and c) enforcement provisions. As an EU regulation, it has direct effect in every EU member state but also has extra-territorial reach in that it applies to any overseas company targeting goods or services at European consumers.

Obligations

Under the GDPR, a series of obligations apply to any organisation collecting and processing information that relates to an identified or identifiable person. A broad definition of personal data is in play with the GDPR specifying that identification numbers, location data and online identifiers will be sufficient to bring data in scope. The obligations on organisations are set down in a series of high-level, technology neutral principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and accountability.

Rights

In turn, the individuals whose personal data are processed have a series of enumerated rights under the GDPR. Incidentally, individuals under the GDPR are referenced as ``data subjects'' which is a concept far broader than consumers given that the GDPR concerns itself with any personal data processing and not merely that which occurs in commercial contexts. However, I understand for the purposes of this committee, that it is the subset of data subjects that are consumers and service users that is of particular interest.
The rights of consumers under the GDPR are set out in Chapter 3 and cover the right to transparent information, the right of access to a copy of their personal data, the right to rectification, the right to erasure, the right to restriction of data processing, to object to certain processing and the right to data portability with varying conditions pertaining to the circumstances in which those rights can be exercised. And I will revert to these rights shortly when I outline for the committee a profile of the complaints from consumers the Data Protection Commission is handling where consumers allege those rights are not being delivered on by companies.

Enforcement Provisions

Finally, the GDPR provides for independent and adequately resourced data protection authorities in each EU Member State to monitor the application of the GDPR and to enforce it (these authorities are separate and distinct from the consumer protection and anti-trust authorities in the Member States). In this context, data protection authorities have a very broad range of tasks from promoting awareness, to encouraging industry codes of conduct to receiving notifications of the appointment of Data Protection Officers in companies to handling complaints from consumers and investigating potential infringements of the GDPR.

In general terms, the individual EU member state data protection authorities are obliged to handle every valid complaint from any individual in their member state and to supervise establishments in their territory. However, because of a new ``one-stop-shop'' innovation in the GDPR, multinational organisations operating across the EU can be supervised by one lead supervisory authority in the EU member state where that multinational has its ``main-establishment''. Equally, any individual across the EU may lodge a complaint with the data protection authority in the member state of the main establishment of the company concerned.
As a result, the Irish Data Protection Commission is the lead supervisory authority in the EU for the vast majority of U.S. global Internet companies such as Facebook, Twitter, WhatsApp, Google, AirBnB, Microsoft and Oath as they have their main establishments in Ireland. Equally, complaints are lodged with the Irish Commission from complainants across the EU either directly or via the supervisory authority in their own member state.

This may seem like a difficult computation given that there are potentially up to half a billion consumers in the EU. How can a data protection authority with currently 135 staff deal with complaints from across the EU and supervise so many large companies?

Part of the answer lies in the orientation of the GDPR itself which places accountability to consumers directly on the shoulders of companies themselves. Companies must in many cases appoint Data Protection Officers; they must publish contact details for those officers and they must administer systems to allow them effectively handle requests from consumers to exercise their data protection rights. It's therefore now the case that many issues arising for consumers are being resolved directly through the intervention of the mandatorily appointed Data Protection Officer in the company before there's a need to file a complaint with the data protection authority. Many companies we supervise report to us that they have had a steep rise in consumer requests to exercise rights since the application of the GDPR in May 2018.

Equally, EU data protection authorities can conduct joint operations where an authority like the Irish Commission can leverage specific expertise in another EU data protection authority in conducting an investigation.

Further, multiple consumers may often raise the same issue as one another which may lead the Data Protection Commission to open an investigation of its ``own volition'' in order to resolve what may be a systemic matter.
Finally, the threat of very significant administrative fines hangs over companies that fail to implement the principles of GDPR and/or deliver on consumer rights under the law with 4 percent of global turnover representing the outer but significant limit of fine that may be imposed.

Clearer Standards

Much of the success over the coming years of the GDPR will derive from the evolution of clearer, objective standards to which organisations must adhere. These standards will evolve in a number of ways:

Through the embedding of new features of the GDPR such as Codes of Conduct, Certification and Seals that will drive up specific standards in certain sectors. Typically, codes of conduct that industry sectors prepare for the approval of EU data protection authorities will have an independent body appointed by the industry sector to monitor compliance with the code thereby driving up standards of protection and means by which consumers can exercise their rights.

Through enforcement actions by the Data Protection Commission where the outcome, while specific to the facts of the case examined, will be of precedential value for other organisations. The Data Protection Commission currently has 50 large scale investigations running which, as they conclude in the coming months, will serve to set the mark for what is expected of organisations under the principles of transparency, fairness, security and accountability.

Through case law in the national and EU courts, where data protection authority decisions are appealed or in circumstances where individuals use their right of action under the GDPR to claim compensation for any material or non-material damage they have suffered arising from an infringement of the GDPR.

Through the provision of further guidance to organisations on specific data processing scenarios particularly through published case studies of individual complaints the Data Protection Commission has handled.
Equally, guidance will be published off the back of consultations with all stakeholders on how to implement principles in complex scenarios such as those involving children where specific protections and consideration of the evolving capacities of the child need to be factored in.

Consumer Complaints

In the 11 months since GDPR came into application, the Data Protection Commission has received 5839 complaints from individuals. It is frequently a feature of complaints we handle from consumers that their interest in their personal data is as a means of pursuing further litigation or action. For example, former employees of organisations often seek access to their personal data as part of the pursuit of an unfair dismissals case; consumers seek access to CCTV images in different scenarios to pursue personal injuries cases and so on.

Overall, the most complained against sectors in a commercial context are retail banks, telecommunications companies and Internet platforms.

In the cases of the retail banks and telecommunications providers, the main issues arising relate to consumer accounts, over-charging, failure to keep personal data accurate and up-to-date resulting in mis-directing of bank or account statements, processing of financial information for the purposes of charging after the consumer has exercised their right to opt-out during the cooling-off period. While you might argue that these are clearly predominantly customer service and general consumer issues, it is the processing of their personal data and in particular deductions from their bank accounts that bring consumers to the door of the Data Protection Commission.
In terms of the Internet platforms, individuals, as well as Not-for-profit organisations on their behalf that specialise in data protection, raise complaints about the validity of consent collected for processing on sign-up to an app or service, the transparency and adequacy of the information provided and frequently about non-responses from the platforms when they seek to exercise their rights or raise a concern. Further, the Data Protection Commission has received several complaints about the inability of individuals to procure a full copy of their personal data when they request it from a platform. This can arise in scenarios where platforms have instituted automated tools to allow users by self-service to download their personal data but elements of data are not available through the tool. In one such complaint we are handling, the user complains that significant personal data is held in a data warehouse by a platform and used to enrich the user's profile. The platform argues that access to the data is not possible because it's stored by date and not individual identifier and further that the data would be unintelligible to a consumer because of the way it's stored. The Data Protection Commission must resolve whether this is personal data to which a right of access applies. Other cases dealt with this year by the office relate to financial lenders required to notify details to the Irish Central Bank of credit given to individual consumers. Certain lenders notified the details twice resulting in adverse credit ratings for the individuals as they appeared to have 2 or 3 times the number of loans as compared to what they actually had. In another case, a multinational agent dealing by web chat with a service user about a customer service complaint took note, according to the complaint received by the office, of the consumer's personal details including mobile `phone number she used to verify her account and contacted the user asking her on a date.
That didn't turn out to be a happily-ever-after story when independently of the investigation of my office, the agent was removed from his job! A further complaint dealt with was lodged by an individual who had suffered a family bereavement. A tombstone company issued immediate correspondence to her family advertising cheap headstones in respect of the dead relative. The tombstone company had taken data from an online death notice website and recreated the full address from multiple other sources. The actions of the company were not only distasteful but in breach of the purpose limitation requirements of data protection law. A particularly concerning case was reported to the office six months ago concerning a mobile `phone user whose ex-partner had managed to verify identity with her mobile telephone provider by masquerading as the individual herself and gained control of her telephone number. He did this by contacting the telco via web chat and when asked to identify himself, he provided her name and mobile `phone number. He then told the customer service agent at the telco that he (masquerading as her) had lost his mobile `phone, had now purchased a new SIM card and requested that the `phone number be ported over to the new SIM he had bought. The agent asked the imposter the following verification questions:

    What is your full address?                   Answered correctly
    What are 3 frequently dialled numbers?       Could not answer
    Can you tell me your last top-up date?       Could not answer
    Can you tell me your last top-up amount?     Answered correctly

Despite the imposter not answering all of the questions, the agent accepted this as valid authentication, and ported the complainant's number onto the imposter's newly bought SIM card. This gave access to any future texts and calls coming to the complainant's phone number. This would allow for example the imposter to bypass the `phone number factor for authentication with her online banking account.
In this case, the telco had failed to adhere to its own standards for verification of identity with very unfortunate consequences. Parallel but overlapping laws to the GDPR specific to E-Privacy are equally enforced by the Data Protection Commission and annually the office prosecutes a range of companies for multiple offences. In the majority of cases, these relate to targeting of mobile `phone users with marketing SMS messages without their consent and/or without providing the user with an OPT OUT from the marketing messages. Equally, a number of companies are prosecuted annually where they offer an OPT OUT but fail to apply it on their database resulting in the user continuing to receive SMS messages without their consent. As a result of several years of consistent high-profile prosecutions in this area, the Data Protection Commission considers the rate of compliance appears to be improving. Considerable resources of the office have been applied in recent years to a series of investigations into the ``Private Investigator'' sector. The Data Protection Commission received complaints from individuals who had lodged claims with their insurance providers and later became concerned about how their insurance company had sourced particular information about them and used it to deny their claims. The Data Protection Commission uncovered a broad-ranging national ``scam'' involving a considerable number of private investigator or tracing companies that had been either bribing or blagging government officials and utility company staff in some cases to procure a range of pieces of personal information about the claimants. 5 companies and 4 company directors were successfully prosecuted by the Data Protection Commission for these data protection offences over the last 4 to 5 years. The final case I'll mention in a commercial context is the case of an individual who suffered an accident giving rise to a leg injury. 
When her claim to her insurance company was denied, she sought access to a copy of her personal data that had been used by the company to deny her claim as she was surprised at the reasons given. She discovered on receipt of her personal data, that her family doctor had, instead of sending a report detailing information about the nature of her leg injury suffered in the recent accident, sent the entire file of 30 plus years of consultations between him and the patient to the insurance company. The company used very sensitive information about another condition the woman had suffered from years previously to deny the claim. Aside from the denial of the claim, the complainant suffered considerable distress at the thought of a very sensitive and irrelevant set of information about her having been disclosed and then processed in this matter. This office found the family doctor had infringed data protection law in disclosing excessive personal data including sensitive personal data. Ultimately, this complainant pursued a civil claim for compensation in the courts and the case settled on the steps of the court. Outside of these commercial contexts, a large volume of complaints that come to the Commission relate to, for example, employees complaining about their employers using excessive CCTV to monitor them or unauthorised access and excessive processing of their image if the employer uses CCTV as part of disciplinary proceedings. Each of these cases has to be examined on its specific facts with consideration given to the proportionality of processing in the given circumstances. The most frequent category of complaint relates to access requests where an individual considers they have been denied access to a copy of the personal data they requested from an organisation. 
In the majority of cases, the Data Protection Commission amicably resolves these cases which in an access request scenario means we ensure the individual receives all of the personal data to which they're entitled. This may of course be less than they sought as an organisation may legitimately apply exemptions where it is lawful to do so. The Committee will be well aware of various academic studies on the so-called ``privacy paradox'' where discrepancies between our attitudes as online users and our behaviours are apparent. This is a complex area of study but I raise it by way of pointing out that consumer complaints alone may not give us a very complete picture of what concerns consumers or what elements of the controls provided by platforms are useful to them. The platforms don't publish data on user engagement with their privacy control dashboards and the frequency with which users complete ``privacy checkup'' routines prompted by the platforms but based on data they have shared with the Data Protection Commission, the number of users seeking to engage with and control their settings is significant. Of course, this leads us then to the issues raised by Dr Zeynep Tufekci in the recent New York Times privacy series on whether being ``discreet'' online protects users and where she concludes that powerful computational inferences make it unlikely discretion is of much assistance. (Tufekci, 2019) Academic Woodrow Hartzog equally argues against idealising a concept of control as a goal of data protection. (Hartzog, 2018)

Large-scale Investigations

This brings me then to the important work of the Data Protection Commission outside of the role in handling complaints from individuals.
In many ways, effective implementation of principles of fairness, transparency, data minimisation and privacy by design will negate the need for users and consumers to have the responsibility for ensuring their own protection thrust entirely upon them through making decisions about whether to ``consent'' or not. The Data Protection Commission has powers to open an investigation of its own volition or may opt to open an investigation into a complaint from an individual that discloses what appears to be a systemic issue that potentially affects hundreds of millions of users. The Data Protection Commission has currently 51 large-scale investigations underway. 17 relate to the large tech platforms and span the services of Apple, Facebook, LinkedIn, Twitter, WhatsApp and Instagram. Because the GDPR is principles-based and doesn't explicitly prohibit any commercial forms of personal data processing, each case must be proved by tracing the application of the principles in the GDPR to the processing scenario at issue and demonstrating the basis upon which the Commission alleges there is a gap between the standard we say the GDPR anticipates and that which the company has implemented. The first sets of investigations will conclude over the summer of 2019.

Redress

EU data protection authorities resolve complaints of individuals amicably for the most part and where amicable resolution is not possible, the action of the authority is directed against the processing organisation. Authorities do not order redress in the form of payment of damages to individuals whose rights have been infringed. In order to secure damages, individuals have a right of action under Article 82 GDPR where they or a not-for-profit representing them can bring a case through the courts to seek compensation for material or non-material damage they allege they have suffered as a result of infringements of the GDPR.
Such Article 82 actions for compensation by individuals in the Irish courts have not yet been heard but when these are, they will represent further clarifications on how the courts view the GDPR and its application. No class action system exists in Ireland and in general this is not a feature of the EU landscape. While there are some reports emanating particularly from the UK that representative actions are being lined up by some law firms on a ``no win no fee'' basis post large-scale breaches being notified, nothing of significance has materialised in this regard. (Osborne Clarke--GDPR one year on: how are EU regulators flexing their muscles and what should you be thinking about now?)

Conclusion

EU data protection law places a strong emphasis on the individual and the exercise of their rights and accordingly mandates the handling of every complaint from an individual by data protection authorities. This means EU data protection authorities play an important dual role--on the one hand, resolving high volumes of issues for individuals and on the other supervising companies to ensure systemic issues of non-compliance are rectified and punished as appropriate. The GDPR is 11 months old and clarity and consistency of standards will evolve in the coming years driving up standards of data protection for consumers in every sector.

References

Dorraji, S. E. (2014). Privacy in Digital Age: Dead or Alive?! Regarding the New EU Data Protection Regulations. SOCIALINES TECHNOLOGIJOS SOCIAL TECHNOLOGIES 2014, 4(2), 306-317.
Hartzog, W. (2018, Volume 4 Issue 4). The Case Against Idealising Control. European Data Protection Law Review.
(n.d.). Osborne Clarke--GDPR one year on: how are EU regulators flexing their muscles and what should you be thinking about now? 2019 Lexology: daily subscriber feed.
Tufekci, Z. (2019, April 21). Think You're Discreet Online? Think Again. New York Times.

The Chairman. Thank you very much, Ms. Dixon. Mr. Polonetsky.
STATEMENT OF JULES POLONETSKY, CHIEF EXECUTIVE OFFICER, FUTURE OF PRIVACY FORUM

Mr. Polonetsky. Thank you, Chairman Wicker, Ranking Member Cantwell, Committee members. Eighteen years ago, I left my job as the New York Consumer Affairs Commissioner to become one of the first wave of Chief Privacy Officers when that was yet a novel title. Today as CEO of FPF, I work with the CPOs of more than 150 companies, with academics, with civil society, and with leading foundations on the privacy challenges posed by tech innovations. I first testified before this Committee almost 20 years ago to address privacy concerns around behavioral advertising. And almost every day since, we have seen those reports of new intrusions, new risks, new boundaries crossed. Sometimes it is simply a company being creepy. Sometimes it is a practice that raises serious risks to civil liberties or our sense of autonomy. It is long past time to put a privacy law in place that can support that trust that Americans should have when they use their phones, when they surf the Internet, when they shop online, all of the activities of daily life. Every day we delay, it becomes harder. New businesses launch. New technologies are developed and become entrenched. At the same time, we are, of course, benefiting from many of these technologies, as you both mentioned, companies reinventing mobility and making transportation safer. Machine learning has been built into so many of the products and services, health care diagnosis, education tech providers working on personalized learning. Every one of these holds great promise. Every one of them also brings new perils. It is a global challenge, of course, and almost every leading economy, not just our European colleagues, have put comprehensive laws in place. Japan. We should take special note perhaps of the APEC CBPRs, the Asia-Pacific region where the U.S.
has played a long role and which we have recently committed to in the proposed treaty for trade between U.S., Mexico, and Canada. We should not be left behind as the standards that are actually defining technologies today and the terms of trade for a decade to come are being established. Even small businesses do business globally today via the Web and need that guidance. So a baseline law should have strong protections matching and exceeding the key rights of California's privacy law: transparency, access, deletion, the right to object, protections for minors, the right to object to sales of data. But we also need to add some of the other core privacy principles that are not included in CCPA. Compatible use, contexts, special restrictions on sensitive data, the full range of fair information practices, as they have been reflected in so many of the national and international models, and many which originated back in the 1970s in the U.S. should be in our law. In drafting, we should be clear about what is covered. If we do not know what is personal, we do not know what is in and what is out. But I would argue that this is not a binary in or out decision. Information is not either completely explicitly personal and it is probably never completely anonymous. There are stages of data, and a law that is careful would nuance different levels of rights and restrictions based on whether data is fully anonymous, whether it is pseudonymous. The actual different stages in the lifestyle are the best way to match the corresponding requirements. Research has not always been handled well in a number of the legislative models around the world. We want to, I think, encourage beneficial research if it is being carried out in a way that supports privacy, fairness, equity, the integrity of the scientific process. We should encourage legitimate research when the appropriate ethical reviews are in place. 
And at the end of the day, internal accountability mechanisms are how organizations actually make sure they follow the law. We do not want just privacy in the law. We want it on the ground. We want privacy by design, and that means employees that are trained. That means tools and systems that support responsible data stewardship. So laws should encourage comprehensive programs, and whenever possible, we should incentivize PETs, privacy enhancing technologies, that deliver us perhaps the benefits of data while making sure that we have strong mathematical proofs that we have minimized any risks. And of course, any law is going to impact the sectoral State privacy laws that have been passed in recent decades. We certainly should avoid a framework where a website operator or a small business should have to deal with a complexity of inconsistent State mandates on many of the day-to-day issues of operating a business. But these concerns can be reasonably avoided with carefully crafted Federal preemption. There are clearly core State privacy laws that can and must exist, student privacy laws and others, and that I think is an important challenge for the Committee. But laws are only as good as enforcement. The FTC should have not only the civil penalties, not only the careful targeted rulemaking, but it also should have education and outreach so that new businesses understand, can get their questions answered. The FTC needs both the carrot and the stick. And of course, State AGs, who have been such critical partners to our Federal leaders, should continue to have a role. Thank you for the chance to share those thoughts with you today.

[The prepared statement of Mr. Polonetsky follows:]

Prepared Statement of Jules Polonetsky, Chief Executive Officer, Future of Privacy Forum

Thank you for inviting me to speak today.
The Future of Privacy Forum is a non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. We are supported by leading foundations, as well as by more than 150 companies, with an advisory board representing academics, industry, and civil society.\1\ We bring together privacy officers, academics, consumer advocates, and other thought leaders to explore the challenges posed by technological innovation and develop privacy protections, ethical norms, and workable business practices.
---------------------------------------------------------------------------
\1\ The views herein do not necessarily reflect those of our supporters or our Advisory Board. See Future of Privacy Forum, Advisory Board, https://fpf.org/about/advisory-board/; Supporters, https://fpf.org/about/supporters/.
---------------------------------------------------------------------------
I speak to you today with a sense of urgency. Congress should advance a baseline, comprehensive Federal privacy law because the impact of data-intensive technologies on individuals and vulnerable communities is increasing every day as the pace of innovation accelerates. Each day's news brings reports of a new intrusion, new risk, new harm, another boundary crossed. Sometimes it's a company doing something that consumers or critics regard as ``creepy;'' sometimes it is a practice that raises serious risks to our human rights, or civil liberties, or our sense of autonomy. There is a growing public awareness of how data-driven systems can reflect or reinforce discrimination and bias, even inadvertently.\2\
---------------------------------------------------------------------------
\2\ Virginia Eubanks, Automating Inequality: How High-Tech Tools Profile, Police, and Punish the Poor (2018).
---------------------------------------------------------------------------
For many people, personal privacy is a deeply emotional issue, and a real or perceived absence of privacy may leave them feeling vulnerable, exposed, or deprived of control. For others, concrete financial or other harm may occur; a loss of autonomy, a stifling of creativity due to feeling surveilled, or the public disclosure of highly sensitive information like individuals' financial data or disability status are just some potential consequences of technology misuse, poor data security policies, or insufficient privacy controls.\3\
---------------------------------------------------------------------------
\3\ Lauren Smith, Unfairness By Algorithm: Distilling the Harms of Automated Decision-Making (Dec 11, 2017), Future of Privacy Forum, https://fpf.org/2017/12/11/unfairness-by-algorithm-distilling-the-harms-of-automated-decision-making/.
---------------------------------------------------------------------------
At the same time, individuals and society are benefitting from new technologies and novel uses of data. Companies reinventing mobility are making transportation safer and more accessible; healthcare providers are using real-world evidence to advance research; and education technology providers can empower students and teachers to enhance and personalize learning.\4\ In much the same way that electricity faded from novelty to background during the industrialization of modern life 100 years ago, we see artificial intelligence and machine learning becoming the foundation of commonly available products and services, like voice-activated digital assistants, traffic routing, and accurate healthcare diagnoses.\5\
---------------------------------------------------------------------------
\4\ Future of Privacy Forum, Policymaker's Guide to Student Data Privacy, (April 4, 2019), FERPA/Sherpa, https://ferpasherpa.org/policymakersguide/.
\5\ Brenda Leong & Maria Navin, Artificial Intelligence: Privacy Promise or Peril? (February 20, 2019), Future of Privacy Forum, https://fpf.org/2019/02/20/artificial-intelligence-privacy-promise-or-peril.
---------------------------------------------------------------------------
Each of these examples holds the promise of improving our lives but each one also poses the risk of new and sometimes unforeseen harms. It is in the best interests of individuals and organizations for national lawmakers to speak in a united, bipartisan voice to create uniform protections that help rebuild trust. Congress has the opportunity now to pass a law that will shape these developments to maximize the benefits of data for society while mitigating risks. Delaying Congressional action means that businesses will inevitably continue to develop new models, build infrastructure, and deploy technologies, without the guidance and clear limits that only Congress can set forth. This is a global challenge, and other countries have responded.
The European Union (EU) has substantially updated its data protection framework, the General Data Protection Regulation (GDPR),\6\ and Japan has made substantial updates to its data protection law, the Act on Protection of Personal Information (APPI).\7\ The EU and Japan have also announced a trade agreement that includes a reciprocal data adequacy determination, creating the world's largest exchange of safe data flows and boosting digital trade between the two zones.\8\ Other nations, from India \9\ to Brazil,\10\ are passing privacy laws or updating existing data protection regimes.\11\
---------------------------------------------------------------------------
\6\ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), https://eur-lex.europa.eu/eli/reg/2016/679/oj
\7\ Japanese Act on Protection of Personal Information (Act No. 57/2003).
\8\ Press Release: European Commission adopts adequacy decision on Japan, creating the world's largest area of safe data flows, European Commission (Jan. 23 2019), http://europa.eu/rapid/press-release_IP-19-421_en.htm
\9\ Mayuran Palanisamy and Ravin Nandle, Understanding India's Draft Data Protection Bill (Sep 13, 2018), IAPP Privacy Tracker, https://iapp.org/news/a/understanding-indias-draft-data-protection-bill.
\10\ Lei 13.709/18, Lei Geral de Protecao de Dados Pessoais (Brazil General Data Protection Law).
\11\ Data Privacy Law: The Top Global Developments in 2018 and What 2019 May Bring, DLA Piper (Feb. 23 2019), https://www.dlapiper.com/en/us/insights/publications/2019/02/data-privacy-law-2018-2019/
---------------------------------------------------------------------------
Current business practices along with new technologies are being shaped by laws around the world, while the U.S.
approach to data protection remains outdated and insufficient. The continuation of cross-border data flows, which are crucial to the United States' leadership role in the global digital economy, are under stress. This may put U.S. companies, from financial institutions to cloud providers, at a disadvantage due to the perception that our laws are inadequate. Congress must ensure that the U.S. is not left behind as the rest of the world establishes trade and privacy frameworks that will de facto define the terms of international information and technology transfers for decades to come. The United States currently does not have a baseline set of legal protections that apply to all commercial data about individuals regardless of the particular industry, technology, or user base. For the past decades, we have taken a sectoral approach to privacy that has led to the creation of Federal laws that provide strong protections only in certain sectors such as surveillance,\12\ healthcare,\13\ video rentals,\14\ education records,\15\ and children's privacy.\16\ As a result, U.S. Federal laws currently provide strong privacy and security protection for information that is often particularly sensitive about individuals but it leaves other ‒ sometimes similar ‒ data largely unregulated aside from the FTC's Section 5 authority to enforce against deceptive or unfair business practices.\17\ For example, health records held by hospitals and covered by the Health Insurance Portability and Accountability Act (HIPAA)\18\ are subject to strong privacy and security rules, but health-related or fitness data held by app developers or online advertising companies is not covered by HIPAA and is largely unregulated. Student data held by schools and covered by the Family Educational Rights and Privacy Act (FERPA)\19\ is subject to Federal privacy safeguards, but similar data held by educational apps unaffiliated with schools is not subject to special protections. 
The Fair Credit Reporting Act (FCRA)\20\ helps ensure the accuracy of third-party information used to grant or deny loans, but FCRA's accuracy requirements do not apply to similar third-party reviews used to generate user reputation scores on online services.
---------------------------------------------------------------------------
\12\ Electronic Communications Privacy Act (ECPA), 18 U.S.C. Sec. 2510-22.
\13\ Health Insurance Portability and Accountability Act of 1996 (HIPAA), P.L. No. 104-191, 110 Stat. 1938 (1996).
\14\ Video Privacy Protection Act of 1988 (VPPA), 18 U.S.C. Sec. 2710.
\15\ Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. Sec. 1232g.
\16\ Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. Sec. Sec. 6501-6506.
\17\ Section 5 of the Federal Trade Commission Act, 15 U.S.C. Sec. 45(a).
\18\ Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 CFR Sec. 164.524.
\19\ Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. Sec. 1232g.
\20\ Fair Credit Reporting Act (FCRA), 15 U.S.C. Sec. 1681.
---------------------------------------------------------------------------
The U.S. has not always lagged behind its major trade partners in privacy and data protection policymaking. In fact, the central universal tenets of data protection have U.S. roots. In 1972, the Department of Health, Education, and Welfare formed an Advisory Committee on Automated Data Systems, which released a report setting forth a code of Fair Information Practices.\21\ These principles, widely known as the Fair Information Practice Principles (FIPPs), are the foundation of not only existing U.S. laws but also many international frameworks and laws, including GDPR.\22\ And while GDPR is the most recent major international legislative effort, the U.S.
should look for interoperability with and insights from the OECD Privacy Guidelines \23\ and the Asia-Pacific Economic Cooperation (APEC) framework and Cross-Border Privacy Rules (CBPRs).\24\
---------------------------------------------------------------------------
\21\ Records, Computer, and the Rights of Citizens: Report of the Secretary's Advisory Committee on Automated Personal Data Systems, U.S. Dept. of Health & Human Services (1973), https://aspe.hhs.gov/report/records-computers-and-rights-citizens.
\22\ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), https://eur-lex.europa.eu/eli/reg/2016/679/oj.
\23\ Organization for Economic Co-operation and Development, Privacy Guidelines, https://www.oecd.org/internet/ieconomy/privacy-guidelines.htm
\24\ APEC has 21 members comprising nearly all of the Asian-Pacific economies, including the United States, China and Russia. The CBPR system--endorsed by APEC member economies in 2011 and updated in 2015 attempts to create a regional solution across 21 member economies, whose governments are at different stages of compliance with the APEC Privacy Framework. In the United States, the Federal Trade Commission has agreed to enforce the CBPRs. Eight APEC countries have formally joined the CBPR system--United States, Canada, Mexico, Japan, Singapore, Taiwan, Australia and the Republic of Korea. In the recent United States-Mexico-Canada Agreement (USMCA), which Congress is reviewing as it considers ratification, the three countries promote cross-border data flows by recognizing the CBPR system as a valid data privacy compliance mechanism for data-transfers between the countries. See Cross-Border Privacy Rules System, http://cbprs.org/ (last visited Apr. 28, 2019).
Also relevant for the Committee's reference is Convention 108 of the Council of Europe, an international data protection treaty that has been signed by 54 countries to date, not including the United States.
---------------------------------------------------------------------------
As privacy concerns continue to escalate, states around the U.S. are charging ahead, proposing, passing, or updating consumer privacy laws.\25\ Many of these laws are serious, nuanced efforts to provide individuals with meaningful privacy rights and give companies clarity regarding their compliance obligations. At the same time, multiple, inconsistent state law requirements risk creating a conflicting patchwork of laws that create uncertainty for organizations that handle personal information. Individuals deserve consistent privacy protections regardless of the state they happen to reside in.
---------------------------------------------------------------------------
\25\ See Mitchell Noordyke, U.S. State Comprehensive Privacy Law Comparison, IAPP (April 18, 2019), https://iapp.org/news/a/us-state-comprehensive-privacy-law-comparison/.
---------------------------------------------------------------------------
The U.S. has a shrinking window of opportunity to regain momentum at both the national and international level. If we wait too long, more countries and states will act, which will have an immediate impact on new technologies and business initiatives and ultimately reduce the impact of any Federal law. There are key points that need to be addressed with particular care in any Federal consumer privacy law. A baseline Federal privacy law should offer strong protections.\26\ This, in turn, will bolster trust in privacy and security practices. The law will regulate a substantial share of the U.S. economy, and must therefore be drafted with careful attention to its effects on every sector as well as a wide range of communities, stakeholders, and individuals.
---------------------------------------------------------------------------
\26\ Leading scholars and advocates have expressed skepticism about market-based responses to privacy and security concerns. Common criticisms of a purely market-driven approach include: consumers' lack of technical sophistication with respect to data security (See, e.g., Aaron Smith, What the Public Knows About Cybersecurity, Pew Research Center (Mar. 22, 2017), http://www.pewinternet.org/2017/03/22/what-the-public-knows-about-cybersecurity/ (last accessed on Nov. 9, 2018)); the typical length and substance of modern privacy notices (See e.g., Aleecia M. McDonald and Lorrie Faith Cranor, The Cost of Reading Privacy Policies, I/S: A Journal of Law and Policy for the Information Society, at 8-10, (2008)); research suggesting that most individuals do not adequately value future risks (See e.g., Chris Jay Hoofnagle & Jennifer M. Urban, Alan Westin's Privacy Homo Economicus, 49 Wake Forest L. Rev. 261, 303-05 (2014)); the design of user interfaces to encourage decisions that are not aligned with users' best interests (See Woodrow Hartzog, Privacy's Blueprint: The Battle to Control the Design of New Technologies (2018)); and a lack of sufficient protections for privacy as an economic externality or ``public good'' (Joshua A. T. Fairfield and Christoph Engel, Privacy As A Public Good, 65 Duke L.J. 385, 423-25 (2015)).
---------------------------------------------------------------------------

Eighteen years ago, I left my job as the New York City Consumer Affairs Commissioner to become one of the first company chief privacy officers (CPO) in the U.S. Working for eight years in privacy and consumer protection roles at major tech companies helped me understand that it takes people, systems, and tools to manage data protection compliance.
I have also served as a state legislator and a Congressional staffer, and today at FPF work with companies, foundations, academics, regulators, and civil society to seek practical solutions to privacy problems. With this perspective, gained from my experience with key stakeholder groups and ongoing focus on the protection of privacy of individuals and consumers, I offer the following views.

1. Covered Data and Personal Information Under a Federal Privacy Law

In drafting baseline Federal privacy legislation, the most important decision is one of scope: how should the law define the ``personal information'' that is to be protected? Laws that adopt an overly broad standard are forced to include numerous exceptions in order to accommodate necessary or routine business activities, such as fraud detection, security, or compliance with legal obligations; or to anticipate future uses of data, such as scientific research or machine learning. Conversely, laws that define personal information too narrowly risk creating gaps that allow risky uses of data to go unregulated. Leading government and industry guidelines recognize that data has a range of linkability where it can potentially be used to identify or contact an individual or to customize content to an individual person or device.\27\ A Federal privacy law should avoid classifying covered data in a binary manner as either ``personal'' or ``anonymous.'' Instead, it should draw distinctions between different states of data given their materially different privacy risks. Context matters.
Personal data that is intended to be made public should be regulated differently than personal data that will be kept confidential by an organization.\28\ Similarly, data that is out in the wild should not be treated the same as data that is subject to technical deidentification controls (such as redacting identifiers, adding random noise, or aggregating records) as well as to effective legal and administrative safeguards (such as commitments not to attempt to re-identify individuals or institutional access limitations).
---------------------------------------------------------------------------
\27\ According to the Federal Trade Commission (FTC), data are not ``reasonably linkable'' to individual identity to the extent that a company: (1) takes reasonable measures to ensure that the data are deidentified; (2) publicly commits not to try to re-identify the data; and (3) contractually prohibits downstream recipients from trying to re-identify the data (the ``Three-Part Test''). Federal Trade Commission, Protection Consumer Privacy In An Era of Rapid Change (2012), at 21, https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumerprivacy-era-rapid-change-recommendations/120326privacyreport.pdf. According to the National Institute of Sciences and Technology (NIST), ``all data exist on an identifiability spectrum. At one end (the left) are data that are not related to individuals (for example, historical weather records) and therefore pose no privacy risk. At the other end (the right) are data that are linked directly to specific individuals. Between these two endpoints are data that can be linked with effort, that can only be linked to groups of people, and that are based on individuals but cannot be linked back.'' Simson L. Garfinkel, NISTIR 8053, De-Identification of Personal Information (Oct. 2015), at 5, http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf.
Leading industry associations provide similar guidelines. See, e.g., Digital Advertising Alliance, Self-Regulatory Principles for Multi-Site Data (Nov 2011), at 8, available at http://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf (considering data to be deidentified ``when an entity has taken reasonable steps to ensure that the data cannot reasonably be re-associated or connected to an individual or connected to or be associated with a particular computer or device.'').
\28\ See, e.g., Netflix Prize, Netflix, https://www.netflixprize.com/ (last accessed April 28, 2019) (releasing data publicly as part of a contest to improve user recommendations); Arvind Narayanan & Vitaly Shmatikov, Robust De-anonymization of Large Sparse Datasets (2018), https://www.cs.utexas.edu/shmat/shmat_oak08netflix.pdf (re-identifying records of known Netflix users).
---------------------------------------------------------------------------

FPF has crafted modular draft statutory language that attempts to capture these distinctions.\29\ We believe, in broad terms, that categories of data that are exposed to individual privacy and security risks, yet materially different in their potential uses and impact, include:\30\
---------------------------------------------------------------------------
\29\ See Appendix D.
\30\ See generally, Jules Polonetsky, Omer Tene, & Kelsey Finch, Shades of Gray: Seeing the Full Spectrum of Practical Data De-identification, Santa Clara L. Rev. (2016); A Visual Guide to Practical De-identification, Future of Privacy Forum, https://fpf.org/2016/04/25/a-visual-guide-to-practical-data-de-identification/.
---------------------------------------------------------------------------

Identified data: information explicitly linked to a known individual.

Identifiable data: information that is not explicitly linked to a known individual but can practicably be linked by the data holder or others who may lawfully access the information.
Pseudonymous data: information that cannot be linked to a known individual without additional information kept separately.

Deidentified data: (i) data from which direct and indirect identifiers \31\ have been permanently removed; (ii) data that has been perturbed to the degree that the risk of re-identification is small, given the context of the data set; or (iii) data that an expert has confirmed poses a very small risk that information can be used by an anticipated recipient to identify an individual.
---------------------------------------------------------------------------
\31\ Direct identifiers are data that directly identifies a single individual, for example names, social security numbers, and e-mail addresses. Indirect identifiers are data that by themselves do not identify a specific individual but that can be aggregated and ``linked'' with other information to identify data subjects, for example birth dates, ZIP codes, and demographic information. Simson L. Garfinkel, NISTIR 8053, De-Identification of Personal Information (Oct. 2015), at 15, 19, http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf.
---------------------------------------------------------------------------

By recognizing such distinctions, Federal privacy legislation would craft tiers of safeguards that are commensurate to privacy risks while at the same time allowing for greater flexibility where it is warranted. For example, on the one hand, appropriate regulatory requirements for deidentified data might mandate that companies cannot make such data public or share it with third parties without technical, administrative, and/or legal controls that reasonably prevent re-identification. But it may be appropriate to exempt deidentified data from other requirements, such as providing users with access or portability rights or the right to object to or opt-out of a company's use of deidentified data, since by definition it is not technically feasible to link deidentified data to a particular, verifiable individual.
On the other hand, for pseudonymous or identifiable data that can be reasonably linked to a known individual, it may be more fitting to provide individuals with access and portability rights, or the ability to opt-in or opt-out of certain uses of that data, as appropriate.

In many cases, the ability to reduce the identifiability of personal data through technical, legal, and administrative measures will allow a company to retain some utility of data (e.g., for research, as we discuss below),\32\ while significantly reducing privacy risks. New advances in deidentification and related privacy-enhancing technologies (PETs) (discussed below at number 5) are continuing to emerge.\33\ As a result, it is wise for lawmakers to take account of the many states of data and to provide incentives for companies to use technical measures and effective controls to reduce the identifiability of personal data wherever appropriate.
---------------------------------------------------------------------------
\32\ See section 3 below.
\33\ See section 5 below.
---------------------------------------------------------------------------

2. Sensitive Data

The term sensitive data is used to refer to certain categories of personal data that require additional protections due to the greater risks for harm posed by processing or disclosing this data. While individuals should generally be able to exercise reasonable control over their personal information, those controls should be stronger with respect to sensitive data. Thus, a Federal privacy law should provide heightened protections for the collection, use, storage, and disclosure of users' sensitive personal information or personal information used in sensitive contexts.
FPF has crafted modular draft statutory language that proposes a practical approach to regulating sensitive data that is consistent with current norms and best practices.\34\ The Federal Trade Commission has defined sensitive data to include, at a minimum, data about children, financial and health information, Social Security numbers, and precise geolocation data.\35\ The GDPR defines sensitive data more broadly by recognizing special categories of personal data as ``personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.'' \36\ Under GDPR, the legal grounds for processing these special categories of data are more restricted.\37\
---------------------------------------------------------------------------
\34\ See Appendix D.
\35\ Federal Trade Commission, Protection Consumer Privacy In An Era of Rapid Change (2012), at 8, 58-60. https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf.
\36\ GDPR, Article 9.
\37\ GDPR, Article 9, Recital 51-52.
---------------------------------------------------------------------------

In addition to opt-in controls, Federal legislation should include additional requirements--such as purpose limitation and respect for context--for certain sensitive categories of data. For example, if information such as a user's precise geolocation or health information is collected with affirmative consent for one purpose (such as providing a location-based ridesharing service, or a fitness tracking app), a law should restrict sharing that sensitive, identifiable information with third parties for materially different purposes without user consent.
This is consistent with the choice principle in the FTC's 2012 Report, which urged companies to offer the choice at the point in time, and in a context, in which a consumer is making a decision about his or her data.\38\ There may be instances where sensitive data will require consent, and where such consent will be impossible to obtain.\39\ The law should provide for the creation of a transparent, independent ethical review process that can assess such cases and provide a basis for a decision that a use of data is beneficial and will not result in harm.
---------------------------------------------------------------------------
\38\ Federal Trade Commission, Protection Consumer Privacy In An Era of Rapid Change (2012), at 60. https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf.
\39\ For example, recruiting individuals for rare disease drug trials.
---------------------------------------------------------------------------

3. Research

It is vital that a national privacy law be crafted in a way that does not unduly restrict socially beneficial research, and that policymakers at the local, state, and Federal levels continue to have the information they need to make evidence-based decisions. Today, in addition to the entities governed by the HIPAA Rule and legal mandates around human subject research,\40\ many private companies also conduct research, or work in partnerships with academic researchers, to gain important insights from the data they hold.
---------------------------------------------------------------------------
\40\ 45 CFR 46 (amended 2018). Currently, 20 U.S. agencies and departments intend to follow the revised Common Rule and their CFR numbers. See U.S.
Department of Health & Human Services, Federal Policy for the Protection of Human Subject (`Common Rule') https://www.hhs.gov/ohrp/regulations-and-policy/regulations/common-rule/index.html (last visited Mar. 8, 2019).
---------------------------------------------------------------------------

While obtaining individuals' informed consent may be feasible in controlled research settings, it is often impossible or impractical for researchers studying databases that contain the footprints of millions, or indeed billions, of data subjects. For example, when researchers are studying the effectiveness of personalized learning tools or evaluating disparate impacts of automated systems, they can benefit from access to large datasets. Legal mandates that require data holders to obtain continual permission from individuals for future uses of data--while appropriate in many commercial contexts--may create undue burdens for researchers who rely on datasets that contain information about individuals who cannot be contacted or who have been deidentified, particularly if researchers do not know, at the point of collection, what insights future studies may reveal.

This does not mean that data-based research should be exempted from a Federal privacy law. The use of private commercial data for socially beneficial research should remain subject to strict standards for privacy, security, scientific validity, and ethical integrity.\41\ However, we recommend that legal frameworks contain flexible provisions for research, such as enforceable voluntary compliance with Federal Common Rule for human subject research; carefully tailored exceptions to the right of deletion for less readily identifiable information; or the creation of independent ethical review boards to oversee and approve beneficial research using personal information.
---------------------------------------------------------------------------
\41\ In the words of danah boyd and Kate Crawford, ``It may be unreasonable to ask researchers to obtain consent from every person who posts a tweet, but it is problematic for researchers to justify their actions as ethical simply because the data are accessible.'' Future of Privacy Forum, Conference Proceedings: Beyond IRBS: Designing Ethical Review Processes for Big Data Research (Dec. 20, 2016), page 4, https://fpf.org/wp-content/uploads/2017/01/Beyond-IRBs-Conference-Proceedings_12-20-16.pdf, citing danah boyd & Kate Crawford, Critical Questions for Big Data, 15(5) INFO. COMM. & SOC. 662 (2012).
---------------------------------------------------------------------------

This balance between facilitating data research and evidence-based decision-making while maintaining privacy and ethical safeguards aligns with the 2017 report of the bipartisan Commission on Evidence-Based Policymaking and the 2018 Foundations for Evidence-Based Policymaking Act.\42\ The Commission noted that increasing access to confidential data need not necessarily increase privacy risk. Rather, ``steps that can be taken to improve data security and privacy protections beyond what exists today, while increasing the production of evidence.'' \43\
---------------------------------------------------------------------------
\42\ Foundations for Evidence-Based Policymaking Act of 2018, Pub. L. No. 115-435, 132 Stat. 5529 (2019).
\43\ Report of the Commission on Evidence-Based Policymaking, 8 (September 2017) https://www.cep.gov/report/cep-final-report.pdf.
---------------------------------------------------------------------------

In short, companies that conduct research or partner with academic institutions must do so in a way that protects privacy, fairness, equity, and the integrity of the scientific process, and a Federal privacy law should encourage, rather than place undue burdens on, legitimate research when appropriate ethical reviews take place.

4. Internal Accountability and Oversight

A Federal baseline privacy law should incentivize companies to employ meaningful internal accountability mechanisms, including privacy and security programs, which are managed by a privacy workforce. Ultimately, to implement privacy principles on the ground, including not just legal compliance but also privacy by design and privacy engineering, organizations will need to devote qualified and adequately trained employees. Indeed, over the past two decades, a privacy workforce has developed that combines the fields of law, public policy, technology, and business management. This workforce's professional association, the International Association of Privacy Professionals (IAPP), has doubled its membership in just the past 18 months.\44\ The IAPP provides training and professional certification, demonstrating the heightened demand among organizations for professionals who manage data privacy risks.
---------------------------------------------------------------------------
\44\ See IAPP-EY Annual Governance Report (2018), https://iapp.org/media/pdf/resource_center/IAPP-EY-Gov_Report_2018-FINAL.pdf.
---------------------------------------------------------------------------

In their book Privacy on the Ground, Kenneth Bamberger and Deirdre Mulligan stress ``the importance of the professionalization of privacy officers as a force for transmission of consumer expectation notions of privacy from diverse external stakeholders, and related `best practices,' between firms.'' \45\
---------------------------------------------------------------------------
\45\ Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the Books and on the Ground, 63 Stan. L. Rev. 247, 252 (2010).
---------------------------------------------------------------------------

Accordingly, today, data privacy management should no longer be regarded as a role that employees in legal or HR departments fulfill as a small piece of their larger job. Rather, it must be a new professional role with standards, best practices, and norms, which are widely agreed upon not only nationally but also across geographical borders. Responsible practices for personal data management are not common knowledge or intuitive, any more than accounting rules. They require training, continuous education, and verifiable methods for identifying and recognizing acceptable norms. Put simply, the digital economy needs privacy professionals. Encouraging organizations to implement internal governance programs that employ such professionals will ensure higher professional standards and more responsible data use, regardless of the specific rules ultimately chosen for data collection, processing, or use. Federal legislation could provide a safe harbor or other incentives for development, documentation, and implementation of comprehensive data privacy programs; execution of ongoing, documented privacy and security risk assessments, including for risks arising from automated decision-making; and implementation of robust accountability programs with internal staffing and oversight by senior management.
For example, GDPR requires companies to document their compliance measures,\46\ appoint Data Protection Officers,\47\ and create data protection impact assessments,\48\ among other requirements. Another way to increase internal expertise is to incentivize employee training through recognized programs.
---------------------------------------------------------------------------
\46\ GDPR, Art. 24, 40.
\47\ GDPR, Art. 37-39.
\48\ GDPR, Art. 35.
---------------------------------------------------------------------------

External certification processes act as objective validators to help companies, particularly those with limited resources, navigate complex legal requirements. Similarly, incentivizing companies or industry sectors to create ``red teams'' to proactively identify privacy abuses or to cooperate with watchdog entities or independent monitors to support additional oversight, such as through safe harbors or other methods, would create an additional layer of privacy safeguards.

5. Incentives for Technical Solutions

Federal privacy legislation should promote the use of technical solutions, including privacy-enhancing technologies (PETS). The ``holy grail'' for data protection is utilizing technology that can achieve strong and provable privacy guarantees while still supporting beneficial uses. Legislation should create specific incentives for the use of existing privacy-enhancing technologies and for the development of new PETS. Following are ten PETS or technological trends that may become increasingly useful tools to manage privacy risks:

Advances in Cryptography

a. Zero Knowledge Proofs--Zero knowledge proofs (ZKPs) are cryptographic methods by which one party can prove to another party that they know something to be true without conveying any additional information (like how or why the mathematical statement is true).
ZKPs can be used in identity verification contexts, e.g., to prove that someone is over a certain age without revealing their exact date of birth. ZKPs help with data minimization and data protection and promote privacy by design and default.

b. Homomorphic Encryption--Homomorphic encryption is a process that enables privacy-preserving data analysis by allowing some types of analytical functions and computations to be performed on encrypted data without first needing to decrypt the data.\49\ It is especially useful in applications that retain encrypted data in cloud storage for central access.
---------------------------------------------------------------------------
\49\ See David Wu, University of Virginia Computer Science Department, available at https://www.cs.virginia.edu/dwu4/fhe-project.html.
---------------------------------------------------------------------------

c. Secure Multi-Party Computation--Secure multi-party computation (SMPC) is a distributed computing system or technique that provides the ability to compute values of interest from multiple encrypted data sources without any party having to reveal their private data to the others. A common example is secret sharing, whereby data from each party is divided and distributed as random, encrypted ``shares'' among the parties, and when ultimately combined can provide the desired statistical result.\50\ If any one share is compromised, the remaining data is still safe. SMPC holds particular promise for sharing or managing access to sensitive data such as health records.
---------------------------------------------------------------------------
\50\ See Christopher Sadler, Protecting Privacy with Secure Multi-Party Computation, New America (Jan. 11, 2018), https://www.newamerica.org/oti/blog/protecting-privacy-secure-multi-party-computation/.
---------------------------------------------------------------------------

d. Differential Privacy--Differential privacy (DP) is a rigorous mathematical definition of privacy that quantifies the risk that an individual is included in a data set.
It leverages anonymization techniques that involve the addition of statistical ``noise'' to data sets before calculations are computed and results released. DP can be global or local.\51\ Global DP is server-side anonymization or deidentification (where trust resides in the service provider); local DP is applied on the client or user's device. There are now differentially private versions of algorithms in machine learning, game theory and economic mechanism design, statistical estimation, and streaming. Differential privacy works better on larger databases because as the number of individuals in a database grows, the effect of any single individual on a given aggregate statistic diminishes.
---------------------------------------------------------------------------
\51\ Evaluation of Privacy-Preserving Technologies for Machine Learning, Outlier Ventures Research (Nov. 2018), https://outlierventures.io/research/evaluation-of-privacy-preserving-technologies-for-machine-learning/.
---------------------------------------------------------------------------

Localization of Processing

e. Edge computing and Local Processing--For devices where speed is of the essence or connectivity is not constant, applications, data, and services are increasingly run away from centralized nodes at the end points of a network. Such local processing helps with data minimization by reducing the amount of data that must be collected (accessible) by the service provider, or retained on a centralized service or in cloud storage.

f. Device-Level Machine Learning--New machine learning focused semiconductor components and algorithms--along with the speedy, low-cost local storage and local processing capabilities of edge computing--are allowing tasks that used to require the computing horsepower of the cloud to be done in a more refined and more focused way on edge devices.

g.
Identity Management--Many identity management solutions under consideration or development leverage a variety of platforms, including distributed ledger technology (described above), and local processing, that capitalize on device-level machine learning to provide the ability for individuals to verify and certify their identity. This enables people without Internet access beyond smartphones or other simple devices to form secure connections, exchange identity-related credentials (such as transcripts or voting records) without going through a centralized intermediary. Verified personal data can be accessed from the user's device and shared via secure, encrypted channels to third parties, with data limited to the basic facts necessary for the relying party (e.g., that the individual is over 21, or does in fact qualify for a specific government service) on an as-needed basis. Depending on the implementation and standards, identity management can create privacy risks or can be deployed to support data minimization and privacy by design and default.

Advances in Artificial Intelligence (AI) & Machine Learning (ML)

h. ``Small Data''--Small data AI and machine learning systems use significantly less, or even no real data, via techniques such as data augmentation (manipulating existing data sets), transfer learning (importing learnings from a preexisting model), synthetic data sets (see below), and others.\52\ With small data techniques, the future forms of AI might be able to operate without needing the tremendous amounts of training data currently required for many applications.\53\ This capability can greatly reduce the complexity and privacy risks associated with AI and ML systems.
---------------------------------------------------------------------------
\52\ Harsha Angeri, Small Data & Deep Learning (AI): A Data Reduction Framework, Medium (Apr. 1, 2018), https://medium.com/datadriveninvestor/small-data-deep-learning-ai-a-data-reduction-framework-9772c7273992.
\53\ H. James Wilson, Paul R. Daugherty, Chase Davenport, The Future of AI Will Be About Less Data, Not More, Harvard Business Review (Jan. 14, 2019), https://hbr.org/2019/01/the-future-of-ai-will-be-about-less-data-not-more.
---------------------------------------------------------------------------

i. Synthetic Data Sets--Synthetic data sets are sets of artificial data created to replicate the patterns and analytic potential of real data about real individuals or events by replicating the important statistical properties of real data.\54\ They can be created at a vast scale and reduce the need for large training or test data sets, particularly for AI and ML applications, and thus support reduced data sharing or secondary use concerns.
---------------------------------------------------------------------------
\54\ Applied AI, Synthetic Data: An Introduction & 10 Tools, (June 2018 update), https://blog.appliedai.com/synthetic-data/.
---------------------------------------------------------------------------

j. Generative Adversarial Networks--Generative Adversarial Networks (GANs) are a type of artificial intelligence, where algorithms are created in pairs (one to ``learn,'' and the other to ``judge''). Used in unsupervised machine learning, two neural networks contest with each other in a framework to produce better and better simulations of real data (creating faces of people, or handwriting). One valuable use: generating synthetic data sets.\55\
---------------------------------------------------------------------------
\55\ Dan Yin and Qing Yang, GANs Based Density Distribution Privacy-Preservation on Mobility Data, Security and Communication Networks, vol. 2018, Article ID 9203076, (Dec. 2, 2018), https://doi.org/10.1155/2018/9203076.
---------------------------------------------------------------------------

These tools and resources can potentially help mitigate data protection concerns posed by future technologies. Federal legislation could incentivize the growth and development of new PETS. The market for compliance tools for privacy and security professionals also continues to accelerate.
Services that discover, map, and categorize data for organizations, wizards that help manage and complete privacy impact assessments, programs that handle data subject access requests and consent management, and deidentification services are already supporting privacy and security professionals at leading organizations as well as attracting investor interest.\56\ Data protection resources entering the market are increasingly central to building systems that allow professionals to manage the challenges that accompany the expanded data collection and the multiplying uses that shape modern business practices.
---------------------------------------------------------------------------
\56\ IAPP Privacy Tech Vendor Report (2018), https://iapp.org/resources/article/2018-privacy-tech-vendor-report/
---------------------------------------------------------------------------

6. Machine Learning

A Federal privacy law should also promote beneficial uses of artificial intelligence (AI) and machine learning. Many device manufacturers are making strides to minimize data collection by conducting data processing on-device (locally) rather than sending data back to a remote server. However, AI and machine learning technologies typically require large and representative data sets to power new models, to ensure accuracy, and to avoid bias. A U.S. framework would be wise to ensure that uses of data for machine learning are supported when conducted responsibly. To assess such responsible uses, we again recommend the development of a serious ethics review process. The academic IRB is well established as a necessary way for federally funded human subject research to be vetted.\57\ Counterparts for corporate data will be important, if structured to provide expertise, confidentiality, independence, transparency of process, speed, and expertise.\58\
---------------------------------------------------------------------------
\57\ Protection of Human Subjects, 45 C.F.R. Sec. Sec.
46.103, 46.108 (2012). \58\ See Future of Privacy Forum, Conference Proceedings: Beyond IRBS: Designing Ethical Review Processes for Big Data Research (Dec. 20, 2016), https://fpf.org/wp-content/uploads/2017/01/Beyond-IRBs- Conference-Proceedings_12-20-16.pdf. --------------------------------------------------------------------------- 7. Interaction with Existing Legal Frameworks A Federal baseline privacy law should take into consideration existing legal frameworks, by preempting certain state laws where they create conflicting or inconsistent requirements, and superseding or filling gaps between existing Federal sectoral laws. While recognizing the United States' unique global privacy leadership, a Federal privacy law should also address issues of interoperability with GDPR and other global legal regimes. At a minimum, it is important for the U.S. to protect cross-border data flows by not creating obligations that directly conflict with other existing international frameworks. A. Interaction with State Laws The drafting of a Federal privacy law in the United States will necessarily impact the range of state and local privacy laws that have been passed in recent decades or are currently being drafted. The question of preemption is at the forefront of many conversations regarding a Federal privacy bill. Stakeholders from government, industry, civil society, and academia have expressed strong and sometimes conflicting views. At a minimum, we should seek to avoid a framework where website operators are expected to comply with multiple inconsistent state mandates on the many day-to-day issues at the core of the digital economy, ranging from signing users up for e-mail lists, implementing website analytics, or conducting e-commerce. 
These concerns can reasonably be avoided with carefully crafted Federal preemption, so long as the law also ensures a strong level of uniform privacy protections, certainly meeting and exceeding the core protections of the California Consumer Privacy Act (CCPA). It is important to recognize that lawmakers' options are not binary. The choice is not between a preemptive Federal law and a non- preemptive Federal law. Rather, lawmakers must grapple with a range of state authorities and choose which to preempt and which to preserve.\59\ I provide further context below. My core recommendations are that Congress: (1) preserve state Unfair and Deceptive Acts and Practices (UDAP) laws, which regulate a wide range of commercial conduct, from fair pricing to honest advertising, when they do not specifically target privacy or security requirements; (2) preempt generally applicable consumer privacy laws, like the California Consumer Privacy Act (CCPA); and (3) be thoughtful about which state sectoral privacy laws to preempt or preserve. --------------------------------------------------------------------------- \59\ Peter Swire, U.S. Federal privacy preemption part 1: History of Federal preemption of stricter state laws (Jan 9, 2019), IAPP Privacy Tracker, https://iapp.org/news/a/us-federal-privacy-preemption- part-1-history-of-federal-preemption-of-stricter-state-laws/. 
--------------------------------------------------------------------------- For example, to the extent that a Federal law contains provisions that conflict with state common law or statutes, the latter will be preempted by default.\60\ Congress may, to the extent it wishes, take further steps to prevent states or local governments from drafting further new, different, or more protective laws, through express or implied ``field preemption.'' Within this range, there is great flexibility in the extent to which a Federal law can have preemptive effect.\61\ --------------------------------------------------------------------------- \60\ Supremacy Clause, U.S. CONST. art. VI, cl. 2. \61\ See generally, Paul M. Schwartz, Preemption and Privacy, 118 Yale L.J. 902 (2008), available at https:// scholarship.law.berkeley.edu/cgi/ viewcontent.cgi?article=1071&context=facpubs. --------------------------------------------------------------------------- As this Committee considers the appropriate balance of Federal and state intervention in the field of information privacy, it should carefully consider how a Federal privacy law will impact certain key aspects of current state regulation: State UDAP Laws. Every state has broadly applicable Unfair and Deceptive Acts and Practices (UDAP) laws that prohibit deceptive commercial practices or unfair or unconscionable business practices.\62\ State enforcement authorities have increasingly applied UDAP laws to data-driven business practices such as mobile apps and platform providers.\63\ In general, states should maintain the freedom to enforce broadly applicable commercial fairness principles in a technology- neutral manner, to the extent that they do not specifically regulate the collection and processing of personal information addressed in the Federal law. 
--------------------------------------------------------------------------- \62\ National Consumer Law Center, Consumer Protection in the States: A 50-State Evaluation of Unfair and Deceptive Practices Laws, (Mar. 2018), http://www.nclc.org/images/pdf/udap/udap-report.pdf. \63\ See e.g. Federal Trade Commission, Privacy & Data Security Update: 2017, https://www.ftc.gov/system/files/documents/reports/ privacy-data-security-update-2017-overview-commissions-enforcement- policy-initiatives-consumer/privacy_and_data_security_update_2017.pdf. (As one of the examples of state enforcement actions, the FTC and 32 State Attorneys General alleged that Lenovo engaged in an unfair and deceptive practice by selling consumer laptops with a preinstalled software program that accessed consumer's sensitive personal information transmitted over the Internet without the consumer's knowledge or consent.) State Constitutions. Eleven states have enumerated constitutional rights to privacy, most of which were created through constitutional amendments in the last 50 years.\64\ In addition to governing law enforcement access to information, some states have chosen to express a free-standing fundamental right to privacy.\65\ These amendments to state constitutions reflect the states' explicit intention to extend--or clarify-- the fundamental rights of their own residents beyond the existing status quo of Federal legal protections. --------------------------------------------------------------------------- \64\ See National Conference of State Legislatures, Privacy Protections in State Constitutions (Nov. 7, 2018), http://www.ncsl.org/ research/telecommunications-and-information-technology/privacy- protections-in-state-constitutions.aspx.; Gerald B. Cope, Jr., Toward a Right of Privacy as a Matter of State Constitutional Law, 5 Fla. St. U. L. Rev. 631, 690-710 (2014). \65\ See e.g. Cal. Const., art. I, Sec. 1; Haw. Const., art. I, Sec. Sec. 6-7; Alaska Const., art. I, Sec. 22. 
State Sector-Specific Laws. Comprehensive state efforts to regulate consumer privacy and security, such as generally applicable data breach laws or the recent California Consumer Privacy Act, are likely to be partially or fully preempted by a Federal law that meaningfully addresses the same issues and creates similar substantive legal protections. However, a Federal law should also carefully anticipate its effect on sectoral state efforts, such as those regulating biometrics,\66\ drones/UAV,\67\ or employer or school ability to ask for social media credentials.\68\ For example, in the field of student privacy, more than 120 state laws have passed since 2013 regulating local and state education agencies and education technology companies,\69\ and replacing those laws with a general consumer privacy law could eliminate important nuances that those laws incorporated; for example, a consumer privacy law would likely allow for users to delete their data, but, in the education context, students obviously should not have the ability to delete a homework assignment or test scores. Further complicating these matters, states retain a constitutional right to regulate the core behavior of their own governmental entities, including the regulation of school districts.\70\ --------------------------------------------------------------------------- \66\ Biometric Information Privacy Act (BIPA), 740 ILCS/14 (2008). \67\ National Council of State Legislatures, Current Unmanned Aircraft State Law Landscape (Sept. 10, 2018). http://www.ncsl.org/ research/transportation/current-unmanned-aircraft-state-law- landscape.aspx. \68\ National Council of State Legislatures, State Social Media Privacy Laws (Nov. 6, 2018). http://www.ncsl.org/research/ telecommunications-and-information-technology/state-laws-prohibiting- access-to-social-media-usernames-and-passwords.aspx. \69\ State Student Privacy Laws, FERPA/Sherpa (April 23, 2019), https://ferpasherpa.org/state-laws. \70\ See U.S. CONST. 
art. X; Sonja Ralston Elder, Enforcing Public Educational Rights Via a Private Right of Action, 1 Duke Forum For L. & Soc. Change 137, 154 (2009). --------------------------------------------------------------------------- B. Interaction with Federal Sectoral Laws In some cases, it may be appropriate for a baseline, comprehensive Federal privacy law to supersede and replace existing sectoral Federal laws where a consistent baseline set of obligations would be beneficial. In other cases, the wide range of existing sectoral laws, including privacy laws and anti-discrimination laws, may be well suited to address concerns around automated decision-making or unfair uses of data. C. Interaction with Global Privacy Frameworks The U.S. has an opportunity to demonstrate leadership, protect consumers, and facilitate commerce by crafting a Federal privacy law that ensures interoperability with international data protection laws. Just as the U.S. is currently confronting challenges posed by an assortment of privacy-focused state laws, disparate privacy regimes with varying degrees of privacy protections and controls are proliferating internationally. These laws and the corresponding multiplicity of compliance obligations adversely affect cross-border data flows and the multinational businesses that rely on such flows to remain competitive. Legislation should consider and address, as much as possible, interoperability with other nations' privacy frameworks.\71\ For example, legislation should promote interoperability with the most well-known example of a comprehensive privacy law, GDPR, which provides an extensive framework for the collection and use of personal data. The basic principles of GDPR should provide a reference for policymakers during the legislative process, with an understanding that the U.S. 
approach to privacy and other constitutional values may diverge in many areas, such as breadth of data subject rights, recognition of First Amendment rights, and the need for minimization requirements that may impact data use for AI and machine learning purposes. Also important for comparison are the OECD privacy guidelines and the APEC CBPS, particularly since the proposed United States-Mexico-Canada Agreement (USMCA), which Congress is reviewing as it considers ratification, recognizes the CBPR system as a valid data privacy compliance mechanism for data-transfers between the countries. --------------------------------------------------------------------------- \71\ Per a McKinsey report, ``Cross-border data flows are the hallmarks of 21st-century globalization. Not only do they transmit valuable streams of information and ideas in their own right, but they also enable other flows of goods, services, finance, and people.'' McKinsey Global Institute, Digital Globalization: The New Era of Global Flows, (March 2016) at 30, https://www.mckinsey.com//media/McKinsey/ Business%20Functions/McKinsey%20Digital/Our%20 Insights/ Digital%20globalization%20The%20new%20era%20of%20global%20flows/MGI- Digital-globalization-Full-report.ashx. --------------------------------------------------------------------------- A Federal baseline privacy law should also promote cross-border data flows by avoiding the creation of obligations that directly conflict with other international laws. For example, an emergence of recent data localization laws have expressly prohibited data transfers or mandated highly-restrictive regulatory environments, resulting in inefficient and burdensome requirements for activities including: data storage, management, processing, and analytics. 
Countries that erect these barriers to data flows often cite concerns about cybersecurity, national security, and privacy.\72\ Localization detrimentally impacts businesses,\73\ consumers who benefit from free flows of data, and potentially data security. Thoughtful data governance and oversight policies with data subject rights and other protections can address data protection issues without resorting to a regulatory environment that employs localization as a solution. --------------------------------------------------------------------------- \72\ The U.S. International Trade Commission and Department of Commerce have considered these concerns in a series of convenings and reports over the past several years. See e.g., U.S. Dept. of Commerce, Measuring the Value of Cross-Border Data, (Sept. 30, 2016), https://www .commerce.gov/news/fact-sheets/2016/09/measuring-value-cross-border- data-flows; U.S. Intl. Trade Comm'n, Global Digital Trade 1: Market Opportunities and Key Foreign Trade Restrictions, (Aug. 2017), https:// www.usitc.gov/publications/332/pub4716_0.pdf. \73\ For example, a U.S. International Trade Commission report notes that there are cost, speed, and security advantages to cloud- based technologies. U.S. Intl. Trade Comm'n, Global Digital Trade 1: Market Opportunities and Key Foreign Trade Restrictions, (Aug. 2017) at 20, https://www.usitc.gov/publications/332/pub4716_0.pdf. A 2016 McKinsey report found a 10.1 percent rise in GDP over 10 years is attributable to cross-border flows. McKinsey Global Institute, Digital Globalization: The New Era of Global Flows, (Mar. 2016) at 30, https:// www.mckinsey.com//media/McKinsey/Business%20Functions/ McKinsey%20Digital/Our%20Insights/Digital%20 globalization%20The%20new%20era%20of%20global%20flows/MGI-Digital- globalization-Full-report.ashx. --------------------------------------------------------------------------- 8. 
Rulemaking, Civil Penalties, and Enforcement No matter how well crafted, a privacy law will almost certainly require a well-resourced administrative mechanism to clarify certain terms and standards. In Europe, the GDPR contemplates that guidance from Data Protection Authorities will clarify key concepts and requirements. In California, the CCPA tasks the state attorney general with promulgating rules on complicated aspects of the statute. Under Federal law, Congress provided for the FTC to issue regulations under the COPPA statute that have helped define key provisions and enable the law's safe-harbor program for the collection and use of children's data. A comprehensive Federal privacy law is no different. I urge the Committee to carefully consider what aspects of a Federal law might benefit from regulatory clarity or guidance over time. And I urge legislative drafters to empower the FTC to provide such clarity, with specific parameters and considerations to take into account and subject to reasonable guardrails on the agency's authority. The Commission and other stakeholders have agreed, and noted that additional investigatory resources would be welcome.\74\ The Commission receives many consumer complaints and would benefit from the ability to hire more technology and legal experts. Enhanced resources, and the deeper understanding of technology and business practices they bring to the Commission, can lead to fairer outcomes for both individuals and companies. --------------------------------------------------------------------------- \74\ FTC Staff, FTC Staff Comment to the NTIA: Developing the Administration's Approach to Consumer Privacy, Docket No. 180821780- 8780-01 (November 9, 2019) https://www.ftc.gov/system/files/documents/ advocacy_documents/ftc-staff-comment-ntia-developing-administrations- approach-consumer-privacy/p195400_ftc_comment_to_ntia_112018.pdf. 
--------------------------------------------------------------------------- The authority to bring civil penalties is another key aspect of the FTC's current oversight of global technology firms. But today, the FTC can only fully exercise this oversight regarding companies with whom the Commission has entered into settlement agreements. Civil penalty authority in the first instance would enable the FTC to bring its oversight to bear on all companies that handle personal data, protecting individuals and consumers and leveling the playing field. It is also vital that technical assistance be provided if a new law is passed, particularly for small businesses. The FTC can help fulfill this role. A potential model for this is the U.S. Department of Education's Privacy Technical Assistance Center (PTAC), which has played a vital role in providing guidance, technical assistance, and best practices to states, districts, companies, and privacy advocates.\75\ --------------------------------------------------------------------------- \75\ U.S. Department of Education, Privacy Technical Assistance Center, https://studentprivacy.ed.gov. --------------------------------------------------------------------------- Finally, there has also been a growing recognition of the important role of state attorneys general in the creation and protection of evolving privacy norms.\76\ State attorneys general have brought enforcement actions that meaningfully push forward legal protections in many areas.\77\ As officials with a broad scope of authority and the freedom to respond to rapidly evolving privacy challenges, they should remain key partners in the enforcement of a baseline Federal information privacy law. --------------------------------------------------------------------------- \76\ Danielle Keats Citron, The Privacy Policymaking of State Attorneys General, 92 Notre Dame L. Rev. 747, 785-91 (2016), http://ndlawreview.org/wp-content/uploads/2017/02/NDL205.pdf. \77\ Id. 
--------------------------------------------------------------------------- Conclusion This is a critical juncture for U.S. policymaking. Privacy regulation is charging ahead in the EU and in the states. Now is the time for the United States as a nation to reassert its policy leadership, which stretches from Warren and Brandeis' 1890 treatise on The Right to Privacy,\78\ through William Prosser's explication of the privacy torts in 1960,\79\ to the Department of Health, Education, and Welfare's report first outlining the fair information practices in 1972,\80\ which are the cornerstone for every data protection framework from OECD to GDPR. --------------------------------------------------------------------------- \78\ Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harvard L. Rev. 193 (1890), https://www.cs.cornell.edu/shmat/courses/cs5436/warren-brandeis.pdf. \79\ William L. Prosser, Privacy, 48 Calif. L. Rev. 383 (1960), https://doi.org/10.15779/Z383J3C. \80\ Records, Computer, and the Rights of Citizens: Report of the Secretary's Advisory Committee on Automated Personal Data Systems, U.S. Dept. of Health & Human Services (1973), https://aspe.hhs.gov/report/records-computers-and-rights-citizens. --------------------------------------------------------------------------- Federal legislation should empower the FTC to rulemake and enforce and allow state AGs to retain enforcement powers. It should recognize broad spectrum of identifiability in definition of PII. It should provide heightened protection for sensitive data or contexts. It should not unduly restrict socially beneficial research and should find a way to enable crucial data-driven research. It should incentivize and recognize the privacy profession and PETs. In my view, the best approach would be for Congress to draft and pass a baseline, non-sectoral Federal information privacy law. 
Although I have flagged specific considerations related to such a law's content and its interaction with existing legal frameworks, I overall believe that a strong Federal law remains the best approach to guaranteeing clear, consistent, and meaningful privacy and security protections in the United States. APPENDED: A. Future of Privacy Forum, Infographic, Personal Data and the Organization: Stewardship and Strategy B. Future of Privacy Forum, Infographic, A Visual Guide to Practical De-Identification C. Future of Privacy Forum Infographic, Financial Data Localization: Conflicts and Consequences D. Future of Privacy Forum, Draft Legislative Language: ``Covered Data'' E. Future of Privacy Forum, Unfairness by Algorithm: Distilling the Harms of Automated Decision-making (December 2017) F. Future of Privacy Forum & Anti-Defamation League, Big Data: A Tool for Fighting Discrimination and Empowering Groups The Chairman. And thank you very much, sir. Mr. Steyer. STATEMENT OF JAMES P. STEYER, CHIEF EXECUTIVE OFFICER AND FOUNDER, COMMON SENSE MEDIA Mr. Steyer. Thank you, Chairman Wicker, Ranking Member Cantwell, and the distinguished members of this Committee. It is great to be here. I am Jim Steyer. I am the Founder and CEO of Common Sense Media. We are the leading kids' media and tech group in the United States. We launched about 15 years ago. Just for a little background, we have 110 million unique users every year on our consumer platform. We created an award-winning digital citizenship curriculum that is in most of the schools in your guys' states. And we have 75,000 member schools across the world, most of which are in the U.S., teaching kids about not just their privacy rights but the safe, responsible use of tech. I am also a prof at Stanford where I have taught constitutional law for the last 30 years. The one thing I would sort of say in general today is that as someone who has been a child advocate for 30 years--I am a father of four. I have got a 15-year-old. 
That is our youngest now. I think this is a major moment in time on these issues. It has been literally almost 20 years since the U.S. Congress did anything meaningful in the area of privacy. And right now, even though there are tens of millions of American families who are worried about privacy issues for themselves, but most of all for their children, there is only one state, the state that I live in, California, that has a comprehensive privacy law. And in fact, it was us at Common Sense Media who spearheaded that law last year, the CCPA that has been referred to. I just think it is this great moment in time where this body has to act. I always say when I get up in front of parents that 20 years ago Mark Zuckerberg was barely out of diapers. Google was a concept in sort of obscure math ideas. And this device did not even exist. But it is all here now and our kids are living on it and we are all living on it. And so during this time of extraordinary growth in the tech economy, we have got to come up with a comprehensive, smart, common sense privacy law that is going to protect all of us, all of our families, and most of all, our kids. Right now, there essentially are no guardrails when it comes to privacy federally. We have one law, the California law that we passed last year. It goes into effect in January. And then we have GDPR, which Ms. Dixon referred to. So it is high time that Congress and this august body stepped up to the plate and protected the fundamental privacy rights of every citizen in this country. The one thing that we saw very much in California when we passed the law is that it is a totally bipartisan issue. This is something that everybody ought to be able to agree on because we all are both the beneficiaries of the extraordinary aspects of the tech industry, but we are also the victims when privacy rights are violated, whether it is individually or whether it involves interference with our electoral process. 
So overwhelming majorities of Americans agree with us. The California law passed unanimously. And so I would just urge you to really work, as you do, as a bipartisan group to support comprehensive privacy laws now. Four big points that I would say to you. One, the California law is a floor, not a ceiling. Anything that should come out of this committee and this Senate should be stronger than the California law. I know. We negotiated it. We gave up a number of rights in order to get it passed. We worked with companies like Microsoft, Apple, and SalesForce to get it done. But this body should be looking at California as an absolute floor rather than as a ceiling. The second thing I would say is that kids and teens are the most vulnerable. They deserve special protection. As our good friend, Senator Markey, knows as well as anyone, kids need extremely important and unique protections. So as you consider the law, we hope you will put kids first and include teens in this law as well. Third, there needs to be ongoing public education, a public awareness campaign. The average American, I would argue the average Senator, is not a computer wizard or tech wizard. So once we have a law, we need to explain it to the public how to use it. That is a big thing we are going to start doing in California in 2020. But I would urge you to think about that, how do you make it simple, easy, and easily understandable for a luddite like me and some of you. And last but not least, I do want to raise the other thing. In the wake of the live streaming of mass shootings on Facebook a few weeks ago, and the inability of YouTube and other platforms to pull some of that extraordinarily inappropriate content for anyone, let alone children, down, we would urge you to think about it separately, the concept of section 230 in the safe harbor provision and what kind of regulations there ought to be, for kids in particular, of inappropriate content on the Web. 
At the end of the day, I think the bottom line is clear. This is your folks' moment to do something great for everybody in America on a bipartisan basis, and we are happy to help. Thank you very much for having me. [The prepared statement of Mr. Steyer follows:] Prepared Statement of James P. Steyer, Chief Executive Officer and Founder, Common Sense Media Good morning Chairman Wicker, Ranking Member Cantwell, and distinguished Committee Members. Thank you for the opportunity to appear before you, and for your willingness to engage with the complicated--but critically important--issue of consumer privacy. My name is James P. Steyer and I am the founder and CEO of Common Sense Media. Common Sense is America's leading organization dedicated to helping kids and families thrive in a rapidly changing digital world. We help parents, teachers, and policymakers by providing unbiased information, trusted advice, and innovative tools to help them harness the power of media and technology as a positive force in all kids' lives. Since launching 15 years ago, Common Sense has helped millions of families and kids think critically and make smart, responsible choices about the media they create and consume. Common Sense has over 108 million users and our award winning Digital Citizenship Curriculum is the most comprehensive K-12 offering of its kind in the education field; we have over 700,000 registered educators using our resources in over half of U.S. schools. Common Sense was a sponsor of California's precedent-setting consumer privacy law, the California Consumer Privacy Act (CCPA). We have also sponsored and supported privacy laws across the country and at the Federal level, including California's landmark Student Online Privacy Information Protection Act (SOPIPA) and the recently introduced bipartisan COPPA 2.0. Children And Teens Are Particularly Vulnerable When we started Common Sense a decade and a half ago, privacy was not a major concern for kids and families. 
But it has grown significantly as an issue over the past several years, to the point where we find ourselves today. Privacy concerns are particularly acute for kids: Ninety-eight percent of children under 8 in America have access to a mobile device at home.\1\ American teens consume an average of 9 hours a day of media,\2\ and half of teens report feeling addicted to their devices. Children today face surveillance unlike any other generation--their every movement online and off can be tracked by potentially dozens of different companies and organizations. Further, kids are prone to sharing and impulsive behavior, are more susceptible to advertising, and are less able to understand what may happen to their personal information.\3\ --------------------------------------------------------------------------- \1\ Common Sense: Technology Addiction: Concern, Controversy, and Finding Balance (2016) \2\ Ibid \3\ Children, Adolescents, and Advertising (2006) --------------------------------------------------------------------------- Unfortunately, too many companies are not protecting children's and their families' privacy. A recent analysis found that more than half of 6,000 free children's apps may serve kids ads that violate COPPA.\4\ 60 percent of connected devices don't provide proper information on how they collect, use and disclose users' personal information.\5\ Millions of kids and parents have had sensitive information--including family chats--exposed by connected toys.\6\ Data brokers are selling profiles of children as young as two (and identity theft can occur before a child's first birthday).\7\ --------------------------------------------------------------------------- \4\ Reyes et. al, ``Won't Somebody Think of the Children?'' Examining COPPA Compliance at Scale. 
Proceedings on Privacy Enhancing Technologies (2018) \5\ GPEN Privacy Sweep on Internet of Things (2016) \6\ Jensen, Data Breach Involving CloudPets ``Smart'' Toys Raises Internet-of-Things Security Concerns, Data Privacy + Security Insider (2017); and Real-World Reasons Parents Should Care About Kids and Online Privacy (2018) \7\ Ibid --------------------------------------------------------------------------- A growing lack of privacy and distrust of the online and tech world impacts every family, and could significantly impact the personal development of young people. At Common Sense, we believe kids need the freedom to make mistakes, try new things, and find their voices without the looming threat of a permanent digital record that could be used against them. It is our goal to help our millions of American members improve the digital wellbeing of their families--and while in many instances that means teaching parents, teachers, and kids good digital citizenship practices and privacy skills, it also means ensuring there are baseline protections in place. Even savvy digital citizens are powerless if they do not know what companies are doing with their information, if they cannot access, delete, or move their information, or if they have no choices with respect to the use and disclosure of their information. Families' Privacy Expectations And Desires What do families want in privacy protections? 
According to our research: More than 9 in 10 parents and teens think it's important that websites clearly label what data they collect and how it will be used.\8\ Those same numbers--more than 9 in 10--think it is important that sites ask permission before selling or sharing data.\9\ And almost 9 in 10, or 88 percent, think it is important to control whether data is used to target ads across devices.\10\ Speaking of devices, 93 percent of parents believe that with smart devices it is important to control what information is collected about them and to know when their voices are being recorded.\11\ --------------------------------------------------------------------------- \8\ Privacy Matters: Protecting Digital Privacy for Parents and Kids (2018) \9\ Ibid \10\ Ibid \11\ Ibid --------------------------------------------------------------------------- These views and data points informed the values--including consent, transparency, control, plus special protections for young people--that guided our approach to the privacy work we did in California. The California Consumer Privacy Act (CCPA) The CCPA is the first generally applicable consumer privacy law in America--not limited to financial or health information, or any specific entity--that recognizes that Americans have privacy rights in all of their information, no matter who holds it. Importantly, the California privacy law protects everyone, not just kids or students. This is born of our belief that, while children and teens need special safeguards, the best way to protect them is to have baseline protections for everyone: (1) so families are protected and (2) so businesses cannot pretend they are not dealing with kids. In California, a statewide ballot initiative focused on notice and saying no to sales of data was the catalyst that led to larger discussions to develop more comprehensive privacy legislation. 
At Common Sense, we worked hard to expand substantive rights under the law--including opt-in rights (which we achieved for minors under 16), and new access, deletion, and portability rights. The CCPA ultimately passed unanimously through both houses of the California legislature. The law goes into effect in 2020, and will allow California residents to access the personal information companies collect about them--as well as port their data to another platform, or demand the deletion of their data (with exceptions) if they wish. Californians will be empowered to tell companies to stop selling their personal information. And kids under 16 or their parents must actively consent before their data is ever sold. The Attorney General is charged with enforcing violations of the law--with a private right of action for certain data breaches--and the law applies equally to service providers, edge companies, and brick and mortar entities. Any Federal Law Should Build Upon California Like the CCPA, any Federal law must go beyond ``consent'', and include rights to access, port, and delete information. It must enable consumers to say no to the sharing of their information, and it would be even better if the law required that consumers say yes before their information is sold or shared--families would be better served if the rule for all people, not just minors under 16, was that companies could not sell information without opt-in approval. Indeed, the California law is a huge step forward, but it is not perfect and it does not offer consumers all of the protections they deserve. As this committee considers bipartisan Federal legislation, additional protections families want and deserve include: the rights to limit companies' own use of consumer information; the ability for consumers to enforce their own rights in court; and the assurance that companies are building default privacy protections (privacy by design) and practicing data minimization. 
Certain practices should be off limits, and individuals, especially children, should not be able to consent to them (such as, for example, manipulative user designs that subvert user autonomy, or behaviorally targeted marketing to kids). Privacy protections must be strong across the board, but they must recognize the unique vulnerabilities of children and teenagers. The bipartisan COPPA 2.0 offers an excellent example of the protections young people need: in addition to putting families in the driver's seat regarding information collection, use, and disclosure, COPPA 2.0 contains additional safeguards (and, for young children, flat prohibitions) around targeted and behavioral marketing; it would enhance the privacy and security of vulnerable connected devices families are bringing inside their homes; and it offers new resources and authority to the Federal Trade Commission to focus on examining the industry and enforcing these protections. Any law Congress passes should be at least as strong, if not stronger, than California's CCPA. The CCPA will go into effect next year, and it is clear from polling that vast majorities of Californians from all parties support it.\12\ What's more, it is also clear from other states that individuals and state legislators are not going to accept laws that are weak on privacy. --------------------------------------------------------------------------- \12\ California Voters Overwhelmingly Support Stronger Consumer Privacy Protections (2019); and Privacy Matters: Protecting Digital Privacy for Parents and Kids (2018) --------------------------------------------------------------------------- And, as with past Federal privacy laws, national legislation should ensure that there are baseline protections in place, but provide room and space for states to continue to innovate. 
A weak preemptive law would be a travesty of justice and take away rights from millions of consumers, not just the eighth of the country that lives in California but the many individuals who live in other states with strong privacy laws such as Illinois, with its biometric law, or Vermont, with its data broker registry. States have always been the first line of defense to protect individual citizens from scams and unfair business practices, and state tort law has protected the privacy of homes and persons. State innovation in the privacy sphere has brought us data security rules, laws applying directly to ed tech vendors, laws protecting the privacy of our bodies, and laws shining light on data brokers. The speed of technology is lightning fast, and states are in a position to act nimbly and innovate, just like businesses. States are true laboratories of democracy, and in the past few decades they have been engaging on privacy and working with consumers and businesses to determine workable new protections and safeguards. Any Law Must Be Coupled With Consumer Education It is critical that any new law be coupled with effective consumer education. From our research at Common Sense, we know that families crave better privacy protections. We also know that some are taking measures to try and protect themselves--for example, 86 percent of parents and 79 percent of teens have adjusted privacy settings on social media sites.\13\ But in many instances, families have the desire but lack the knowledge. 
In discussing connected devices with parents, we learned 71 percent would like to limit data collection, but a full third do not know how.\14\ --------------------------------------------------------------------------- \13\ Privacy Matters: Protecting Digital Privacy for Parents and Kids (2018) \14\ Ibid --------------------------------------------------------------------------- This is why it is important to have companies build products, platforms and services with the most protective privacy defaults possible. It is also why kids and adults need to know how to exercise their privacy rights. Education is imperative in this regard. As I mentioned, Common Sense is committed to giving parents and teachers the information they need to make informed choices about the apps they use with their children at home and the learning tools they use with students in the classroom. We provide expert advice articles and privacy evaluations for parents to learn more about how they can protect their kids' privacy and we empower schools and districts to thoroughly assess technology products used in K-12 classrooms. We collaborate with hundreds of school and district partners and provide assistance to software developers to make sure their privacy practices are transparent and comprehensive and created with kids' best interests in mind. We also provide a high-quality Digital Citizenship Curriculum for school communities that supports teachers with improved classroom tools, and prepares kids to take ownership of their digital lives. At present, across the country, opportunities to empower individuals to make real decisions or protect their privacy are few and far between. Companies offer a ``take it or leave it'' framework that, because of jobs, school requirements, or an interest in participating in democratic life, individuals feel forced to accept. 
We must ensure consumers have default protections in place, and we must also work to educate them about additional, or alternative, choices. Digital citizenship education should be a part of school curriculums, and requires more support and funding. What's more, privacy protections are just one piece of the puzzle. As young people live more and more of their lives online, they face an ever expanding array of opportunities and risks. In addition to protecting children and families' privacy, we must endeavor to provide all kids with access to high quality content, and protect them from being exposed to the worst of humanity with the click of a button, scroll of a feed, or failure to stop a new video from autoplaying. We must consider, as a country, whether laws like Section 230 are serving the best interest of our children, and what we can do to improve the entirety of their digital experience. Conclusion Thank you again for your bipartisan efforts to address consumer privacy. It's critical that we teach individuals how to protect themselves, but the burden should not fall entirely on consumers, especially on kids and families. We have seen many businesses will not protect consumer privacy on their own. We need a strong Federal baseline privacy law, that offers everyone protections and recognizes the special vulnerabilities of children and teens. The Chairman. Thank you very much, Mr. Steyer. Ms. Guliani. STATEMENT OF NEEMA SINGH GULIANI, SENIOR LEGISLATIVE COUNSEL, WASHINGTON LEGISLATIVE OFFICE, AMERICAN CIVIL LIBERTIES UNION Ms. Guliani. Thank you for the opportunity to testify today on behalf of the ACLU. We are all here because the current privacy regime is broken and it is failing consumers. Lack of privacy affects everyday life. It can increase unfair discrimination, exacerbate economic inequality, and even threaten physical safety. 
For example, studies have documented how some retailers charge customers different prices based on things like their Zip code or their browsing habits. In many cases, consumers are not even aware their information is being collected, much less how they can protect themselves against these types of uses. In another study, online mortgage lenders charge black and Latin borrowers more and higher rates for their loans, replicating the types of discrimination that Federal laws like the Equal Credit Opportunity Act were designed to prevent. The ACLU strongly supports Federal privacy legislation to address problems like these. There are many elements that such legislation should include, but I want to highlight four areas in particular that are of concern. The first is any Federal law should be a floor, not a ceiling. Some industry representatives have urged you to broadly preempt State laws as part of any Federal legislation. I want to be crystal clear here. This would be a bad deal for consumers. If Congress uses Federal privacy legislation as an opportunity to broadly preempt State laws, it will cause more harm than good. As an organization with affiliates in every state, the ACLU has been at the forefront of many efforts to pass strong State privacy laws. We know firsthand that in many cases it has been states, not Congress, that have led efforts to protect consumers. California was the first State in the Nation to require companies to notify customers of a data breach, and just last year it passed a broader consumer privacy bill that you all are familiar with. Illinois has set important limits on the commercial collection and storage of biometric information, and nearly all states regulate unfair and deceptive trade practices, complementing the FTC's authority in this area. These states have acted as laboratories. They have experimented and innovated with new ways to protect consumers. 
We should be wary of the Federal Government stepping in and with one stroke of a pen wiping out dozens of State laws already on the books and preventing future ones. Broad preemption, in fact, would represent a shift in the approach taken by many Federal laws. HIPAA allows states to enact more stringent privacy protections for health information, and Federal civil rights laws have historically allowed states to pass higher standards. This is one of the reasons we have State laws that protect against discrimination on the basis of sexual orientation, despite the gaps in Federal law. Federal legislation must certainly account for cases where it would be impossible to comply with both a State and Federal law. But that can be accomplished through a narrow and clear preemption provision that addresses conflicts and explicitly preserves the rights of states to pass stronger laws and to enforce those laws. Two, any privacy legislation should allow consumers to sue companies that violate their rights. The FTC undoubtedly needs more power and more resources. But even if its size were doubled or even tripled, there would be giant enforcement gaps. This is part of the reason that the California Attorney General recently supported legislation to strengthen California's law with a privacy right of action. In discussing the legislation, he said, quote, we need to have some help. He highlighted that individuals should be able to enforce their rights in cases where the government was not able to take action. Polling in California has found that 94 percent of consumers support being able to take a company to court if their privacy rights are violated. Three, legislation should protect against discrimination. There must be the resources and the technical expertise to enforce existing Federal laws that prohibit discrimination in the housing, credit, and employment context. 
In addition, however, Federal law must be strengthened to prohibit advertisers from offering different price, services, and opportunities to individuals based on protected characteristics like race and gender. And consumers must also have the tools to address algorithms or machine learning tools that disparately impact individuals on the basis of such protected characteristics. Finally, there should be guardrails on how data can be collected, stored, and used. For example, use of information should be limited to the purpose for which it was collected unless there is additional informed consent. And we should also prohibit so-called pay for privacy schemes that threaten to create privacy haves and have-nots and risk causing disastrous consequences for people who are already struggling financially. Without these protections a new Federal law risks being a step backward, not forward. I look forward to answering your questions. [The prepared statement of Ms. Guliani follows:] Prepared Statement of Neema Singh Guliani, Senior Legislative Counsel, Washington Legislative Office, American Civil Liberties Union Chairman Thune, Ranking Member Cantwell, and Members of the Committee, Thank you for the opportunity to testify on behalf of the American Civil Liberties Union (ACLU)\1\ and for holding this hearing on, ``Consumer Perspectives: Policy Principles for a Federal Data Privacy Framework.'' --------------------------------------------------------------------------- \1\ For nearly 100 years, the ACLU has been our Nation's guardian of liberty, working in courts, legislatures, and communities to defend and preserve the individual rights and liberties that the Constitution and laws of the United States guarantee everyone in this country. With more than three million members, activists, and supporters, the ACLU is a nationwide organization that fights tirelessly in all 50 states, Puerto Rico and Washington, D.C., to preserve American democracy and an open government. 
--------------------------------------------------------------------------- Privacy impacts virtually every facet of modern life. Personal information can be exploited to unfairly discriminate, exacerbate economic inequality, or undermine security. Unfortunately, our existing laws have not kept pace with technology, leaving consumers with little ability to control their own personal information or recourse in cases where their rights are violated. And, as numerous examples illustrate, consumers are paying the price. Studies have documented how several retailers charged consumers different prices by exploiting information related to their digital habits inferred from people's web-browsing history.\2\ Some online mortgage lenders have charged Latino and Black borrowers more for loans, potentially by determining loan rates based on machine learning and patterns in big data.\3\ And, sensitive data about the location and staffing of U.S. military bases abroad was reportedly revealed inadvertently by a fitness app that posted the location information of users online.\4\ --------------------------------------------------------------------------- \2\ Aniko Hannak, et al., Measuring Price Discrimination and Steering on E-commerce Web Sites, PROCEEDINGS OF THE 2014 CONFERENCE ON INTERNET MEASUREMENT CONFERENCE, 2014, at 305-318, http://doi.acm.org/10.1145/2663716.2663744. \3\ ROBERT BARTLETT, ADAIR MORSE, RICHARD STANTON & NANCY WALLACE, CONSUMER-LENDING DISCRIMINATION IN THE ERA OF FINTECH 4 (2018), http://faculty.haas.berkeley.edu/morse/research/papers/discrim.pdf?_ga=2.121311752.1273672289.1556324969-25127549.1556324969. \4\ Alex Hern, Fitness Tracking App Strava Gives Away Location of Secret U.S. Army Bases, THE GUARDIAN (Jan. 28, 2018), https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases. 
--------------------------------------------------------------------------- The current privacy landscape is untenable for consumers. The ACLU supports strong baseline Federal legislation to protect consumer privacy. I would like to emphasize several issues that are of particular concern to the ACLU and our members. The ACLU strongly urges Congress to ensure that any Federal privacy legislation, at a minimum, (1) sets a floor, not a ceiling, for state level protections; (2) contains robust enforcement mechanisms, including a private right of action; (3) prevents data from being used to improperly discriminate on the basis of race, sexual orientation, or other protected characteristics; and (4) creates clear and strong ground rules for the use, collection, and retention of consumers' personal data, which does not rest solely on the flawed notice and consent model. I. Federal legislation should not prevent states from putting in place stronger consumer protections or taking enforcement action Any Federal privacy standards should be a floor--not a ceiling--for consumer protections. The ACLU strongly opposes legislation that would, as some industry groups have urged, preempt stronger state laws.\5\ Such an approach would put existing consumer protections, many of which are state-led, on the chopping block and prevent additional consumer privacy protections from ever seeing the light of day. We also oppose efforts to limit the ability of state Attorneys General or other regulators from suing, fining, or taking other actions against companies that violate their laws. --------------------------------------------------------------------------- \5\ See U.S. Chamber of Commerce, U.S. Chamber Privacy Principles, (Sept. 6, 2018), available at https://www.uschamber.com/issue-brief/us-chamber-privacy-principles; Internet Association, Privacy Principles, available at https://internetassociation.org/positions/privacy/. 
--------------------------------------------------------------------------- There are multiple examples of states leading the charge to pass laws to protect consumer privacy from new and emerging threats. For example, California was the first state in the Nation to require that companies notify consumers \6\ of a data breach (all states have since followed suit),\7\ the first to mandate that companies disclose through a conspicuous privacy policy the types of information they collect and share with third parties,\8\ and among the first to recognize data privacy rights for children.\9\ The state's recently passed California Consumer Privacy Act of 2018, which goes into effect next year, is also the first in the Nation to apply consumer protections to a broad range of businesses, including provisions that limit the sale of personal information, give consumers the right to delete and obtain information about how their data is being used, and provide a narrow private right of action for some instances of data breach. --------------------------------------------------------------------------- \6\ See California Civil Code s.1798.25-1798.29. \7\ See National Conference of State Legislatures, Security Breach Notification Laws, (Sept. 29, 2018), available at http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. \8\ See California Code, Business and Professions Code--BPC Sec. 22575. \9\ See California Code, Business and Professions Code--BPC Sec. 22582. 
--------------------------------------------------------------------------- Similarly, Illinois has set important limits on the commercial collection and storage of biometric information, such as fingerprints and face prints.\10\ Idaho, West Virginia, Oklahoma, and other states have passed laws to protect student privacy.\11\ Nevada and Minnesota require Internet service providers to keep certain information about their customers private and to prevent disclosure of personally identifying information.\12\ Arkansas and Vermont have enacted legislation to prevent employers from requesting passwords to personal Internet accounts to get or keep a job. At least 34 states also require private or governmental entities to conduct data minimization and/or disposal of personal information,\13\ and 22 have laws implementing data security measures.\14\ --------------------------------------------------------------------------- \10\ See Biometric Information Privacy Act, 740 ILCS 14/, http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57. \11\ See Center for Democracy and Technology, State Student Privacy Law Compendium (Oct. 2016), available at https://cdt.org/files/2016/10/CDT-Stu-Priv-Compendium-FNL.pdf. \12\ See National Conference of State Legislatures, Privacy Legislation Related to Internet Service Providers-2018 (Oct. 15, 2018), available at http://www.ncsl.org/research/telecommunications-and-information-technology/privacy-legislation-related-to-internet-service-providers-2018.aspx. \13\ See National Conference of State Legislatures, Data Disposal Laws, available at http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx. \14\ See National Conference of State Legislatures, Data Security Laws (Oct. 15, 2018), available at http://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx. 
--------------------------------------------------------------------------- Historically, states have also served a critical enforcement role in the consumer space, as illustrated by the recent Equifax breach. As a result of that breach, the data of over 140 million consumers were exposed due to what some members of Congress referred to as ``malfeasance'' on the part of the company.\15\ Despite this, the company posted record profits the following year, and consumers still have not been fully compensated for the cost of credit freezes the breach made necessary. While the FTC has an ongoing investigation, it has yet to take action. In the meantime, the Massachusetts attorney general is currently suing Equifax seeking damages in an attempt to obtain compensation for individuals impacted by the breach. In addition, several state regulators have entered into a consent decree with the company that puts in place new requirements.\16\ --------------------------------------------------------------------------- \15\ Kevin Liles, Hack Will Lead to Little, if Any, Punishment for Equifax, N.Y. TIMES (Sept. 20, 2017), available at https://www.nytimes.com/2017/09/20/business/equifax-hack-penalties.html. \16\ Kate Fazzini, Equifax Gets New To-do List, But No Fines or Penalties, CNBC (Jun. 27, 2018), https://www.cnbc.com/2018/06/27/equifax-breach-consent-order-issued.html. --------------------------------------------------------------------------- States have been and will continue to be well-positioned to respond to emerging privacy challenges in our digital ecosystem. New technology will likely require additional protections and experimenting with different solutions, and states can serve as laboratories for testing these solutions. Thus, we should avoid preemption that could lock in place Federal standards that may soon be obsolete or prevent states from fully utilizing their enforcement capabilities. 
Preemption would not only be bad for consumers, it would represent a shift in the approach taken by many of our existing laws. For example, the Telecommunications Act explicitly allows states to enforce additional oversight and regulatory systems for telephone equipment, provided they do not interfere with Federal law; it also permits states to regulate additional terms and conditions for mobile phone services. Title I of the Affordable Care Act permits states to put in place additional consumer protections related to coverage of health insurance plans, and HIPAA similarly allows states to enact more stringent protections for health information. In addition, all 50 states in some way regulate unfair or deceptive trade practices, an area also governed by section 5 of the FTC Act.\17\ While the strength of these state laws varies, they are harmonious with the FTC's mandate and are integral to manageable privacy regulation enforcement. Such coordination has historically allowed states to fill gaps that Federal regulators simply do not have the resources or expertise to address. (An Appendix of additional state privacy laws is attached to this testimony.) --------------------------------------------------------------------------- \17\ Carolyn Carter, Consumer Protection in the States: A 0-State Report on Unfair and Deceptive Acts and Practices Statutes, National Consumer Law Center, (Feb. 2019), available at https://www.nclc.org/images/pdf/udap/report_50_states.pdf. --------------------------------------------------------------------------- We recognize that any Federal legislation must account for conflicts in cases where it would be impossible for an entity to comply with both Federal and state laws. However, this can be accomplished through a clear, narrow conflict-preemption provision, which explicitly preserves stronger state laws that do not undermine Federal standards, maintains state enforcement capabilities, and retains state consumer remedies. II. 
Federal legislation must contain strong enforcement mechanisms, including a private right of action Federal privacy legislation will mean little without robust enforcement. Thus, any legislation should grant greater resources and enforcement capabilities to the FTC and permit state and local authorities to fully enforce Federal law. To fill the inevitable government enforcement gaps, however, the ACLU urges Congress to ensure that Federal legislation also grants consumers the right to sue companies for privacy violations. The FTC has a long history of protecting consumer privacy in the United States. But, alone and with current resources and authorities, it cannot effectively police privacy alone. In the last 20 years, the number of employees at the FTC has grown only slightly.\18\ And the number of employees in the Division of Privacy and Identity Protection (DPIP) and the Division of Enforcement, which are responsible for the agency's privacy and data security work, stands at approximately 50 and 44 people, respectively.\19\ To put this in perspective, this is smaller than the Washington, D.C. offices of many large technology companies alone. Both the FTC as a whole and DPIP require additional resources and employees to address the outsize risks to privacy facing consumers. --------------------------------------------------------------------------- \18\ FTC Fiscal Year 2019 Budget, p. 4, https://www.ftc.gov/system/files/documents/reports/fy-2019-congressional-budget-justification/ftc_congressional_budget_justification_fy_2019.pdf \19\ Id. at 18. 
--------------------------------------------------------------------------- And for the agency's investigations and enforcement actions to have meaningful deterrent effect, the FTC should be given authority to levy significant civil penalties in consumer protection actions for the first violation, rather than only in cases where a company is already under a consent decree.\20\ It was recently announced that Facebook has set aside 3 to 5 billion dollars to pay a potential fine to the FTC for its mishandling of personal information, including conduct related to Cambridge Analytica.\21\ Following this announcement, Facebook's stock value surged nonetheless, suggesting that the FTC's current enforcement powers are woefully lacking when measured against the earning potential of the largest online businesses. --------------------------------------------------------------------------- \20\ See Testimony of FTC Chairman Joseph Simons Before the House Committee on Energy and Commerce, 6 (``Section 5 does not provide for civil penalties, reducing the Commission's deterrent capability''), available at https://www.ftc.gov/system/files/documents/public_statements/1394526/p180101_ftc_testimony_re_oversight_house_07182018.pdf. \21\ Elizabeth Dwoskin and Tony Romm, Facebook Sets Aside Billions of Dollars for Potential FTC Fine, Washington Post (April 24, 2019), https://www.washingtonpost.com/technology/2019/04/24/facebook-sets-aside-billions-dollars-potential-ftc-fine/?utm_term=.b09f3d5a6bbd --------------------------------------------------------------------------- To augment the limited Federal enforcement resources, state and local enforcement entities should also be given the power to investigate and enforce Federal privacy law. 
This aligns with the approach taken by other laws, including the Fair Debt Collection Practices Act, which is enforceable by state Attorneys General as well as through a private right of action.\22\ --------------------------------------------------------------------------- \22\ Letter from Attorneys General of Twenty-One States to House and Senate Leadership, April 19, 2018, https://ag.ny.gov/sites/default/files/hr_5082_multistate_letter.pdf. --------------------------------------------------------------------------- Even with these reforms, however, the scale and scope of potential harm associated with poor privacy practices are too extensive to be left to regulators.\23\ Government enforcement will inevitably have gaps. Thus, providing consumers a private right of action is also critical from an enforcement standpoint--a concept reflected in several state approaches. For example, the Illinois Biometric Information Privacy Act permits aggrieved individuals whose rights are violated to file suit to seek damages.\24\ The Illinois Supreme Court has interpreted the law as providing a private right of action to individuals who allege a statutory violation of the law.\25\ Similarly, recently, the California Attorney General supported legislation that would provide a private right of action to consumers in the privacy context, noting ``We need to have some help. And that's why giving [consumers] their own private right to defend themselves in court if the Department of Justice decides it's not acting--for whatever number of good reasons--that's important to be able to truly say. . 
.you have rights.'' \26\ --------------------------------------------------------------------------- \23\ See Letter from California Attorney General Xavier Becerra to California Assemblymember Ed Chau and Senator Robert Hertzberg, August 22, 2018 (``The lack of a private right of action, which would provide a critical adjunct to governmental enforcement, will substantially increase the [Attorney General's Office's] need for new enforcement resources. I urge you to provide consumers with a private right of action under the [California Consumer Privacy Act].''), available at https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=2801&context=historical. \24\ Biometric Information Privacy Act, supra note 10, 740 ILCS 14/, Section 20. \25\ Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (2019). \26\ Cheryl Miller, Becerra Backs Bill Giving Consumers Power to Sue for Data Privacy Violations, LAW.COM: THE RECORDER (Feb. 25, 2019), https://www.law.com/therecorder/2019/02/25/becerra-backs-bill-giving-consumers-power-to-sue-for-data-privacy-violations/. --------------------------------------------------------------------------- In order to be effective, a private right of action should have two key protections for consumers. First, it should specify statutory damages for all violations of privacy rights, not just instances where a consumer has offered conclusive proof of tangible damages. When conduct is potentially harmful, statutory damages offer a compelling solution. In copyright infringement, for example, statutory damages can range from $750 to $30,000 per work infringed.\27\ Similarly, the Fair Debt Collection Practices Act provides for statutory damages of up to $1,000 per violation.\28\ These statutory-damage provisions encourage rigorous compliance by establishing that violations carry a significant penalty. Privacy law should do the same. --------------------------------------------------------------------------- \27\ 17 U.S.C. Sec. 
504(c)(2). \28\ 15 USC 1692k. --------------------------------------------------------------------------- Second, consumers should be protected against mandatory arbitration clauses buried in terms of service that restrict their rights to have a court hear their claims and undermine the ability of class actions to collectively redress privacy violations.\29\ One Federal judge called these arbitration clauses ``a totally coerced waiver of both the right to a jury and the right of access to the courts'' that are ``based on nothing but factual and legal fictions.'' \30\ Similarly, in a dissent in this term's Lamps Plus case, Justice Ginsburg noted, ``mandatory individual arbitration continues to thwart `effective access to justice' for those encountering diverse violations of their legal rights.'' \31\ Privacy law should neither tolerate such waivers nor indulge the legal and factual fictions that underlie them. --------------------------------------------------------------------------- \29\ Jessica Silver-Greenberg & Robert Gebeloff, Arbitration Everywhere, Stacking the Deck of Justice, N.Y. Times, October 31, 2015, https://www.nytimes.com/2015/11/01/business/deal book/arbitration-everywhere-stacking-the-deck-of-justice.html. \30\ Meyer v. Kalanick, 291 F. Supp. 3d 526, 529 (S.D.N.Y. 2018). \31\ Lamps Plus v. Varela, 587 U.S. __(2019)(Ginsburg, R., dissenting). --------------------------------------------------------------------------- III. Federal legislation should guard against discrimination in the digital ecosystem Existing Federal laws prohibit discrimination in the credit, employment, and housing context. Any Federal privacy legislation should ensure such prohibitions apply fully in the digital ecosystem and are robustly enforced. In addition, we urge Congress to strengthen existing laws to guard against unfair discrimination, including in cases where it may stem from algorithmic bias. 
Many online providers have been slow to fully comply with Federal antidiscrimination laws. The rise of big data and personalized marketing has enabled new forms of discrimination that run afoul of existing Federal laws, including Title VII of the Civil Rights Act, the Age Discrimination in Employment Act, the Fair Housing Act, and the Equal Credit Opportunity Act. For example, Facebook recently settled a lawsuit brought by ACLU and other civil rights organizations amid allegations that it discriminated on the basis of gender and age in targeting ads for housing and employment.\32\ The lawsuit followed repeated failures by the company to fully respond to studies demonstrating that the platform improperly permitted ad targeting based on prohibited characteristics, like race, or proxies for such characteristics. The company is also now the subject of charges brought by the Department of Housing and Urban Development (HUD), which includes similar allegations.\33\
---------------------------------------------------------------------------
\32\ ACLU, Facebook Agrees to Sweeping Reforms to Curb Discriminatory Ad Targeting Practices (Mar. 19, 2019), https://www.aclu.org/news/facebook-agrees-sweeping-reforms-curb-discriminatory-ad-targeting-practices.
\33\ Complaint of Discrimination Against Facebook, FHEO No. 01-18-032308, https://www.hud.gov/sites/dfiles/Main/documents/HUD_v_Facebook.pdf.
---------------------------------------------------------------------------
Outside the credit, employment, and housing contexts, discriminatory targeting and marketing may also raise civil rights concerns. For example, commercial advertisers should not be permitted to offer different prices, services, or opportunities to individuals, or to exclude them from receiving ads offering certain commercial benefits, based on characteristics like their gender or race.
And regulators and consumers should be given information and tools to address algorithms or machine learning models that disparately impact individuals on the basis of protected characteristics.

Federal law must be strengthened to address these challenges. First, Federal privacy law should make clear that existing antidiscrimination laws apply fully in the online ecosystem, including in online marketing and advertising. Federal agencies that enforce these laws, like HUD, the EEOC, and the Consumer Financial Protection Bureau, should be fully resourced and given the technical capabilities to vigorously enforce the law in the context of these new forms of digital discrimination. In addition, companies should be required to audit their data processing practices for bias and privacy risks, and such audits should be made available to regulators and disclosed publicly, with redactions if necessary to protect proprietary information. Finally, researchers should be permitted to independently audit platforms for bias, and Congress should not permit enforcement of terms of service that interfere with such testing.

IV. Federal privacy legislation must place limits on how personal information can be collected, used, and retained

Legislation must include real protections that consider the modern reality of how people's personal information is collected, retained, and used. The law should limit the purposes for which consumer data can be used, require purging of data after permissible uses have completed, prevent coercive conditioning of services on waiving privacy rights, and limit so-called ``pay for privacy'' schemes. Otherwise, we risk ending up in the same place we began--with consumers simply checking boxes to consent with no real understanding of or control over how their data will be used.
This current broken privacy regime has largely been built around the concept of ``notice and consent'': as long as a company includes a description of what it is doing somewhere in a lengthy fine-print click-through ``agreement,'' and the consumer ``agrees'' (which they must do to utilize a service), then the company is broadly regarded as having met its privacy obligations. And legally, a company is most vulnerable if it violates specific promises in those click-through agreements or other advertisements.\34\ An ecosystem of widespread privacy invasions has grown out of the impossible legal fiction that consumers read and understand such agreements.\35\ The truth is that consumers do not have real transparency into how their data is being used and abused, and they do not have meaningful control over how their data is used once it leaves their hands.
---------------------------------------------------------------------------
\34\ Dave Perrerra, FTC privacy enforcement focuses on deception, not unfairness, Mlex Market Insight, February 22, 2019, available at https://mlexmarketinsight.com/insights-center/editors-picks/Data-Protection-Privacy-and-Security/north-america/ftc-privacy-enforcement-focuses-on-deception,-not-unfairness.
\35\ See Alex Madrigal, Reading the Privacy Policies You Encounter in a Year Would Take 76 Work Days, THE ATLANTIC (Mar. 1, 2012), available at https://www.theatlantic.com/technology/archive/2012/03/reading-the-privacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/.
---------------------------------------------------------------------------
Worse, technologists and academics have found that advertising companies ``innovate'' in online tracking technologies to resist consumers' attempts to defeat that tracking. This is done by, for example, using multiple identifiers that replicate each other, virus-like, when users attempt to delete them.
Technical circumvention of privacy protections is sufficiently commonplace that data brokers are even offering what is effectively re-identification as a service, promising the ability to ``reach customers, not cookies.'' \36\ Advertisers, the experts conclude, ``use new, relatively unknown technologies to track people, specifically because consumers have not heard of these techniques. Furthermore, these technologies obviate choice mechanisms that consumers exercise.'' \37\
---------------------------------------------------------------------------
\36\ Reach Customers, Not Just Cookies, LiveRamp Blog, September 10, 2015 (available at https://liveramp.com/blog/reach-customers-not-just-cookies/) (``Cookies are like an anonymous ID that cannot identify you as a person.'').
\37\ Chris Jay Hoofnagle, et al, Behavioral Advertising: The Offer You Cannot Refuse, 6 Harvard Law & Policy Review (Aug. 2010), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2137601.
---------------------------------------------------------------------------
In short, not only have consumers lost control over how and when they are monitored online, companies are actively working to defeat efforts to resist that monitoring. Currently, individuals who want privacy must attempt to win a technological arms race with the multi-billion dollar Internet-advertising industry.

American consumers are not content with this state of affairs. Numerous polls show that the current online ecosystem makes people profoundly uncomfortable.\38\ Similarly, recent polling released by the ACLU of California showed overwhelming support for measures adding strong privacy protections to the law, including requiring that companies get permission before sharing people's personal information.\39\
---------------------------------------------------------------------------
\38\ See, e.g., Marc Fisher & Craig Timberg, Americans Uneasy About Surveillance but Often Use Snooping Tools, Post Poll Finds, Wash. Post (Dec. 21, 2013), https://www.washingtonpost.com/world/national-security/americans-uneasy-about-surveillance-but-often-use-snooping-tools-post-poll-finds/2013/12/21/ca15e990-67f9-11e3-ae56-22de072140a2_story.html; Edward Baig, Internet Users Say, Don't Track Me, U.S.A. Today (Dec. 14, 2010), http://usatoday30.usatoday.com/money/advertising/2010-12-14-donottrackpoll14_ST_N.htm; Joseph Turow et al., Contrary to What Marketers Say, Americans Reject Tailored Advertising and Three Activities that Enable It (2009), https://www.nytimes.com/packages/pdf/business/20090929-Tailored_Advertising.pdf.
\39\ California Voters Overwhelmingly Support Stronger Consumer Privacy Protections, New Data Shows, ACLU of Northern California, available at https://www.aclunc.org/news/california-voters-overwhelmingly-support-stronger-consumer-privacy-protections-new-data-shows.
---------------------------------------------------------------------------
To address these deficiencies, privacy legislation should include a meaningful ``opt-in'' baseline rule for the collection and sharing of personal information. To be meaningful, protections must not allow businesses to force consumers, in order to participate fully in society, to ``agree'' to arcane, lengthy agreements that they cannot understand. Legislation should also support technological opt-in mechanisms such as ``do not track'' flags in web browsers by requiring that companies honor those flags.

In addition to this, Federal legislation should approach the collection (and especially use) of personal information that is not necessary for the provision of a service with skepticism. Moreover, the law should reject so-called ``pay-for-privacy'' schemes, which allow companies to offer a more expensive or lower quality product to people who exercise privacy rights.
These kinds of schemes discourage everyone from exercising their privacy rights, and risk causing disastrous follow-on consequences for people who are already financially struggling.\40\ Privacy is a right that everyone should have, not just people with the ability to pay for it.
---------------------------------------------------------------------------
\40\ Mary Madden, The Devastating Consequences of Being Poor in the Digital Age, The New York Times, April 25, 2019 (``When those who influence policy and technology design have a lower perception of privacy risk themselves, it contributes to a lack of investment in the kind of safeguards and protections that vulnerable communities both want and urgently need.'') (available at https://www.nytimes.com/2019/04/25/opinion/privacy-poverty.html).
---------------------------------------------------------------------------

V. Conclusion

The current Federal privacy framework is failing consumers. But, in enacting Federal privacy legislation, Congress must ensure that it does not do more harm than good by preempting existing and future state laws that protect consumers. Moreover, it must ensure that its reforms amount to more than just a fig leaf. Consumers do not need another box to check; they need limits on how companies can treat their data, the ability to enforce their privacy rights in court, and protection against digital discrimination. These reforms and others are necessary to prevent exploitation of data from being used to exacerbate inequality, unfairly discriminate, and undermine security.

Appendix. State Privacy Laws

The chart below provides a list of some existing state privacy laws. This is not an exhaustive list of all state consumer privacy laws, nor does it include all general laws that may be relevant in the consumer privacy context.
------------------------------------------------------------------------
State | Summary and/or Relevant Provisions | Source
------------------------------------------------------------------------
Alabama | Data security. Requires business entities and government to provide notice to certain persons upon a breach of security that results in the unauthorized acquisition of sensitive personally identifying information. Provides standards of reasonable security measures and investigations into breaches. | Ala. Code 1975 Sec. 8-38-1 to 12 (``Alabama Data Breach Notification Act of 2018'')
 | Deceptive Trade Practices Act. Broadly prohibits unfair, deceptive, or unconscionable acts. Creates a private right of action and gives Attorney General and district attorneys power to enforce statute. | Ala. Code Sec. Sec. 8-19-1 to 15
------------------------------------------------------------------------
Alaska | Breach notification law that provides for: (1) notice requirement when a breach of security concerning personal information has occurred; (2) ability to place a security freeze on a consumer credit report; (3) various restrictions on the use of personal information and credit information; (4) disposal of records containing personal information; (5) allowing a victim of identity theft to petition the court for a determination of factual innocence; and (6) truncation of credit card information. The SSN section also states that no one can require disclosure of a SSN to access a product or service. | Alaska Stat. Ann. Sec. 45.48.010 (``Alaska Personal Information Act'')
 | State constitution: ``The right of the people to privacy is recognized and shall not be infringed. The legislature shall implement this section.'' | Alaska Const. art. I, Sec. 22
 | Unfair Trade Practices and Consumer Protection Act. Broadly prohibits unfair, deceptive, or unconscionable acts. Creates a private right of action and gives Attorney General and district attorneys power to enforce statute. | Alaska Stat. Sec. Sec. 45.50.471 to .561
 | When disposing of records that contain personal information, a business and a governmental agency shall take all reasonable measures necessary to protect against unauthorized access to or use of the records. | Alaska Stat. Sec. 45.48.500
------------------------------------------------------------------------
Arizona | Provides that public library or library systems shall not allow disclosure of records or other information which identifies a user of library services as requesting or obtaining specific materials or services or as otherwise using the library. | Ariz. Rev. Stat. Sec. 41-151.22
 | State constitution: ``No person shall be disturbed in his private affairs, or his home invaded, without authority of law.'' | Ariz. Const. art. II Sec. 8
 | Consumer Fraud Act. Broadly prohibits unfair, deceptive, or unconscionable acts. Gives Attorney General power to enforce statute. | Ariz. Rev. Stat. Ann. Sec. Sec. 44-1521 through 44-1534
 | Entity must discard and dispose of records containing personal identifying information. Enforceable by attorney general or a county attorney. | Ariz. Rev. Stat. Sec. 44-7601
------------------------------------------------------------------------
Arkansas | Requires government websites or state portals to establish privacy policies and procedures and incorporate machine-readable privacy policies into their websites | Ark. Code Ann. Sec. 25-1-114
 | Data security law that applies to a person or business that acquires, owns, or licenses personal information. Requires implementation and maintenance of reasonable security procedures and practices appropriate to the nature of the information. Amended to include biometric data. | Ark. Code Sec. 4-110-101 to -10 (Personal Information Protection Act) amended in 2019 Arkansas Law Act 1030 (H.B. 1943)
 | Prevents employers from requesting passwords to personal Internet accounts to get or keep a job. | Ark. Code Ann. Sec. 11-2-124
 | Prohibits use of Automated License Plate Readers (ALPRs) by individuals, partnerships, companies, associations or state agencies. Provides exceptions for limited use by law enforcement, by parking enforcement entities, or for controlling access to secure areas. Prohibits data from being preserved for more than 150 days. | Ark. Code Sec. Sec. 12-12-1801 to 12-12-1808 (``Automatic License Plate Reader System Act'')
 | Deceptive Trade Practices Act. Broadly prohibits deceptive and unconscionable trade practices. Makes it a misdemeanor to knowingly and willfully commit unlawful practice under the law and gives attorney general power of civil enforcement and to create a Consumer Advisory Board. | Ark. Code Ann. Sec. Sec. 4-88-101 through 4-88-207
------------------------------------------------------------------------
California | Gives consumers right to request a business to disclose the categories and specific pieces of personal information that the business has collected about the consumers and the source of that information and business purpose for collecting the information. Consumers may request that a business delete personal information that the business collected from the consumers. Consumers have the right to opt out of a business's sale of their personal information, and a business may not discriminate against consumers who opt out. Applies to California residents. Effective Jan. 1, 2020. | Cal. Civ. Code Sec. 1798.100 to .198 (``The California Consumer Privacy Act of 2018'')
 | State constitution: ``All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.'' ``Every natural person has the right to be let alone and free from governmental intrusion into the person's private life except as otherwise provided herein. This section shall not be construed to limit the public's right of access to public records and meetings as provided by law.'' | Cal. Const. art. I Sec. Sec. 1, 23
 | Requires government websites or state portals to establish and publish privacy policies and procedures | Cal. Govt. Code Sec. 11019.9
 | Permits minors to remove, or to request and obtain removal of, content or information posted on website, online service, online application, or mobile application. Prohibits operator of a website or online service directed to minors from marketing or advertising specified products or services that minors are legally prohibited from buying. Prohibits marketing or advertising products based on personal information specific to a minor or knowingly using, disclosing, compiling, or allowing a third party to do so. | Cal. Bus. & Prof. Code Sec. Sec. 22580-22582 (``California's Privacy Rights for California Minors in the Digital World Act'')
 | Protects a library patron's use records, such as written records or electronic transaction that identifies a patron's borrowing information or use of library information resources, including, but not limited to, database search records, borrowing records, class records, and any other personally identifiable uses of library resources information requests, or inquiries | Cal. Govt. Code Sec. 6267
 | Protects information about the books Californians browse, read or purchase from electronic services and online booksellers who may have access to detailed information about readers, such as specific pages browsed. Requires a search warrant, court order, or the user's affirmative consent before such a business can disclose the personal information of its users related to their use of a book, with specified exceptions, including an imminent danger of death or serious injury. | Cal. Civil Code Sec. 1798.90 (``Reader Privacy Act'')
 | Operator of a commercial website or online service must disclose in its privacy policy how it responds to a web browser 'do not track' signal or similar mechanisms providing consumers with the ability to exercise choice about online tracking of their personal information across sites or services and over time. Operator must disclose whether third parties are or may be conducting such tracking on the operator's site or service. | Cal. Bus. & Prof. Code Sec. 22575
 | Operator, defined as a person or entity that collects personally identifiable information from California residents through an Internet website or online service for commercial purposes, must post a conspicuous privacy policy on its website or online service (which may include mobile apps) and to comply with that policy. The privacy policy must identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its website or online service and third parties with whom the operator may share the information. | Calif. Bus. & Prof. Code Sec. 22575-22578 (CalOPPA)
 | Prohibits a person or entity from providing the operation of a voice recognition feature in California without prominently informing, during the initial setup or installation of a connected television, either the user or the person designated by the user to perform the initial setup or installation of the connected television. Prohibits manufacturers or third-party contractors from collecting any actual recordings of spoken word for the purpose of improving the voice recognition feature. Prohibits a person or entity from compelling a manufacturer or other entity providing the operation of voice recognition to build specific features to allow an investigative or law enforcement officer to monitor communications through that feature. | Cal. Bus. & Prof. Code Sec. 22948.20
 | Requires private nonprofit or for-profit postsecondary educational institutions to post a social media privacy policy on the institution's website | Cal. Educ. Code Sec. 99122
 | Requires all nonfinancial businesses to disclose to customers the types of personal information the business shares with or sells to a third party for direct marketing purposes or for compensation. Businesses may post a privacy statement that gives customers the opportunity to choose not to share information at no cost. | Cal. Civ. Code Sec. Sec. 1798.83 to .84
 | Breach notification requirements when unencrypted personal information, or encrypted personal information and the security credentials, was or reasonably believed to have been acquired by an unauthorized person. Applies to agencies and businesses. | Cal. Civ. Code Sec. Sec. 1798.29, 1798.82
 | Data security. Applies to a business that owns, licenses, or maintains personal information & third-party contractors. Must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. | Cal. Civ. Code Sec. 1798.81.5
 | Provides that the California Highway Patrol (CHP) may retain data from a license plate reader for no more than 60 days, unless the data is being used as evidence in felony cases. Prohibits selling or making available ALPR data to non-law enforcement officers or agencies. Requires CHP to report to the legislature how ALPR data is being used. | Cal. Vehicle Code Sec. 2413
 | Establishes regulations on the privacy and usage of automatic license plate recognition (ALPR) data and expands the meaning of ``personal information'' to include information or data collected through the use or operation of an ALPR system. Imposes privacy protection requirements on entities that use ALPR information, as defined; prohibits public agencies from selling or sharing ALPR information, except to another public agency, as specified; and requires operators of ALPR systems to use that information only for authorized purposes. Establishes private right of action. | Cal. Civ. Code Sec. Sec. 1798.90.50 to .55
 | Prohibits unfair competition, which includes any unlawful, unfair, or fraudulent business act or practice. | Cal. Bus. & Prof. Code Sec. Sec. 17200 through 17594
 | Prohibits unfair methods of competition and unfair or deceptive acts or practices undertaken by any person in a transaction intended to result or that results in the sale or lease of goods or services to a consumer. Provides a private right of action. | Cal. Civ. Code Sec. Sec. 1750 through 1785 (``Consumer Legal Remedies Act'')
------------------------------------------------------------------------
Colorado | Requires the state or any agency, institution, or political subdivision that operates or maintains an electronic mail communications system to adopt a written policy on any monitoring of electronic mail communications and the circumstances under which it will be conducted. The policy shall include a statement that correspondence of the employee in the form of electronic mail may be a public record under the public records law and may be subject to public inspection under this part. | Colo. Rev. Stat. Sec. 24-72-204.5
 | Requires government websites or state portals to establish and publish privacy policies and procedures | Colo. Rev. Stat. Sec. 24-72-501 to -502
 | Data security. Applies to any private entity that maintains, owns, or licenses personal identifying information in the course of the person's business or occupation. Must develop written policies for proper disposal of personal information once such information is no longer needed. Implement and maintain reasonable security practices and procedures to protect personal identifying information from unauthorized access. | Colo. Rev. Stat. Sec. 6-1-713, Sec. 6-1-716
 | Requires that video or still images obtained by ``passive surveillance'' by governmental entities, such as images from monitoring cameras, must be destroyed within three years after the recording of the images. Specifies that the custodian of a passive surveillance record may only access the record beyond the first anniversary after the date of creation of the record if there has been a notice of claim filed, or an accident or other specific incident that may cause the passive surveillance record to become evidence in any civil, labor, administrative, or felony criminal proceeding. Creates exceptions allowing retention of passive surveillance records of any correctional facility, local jail, or private contract prison and passive surveillance records made or maintained as required under Federal law | Colo. Rev. Stat. Sec. 24-72-113
 | Prohibits deceptive trade practices. Attorney generals and district attorneys enforce statute. | Colo. Rev. Stat. Sec. Sec. 6-1-101 through 6-1-115
------------------------------------------------------------------------
Connecticut | Requires any person who collects Social Security numbers in the course of business to create a privacy protection policy. The policy must be ``publicly displayed'' by posting on a web page and the policy must (1) protect the confidentiality, (2) prohibit unlawful disclosure, and (3) limit access to Social Security numbers. | Conn. Gen. Stat. Sec. 42-471
 | Employers who engage in any type of electronic monitoring must give prior written notice to all employees, informing them of the types of monitoring which may occur. If employer has reasonable grounds to believe that employees are engaged in illegal conduct and electronic monitoring may produce evidence of this misconduct, the employer may conduct monitoring without giving prior written notice. Labor Commissioner may levy civil penalties against a violator who fails to give notice of monitoring. | Conn. Gen. Stat. Sec. 31-48d
 | Health data security law that applies to any health insurer, health care center or other entity licensed to do health insurance business in the state. Requires them to implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees that is compiled or maintained by such company. | Conn. Gen. Stat. Sec. 38a-999b
 | Data security law that applies to contractors, defined as an individual, business or other entity that is receiving confidential information from a state contracting agency or agent of the state pursuant to a written agreement to provide goods or services to the state. Must implement and maintain a comprehensive data-security program, including encryption of all sensitive personal data transmitted wirelessly or via a public Internet connection, or contained on portable electronic devices. | Conn. Gen. Stat. Sec. 4e-70
 | Prohibits unfair or deceptive acts or practices in the conduct of any trade or commerce. Commissioner enforces. Creates private right of action. | Conn. Gen. Stat. Sec. Sec. 42-110a through 42-110q
------------------------------------------------------------------------
Delaware | Prohibits operators of websites, online or cloud computing services, online applications, or mobile applications directed at children from marketing or advertising on its Internet service specified products or services. When the marketing is provided by an advertising service, the operator of Prohibits disclosing a child's personally identifiable information if it is known that the child's personally identifiable information will be used to market those products or services to the child. | Del. Code Ann. tit. 6, Sec. 1204C
 | Requires an operator of a commercial Internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about individual users residing in Delaware to make its privacy policy conspicuously available. An operator shall be in violation of this subsection only if the operator fails to make its privacy policy conspicuously available within 30 days after being notified of noncompliance. | Del. Code Ann. tit. 6, Sec. 1205C
 | Prohibits a commercial entity which provides a book service from disclosing users' personal information to law enforcement entities, governmental entities, or other persons, except under specified circumstances. Allows immediate disclosure of a user's book service information to law enforcement entities when there is an imminent danger of death or serious physical. Requires a book service provider to prepare and post online an annual report on its disclosures of personal information, unless exempted from doing so. The Consumer Protection Unit of the Department of Justice has the authority to investigate and prosecute violations of the acts. | Del. Code Ann. tit. 6, Sec. 1206C
 | Prohibits employers from monitoring or intercepting electronic mail or Internet access or usage of an employee unless the employer has first given a one-time notice to the employee. Provides exceptions for processes that are performed solely for the purpose of computer system maintenance and/or protection, and for court ordered actions. Provides for a civil penalty of $100 for each violation. | Del. Code Ann. tit. 19, Sec. 705
 | Requires government websites or state portals to establish and publish privacy policies and procedures | Del. Code tit. 29 Sec. 9018C
 | Prohibits deceptive acts in connection with the sale, lease, or advertisement of any merchandise. Gives investigative power to attorney general and creates a private right of action. | Del. Code Ann. tit. 6, Sec. Sec. 2511 through 2527, 2580 through 2584 (``Consumer Fraud Act'')
 | Any person who conducts business in the state and owns, licenses, or maintains personal information must implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business. | Del. Code Sec. 12B-100
------------------------------------------------------------------------
District of Columbia | Prohibits unfair or deceptive trade practices involving any and all parts of economic output of society. | D.C. Code Sec. Sec. 28-3901 through 28-3913
------------------------------------------------------------------------
Florida | State constitution: The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures, and against the unreasonable interception of private communications by any means, shall not be violated | Fla. Const. art. I Sec. 12
 | Data security law that applies to commercial entities and third-party agents (entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity). Requires reasonable measures to protect and secure data in electronic form containing personal information. | Fla. Stat. Ann. Sec. 501.171
 | Creates a public records exemption for certain images and data obtained through the use of an automated license plate recognition system and personal identifying information of an individual in data generated from such images. Provides that images and data containing personal information obtained from automated license plate recognition systems are confidential. Allows for disclosure to criminal justice agencies and to individuals to whom the license plate is registered in certain circumstances. | Fla. Stat. Ann. Sec. 316.0777
 | Prohibits unfair or deceptive acts or practices in the conduct of any trade or commerce, defined as advertising, soliciting, providing, offering, or distributing commodity or thing of value. Creates private right of action. | Fla. Stat. Sec. Sec. 501.201 through 501.213 (``Deceptive and Unfair Trade Practices Act'')
------------------------------------------------------------------------
Georgia | License plate data may be collected and accessed only for a law enforcement purpose. The data must be destroyed no later than 30 months after it was originally collected unless the data are the subject matter of a toll violation or for law enforcement. Allows sharing of captured license plate data among law enforcement agencies. Law enforcement agencies deploying an automated license plate recognition system must maintain policies for the use and operation of the system, including but not limited to policies for the training of law enforcement officers in the use of captured license plate data | Ga. Code Ann. Sec. 35-1-22
 | Broadly prohibits unfair and deceptive practices in the conduct of consumer transactions, defined as the sale, purchase, lease, or rental of goods, services, or property. Creates private right of action. | Ga. Code Ann. Sec. Sec. 10-1-390 through 10-1-407 (``Fair Business Practices Act'')
------------------------------------------------------------------------
Hawaii | Any business or government agency that collects personal information shall provide notice upon discovery of a security breach. Establishes a council that will identify best privacy practices. | Haw. Stat. Sec. 487N-1 to N-7
 | State constitution: ``The right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest. The legislature shall take affirmative steps to implement this right.'' ``The right of the people to be secure in their persons, houses, papers and effects against unreasonable searches, seizures and invasions of privacy shall not be violated; and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized or the communications sought to be intercepted.'' | Haw. Const. art. I Sec. Sec. 6, 7
 | Prohibits unfair competition against any person and unfair or deceptive acts or practices, enforceable by any consumer. Applies to the conduct of any trade or commerce. | Haw. Rev. Stat. Sec. 480-2
------------------------------------------------------------------------
Idaho | Prohibits use of drones to capture images of people or gather information about individuals in the absence of a warrant or written consent. | Idaho Code Sec. 21-213
 | Imposes regulations on individual student data, restricts secondary uses of such data, and provides for data destruction | Idaho Code Sec. 33-133
 | Broadly prohibits unfair or deceptive acts and practices in the conduct of any trade or commerce. An unconscionable act is a violation whether it occurs before, during, or after the transaction. | Idaho Code Ann. Sec. Sec. 48-601 through 48-619 (``Consumer Protection Act'')
------------------------------------------------------------------------
Illinois | Prohibits state agency websites from using cookies or other invasive tracking programs to monitor viewing habits | Ill. Rev. Stat. ch. 5 Sec. 177/10
 | Limits on collection and storage of biometric data. Prohibits private entity from capturing or obtaining biometric information without notice and consent. Creates private right of action | 740 Ill. Comp. Stat. 14/1 (Biometric Information Privacy Act)
8State constitution: ``The people Ill. Const. art. shall have the right to be I, Sec.
60 secure in their persons, houses, papers and other possessions against unreasonable searches, seizures, invasions of privacy or interceptions of communications by eavesdropping devices or other means. No warrant shall issue without probable cause, supported by affidavit particularly describing the place to be searched and the persons or things to be seized. Makes it unlawful for an employer 820 Ill. Comp. or prospective employer to Stat. 55/10 request or require an employee (Right to or applicant to authenticate or Privacy in the access a personal online account Workplace Act) in the presence of the employer, to request or require that an employee or applicant invite the employer to join a certain group, or join an online account established by the employer; prohibits retaliation against an employee or applicant. 8Broadly prohibits unfair methods 815 Ill. Comp. of competition and unfair or Stat. 505/1 deceptive acts or practice in through 505/120 the conduct of any trade or commerce. ------------------------------------------------------------------------ Indiana Data Security. Applies to Ind. Code Sec. database owner, defined as a 24-4.9-3-3.5 person that owns or licenses computerized data that includes personal information. Must implement and maintain reasonable procedures, including taking any appropriate corrective action for breaches. 8Prohibits unfair, abusive, or Ind. Code Sec. deceptive act, omission, or Sec. 24-5-0.5-1 practice in connection with a to -12 consumer transaction. Creates (``Deceptive private right of action for a Consumer Sales person relying upon an uncured Act'')0 or incurable deceptive act. ------------------------------------------------------------------------ Iowa Require government Websites or Iowa Code Sec. state portals to establish and 22.11 publish privacy policies and procedures. 8Prohibits unfair and deceptive Iowa Code Sec. acts in connection with the Sec. 
714.16 lease, sale, or advertisement of through 714.16A0 any merchandise. Enforceable only by the Attorney General, unless there was intent to cause reliance upon the act in which case consumers can enforce the prohibition. ------------------------------------------------------------------------ Kansas Defines breach of privacy such as K.S. Stat Sec. intercepting phone calls and 21-6101 private messages, use of recording devices inside or outside of a place without prior consent, use of video recording without prior consent. Does not apply to utility companies where recording communications is necessary in order to provide the service/utility requested. 8Data security. Applies to a K.S. Sec. 50- holder of personal information 6,139b0 (a person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person.) Must implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure. Prohibits deceptive and Kan. Stat. Ann. unconscionable acts in Sec. Sec. 50-62 connection with a consumer 3 through 50-640 transaction, regardless of and 50-675a whether the act occurs before, through 50-679a during, or after the transaction. Creates private right of action. ------------------------------------------------------------------------ Kentucky 8Notification to affected persons Ky. Rev. Stat. of computer security breach Ann. 365.7320 involving their unencrypted personally identifiable information. Personal information security and Ky. Rev. Stat. breach investigation procedures Ann. 61.932 and practices for certain public agencies and nonaffiliated third parties. 8Prohibited uses of personally Ky. Rev. Stat. identifiable student information Ann. 
365.7340 by cloud computing service provider Department procedures and Ky. Rev. Stat. regulations, including Ann. 171.450 appropriate procedures to protect against unauthorized access to or use of personal information 8Prohibits unfair, deceptive, and Ky. Rev. Stat. unconscionable acts relating to Ann. Sec. Sec. trade or commerce. Private cause 367.110 through of action only to person who 367.990 purchases or leases goods or (``Consumer services. Protection Act'')0 ------------------------------------------------------------------------ Louisiana Data security law applies to any La. Rev. Stat. person that conducts business in 51:3071 to :3077 the state or that owns or (``Database licenses computerized data that Security Breach includes personal information. Notification Must implement and maintain Law'') reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Personal information includes name, SSN, driver's license or state ID number, account numbers, passport numbers, or biometric data, but excludes information lawfully made public from federal, state, or local government records. 8State constitution: ``Every La. Const. art. I person shall be secure in his Sec. 50 person, property, communications, houses, papers, and effects against unreasonable searches, seizures, or invasions of privacy. No warrant shall issue without probable cause supported by oath or affirmation, and particularly describing the place to be searched, the persons or things to be seized, and the lawful purpose or reason for the search. Any person adversely affected by a search or seizure conducted in violation of this Section shall have standing to raise its illegality in the appropriate court.'' Prohibits unfair or deceptive La. Rev. Stat. acts and practices in the Ann. Sec. Sec. conduct of any trade or 51:1401 to :1420 commerce, including advertising. 
Creates private right of action. ------------------------------------------------------------------------ Maine 8Require government websites or 1 M.R.S.A. Sec. state portals to establish and 5420 publish privacy policies and procedures Prohibits the use of automatic 29-A M.R.S.A. license plate recognition Sec. 2117-A systems except for certain public safety purposes. Provides that data collected is confidential and may be used only for law enforcement purposes. Data collected may not be stored more than 21 days. 8Prohibits unfair or deceptive Me. Rev. Stat. practice in the conduct of any Ann. tit. 5, trade or commerce, including Sec. Sec. 205A advertising. Creates private to 214 (``Unfair right of action for any person Trade Practices who purchases or leases goods, Act'')0 services, or property as a result of an unlawful practice or act under the law. ------------------------------------------------------------------------ Maryland Data security provisions apply to Md. Code Com Law businesses and nonaffiliated Sec. Sec. 14-35 third party/service provider. 01 to -3503 Must implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations. Personal information includes name, SSN, driver's license or state ID number, account numbers, TIN, passport number, health information, biometric data, user name or e-mail address in combination with password or security question. 8Specifies the procedures and Md. Public Safety protocols that a law enforcement Code Sec. 3- agency must follow in connection 5090 with the operation of an ``automatic license plate reader system'' and ``captured plate data.'' Requires the State Police to adopt procedures to address who has access to the data, training, and create an audit process. Data gathered by an automatic license plate reader system are not subject to disclosure under the Public Information Act. 

Prohibits unfair, abusive, or deceptive trade practices, regardless of whether the consumer was in fact misled, deceived, or damaged as a result of the practice. Consumer can file a complaint, which the agency will investigate and potentially refer to the FTC
    Citation: Md. Code Ann., Com. Law Sec. Sec. 13-101 to 501 (``Consumer Protection Act'')

------------------------------------------------------------------------
Massachusetts

A person shall have a right against unreasonable, substantial or serious interference with his privacy. The superior court shall have jurisdiction in equity to enforce such right and in connection therewith to award damages.
    Citation: Mass. Gen. Laws Ch. 214 Sec. 1B

Data security law applies to any person that owns or licenses personal information. Authorizes regulations to ensure security and confidentiality of customer information in a manner fully consistent with industry standards. The regulations shall take into account the person's size, scope and type of business, resources available, amount of stored data, and the need for security and confidentiality of both consumer and employee information.
    Citation: Mass. Gen. Laws Ch. 93H Sec. 2(a)

Broadly prohibits unfair and deceptive acts and practices in the conduct of any trade or commerce. Creates private right of action.
    Citation: Mass. Gen. Laws Ann. ch. 93A, Sec. Sec. 1 to 11

------------------------------------------------------------------------
Michigan

Preserve personal privacy with respect to the purchase, rental, or borrowing of certain materials. Provides penalties and remedies
    Citation: Mich. Comp. Laws Ann. Sec. 445.1712

Prohibits unfair, unconscionable, or deceptive methods, acts, or practices in the conduct of trade or commerce. Creates private right of action.
    Citation: Mich. Comp. Laws Sec. Sec. 445.901 to .922

------------------------------------------------------------------------
Minnesota

Requires Internet Service Providers to keep private certain information concerning their customers, unless the customer gives permission to disclose the information. Prohibits disclosure of personally identifying information, and requires ISPs to get permission from subscribers before disclosing information about the subscribers' online surfing habits and Internet sites visited.
    Citation: Minn. Stat. Sec. Sec. 325M.01 to .09

Require government websites or state portals to establish and publish privacy policies and procedures.
    Citation: Minn. Stat. Sec. 13.15

Makes it a misdemeanor to publish or disseminate advertisements which contain any material assertion, representation, or statement of fact which is untrue, deceptive, or misleading
    Citation: Minn. Stat. Ann. Sec. 325F.67

Prohibits act, use, or employment by any person of any fraud, false pretense, misleading statement, or deceptive practice, with the intent that others rely on it in the sale of any merchandise
    Citation: Minn. Stat. Sec. Sec. 325F.68

------------------------------------------------------------------------
Mississippi

Data security law that applies to any person who conducts business in the state and in the ordinary course of business. Personal information includes name, SSN, driver's license or state ID number, or financial account numbers
    Citation: Miss. Code Ann. Sec. 75-24-29

Broadly prohibits unfair and deceptive practices as long as they are in or affecting commerce. Only attorney general can enforce the prohibitions.
    Citation: Miss. Code Ann. Sec. Sec. 75-24-1 to -27

------------------------------------------------------------------------
Missouri

Defines ``E-book'' and ``digital resource or material'' and adds them to the items specified in the definition of ``library material'' that a library patron may use, borrow, or request. Provides that any third party contracted by a library that receives, transmits, maintains, or stores a library record may not release or disclose all or a portion of a library record to anyone except the person identified in the record or by a court order.
    Citation: Mo. Rev. Stat. Sec. 182.815, 182.817

Prohibits unfair or deceptive trade practices or omissions in connection with the sale or advertisement of merchandise in trade or commerce, whether the act was committed before, during, or after the sale, advertisement, or solicitation. Any person who purchases or leases merchandise and suffers loss as a result of the unlawful act may bring a civil action
    Citation: Mo. Rev. Stat. Sec. Sec. 407.010 to -.307 (``Merchandising Practices Act'')

------------------------------------------------------------------------
Montana

Require government website or state portals to establish and publish privacy policies and procedures. Allows sale and disclosure to third parties, provided notice and consent.
    Citation: Mont. Code Ann. Sec. 2-17-550 to -553

State constitution: The right of individual privacy is essential to the well-being of a free society and shall not be infringed without the showing of a compelling state interest.
    Citation: Mont. Const. art. II Sec. 10

Prohibits methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce.
    Citation: Mont. Code Ann. Sec. Sec. 30-14-101 to -142

------------------------------------------------------------------------
Nebraska

Data security law applies to any individual or commercial entity that conducts business in Nebraska and maintains personal information about Nebraska residents. Must establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained. Ensure that all third parties to whom the entity provides sensitive personal information establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained.
    Citation: Neb. Rev. Stat. Sec. Sec. 87-801 to -807

Prohibits employers from accessing an applicant or an employee's personal Internet accounts and taking adverse action against an employee or applicant for failure to provide any information related to the account; prohibits retaliation against an employee who files a complaint under the Act; prohibits an employee from downloading or transferring any private proprietary information or financial data to a personal Internet account without authorization.
    Citation: Neb. Rev. Stat. Sec. Sec. 48-3501 to 48-3511 (Workplace Privacy Act)

Requires any governmental entity that uses an automatic license plate reader (ALPR) system to adopt a policy governing use of the system. Governmental entities also must adopt a privacy policy to ensure that captured plate data is not shared in violation of this act or any other law. The policies must be posted on the Internet or at the entity's main office. Requires annual reports to the Nebraska Commission on Law Enforcement and Criminal Justice on ALPR practices and usage. Provides that captured plate data is not considered a public record.
    Citation: Neb. Rev. Stat. Sec. 60-3201 to 3209

Broadly prohibits unfair or deceptive trade practices in the conduct of any trade or commerce. Creates private right of action.
    Citation: Neb. Rev. Stat. Sec. Sec. 59-1601 to -1623

------------------------------------------------------------------------
Nevada

Requires operators of Internet websites or online services that collect personally identifiable information from residents of the state to notify consumers about how that information is used.
    Citation: Nev. Rev. Stat. Sec. 603A.340

Require Internet Service Providers to keep private certain information concerning their customers, unless the customer gives permission to disclose the information.
    Citation: Nev. Rev. Stat. Sec. 205.498

Data security. Applies to data collector that maintains records which contain personal information and third parties to whom they disclose. Must implement and maintain reasonable security measures
    Citation: Nev. Rev. Stat. Sec. Sec. 603A.210, 603A.215

Prohibits deceptive trade practices, including knowingly making any other false representation in the course of a business or occupation. Also prohibits failing to disclose material fact in connection with sale or lease of goods or services. Private right of action created under Nev. Rev. Stat. Sec. 41.600.
    Citation: Nev. Rev. Stat. Sec. Sec. 598.0903 to .0999

------------------------------------------------------------------------
New Hampshire

Prohibits government officials from obtaining access to customer financial or credit records, or the information they contain, held by financial institutions or creditors without the customer's authorization, an administrative subpoena, a search warrant, or a judicial subpoena
    Citation: N.H. Rev. Stat. Sec. 359-C:4

Makes it a crime to willfully intercept any telecommunication or oral communication without the consent of all parties to the communication. It is unlawful to willfully use an electronic, mechanical, or other device to intercept an oral communication or to disclose the contents of an intercepted communication. Law enforcement needs warrant, exception to warrant, or consent to use cell site simulators.
    Citation: N.H. Rev. Stat. Sec. 570-A:2 to A:2-a

State constitution: An individual's right to live free from governmental intrusion in private or personal information is natural, essential, and inherent.
    Citation: N.H. Const. Pt. 1, art. II

Broadly prohibits unfair method of competition or any unfair or deceptive practice in the conduct of any trade or commerce within the state. Creates private right of action.
    Citation: N.H. Rev. Stat. Sec. Sec. 358-A:1 to -A:13

------------------------------------------------------------------------
New Jersey

Prohibits act, use, or employment by any person of any unconscionable commercial practice, deception, fraud, misrepresentation, or the knowing concealment, suppression, or omission of any material fact with the intent that others rely upon it in connection with the sale or advertisement of any merchandise or real estate. Creates private right of action.
    Citation: N.J. Stat. Ann. Sec. Sec. 56:8-1 to -91

------------------------------------------------------------------------
New Mexico

Data security law applies to a person that owns or licenses personal identifying information of a New Mexico resident. Must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.
    Citation: N.M. Stat. Sec. 57-12C-4, to 12C-5

Prohibits unfair, unconscionable, and deceptive practices involving goods, services, credit, or debt collection, made in the course of the person's trade or commerce. Private right of action.
    Citation: N.M. Stat. Sec. Sec. 57-12-1 to -22 (``Unfair Practices Act'')

------------------------------------------------------------------------
New York

Require government Websites or state portals to establish and publish privacy policies and procedures
    Citation: N.Y. State Tech. Law Sec. 201 to 207

Prohibits deceptive acts in the conduct of any business, trade, or commerce or service. Only attorney general can enforce prohibitions on repeated fraudulent acts or unconscionable contract provisions
    Citation: N.Y. Exec. Law Sec. 63(12); N.Y. Gen. Bus. Law Sec. Sec. 349 and 350

------------------------------------------------------------------------
North Carolina

Requires state or local law enforcement agencies to adopt a written policy governing the use of an ALPR system that addresses databases used to compare data obtained by the system, data retention and sharing of data with other law enforcement agencies, system operator training, supervision of system use, and data security and access. Requires audits and reports of system use and effectiveness. Limits retention of ALPR data to no more than 90 days, except in specified circumstances. Provides that data obtained by the system is confidential and not a public record.
    Citation: N.C. Gen. Stat. Sec. Sec. 20-183.30 to .32

Prohibits unfair methods of competition, and unfair or deceptive acts or practices in or affecting business activities. Creates private right of action
    Citation: N.C. Gen. Stat. Sec. Sec. 75-1.1 to -35

------------------------------------------------------------------------
North Dakota

Prohibits an act, use, or employment of any deceptive act or practice, fraud, or misrepresentation, with the intent that others rely thereon in connection with the sale or advertisement of any merchandise. Acts or advertisements which causes or is likely to cause substantial injury to a person and not reasonably avoidable by the injured person and not outweighed by countervailing benefits to consumers or to competition, is declared to be an unlawful practice. Creates private right of action.
    Citation: N.D. Cent. Code Sec. Sec. 51-15-01 to -11

------------------------------------------------------------------------
Ohio

Data security law that applies to Business or nonprofit entity that accesses, maintains, communicates, or handles personal information or restricted information. To qualify for an affirmative defense to a cause of action alleging a failure to implement reasonable information security controls resulting in a data breach, an entity must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information
    Citation: Ohio Rev. Code Ann. Sec. 1354.01 to 1354.05

Prohibits unfair, unconscionable, or deceptive trade practices in connection with a consumer transaction, regardless of whether the act occurs before, during, or after the transaction.
    Citation: Ohio Rev. Code Ann. Sec. Sec. 1345.01 to .13

------------------------------------------------------------------------
Oklahoma

Requires public reporting of which student data are collected by the state, mandates creation of a statewide student data security plan, and limits the data that can be collected on individual students and how that data can be shared. It establishes new limits on the transfer of student data to federal, state, or local agencies and organizations outside Oklahoma
    Citation: 70 Okl. Stat. Ann. Sec. 3-168 (Student Data Accessibility, Transparency and Accountability Act)

------------------------------------------------------------------------
Oregon

Data security law that applies to any person that owns, maintains, or otherwise possesses data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation or volunteer activities. Must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the personal information, including disposal of the data
    Citation: Or. Rev. Stat Sec. 646A.622

Prohibits unconscionable tactics and other unfair or deceptive conduct in trade or commerce. Consumer can challenge unfair or deceptive conduct only after the Attorney General has first established a rule declaring that conduct to be unfair or deceptive.
    Citation: Or. Rev. Stat. Sec. Sec. 646.605 through 646.656
------------------------------------------------------------------------
Pennsylvania

Prohibits unfair or deceptive practices in the conduct of any trade or commerce. Creates private right of action.
    Citation: 73 Pa. Stat. Ann. Sec. Sec. 201-1 through 201-9.3

------------------------------------------------------------------------
Rhode Island

Data security measure applies to a business that owns or licenses computerized unencrypted personal information & a nonaffiliated third-party contractor. Must implement and maintain a risk-based information security program with reasonable security procedures and practices appropriate to the nature of the information.
    Citation: R.I. Gen. Laws Sec. 11-49.3-2

Prohibits unfair or deceptive practices in the conduct of any trade or commerce. Creates private right of action.
    Citation: R.I. Gen. Laws Sec. Sec. 6-13.1-1 through 6-13.1-27

------------------------------------------------------------------------
South Carolina

Requires government Websites or state portals to establish and publish privacy policies and procedures
    Citation: S.C. Code Ann. Sec. 30-2-40

Data security law that applies to a person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the state. Requires a licensee to develop, implement and maintain a comprehensive information security program based on the licensee's risk assessment. Establishes requirements for the security program, such as implementing an incident response plan and other details
    Citation: S.C. Code Sec. 38-99-10 to -100

State constitution: The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures and unreasonable invasions of privacy shall not be violated, and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, the person or thing to be seized, and the information to be obtained.
    Citation: S.C. Const. art. I, Sec. 10

Prohibits unfair or deceptive practices in the conduct of any trade or commerce. Creates private right of action.
    Citation: S.C. Code Ann. Sec. Sec. 39-5-10 through 39-5-160

------------------------------------------------------------------------
South Dakota

Prohibits knowing and intentional deceptive acts in connection with the sale or advertisement of merchandise
    Citation: S.D. Codified Laws Sec. Sec. 37-24-1 through 37-24-35, amended by 2019 South Dakota Laws Ch. 177 (SB 20)

------------------------------------------------------------------------
Tennessee

Requires the state or any agency, institution, or political subdivision thereof that operates or maintains an electronic mail communications system to adopt a written policy on any monitoring of electronic mail communications and the circumstances under which it will be conducted. The policy shall include a statement that correspondence may be a public record under the public records law and may be subject to public inspection under this part.
    Citation: Tenn. Code Sec. 10-7-512

Provides that any captured automatic license plate data collected by a government entity may not be stored for more than 90 days unless they are part of an ongoing investigation, and in that case provides for data to be destroyed after the conclusion of the investigation.
    Citation: Tenn. Code Sec. 55-10-302

Prohibits specific unfair or deceptive acts or practices limited to those enumerated which affect the conduct of any trade or commerce. Only attorney general can bring an enforcement action.
    Citation: Tenn. Code Ann. Sec. Sec. 47-18-101 through 47-18-125
------------------------------------------------------------------------
Texas

Data security measure that applies to a business or association that collects or maintains sensitive personal information. (Does not apply to financial institutions). Requires implementation of reasonable procedures, including taking any appropriate corrective action.
    Citation: Tex. Bus. & Com. Code Sec. 521.052

Prohibits false, unconscionable and deceptive acts in the conduct of any trade or commerce. Consumer protection division can enforce
    Citation: Tex. Bus. & Com. Code Ann. Sec. Sec. 17.41 through 17.63

------------------------------------------------------------------------
Utah

Require all nonfinancial businesses to disclose to customers, in writing or by electronic mail, the types of personal information the business shares with or sells to a third party for direct marketing purposes or for compensation. Provides a private right of action
    Citation: Utah Code Ann. Sec. Sec. 13-37-201 to -203

Requires government websites or state portals to establish privacy policies and procedures
    Citation: Utah Code Ann. Sec. 63D-2-101, to -104

Data security. Applies to any person who conducts business in the state and maintains personal information. Must implement and maintain reasonable procedures. Amended in 2019 to define is subject to a civil penalty
    Citation: Utah Code Ann. Sec. Sec. 13-44-101, -201, 301

Captured license plate data are a protected record if the captured plate data are maintained by a governmental entity. Provides that captured plate data may only be shared for specified purposes, may only be preserved for a certain time, and may only be disclosed pursuant to specific circumstances such as a disclosure order or a warrant. Government entities may not use privately held captured plate data without a warrant or court order, unless the private provider retains captured plate data for 30 days or fewer.
    Citation: Utah Code Ann. Sec. Sec. 41-6a-2001 to -2005

Prohibits deceptive and unconscionable acts or practices by suppliers in connection with a consumer transaction, regardless of whether it occurs before, during, or after the transaction. Private right of action.
    Citation: Utah Code Ann. Sec. Sec. 13-11-1 through 13-11-23

------------------------------------------------------------------------
Vermont

Prevents employers from requesting passwords to personal Internet accounts to get or keep a job.
    Citation: 21 V.S.A. Sec. 495

Data security. Applies to Data brokers--businesses that knowingly collect and license the personal information of consumers with whom such businesses do not have a direct relationship. Must implement and maintain a written information security program containing administrative, technical, and physical safeguards to protect personally identifiable information.
    Citation: 9 V.S.A Sec. 2446-2447

Broadly prohibits unfair or deceptive acts or practices in commerce
    Citation: 9 V.S.A. Sec. Sec. 2451 to 2480g

------------------------------------------------------------------------
Virginia

Require government websites or state portals to establish and publish privacy policies and procedures
    Citation: Va. Code Sec. 2.2-3800

Prohibits specified fraudulent and deceptive acts and practices committed by a supplier in connection with a consumer transaction.
    Citation: Va. Code Ann. Sec. Sec. 59.1-196 through 59.1-207

------------------------------------------------------------------------
Washington

State constitution: No person shall be disturbed in his private affairs, or his home invaded, without authority of law
    Citation: Wash. Const. art. I, Sec. 7

Prohibits unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce. Private right of action.
    Citation: Wash. Rev. Code Sec. Sec. 19.86.010 through 19.86.920

------------------------------------------------------------------------
West Virginia

Student data law governing use sharing of student privacy rights, and notification of transfer of confidential information.
    Citation: W. Va. Code, Sec. 18-2-5h
Prohibits unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce. Private right of action.
    W. Va. Code Sec. Sec. 46A-6-101 through 46A-6-110

------------------------------------------------------------------------

The Chairman. Well, thank you very, very much. And we will now proceed to questions. Mr. Polonetsky, let me begin with you. And I referred to this in my opening statement. Both the GDPR and the CCPA are written to give consumers more control over their data by establishing certain rights. These rights include the right to access, right to erasure or deletion, right to data portability, and others. I mentioned in my opening statement a concern that these rights may inadvertently decrease privacy for consumers because companies may be compelled to retain, track, or re-identify data that they would otherwise have discarded. So if you would comment about that and then I will ask the others if they have got any observations.

Mr. Polonetsky. I think we can effectively provide people strong rights of access and deletion if we carefully make it clear that we are not going to be requiring companies to do more tracking in order to be able to provide that data. Certainly GDPR goes in that direction. I think it is solvable by making it clear that you need to know who you are providing data to. You need to clearly verify so that you are providing the data to the person and not creating an opportunity for data breaches. But I think carefully crafting the right in a way that gives us those protections is quite feasible.

The Chairman. Is that a problem that has been experienced under GDPR? I just did not understand exactly what you were saying there.

Mr. Polonetsky. GDPR certainly makes it clear that you are not obligated to do extra tracking in order to have the data to provide back to people.
I think there have been some concerns, since the CCPA is new, in exactly what it means to verify somebody is not quite clear. So people are looking for guidance. I think one of the reasons I argue this committee should act and, indeed, override CCPA is we can fix some of those areas where there is clarity so that people have a strong right of access and we do not create any over-disclosure by providing those deletion rights that we want to provide.

The Chairman. OK. Mr. Steyer.

Mr. Steyer. So thanks, Mr. Chairman. A couple of things. One, in California a few years ago, we passed a bill called The Eraser Button, and the point was you could erase---kids under 18 could have erased any content that they had foolishly posted without thinking about it. We think that that idea is something that should also be part of a broader Federal law. The issue has actually been the enforcement. So my colleague on my left mentioned the enforcement issues. That has been the biggest issue around the erasure issue. And actually I am sure that Ms. Dixon knows that because there is a right in Europe to be forgotten. So this is a very important thing that the Committee should do. The second thing I would mention off of what Jules just said is that data minimization, which for, again, a luddite, simpleminded person like me means that you only should use the data for what you really need it for, you should not be able to use data broadly for multiple purposes, is another critically important element of what a Federal privacy law should have. And that was the toughest part for us to actually hold onto in California. That is the piece of the CCPA that if you could do it over again or make it stronger, you would have stronger data minimization. So those are the two items I would mention, Mr. Chairman.

The Chairman. Ms. Guliani.

Ms. Guliani. I mean, I think absolutely.
I mean, the average consumer does not know what data is being collected on them and does not necessarily know how to make sure that that data is accurate or to request deletion. So that is something that can certainly be accomplished while accommodating, I think, the interests of not wanting to encourage businesses to retain more information. I will note that the right to be forgotten is not something that we would want to be adopted identically in the U.S. There are potential First Amendment considerations. For example, we would not want an individual to be able to request that a newspaper published an article about them that was disparaging take down that content. So there might need to be some modifications from GDPR to be consistent with the U.S. Constitution.

The Chairman. Thank you. Ms. Dixon, let me shift just in the few moments I have left. There is information that after the GDPR went into effect, a number of small businesses had to shut down because they simply could not afford to comply. Is that a concern, and what do you say to that? And what advice do you have for this Congress?

Ms. Dixon. I mentioned earlier, Chairman, that the tasks of data protection authorities in the EU are broad, and one of our key tasks in advance of GDPR was to prepare industry and in particular SMEs and micro-enterprises. And in doing so, we heard a lot of concerns from smaller companies about their ability to comply with what is a vast and sometimes technical and complex law. However, through the awareness campaign that we rolled out and the very specific guidance we were able to issue to smaller enterprises, we were able to clarify the risk-based approach that the GDPR endorses, in other words, that organizations only need to implement what are called the organizational and technical measures appropriate to the levels of risk in the scale of personal data processing that they are undertaking. So, in fact, the GDPR does consider smaller enterprises.
Some very specific articles in the GDPR, like article 30, the requirement to document data processing operations--it recognizes that smaller scale enterprises do not need to conduct that particular exercise. So I think for every organization, the GDPR is a win-win when it is implemented. It engenders the trust of consumers. It protects organizations. And we have not seen any direct evidence of organizations having to shut down because they could not meet the compliance burden once they understood how they could practically implement it.

The Chairman. Thank you. Senator Cantwell.

Senator Cantwell. Thank you, Mr. Chairman. Again, thank you, everybody, for your testimony. Ms. Guliani, it is good to hear from you and Mr. Steyer about the California law and its need for improvements. I can guarantee you one of the first calls I made when taking over this spot was to Attorney General Becerra, a former colleague, to ask him about the California law. And he said basically what you articulated, Ms. Guliani, that it needs improvement and that he sought to seek that. So I wondered--Ms. Guliani, you were very clear on the discriminatory practices in housing and employment, race and gender issues that are being deployed. To your point of people not even knowing how the information is used and collected, who do you think is the repository for all of these violations that are existing today? Do you think we get that from you, the AGs? Like who do you think has the running list of duplicitous actions that are being used against people with their data?

Ms. Guliani. I do not think anybody has a running list, which is why I think it is so important that we have robust enforcement on multiple levels. So we need the FTC to be resourced and have the technical expertise. They should also be able to level civil penalties. But at the same time, I think we want to take advantage of State attorneys general and regulatory agencies who have a long history of protecting consumers.
And finally, I think consumers have to have the right to go to court themselves. I mean, there may be many cases where either State or Federal authorities do not have the resources and so, for good reason, cannot follow up on a privacy violation. I think without a multi-pronged approach from an enforcement standpoint what you will effectively have are gaps and gaps that can be exploited.

Senator Cantwell. Well, I think to the issues that you mentioned, these are things that we batted down in other areas of the law. So to see them pop up online would be really just an undermining of current Federal law. So that is why it is so important that we fight against it to make sure that the online world meets the same standard as broadcasters have to meet in the broadcast world or health care officials have to meet in other forms of health care. We do not allow those things to pop up. I think the one thing that we learned from the Facebook hearing or Facebook writ large is just that anytime you see a survey online, chances are that information is just a data collection source so that some information can be used against you. Or when you have that familiar do you want a call back from somebody on the service is really a can I sell your name to someone else who is going to then try to solicit something from you. So I think it is very important that we get a handle on these current privacy violations so that the public has a better understanding. To this point about the erasing of data, one thing that we have learned from our privacy law that we passed through this Committee on clearing your good name, which was a tool by which we gave those who were victims of identity theft the ability to get a claim through the FTC and basically present that to law enforcement that they were the victim, not the perpetrator of the crime. How do you see enforcement working on something like that?
Because to me, it is a very big challenge to have--you know, the standard which we are operating now is basically people call attorney generals and attorney generals basically prosecute these people and get them shut down. Really, that is what happens. Consumers call in and complain. And so in this case, there is a lot of data and information being used and they do not even know how it is being used and they do not even know that they are, as you said, on housing or loans being discriminated against.

Ms. Guliani. Yes. I mean, I think that you really touch an important point, and one is that it is hard to figure out when a privacy violation has occurred or discriminatory conduct has occurred. I mean, just think about discriminatory advertising. I do not know the ads I have not seen, and so how do I know that I have been denied the opportunity for, let us say, an employment opportunity because I am a woman or a person of color. And so I think that it is really important that, one, the standards be clear so that companies know the rules of the road and, two, that the enforcement entities need to be looking at those companies, following up on those complaints when they get phone calls, having the resources to do that. But I think another thing that we also should look at is especially with algorithms and machine learning, more transparency, you know, companies allowing outside researchers to look at their algorithms and say, hey, this is having a disparate impact or this is having a discriminatory effect. And so we should really be encouraging those types of behaviors and encouraging companies to do risk assessments to measure potential discrimination.

Senator Cantwell. But just to be clear, you think that these companies should face the same penalties as other companies who have violated the law that is already in existence?

Ms. Guliani. Exactly. Self-regulation is not working and there should be robust enforcement.

Senator Cantwell. Thank you.

The Chairman. Thank you very much. Senator Blunt.

STATEMENT OF HON. ROY BLUNT, U.S. SENATOR FROM MISSOURI

Senator Blunt. Thank you, Chairman. Ms. Dixon, you mentioned in your testimony that the Irish Data Protection Commission is the lead supervisory authority in the EU for a significant number of U.S. companies because of domicile and other things. I do not want you to name companies, but are there U.S. companies, 11 months now into the implementation of this, that are noncompliant with the GDPR?

Ms. Dixon. Thank you, Senator. In the 11 months since the GDPR came into application, we have opened 17 significant investigations into potential infringement by the large U.S. tech companies. So we have reason to believe then clearly that there are potential infringements of the GDPR arising. And we are significantly advanced in a number of those investigations and intend to bring a decision and an outcome on those investigations----

Senator Blunt. Do you have similar investigations with EU-based companies?

Ms. Dixon. We do. So overall, we have 51 significant investigations underway currently. So a subset relate to the U.S. tech companies. We supervise government and public sector also in Ireland in addition to commercial enterprises. So it is across the board.

Senator Blunt. So it is safe to assume that in the regime that has been put in place, that U.S. companies do not have a more difficult time or an easier time, either one, than EU companies in complying?

Ms. Dixon. I think it is not a case of a more difficult or easier compliance approach. It is a risk-based approach that the GDPR endorses. And so when you have platforms that have billions of users in some cases and certainly hundreds of millions of EU persons as users, the risks are potentially higher in terms of the issues that arise around breaches and noncompliance with the principles.

Senator Blunt. And both EU companies and U.S. companies are being fined for noncompliance?

Ms. Dixon. We will have to conclude the investigations and----

Senator Blunt. Before the penalty? So have you issued any fines up till now?

Ms. Dixon. The investigations have not yet concluded, the first tranche that we have underway.

Senator Blunt. All right. Thank you. Mr. Polonetsky, Senator Schatz and I have some legislation on facial recognition, thinking that also is a significant data that uniquely recognizes people, obviously. I think we both agree that that information collected through facial recognition needs to be treated like all other personal data. Can you share your perspective on how Congress should define personally identified information, whether that should include facial recognition and how we would treat that in a way similar or unlike other commercially collected data?

Mr. Polonetsky. I would argue that a bill should recognize that there are special categories, sensitive categories of information, and the typical default for collecting, using, sharing that information should be a strong consent-based model. There may be places where we can see opt out or default. But certainly when it comes to sensitive data, biometric data, DNA, facial prints, fingerprints are clearly sensitive data and should be subject to a stronger consent-based standard.

Senator Blunt. Are there best practices out there yet?

Mr. Polonetsky. We have done a fairly detailed set of best practices as we have seen these technologies in the market. What we try to do is differentiate between facial recognition, which I think we all know, recognizing my unique ID, creating a template, and then perhaps facial detection. How many heads are in this space? How many male or female heads? I certainly can see potential for discrimination if I treat people differently, but I do not have a unique identification. And so in our structure, we set up a tier.
If a business just wants to know how many people are in the room, unique numbers of people, that might be a notice and a way to opt out, but if I am going to identify you by your name, the default ought to be that I need your permission.

Senator Blunt. And, Mr. Steyer, I think you were at the meeting the other day the Senator and I had on the CAMRA Act.

Mr. Steyer. Right.

Senator Blunt. Is there a facial recognition element there or concern about kids on screens?

Mr. Steyer. There should be. And by the way, thank you very much for supporting the CAMRA Act because I think this is really an issue that is a big deal for everybody because we get it. Your personally identifiable information is really, really important. The one thing I would say I differ with Mr. Polonetsky on is the California law basically does not differentiate between types of data. It just says all data deserve strong protection. And one thing I would urge the Committee to think about is look how California treated data. We did not actually distinguish. And Mr. Polonetsky wrote thoughtful comments for this hearing. But we think basically all data that is your personal data is really important. Obviously, stuff like facial recognition matters a lot to all of us because we understand it. We think all data matters.

Senator Blunt. Thank you, and Senator Markey and I are working on the screen time, face time element of that particularly as it relates to kids.

Mr. Steyer. And thank you for doing that very much.

Senator Blunt. Thank you, Chairman.

The Chairman. And thank you. Senator Schatz.

STATEMENT OF HON. BRIAN SCHATZ, U.S. SENATOR FROM HAWAII

Senator Schatz. Thank you, Mr. Chairman. Thank you for the testimonies. We have had a constructive conversation. I want to start with the FTC. My view is that any law ought to have--and this is for Mr. Steyer and Ms. Guliani--first fine authority and APA rulemaking authority. And I just want to get your view on whether you agree with that? Mr. Steyer.

Mr. Steyer. I completely agree with that. I mean, if you really look at it in a practical common sense way--and Attorney General Becerra you guys were referring to who was angry at me because we passed a law--because he is my law school classmate and friend said, ``Oh, my God, now I became the Chief Privacy Officer in California.'' The big issue is resources for enforcement. You could speak to Attorney General Becerra.

Senator Schatz. I will get to that, sir. It is a yes.

Mr. Steyer. Yes, definitely to your question.

Ms. Guliani. Yes, definitely.

Senator Schatz. And let us talk about resources for enforcement. So the Ireland DPA has 135 employees. They are about one and a half percent of the U.S. population. The FTC has, obviously, more employees, but as it relates to--full-time privacy staff has 40. Do we need more human beings at the FTC devoted to privacy?

Mr. Steyer. Yes, absolutely. No brainer.

Ms. Guliani. Yes, absolutely and increase technical expertise. I think as you note, the size of the FTC is probably smaller than the DC office of a lot of major tech companies.

Senator Schatz. That is a fair point. OK. Let me go back to transparency and control. I have been banging this drum for a while. I am great with transparency and control. I just do not think it is enough. And as we think about Senator Blunt and I working on facial recognition, you are going to walk into a mall and this idea that there will be sensors everywhere and they will be pinging off of your face. And then let us say we pass a pretty robust transparency and control regime. I am not sure how you can effectuate a transparency and control regime if your phone is not constantly giving you a notification and having you make individual micro-decisions about whether Banana Republic is going to send you a message or the Apple store or whatever. Or, heaven forbid, but what happens if you did not bring your phone into the mall? How do you even say no to some of this data collection?
It seems to me that we do need belt and suspenders, that we ought to be able to turn the dials on some of these decisions. But we also need to recognize the impracticability in an IoT universe of transparency and control of giving any real control. I mean, to Chairman Wicker's point in his opening statement, is that really a choice. I am wondering, Mr. Steyer and then Ms. Guliani, how much of this do you think can be accomplished through transparency and control, and how much of this do you think ought to be backed up with a principle of, listen, we are going to configure a statute best we can, but in order to future-proof this and in order to back this thing up, we have to have a basic principle in the law which says you may not harm people with the data that you collect? Mr. Steyer.

Mr. Steyer. I completely agree with you. You could have written my remarks. I agree with you. Transparency and control are important, but they are simply not enough by themselves. And we talked about the rights to access, to delete, to port your information. And certain acts should be completely off limits like behavioral ads targeting kids. So transparency and control are important, but they are simply not enough. Notice and consent, sort of broad terms like that, just are not enough. We have to go farther. And we think that the public would love you to do that.

Senator Schatz. Ms. Guliani.

Ms. Guliani. I think you are absolutely right. Notice and consent is not enough in part because in a lot of cases people do not have meaningful choices. If the option is between not having a service at all or turning over massive amounts of data, a lot of consumers consent, but it is not really consent. So I think that the law should place strict guardrails on what companies can and cannot do. For example, if I have a flashlight app, is it really reasonable for that app to require me to turn over all of my location data or my financial data just as a condition of using that app? I would say no.
And in the face recognition context, you know, if I want to go to the grocery store to buy food, is it really reasonable that the only option I have is a sign that notifies me that face recognition technology is being used? I do not think that that is really the control and the right that consumers want. And so absolutely we have to go beyond notice and consent to get at sort of terms that really take advantage of people's privacy and exploit their lack of choice.

Senator Schatz. My final question--and this will be for the record and for the entire panel--is whether or not we are missing anything in terms of essential elements of a Federal data privacy law? And I will take that for the record. Thank you.

The Chairman. That is a very good question, and so I hope all of our panelists will take that for the record and you have a few days to respond. That would be very helpful. Senator Fischer.

STATEMENT OF HON. DEB FISCHER, U.S. SENATOR FROM NEBRASKA

Senator Fischer. Thank you, Mr. Chairman. One core part of the GDPR is to protect consumer data by requiring freely given, specific and informed consent. However, we already are seeing user interface workarounds that we can consent by confusing user choice. Ms. Guliani, you just spoke to that in the answer to Senator Schatz's question. In these circumstances, users see a false choice or a simple escape route through the ``I agree'' button or ``okay'' button that pops up on our screen. And this can hide what the action actually does, such as accessing your contacts, your messages, Web activity, or location. Users searching for the privacy friendly option, if it exists there at all, often must click through a much longer process and many screens. Mr. Steyer, is clear, easy to understand user interface design a critical component of achieving informed consent and preserving any rights to consumer data privacy?

Mr. Steyer. That is a great question, Senator Fischer, and it is. It really is.
I think the truth is if we all think about ourselves--maybe there are one or two wizards up here, but I am not and I run a large organization that helps write privacy laws. So I think clear, easy-to-use information is absolutely critical. That is why I mentioned it in my opening remarks. This is complex stuff, and so we need to make it very easy for consumers to understand what their rights are and then how to exercise them. It is like having a privacy policy at the end of your phone, 80 pages on your phone, which no one ever reads. They just check here. So I think that is a really important element of what this committee and the Senate could do is make it simple and easy to understand for the consumer. If it is easy to understand for you folks, it will be fair to the consumer would be what I would say.

Senator Fischer. I hope that is an endorsement.

[Laughter.]

Mr. Steyer. That is an endorsement, but it is also recognizing the complexity of this. It actually goes to the question Senator Schatz was asking. But it is really an important element of doing this right.

Senator Fischer. Right. I appreciated Common Sense Media's endorsement of the bill that I have with Senator Warner, the DETOUR Act, and I believe that is going to guard against the manipulative user interfaces that are out there. Those are also known as dark patterns. Can a privacy framework that involves consent function properly if it does not also ensure that user interface design presents that fair and transparent options to manage our personal data setting, sir?

Mr. Steyer. Is that directed to me?

Senator Fischer. Yes, please.

Mr. Steyer. You are absolutely right on that. By the way, the other point I would make is the fact that you and Senator Warner are working on the dark patterns, the fact that Senator Blunt is working with Senator Markey and others on bipartisan legislation, this is an area where--I keep saying it.
This is common sense for everybody, and I really do believe that this committee, acting this way in a bipartisan fashion, is critical. But, yes, we have got to keep it simple and easy. Even though it is complex, you have got to make it simple and easy for the average user.

Senator Fischer. Thank you. Ms. Dixon, as the GDPR has been implemented, have you seen any trends for companies that have taken steps toward focusing on user-centered design or others that are avoiding it on purpose?

Ms. Dixon. We certainly, in the run-up to the GDPR, saw a lot of attempts in particular by the platforms to redesign their user engagement flow and to reexamine whether the consents they were collecting met the threshold articulated in the GDPR. But some of the investigations that we now have underway are looking at whether the ways in which in particular the transparent information is being delivered to users really meets the standards anticipated by the GDPR. So, for example, a lot of organizations have implemented layered privacy notices, which is something generally that we recommend to avoid the need to have a 100-page privacy notice. But on the other hand, there can be issues of inconsistency between the layers, too many layers for a user to go through to get basic information. So through the investigations that we have ongoing at the moment, we are examining whether the standards anticipated by the GDPR are being met and in what circumstances we say they are not being met. So there should be further clarification on that in the coming months.

Senator Fischer. So as Mr. Steyer was saying, keep it simple.

Ms. Dixon. Keeping it simple is always good.

Senator Fischer. As we look to draft Federal data privacy policy, it is important that we do look at preventing irresponsible data use from the start. Ms. Dixon, you actually noted the complaint of someone who had been contacted by a headstone company after a family member passed away, generated by combining obituary data and public address data. And I am going to ask all of you the same question that I asked the previous industry panel, and hopefully you can respond in writing to the question since I am out of time. But I would just really appreciate if you could give one example of an unreasonable data practice to us. I think that would be helpful when we do look at trying to keep this simple and what is going to be needed. So thank you very much. Thank you, Mr. Chairman.

The Chairman. Can each of you do that for us on the record? We would appreciate it if you would. Senator Tester.

STATEMENT OF HON. JON TESTER, U.S. SENATOR FROM MONTANA

Senator Tester. Thank you, Mr. Chairman. Thank you all for being here. I know you all came to talk about production ag today, so I am going to ask some questions about it. I have been farming for about the last 40 years, and one of the big advances in agriculture that has happened pretty recently is called precision ag where you get computers on your tractor that measure just about everything you do, from the amount of fertilizer you put down to the kind of seeds you put in the ground, to the number of acres you cover. You name it. So I have got this information. It is obviously connected up with a higher God. Is it possible for folks or do you know if they can use that information right now, if they can gather that information to try to influence my buying decisions? Do you understand what I am saying? I am saying we have got technology on the tractor that measures just about everything you do. Is that information gatherable? Just somebody taking that information and sweeping it up. Is it possible for them to do it? Can anybody answer that?

Ms. Guliani. So I cannot answer specifically.
I think with agriculture and some of, I think, the new technologies, I do think that a big problem is secondary uses. Right? Think about if I buy eggs from a grocery store and I give somebody my address to deliver those eggs, I expect that they are going to use my address to get the eggs to me. What I do not expect is that they are going to tell an insurance company that I bought eggs and they should charge me a higher rate.

Senator Tester. OK. So what gives them the right to do that? What gives them the right to share that information? It looks to me like why should it not all be off the books unless I say, you know, what, go ahead and give it to my doc, give it to my insurance company, give it to a guy I am going to buy a car from, I do not care, go ahead and do it. Otherwise, if I do not do that, no sharing information. Period. What I do is my business and nobody can share it. It is against the law.

Ms. Guliani. I mean, I would agree. And I think that what functionally happens sometimes is that there is a 30-page privacy policy. Somebody does not understand what is in it, nor do they have the time to read it.

Senator Tester. So it looks to me like it does not have to be 30 pages. Does it? Could it not be just a simple question: Can we use your information, yes or no?

Ms. Guliani. Yes. And I do not believe that there should be secondary uses and secondary sharing unless the person knows what is happening and has provided specific consent for it.

Senator Tester. OK. So the lady from Dublin, would the GDPR stop the collection that I just talked about? And by the way, that is a scenario I use for agriculture, but you could use it on anything. Would they stop it? Would your rules stop it?

Ms. Dixon. Thank you, Senator. It is a very interesting question. As I mentioned in my written statement, the GDPR is high-level, principles-based, technology-neutral, and it does not prohibit any specific forms of personal data processing.
It provides that any form of personal data processing could be legitimized. So in this case, what we would have to do is trace through the various actions of the company and look at whether the principles of the GDPR are being met, in particular in this case around purpose limitation, transparency to you as a user in terms of sharing the data with third parties and the purposes for which it would be used. And to the extent that consent is legitimizing the processing, whether you had granular options to consent or not to consent. And so it is possible that the GDPR would prohibit it depending on how it is being done, but it would involve the specific parsing against the principles. Senator Tester. A previous question asked you about fines, and you said none have been levied yet because your investigations have not been done. You have been in effect for 11 months since it was put into effect? Ms. Dixon. It is 11 months since the GDPR came into application. Some of the investigations have been open more recently, but we have one or two that are open since May. Senator Tester. Since May. So we are coming on a year for the investigations? Ms. Dixon. That is right. Senator Tester. How quickly are they to a point where you can--are these investigations so complicated that we are looking at another year or is it weeks? Ms. Dixon. No. I think in the coming months over the summer, we will conclude decisions on some of them. They are complex investigations. There are also significant procedural safeguards that we have to apply because the sanctions are significant. So we do have to allow the party's right to be heard at various junctures in the investigation and decisionmaking. In addition, because of the form of a one stop shop we have in the EU, other procedural issues arise. Senator Tester. And very quickly because my time has run out. How are the fines levied? How do you determine the fine? Is that dictated in the GDPR or do you do it on the size of the company? Ms. 
Dixon. So article 83 of the GDPR sets out the limits on the fines and provides details of aggravating and---- Senator Tester. Can you give me an idea of what the largest fines are under the GDPR? Ms. Dixon. The largest fine would be 4 percent of the global turnover for the preceding year of an undertaking. Senator Tester. Thank you. The Chairman. Thank you, Senator Tester. Senator Blackburn. STATEMENT OF HON. MARSHA BLACKBURN, U.S. SENATOR FROM TENNESSEE Senator Blackburn. Thank you, Mr. Chairman. And thank you to each of you for being here today. And, Mr. Steyer, good to see you. Mr. Steyer. Nice to see you. Senator Blackburn. We have been talking privacy for quite a while. Mr. Steyer. We have. Senator Blackburn. Ms. Guliani, I am certain you know this, and to our friends who have joined us today, I think that for so long what we heard on Capitol Hill from people is do not do anything that is going to harm the golden goose. Leave it alone. And this is why I introduced the BROWSER Act several years ago, bipartisan in the House, and why I have long held that consumers need to possess the toolbox to protect, as I term it, their virtual you, which is you and your presence online. And this is vitally important as Americans move more of their transactional life online. And, Ms. Guliani, you said it well. There should not be a secondary use for other companies to know what credit cards we use, what time of month we pay our bills, the sites we search, the products we order. And for that to be data-mined and then repackaged and sold specific not to our name or physical address maybe, but to our IP address, which is our virtual you. So that is why the BROWSER does a few things very well. It says opt in for sensitive data, opt out for non-sensitive data, and one set of rules for the entire Internet ecosystem with one regulator. 
And I think when we look at an individual's privacy, that we ought to focus on doing a few things well, to do it understandably, and as we have discussed in the past, Mr. Steyer, to make certain that the protections are there for children and that their information is protected online. And I am delighted that the chairman is bringing this issue forward. Privacy and data security are essential because this transactional life that we live online underpins every single industrial sector of our nation's economy. And, Ms. Dixon, I want to ask you about the difference, let us say, for Ireland with having an EU-wide regime on privacy as opposed to an Ireland-specific. Preemption I think is vitally important, and I would like to hear from you what the difference has been by having the ability to have it EU-wide versus just for Ireland. Ms. Dixon. So, Senator Blackburn, the GDPR, as you note, is a direct effect regulation of the EU as opposed to a directive which requires transposition into member state law, which was the previous regime we had prior to last May. But, in fact, as a regulation, the GDPR is still something of a hybrid because each EU member state, nonetheless, had to implement a national law to give further effect to the GDPR. Senator Blackburn. It underpins. Ms. Dixon. It underpins and gives further effect to the GDPR and implements some choices that were left to each individual member state under the GDPR. So what we have is actually a hybrid where we have a 2018 Irish Data Protection Act that guides us in terms of the operation of our investigations and the procedures we must follow and around aspects such as the age of digital consent for children, which is set at 16 in Ireland, and then we have the GDPR. In the case of any conflict, which there should not be, the GDPR reigns supreme under the doctrine of supremacy of the EU law. So it is something of a hybrid, and there are still member state flavors in terms of choices made under the GDPR. 
Senator Blackburn. Thank you. I appreciated a visit with your EU Privacy Commissioner a few weeks ago and then this week visited with the Commissioner from New Zealand. And I think it is instructive to us that whether it is GDPR, as it comes through its first year of enactment, or other countries that are looking at enacting privacy policy, that it is important to our citizens that we do something and that we do it right the first time. So I appreciate your participation and look forward to continuing the conversation. I yield back my time. The Chairman. Ms. Dixon, the GDPR directs European member states to make certain decisions, for example, the age of consent. Is that what you are saying? Ms. Dixon. So under certain articles of the GDPR, such as article 8, the age of consent for children accessing information society services was set at 16, but it gave member states the choice to implement as low as 13 under their member state laws. So, in fact, what you find is that the majority of EU member states went ahead and implemented an age of 13. So there are a number of articles like that where member state choice was implementable. The Chairman. Maybe we could search that ourselves. But if you would help us by supplementing your testimony and giving us some examples of that, I would appreciate it. Thank you. Senator Peters. STATEMENT OF HON. GARY PETERS, U.S. SENATOR FROM MICHIGAN Senator Peters. Thank you, Mr. Chairman. And thank you to each of our witnesses. It has been really a fascinating discussion. And, Mr. Steyer, I do believe you are right that this is an important issue that the time is now. In fact, I think the issue of privacy, given the explosion of data and technologies with the power to collect a lot of data are continuing to expand. This could be one of the defining issues of this decade as to how we deal with it because with data comes power, and that power is based on data collected from us each individually. 
So we have to be leaning into this very heavily. So I agree with that. My first question, though, for you, Ms. Guliani, is an example of some concerns that I have. There is a popular pregnancy tracking app Ovia that tracks medications, mood, bodily functions, and more and even use it to track newborn medical information for women that use this app. You may be familiar with it. The app has come under scrutiny because it allows employers to actually pay to gain access to the details about their workers' personal lives. Your testimony--you were very clear and others have mentioned about how Federal law should limit purposes for which consumer data can be used. So my question, though, is what should be included in a Federal privacy standard to ensure that employers, in particular, cannot have access to their employees' medical information from an app such as Ovia? Ms. Guliani. I mean, I would say first that that is information that should not be given to an employer absent the consent of the individual using the app, and they should not be denied using it if they say, look, I do not want my employer to know that but I would still like you to measure these things. So I think that those are sort of two sides of the same coin. And what I worry with apps like these is, again, these long privacy policies that individuals do not have time to read or understand that effectively require them to sign away all these rights just to use a service. Senator Peters. Well, to follow up on that comment, in Ovia they have a 6,000-word consent form. The company is granted, quote, a royalty-free, perpetual, and irrevocable license throughout the universe to utilize and exploit their de-identified personal information. The company is allowed to sell, lease, or lend aggregated personal information to third parties. This basically means that all of the information that was gathered--a package can be sold to whoever they want whenever as long as it does not meet their de-identified criteria. 
But how difficult is it for a company to re-identify somebody if there is enough data about them? Let us say a smaller company that may only have one woman who is pregnant-- could you identify that person probably even with de-identified data? Ms. Guliani. Yes. I mean, re-identification I think is becoming easier, and there are companies that are innovating around that. So, for example, there have been MIT studies that found that de-identified data could be re-identified 95 percent of the time with accuracy. So I think it is really important that when we talk about de-identified data, we are really clear on what that means and making sure that it is, in fact, de-identified. Senator Peters. Right. Mr. Polonetsky, an example. If I go to the doctor and I get prescribed an allergy medicine and then I put that information on an app that I have to keep track of the number of doses I have to take of medicine or whatever it may be, how do you envision a Federal privacy law, working with existing laws such as HIPAA, to ensure that my medical information is indeed protected after I put it on my own app? Mr. Polonetsky. Yes. This is increasingly going to be an important issue because patients are increasingly downloading their medical records, and there is obviously great value in people being able to see that data, maybe take it to a different doctor, analyze it themselves. But they may not appreciate that once they have downloaded it from their HIPAA-covered entity, that it is now in their hands, it is in their app. Legislation should recognize that there are sensitive categories of data that are going to be subject to much stricter and tougher controls. I may want to share that with another doctor. I may have a friend who is a doctor. I may want to show it to my spouse. And so I certainly should be able to share it, but it ought to be very clear and very practical, and I ought to be able to revoke that consent. 
It is not likely to be covered by HIPAA, but we increasingly have data that is outside of the regulatory world where we need to make sure that the consent standard in any proposed legislation is indeed balanced. Senator Peters. In March, it was reported that a data broker tried to sell the names, addresses, high schools, and hobbies of 1.2 million children. This was uncovered through the violation of Vermont's recently enacted law to regulate data brokers. Mr. Polonetsky, as you know, the Vermont law requires data brokers to register with the state annually and gives us some transparency as to who is actually out there, who is actually collecting all this information. Understanding that the law was just recently implemented, do you have an early assessment of the law, and should we look at that law in guiding some of our work at the Federal level? Mr. Polonetsky. I do not have enough information to know how it is playing out, but it is clear that people today have a limited idea of the number of places their data goes when they are online or when they can transact. And providing a simpler way for them to get to those endpoints so they do not have to go to multiple places so they can say no once or they can go to one place and effectively take their data out I think is valuable. Frankly, I think it is valuable for companies too, the people who really do not want to be getting catalogs in the mail or do not want to be marketed to. It is costly to send some of that out, and I would like to believe that at the end of the day, there is a win-win by giving people more control over what they receive from a whole range of third parties. Senator Peters. Thank you. Appreciate it. The Chairman. I think there are a lot of win-wins out there. Senator Thune. STATEMENT OF HON. JOHN THUNE, U.S. SENATOR FROM SOUTH DAKOTA Senator Thune. Thank you, Mr. Chairman. Ms. Dixon, in your testimony you touch on industry codes of conduct. 
Can you elaborate on how industry codes of conduct are intended to operate under the GDPR and whether you think such codes of conduct enhance compliance with the law? Ms. Dixon. So codes of conduct are a new feature of EU data protection law, and we do believe that they are going to pay dividends once they get off the ground. The European Data Protection Board has recently issued guidance on how it is intended that codes of conduct would work. And in the first instance, it is up to industry groupings to bring forward proposed codes of conduct that they would agree to implement. They have the benefits of creating a level playing field within industry sectors and driving up standards. Another key feature of codes of conduct under the GDPR is that it is intended that there would be an independent monitoring body paid for by the industry sector that would monitor compliance with the code of conduct and ensure that complaints from individuals--that the exercise of their rights, for example, is not being adhered to--are dealt with efficiently. So this is an area of the GDPR that we look forward to rolling out over the coming years. Senator Thune. Let me just direct this to everybody, and it is more of a general question. But Mr. Polonetsky, Mr. Steyer, and Ms. Guliani, with respect to privacy expectations of our consumers here in the United States, do you think the status quo is working? Yes or no? Mr. Steyer. No, but I would tell you that there has been a sea change in awareness in the last year. I think one of the most encouraging things that we have seen, other than the bipartisanship, I think, in understanding these very issues that affect everybody, is that the public is finally coming to understand that privacy really matters. Remember, it is a fundamental right, but people have forgotten that. I have four kids, and I remember talking to my kids about this a few years ago, about do you even understand what privacy is. 
So I think we are at a watershed moment, which I think the work of this Committee and the broader Senate and Congress will drive forward. The public is finally understanding this is really my own personal information. It is really important, and I have the right to control it. So I think we are at a great moment, and I think that honestly, Senator Thune, if this Committee moves forward and the Senate moves forward, I think it will be incredibly important not just legally and from an enforcement and accountability standard for behavior, but public awareness. So I think we are at a really important tipping point that you all can drive forward in a very important way. Mr. Polonetsky. Senator, my 17-year-old son is sitting behind me and I have got a 15-year-old daughter, and it has been fascinating to see how they have been using technology and I do not think they think about it in terms of privacy. All they know is that their Instagram page should not have all of their photos. It should have the ones they curate. And they have another account they use a little more flexibility, a little more sloppily. My son is a big SnapChat user, and he is not thinking about it, oh, my pictures disappear. I am just saying hi. Why should that be around forever? And so I am optimistic that the technology is finally capturing the actual reality of how people act. Somehow when some of these sites launched, the notion was the more you share, the more people click on it, the more people see your stuff. And there is a place for that, for activism, for outreach. But that is not the default for the way most of us live. We want to talk to friends and family and small groups and alumni groups and the like. And somehow the engineering answer was, sorry, if it is on the Internet and it is public, it is public for everybody. So these are not perfect. You know, it is not perfect privacy when your photo disappears. It is probably somewhere. 
But it gave me a level of obscurity that actually ends up being critical and nuanced. So I would like to see us nudge companies to solve some of these problems by having technology reflect the way humans act. Right? It is supposed to be in service of our needs, not in service solely of advertising and marketing. I see that pushback happening. I would like to think it is because of privacy pressure, but I actually think it is because of what the younger generation actually wants. And they do not call it privacy. They call it this is the way I think about my relationships. Senator Thune. But the answer is no, the status quo is not working. Mr. Polonetsky. The status quo is not working. Senator Thune. Ms. Guliani, yes or no. I have another question I need to ask here. Ms. Guliani. Yes. The status quo is not working, and I just want to highlight that I think we are increasingly understanding that that status quo is hurting vulnerable populations in some cases the most, you know, exacerbating economic inequality and some of those issues. And so I think the law should reflect the special harm that is being placed on consumers. Senator Thune. And I agree the status quo is not working, which is exactly why this committee began to lay the groundwork for privacy legislation in the last Congress and we are building on that. I believe it is one of the issues that Congress should be able to work on together on a bipartisan basis, and I look forward to working with Chairman Wicker and other members of this Committee to find consensus on this very important issue. One very quick final question, and that, again, I think can be yes or no. But on principle, would any of you oppose any Federal law with preemption in it? Yes or no. Ms. Guliani. We would have serious concerns with broad Federal preemption. Mr. Steyer. I have serious concerns with broad Federal preemption. Mr. Polonetsky. 
I think preemption can be done carefully so that it preempts the inconsistencies that make compliance hard but preserve the rights and protections that I think we want to preserve. Senator Thune. I would be interested--and I guess we can take this for the record, Mr. Chairman--in your thoughts. You all referred to a Federal law as strong as California and just to maybe speak specifically to what you mean by that. Thank you. The Chairman. Thank you. And, Senator Thune, you questioned long enough for Senator Markey to get back in his seat. So Senator Markey is next. STATEMENT OF HON. EDWARD MARKEY, U.S. SENATOR FROM MASSACHUSETTS Senator Markey. Thank you, Mr. Chairman, very much. And thank you, Senator Thune. I have long advocated for privacy protections that include the principles of notice and consent, but a Federal privacy bill must build on that framework by explicitly prohibiting certain types of data use. Today companies amass troves of consumers' data and then repurpose that information to target ads in discriminatory ways. And that is why I recently introduced the Privacy Bill of Rights Act, comprehensive privacy legislation that bans discriminatory uses of consumers' private information. This legislation explicitly prohibits companies from using Americans' data to target employment, housing, health care, education, or financial opportunities in harmful, discriminatory ways. Ms. Guliani, can you provide one example of how a company currently uses consumers' personal data to target individuals of particular genders or socioeconomic groups in ways that threaten Americans' civil rights? Ms. Guliani. Sure. I mean, I can give you a recent settlement in an ACLU case. You know, over the last several years, there were multiple charges that Facebook was facilitating discriminatory advertising, particularly in the housing, credit, and employment contexts where Federal law prohibits discrimination. 
So, for example, allowing targeting of ads based on factors like race or gender or things that would be proxies for that. Over the years, complaints were made. The company said that they were going to resolve the problem but were slow to do so. And so the ACLU and other civil rights organizations filed a lawsuit, and the company, to its credit, has settled that lawsuit. But I think what this does is speak to a broader concern, and that is a question of how in this new online ecosystem are advertisers and others exacerbating discrimination, charging different prices for, let us say, a bus ticket, not allowing African Americans or women to see employment or housing opportunities. Senator Markey. So let me just follow up on that. Do each of the rest of you agree with Ms. Guliani that it should be illegal for companies to use consumers' personal data in these harmful discriminatory ways? Ms. Dixon. Ms. Dixon. So, Senator Markey, I think in terms of legislation prohibiting certain uses, as I have outlined, the GDPR is set up as principles-based and does not specifically prohibit uses but principles of fair processing, as an example, will go some way to tackling the issues that you have outlined. I think in terms of the issue of discrimination--and there is some complexity to the issue---- Senator Markey. But in general, do you agree with Ms. Guliani? In general on discrimination? Ms. Dixon. In general, discrimination---- Senator Markey. OK. Mr. Polonetsky. Mr. Polonetsky. In general, yes. Senator Markey. Mr. Steyer. Mr. Steyer. Absolutely I agree. Senator Markey. Thank you all. So let us move to children's privacy. I will go to you, Mr. Steyer. Children are a unique, vulnerable group online. That is why earlier this Congress I introduced bipartisan legislation with Senator Hawley to protect kids' and teens' privacy. This legislation is an update to the Children's Online Privacy Protection Act, a law which I authored back in 1997. 
This law creates critical new safeguards for young people. The legislation would extend protections to 13, 14, and 15-year-olds by requiring consent before collecting personal information about them, ban targeted ads to children, create an eraser button for parents and children to allow them to eliminate publicly available personal information submitted by the child or teen, and establish a youth privacy and marketing division at the Federal Trade Commission, which will be responsible specifically for addressing the privacy of children and minors in our country and marketing directly at children and minors in our country. We know we have a crisis in the country in terms of the targeting of children in our country by these online companies. So, Mr. Steyer, why is it critical that any comprehensive privacy law include these heightened protections for children and teens? Mr. Steyer. We totally support the law, and we are glad it is bipartisan. We just believe you should fold the COPPA 2.0 law into this broader law that you are doing. The truth is--we all know this as parents and grandparents--kids do not understand stuff. They may be more technically literate in a way, but they just do not understand it. So they deserve special protections, and the COPPA 2.0 law that you all have introduced is absolutely spot on, and I would urge everybody on this committee and all 100 Senators to support it. Senator Markey. Do you each agree that special protections have to be built in for children? Ms. Guliani. Ms. Guliani. Yes. Senator Markey. Mr. Polonetsky. Mr. Polonetsky. Yes. Senator Markey. Ms. Dixon. Mr. Steyer. And teens. COPPA stops at 12, and we all know what teenagers are like. They need special protections too. Senator Markey. So this bill would lift it up to 16. Mr. Steyer. Correct. Senator Markey. And that is kind of, I think, a reasonable place to put it. 
I wish I could make it higher, but I think at least at 16, kids are just unaware even though you are saying technically sophisticated, but their judgment in terms of what it might mean for themselves in the long run just has not been well thought out. Mr. Steyer. And California goes to 16. We took it up to 16 in the CCPA. Senator Markey. And in Europe? Ms. Dixon. 16 in Ireland, 13 in other member states. Senator Markey. Yes. I am Irish. [Laughter.] Senator Markey. We like our privacy. Thank you, Mr. Chairman. The Chairman. Thank you, Senator Markey. Senator Moran. STATEMENT OF HON. JERRY MORAN, U.S. SENATOR FROM KANSAS Senator Moran. Chairman, thank you. Thank you four for joining us today on this important topic. Let me start with Mr. Polonetsky. The terms of a Federal consumer privacy bill. Consumers I believe would benefit if Congress provides clear and measurable requirements in a statutory text while also including a level of flexibility in the form of narrow and specific rulemaking authorities presumably to the FTC. That would help account for evolving technological developments. My questions are how should this committee approach providing the FTC with rulemaking authority, and do you see value in what some of us have been calling strong guardrails around that rulemaking authority to preserve certainty to consumers that we aim to protect? Mr. Polonetsky. I think our proposed legislation--the Committee's proposed legislation, which hopefully will come forward should put as much detail as we can put in the bill because I think there are going to be key issues to negotiate. But clearly there are going to be areas that are going to need more time, where progress of time is going to require perhaps updates and nuance, and the FTC certainly needs APA rulemaking authority to fill those gaps. 
But I do think setting the parameters so that the considerations that the FTC should look at can be spelled out so that businesses can anticipate so that commission heads, no matter what party is in leading and so forth, in the right direction I think is going to be critical. Senator Moran. This is not exactly the right words I do not think, but the theory that I have is that we have to provide lots of certainty but not too much certainty. Where do we find that sweet spot that allows this to work well today and into the future? Ms. Dixon, you indicated in your testimony--I think I am quoting this about right--the aim equally of a consistent and harmonized data protection law across the EU is to ensure a level playing field for all businesses and a consistent digital market in which consumers can have trust. Would you be concerned that EU consumers' trust in the digital market would be undermined if the EU lacked a harmonized approach to privacy? And related to that is, do you think the GDPR has provided clearer privacy requirements to companies than if each EU country adopted a different privacy requirement? Ms. Dixon. So I think certainly it would be the case that EU service users' trust would be undermined if we do not give full effect to this harmonized regulation now in the EU, and it's more a case of companies, rather than consumers, at the moment arguing that some of the harmonization is not coming into effect as anticipated because of member state choices that have been made. So the European Data Protection Board is a grouping of all of the EU national supervisory authorities, and we are working very hard to give effect to a harmonized implementation through guidance that we issue, but also through cooperation and consistency mechanisms that mean, when I conclude the investigations I referenced earlier, I will have to bring my decision to the European Data Protection Board and take utmost account of the views of the other EU 27 in finalizing my decision. 
So I think the harmonization is extremely important not just in terms of a level playing field, but in terms of the consumer trust. Senator Moran. Thank you. Part of the conversation here has been things are getting better. People are more interested in privacy. But we have also talked about how difficult it is to--what you are thinking about when you opt in and opt out, where the responsibility lies. Are consumers currently considering privacy practices when choosing between an online service provider? Are there enough companies using privacy as a competitive advantage? Any consumer paying attention to this and there is now an economic reward for privacy protections? Mr. Steyer. I would like to speak to that. I think when we passed the California bill last year, we were working with Satya Nadella at Microsoft, Tim Cook at Apple, Marc Benioff at Salesforce. They absolutely know that--there is no way that Apple and Microsoft do not see that as a competitive advantage now which, Senator Moran, I think is a very healthy thing. But that alone is not enough. That is why I said in my earlier comments about how important it is for the Senate and for the Congress to pass comprehensive, strong Federal privacy protections. But there is no question. Just look at Apple's marketing campaign that is out there right now. They are all over privacy. We meet with them at the top levels all the time. They have decided this is both the right thing to do and also the right thing to do for their business. And so has Microsoft. So the wave is coming. Senator Moran. What a great blend that will be if we do our jobs correctly and the consumer demands this from their providers. Mr. Steyer. Agreed. Senator Moran. Let me ask a final question. Just a yes or no answer. If Congress were to enact what we hope is meaningful privacy legislation, would you each support the attorney general of our various states having enforcement capabilities? Ms. Guliani. Yes. 
I would strongly encourage that, as well as State enforcement agencies. Mr. Steyer. Completely agree. Absolutely I think State AGs are critical, and a private right of action is a good idea too. Mr. Polonetsky. AGs have a key role. Senator Moran. Thank you all very much. Thank you, Mr. Chairman. The Chairman. Thank you. Senator Rosen. STATEMENT OF HON. JACKY ROSEN, U.S. SENATOR FROM NEVADA Senator Rosen. Thank you. This is an amazing hearing and I have so many questions. I am going to first start with some vulnerable population questions. One of our most vulnerable populations are seniors, our disabled veterans, our hearing, our deaf community. I have over 38,000 deaf and hard of hearing people in the state of Nevada. They rely on IP captioned telephone service to communicate. We all know what that is. As privacy concerns, what are we doing to protect those vulnerable populations who are using the telephone, using these other services because of a disability? Ms. Guliani. So I think that this is one of the reasons that having a privacy framework is so important. I mean, you mentioned the disabled population. Low income individuals rely on their phones more for Internet access and to do other day-to-day activities. And what we do not want is a system where as a condition of using these things that are critical to everyday living, people have to hand over their personal data and that personal data can have downstream consequences. And so I think that as part of any framework, we have to consider, number one, limiting the extent to which somebody can require you to give consent just as a condition of using a service. And we also have to be really skeptical and outlaw sort of what has been called pay for privacy schemes where I am just going to charge you more if you choose to exert your privacy rights. Mr. Polonetsky. Senator, I would urge the Committee to hear from the disability community because I think there is actually a really nuanced set of views. 
Certainly the community--and I will not speak for them although we have done some joint work recently--is worried about new ways that they can be discriminated against, but they are also passionate about the ways assisted technology and data--they want a smart home speaker to be able to control devices if they cannot use the traditional UI. They do not want their data sold, but getting that balance right so the data they do want can support them is certainly important. Senator Rosen. So as I have been sitting here listening-- and I get the pleasure of being one of the last questioners--is that it seems to me that there are two issues about your data. It is kind of the who, what, where, when, and how. The who is your personal data. It is your name, your birth date, your Social Security number, whatever. You own that. Right? Your baseline definition. Then you have your recorded behavior, if you will, your usage, your active usage, your passive usage. What is caught on recording and geolocation, that is your what, when, and how. So the real issue is who owns your behavior. Right? I mean, there are new safety issues, security for your personal birthday and all those kinds of things. So who owns your behavior is the issue, and what do they do with it? And the real value and the real threat is the monetization of your usage data. That is where it is. It is economics. Let us just put it right there. So how do you think that we can tailor some legislation that protects your usage information? We are trying to get better about protecting that personal identity, the who, but what about the what, where, when, and how that happens outside of you, where you shop, where you drive by, where you record on your voicemail? Mr. Steyer. So, Senator Rosen, I mean, it is a very important question. It is a very good question. I think the truth is we should broadly protect--allow the individual to control not just their own data but their behavior. 
I used the term earlier, ``data minimization.'' It was one of the big issues in the California law and in GDPR, and it is a company should only be able to use the data for a necessary business purpose, not a secondary purpose. When Senator Tester was asking the question about the farm implements, why should that be sold---- Senator Rosen. Or the pregnancy, the same thing. Mr. Steyer. Right, or the pregnancy. So I think very strict and clear limits and guardrails around that are absolutely critical to a strong privacy law. I think everybody on both sides of the aisle would agree with that. And again, the more you guys can make that clear to your colleagues but also to the public, the more we will all win. Senator Rosen. And would you think since there is such a strong economic benefit to the monetization of your data, that there should be strong economic sanctions if violations occur? Mr. Steyer. I would. And the only thing I would just say is the big thing to simplify it is the business model is everything. So if you really want to understand how the companies behave--because remember, the technology industry is not monolithic--you really have to take them company by company. It is all about the business model. So if their business model is based on monetizing your personal information through ads, you are going to have to restrict those companies much more. Senator Rosen. What about using new technology? So you have a smart car. You are going to drive by a certain coffee shop or grocery store every day. Do they say, well, this person drives by there? That is kind of your location. That is your passive usage---- Mr. Steyer. If I opt in. If I opt into that, but give the consumer the right to opt in, not force them to opt out. Senator Rosen. Thank you. I appreciate it and yield back my time. The Chairman. Thank you very much. Senator Blumenthal. STATEMENT OF HON. RICHARD BLUMENTHAL, U.S. SENATOR FROM CONNECTICUT Senator Blumenthal. Thank you, Mr. Chairman. 
And thank you for having this hearing with these very expert and knowledgeable witnesses. I have heard a lot of worries about the ongoing effort, and I am a part of it in the Congress to frame Federal standards that will protect privacy. I have asked one panel after another whether the people of the United States should have less privacy protection than California. Nobody believes they should. And I assume nobody on this panel thinks that the people of the United States deserve less privacy protection than the people of California. Correct? Mr. Steyer. Correct. Mr. Polonetsky. Correct. Senator Blumenthal. Thank you. At the same time, there is a legitimate fear that we would either advertently or maybe inadvertently undermine State protections. I think that is a real danger, and I would oppose any effort that preempts State laws so as to weaken protection for consumers. And I think we are all--or we should be--on guard against that danger. I know that businesses want a common definition and consistent rules. I also understand some of the criticisms of the California law. Some of that criticism smacks of opposition to the protections and the substance of those safeguards for consumer protection. Federal rules simply cannot be an opportunity to weaken a strong framework that industry resists or opposes. We can learn from California. We have to provide at least the same standards. In fact, I believe they ought to be even more rigorous and more protective. So let me ask particularly Mr. Steyer and Ms. Guliani if Congress fails to act now, are other states likely to successfully pass similar bills in the near term. What is on the horizon? Mr. Steyer. So I can speak to that. I would say I believe Senator Cantwell knows the State of Washington just considered a fairly--it was a different version of the bill and it died. It is the only one that is on the table right now. So barring action by the Congress, the California law goes into effect in January 2020. 
It will essentially become the law of the land, and I believe that the tech companies understand that. When we were writing it, we were aware of that. I do not think you are going to see this hodgepodge, mishmash. And to your point, Senator Blumenthal, the people who are really pushing preemption are primarily certain tech companies that want to weaken the California law. So your point of view of that as a floor that we should build upon for a strong, comprehensive Federal law is I think a very good framework. Senator Blumenthal. A floor, not a ceiling. Mr. Steyer. It is absolutely a floor, not a ceiling. And I think there are some very smart folks on this Committee who can build an even better law. Senator Blumenthal. First do no harm. Mr. Steyer. Exactly. Ms. Guliani. And if I could just speak to that point specifically. I mean, I think particularly in the area of technology, we are talking about rapid changes, and states have shown themselves to be more nimble and adapt to responding to those rapid changes. So what I really fear is a Federal regime that ties State hands, and when new technologies pop up, new problems pop up, we see gaps in a Federal framework that they are not able to address those problems. And I think particularly in an area where when it comes to consumer rights and consumer privacy, states have a long history of expertise and a long history of leading on these issues. Senator Blumenthal. Well, I share your predilections about the importance of State action, having been a State official for about three decades and including two decades as State Attorney General in Connecticut. And both in terms of being more nimble and also closer to their constituents and sharing the effects-- we share the real life effects of privacy invasion--I think State officials are a ready and willing source of wisdom on this topic. And so I think we need to be very, very careful in what we do here that may in any way supplant what they are doing. Thank you, Mr. 
Chairman. The Chairman. Thank you, Senator Blumenthal. Senator Sinema. STATEMENT OF HON. KYRSTEN SINEMA, U.S. SENATOR FROM ARIZONA Senator Sinema. Well, thank you, Mr. Chairman, for holding this hearing. Data privacy is an important topic for all Americans, and I am glad the Committee continues to explore this complicated issue from all angles. Every day we learn about new misuses of Americans' private data on the Internet, including recent examples in the past month of millions of social media passwords being stored in an unencrypted format. So this issue requires bipartisan solutions that protect the privacy and security of Arizonans while allowing innovation, creativity, and investment to flow into new and emerging technologies and businesses. I am particularly pleased this hearing focuses on the impact of data privacy legislation on consumers. They are the ones whose lives get upended if passwords get hacked or identities get stolen. And consumers should have the right to control their own private information. A particularly vulnerable population to privacy abuses and identity theft are elderly Americans. The United States has COPPA, a specialized privacy law to protect children, but our seniors also experience elevated risks of having their data misused. Elderly Americans sometimes struggle to navigate the complexities of privacy policies, and they are often the targets of fraud. I want to make sure that any Federal privacy law gives seniors in Arizona and across the country the tools they need to thrive in the digital economy and the protections they need to enjoy a productive and secure retirement. My first question is for Mr. Steyer, but I welcome the perspective of all of our witnesses. So thank you for your focus on children and the particular concerns they face. I think the consumer education piece is a critical aspect of any data privacy legislation. 
As you state in your testimony, many people who want to limit data collection by websites do not know how to do it, which is an issue of both transparency and digital literacy. Can you give a brief overview of your digital citizenship curriculum and discuss whether you think any of these tools are appropriate or could be adapted to educate older Americans? Mr. Steyer. Yes. I think that is a great question, Senator Sinema. So our digital literacy citizenship curriculum--75,000 member schools now--is basically driver's ed for the Internet and cell phones. It is sort of the basic rules of the road. I think your point about seniors is a great one because they did not grow up with the technology. It is hard for teenagers who are first generation native technology users to understand some of this stuff. So why should a senior citizen? So I think the importance of consumer education in simple clear ways to understand what your rights are and then how to exercise them--it is basically digital literacy. And if you guys put this into the bill, we will create a curriculum for you for all age ranges in the country. Mr. Polonetsky. Senator, I would love to see the FTC really taking a lead role. They have a business outreach department. We do a lot of work in Europe. The challenge, frankly, has been the huge number of small businesses that are sending questions, that are sending e-mails that they do not need to send to ask for permission. It has been a big transition. And if we are going to pass a new law--and I hope we do--we should be ready to help the teacher who is creating an app because she thinks it is a better way to teach her kids so that she does not have to hire outside counsel. And I think the FTC, certainly Common Sense, and other groups, but I think the FTC, in addition to giving them those enforcement staff, giving them those education, outreach is critical. Ms. Guliani. I would just like to make a point. I think that the onus should not be on the individual. 
Right? I think your question sort of speaks to a larger problem which is the complexities and difficulties that not just elderly Americans but everybody faces. And I think that that is one of the reasons that we have supported an opt-in framework instead of an opt-out. When you talk about technical literacy, the difficulty someone may have in figuring out not only all of the apps they do business with, all of the entities that might have their data, but how to navigate the complex framework of opting out is just too much of a stress to put on consumers. That is why we have supported opt in. Senator Sinema. Thank you. Ms. Dixon. I would agree that you should not put too much emphasis in terms of the responsibility of the individual solely to protect themselves, but I think consumer education is very important. The Data Protection Commission in Ireland has just closed a consultation in relation to children and the exercise of their rights under the GDPR, and we consulted directly with children through schools. We developed lesson plans, which was in part an education of children around the uses of their personal data. So we very much believe in active communication to consumers through our website, through the promotion of case studies promoted by the media. And I think this is an important part of the jigsaw as well. Senator Sinema. Thank you. Thank you, Mr. Chairman. The Chairman. Thank you very much. Senator Sullivan. STATEMENT OF HON. DAN SULLIVAN, U.S. SENATOR FROM ALASKA Senator Sullivan. Thank you, Mr. Chairman. And I apologize to the witnesses for my late arrival, but I wanted to make sure I was able to ask at least a few questions on a very important topic. And what I want to do--and again, if this has been covered, I apologize, but I wanted to focus a little bit more on the international aspects. 
We had a hearing, actually a subcommittee hearing, that I chaired yesterday with Senator Markey after our leader here set up a really important new subcommittee on economics and security. And the idea was kind of international standards and where we have typically led in this area--the United States--the NIST Director was there and a number of other witnesses at the subcommittee hearing. But how are we supposed to think through as we look at these privacy standards and the different standards internationally? Obviously, there is what is going on in Europe. But there are also concerns that I have even more broadly than just what is happening in Europe is that when you have kind of the 5G race that is happening globally and Huawei in some ways leading that, that you might have a de facto leadership that relates to standards coming from China that, to be honest, in the world of privacy is a real concern. I think even a bigger concern than the European regulatory framework. So how should we be thinking about this and trying to help make sure that what we are doing with our allies is the standard that we think is appropriate for countries like ours that are democratic capitalist countries? Mr. Steyer. Senator Sullivan, if I may, just two points. Senator Sullivan. Please and I open this up to all. Mr. Steyer. A couple of points. One, when we wrote the California law last year, the CCPA, which we have been talking about in the hearing, we met the folks who wrote GDPR, and we realized that the values of the U.S. are in many ways similar to folks in the EU, but they are different in certain areas. So we were very careful--and I think that this could be done here at the Federal level as well--to think about how there are certain areas like the First Amendment--we were talking about this earlier--that may mean that a privacy law in the United States would be slightly different than GDPR. But most of the protections are universal. 
That said, you can modify---- Senator Sullivan. Universal relative to liberal democracies? Mr. Steyer. That is what I was going to say. And the second thing is I would be willing to bet you a large sum of money that Huawei will not dominate the 5G universe, and I mean that. Senator Sullivan. Why? I am glad you are so optimistic. Mr. Steyer. Because the technology in the United States and the companies in the United States have brought this world extraordinary advances. That does not mean we do not need to be aware of this, but sacrificing important privacy protections for consumers just because China might do that would not be a smart strategy. And I think at the end of the day, a strong Federal privacy protection where the California law is the floor and where you really take into consideration the fact that most of the companies that matter are here in the United States will give us the protections that we need. Senator Sullivan. Other thoughts? Ms. Guliani. I was going to say, I mean, I think that we can take some good lessons from GDPR. Regulation in the U.S. is not going to look exactly the same as Europe. There are concerns with the right to be forgotten and changes that would need to be made to be consistent with the U.S. Constitution. The enforcement framework will look different. And also in the U.S., we have State-level actors, attorneys general, agencies, legislatures, and I think the last thing we want to do is weaken the ability of those actors who have a long history of working on these issues of sort of having a seat at the table and being able to enforce and create good laws. But having said that, there are positive elements of GDPR that we should take and learn from, the extent to which it places rights in the hands of consumers and increases standards around consent, and limits on how---- Senator Sullivan. Let me just real quick and then I would like to hear the rest. But none of you are advocating for a state-by-state approach to this. Are you? 
Mr. Steyer. No, but we were very clear we have deep skepticism about preemption if there was going to be a watered-down Federal law that would, say, lessen the protections you have at the baseline of California. So that was the discussion we had earlier. Mr. Polonetsky. Just to look to the Asia-Pacific allies that we do have. So we have had a leadership role in the APEC process where we have worked with Japan, Korea, a number of the major economies who similarly want to cooperate with data protection flows. You will be considering the new NAFTA treaty. We committed to use the APEC CBPRs, the APEC process to move data across North America. So GDPR, obviously, is an important place-setter, but we have been a leader in OECD, which has an important set of privacy frameworks, and we have been very active throughout many administrations in the APEC process, and those are two regimes we should look to for global cooperation. Senator Sullivan. Great. Thank you, Mr. Chairman. The Chairman. Thank you, Senator Sullivan. There is a vote on. Senator Cruz is recognized and will preside for a time. Senator Cruz. STATEMENT OF HON. TED CRUZ, U.S. SENATOR FROM TEXAS Senator Cruz [presiding]. Thank you, Mr. Chairman. Thank you to each of the witnesses for being here. There is no doubt that protecting privacy is critically important, and how we should do so, what government regulation should be in place concerning privacy is going to be a policy question that I suspect will be with us a very, very long time. At the same time that we want to protect privacy, we also want to avoid a regulatory system that imposes unnecessary burdens and that threatens jobs. And I think there are lessons that we can draw based on the experience we have seen elsewhere. There has been considerable discussion here about the European Union's General Data Protection Regulation, GDPR. 
In November 2018, the National Bureau of Economic Research found that, quote, the negative effects of GDPR on technology investment appear particularly pervasive for nascent 0 to 3-year-old ventures, which may have cost European startups as many as 39,000 tech jobs. Even more alarming, the report goes on to state, quote, the potential for job losses may well extend and intensify past our four months post-GDPR dataset period, in which case the effects on jobs is understated. In the wake of GDPR, California enacted its own law, the California Consumer Privacy Act of 2018. And according to the International Association of Privacy Professionals, the California Privacy Act will affect more than 500,000 U.S. companies, the vast majority of which are small to medium sized enterprises. What lessons should this committee or should Congress take from the experience with GDPR and the experience with the California Privacy Act? Mr. Steyer. So, Senator Cruz, I am Jim Steyer and we basically wrote the California privacy law with the legislature there. I would tell you the bottom line lesson is that privacy is good for business. We wrote that law really with some of the most important tech companies in the United States, Apple, Microsoft, Salesforce. But I run a small business with several hundred employees. We have to comply with the California law and GDPR. And so I run a small business and know the fact that it does matter. But in the long run, I think what you saw was you had unanimous bipartisan support in California among all the Republican legislators, as well as Democratic legislators to support it. So I would just say well crafted, strong privacy protections are in the best interest of business. And I think that the record speaks for itself in that regard, and you should feel confident that a smart Congress, just like a smart California legislature, will find the right balance on that. Senator Cruz. So let me focus for a second on the GDPR piece. 
Do the witnesses agree that the GDPR regulation is having or had a significant negative effect on jobs? And are there lessons that we should derive from that? Mr. Polonetsky. I think, Senator, one easy lesson that we can take and improve on, as we look how to legislate in the GDPR, the European Data Protection Board is issuing quickly-- but frankly, it is a year in--opinions on some of the core protections of the GDPR. There is an opinion out now that is not yet final on what can be in a contract. And obviously, that is a core thing. Lots of companies are doing their business based on contract. And we will not have final guidance and it is a year out. So the more we can do to give clarity--here are the rules, and yes, there is room for rulemaking in the areas that are complex and they have not been figured out. But I should be able to comply the day the law passes. There is a real overhang of uncertainty in a number of areas where the board has yet to issue opinions so people actually know what the rules are. Ms. Guliani. And I do not think it is necessary that a privacy law is going to hurt small businesses. I do think that a law should reflect the realities of small businesses. So, for example, penalties. You might want to have different penalties based on the size of a business or the amount of data they hold. And I do think there are some rumors and myths around the extent to which GDPR harms some businesses. I will give you a good example that has been reported. Following GDPR, the ``New York Times'' reportedly stopped doing targeted advertising in Europe and did contextual advertising. They did not find that their advertising dollars went down. They went up. And so I do think that there are ways that businesses can respect privacy and make a profit. And we are starting to see businesses that are innovating around that. DuckDuckGo, who is trying to create an alternative to Google that respects privacy. 
So this is also an industry to, I think, promote privacy and create rights-respecting products. Mr. Steyer. And, Senator Cruz, I would tell you that we have been spending a fair amount of time talking about the incredible importance to your family, my family, and everybody in this room's family, and ourselves about the protections. Living in the state where most of the big and small tech companies are based and working with them, I think they have now come to the conclusion that while there may be some modifications that need to be made, which is the normal legislative rulemaking process, in the long run this is good for business and it is good for consumers. It is good for everybody. So I agree with Ms. Guliani that I think some of the statements about job losses have been overstated and that the value of a quality privacy regime for the Cruz family, the Steyer family, and everybody else is totally worth it. Ms. Dixon. Senator, equally at the Irish Data Protection Commission, we are not aware of evidence that the GDPR is affecting jobs adversely. I spoke earlier about the risk-based approach that the GDPR endorses, and it does give a nod to smaller and micro-enterprises and it provides for implementation only of the organizational and technical measures that are appropriate and proportionate to the risks of the personal data processing operations in question and to the scale of the organization. So I think approached and implemented as it is intended, it should do the opposite of affect jobs. It should engender better consumer trust and a more sustainable business model. Senator Cruz. Well, I want to thank each of the witnesses for your testimony. This testimony has been helpful. The hearing record will remain open for two weeks. During that time, Senators are asked to submit any questions for the record. And upon receipt, the witnesses are requested to submit their written answers to the Committee as soon as possible, but no later than Wednesday, May 15, 2019. 
With that, I thank each of the witnesses for testifying, and the hearing is adjourned. [Whereupon, at 12:05 p.m., the hearing was adjourned.] A P P E N D I X Response to Written Questions Submitted by Hon. Jerry Moran to Helen Dixon Question 1. Your testimony highlighted obligations placed on organizations operating under the GDPR as a ``series of high-level, technology neutral principles,'' such as lawfulness, fairness, and transparency, among many others. Would you please explain the significance of any future regulatory privacy framework maintaining a technology neutral approach? Answer. The significance of a technology-neutral approach in any future regulatory privacy framework is that the law would remain adaptable to govern any type of personal data processing scenario and in any context. Equally, the law would not require frequent updating to keep pace with technology and terminology changes in addition to obsolescence that cannot easily be anticipated in advance. The flip-side of this capability of the law to remain adaptive to new technologies is that, in enforcing the law, supervisory authorities cannot start from a point where they are applying a very prescriptive and context-specific standard set down in the law. Rather, enforcers must go back to first principles and examine the technological features and context of any given set of personal data processing operations and decide whether there is compliance with the principles. So, for example, facial recognition as a technology is not referenced directly in the GDPR and nor are any use cases involving facial recognition prohibited. The enforcer in examining a complaint about facial recognition would have to examine whether the requirements and conditions for processing of special categories of data (biometric data is a special category under GDPR) are met in each very specific implementation context. 
This means investigations of issues require the time for in-context analysis prior to any enforcement action. Question 2. Your testimony briefly described the ``rights of consumers'' set out in Chapter 3 of GDPR, and you specifically mentioned the ``varying conditions pertaining to the circumstances. . .[that] those rights can be exercised.'' Based on your interpretation of the right to data portability, are there unique circumstances or factors that determine when this particular right should be exercised? Are there certain circumstances in which portability requests are not appropriate to execute? a. Given relevant competition concerns inherent in the portability requirement, are there special considerations taken into account for compliance determinations in regards to the right? Answer. The reference to the varying conditions under which the right to portability can be exercised was a reference to the fact that it applies only to data which has been collected under the legal bases of consent or contract. It applies only to the personal data provided directly by the user or to observed data flowing from the user actions. It does not apply to inferred data. I attach for the Senator's information an opinion of the European Data Protection Board interpreting and clarifying the right to portability which may be useful. An aim of the right is that it will ultimately lead to the fostering of more consumer services and choice for users. Any scenario where an organisation asserts a commercial or confidentiality sensitivity or a risk of prejudicing of third party rights in delivering portability would be examined on its merits by the Data Protection Commission. We are certainly in the early days with regard to full implementation of this right. Early initiatives such as this one implemented by some of the major platforms shows the direction of travel to-date with online service providers: https://datatransferproject.dev/ Question 3. 
In March, my Subcommittee on Consumer Protection held a hearing focused on the specific concerns of small and new businesses that operate in different sectors and how they utilize and protect consumer information in their operations. These businesses have fewer resources in handling the complexities of increased regulatory privacy compliance and associated costs. Additionally, not all businesses are the same, and consumer data offers different uses, challenges and, in some cases, liabilities, across the various models of small businesses and start-ups. How does the Irish Data Protection Commission account for small and new businesses in its enforcement actions aligned with GDPR? Answer. SMEs (Small and Medium Enterprises) make up over 99 percent of businesses in Ireland with a significant proportion of that figure being categorised as micro enterprises. It was therefore a considerable focus of the Irish Data Protection Commission in the run-up to the application of the GDPR in May 2018 to ensure that small business concerns were addressed and that there was clarity in terms of what was anticipated regarding their implementation of GDPR. A year prior to application (May 2017), the Data Protection Commission procured an independent survey of small businesses to assess their level of awareness and understanding of the new law. This allowed us focus our support initiatives in specific ways. We engaged extensively with representative bodies of small businesses and worked with them on drawing up and publishing and promoting simple ``12 Step Guides'' on how to commence preparations. We developed a micro site (now removed) www.gdprandyou.ie which we populated with guidance materials. We engaged with specific sectors directly through seminars and workshops clarifying the risk-based approach endorsed by the GDPR. 
The Data Protection Commission rolled out an extensive media campaign that also covered cinemas in Ireland to promote awareness and to direct small business owners to our micro website. We increased staffing on our caller helpline in order to be available to answer queries from small businesses directly. When we re-ran the survey with SMEs in March 2018, awareness levels had jumped significantly and small business confidence in preparation for the new law had increased considerably. In terms of the fact that small businesses vary greatly from one another as concerns their types of data use, we communicated heavily that the approach that needs to be taken starts with a risk-assessment and ultimately implements organisational and technical measures appropriate to the risk. Several of the provisions of the GDPR in many cases do not apply to small businesses: for example, the Article 30 requirement to document data processing activities or the Article 37 requirement to appoint a Data Protection Officer may equally not apply. In terms of enforcement, the Irish Data Protection Commission mirrors the risk-based approach of the GDPR and targets enforcement activity at the areas of highest risk and which impact the most users. In the majority of cases currently involving smaller businesses, we will seek to mediate between a complainant and the business to amicably resolve any complaints about data protection we receive, ensuring as we do to educate the small business on where its compliance efforts may need to be stepped up. ______ Response to Written Questions Submitted by Hon. Jerry Moran to Jules Polonetsky Question 1. Are you concerned that overly broad purpose limitations could negatively impact research, including research related to artificial intelligence? a. Do you have similar concerns about overly broad consumer deletion rights? Answer. Thank you for considering the many beneficial opportunities to use some types of data for research purposes. 
General agreement on use limitations commonly allows for the inclusion of research for product improvement and related product development as ``reasonable expectations,'' which in recent years may include research, training or testing on machine learning models. We see this at an increasing rate as more and more products, services, features, and new technological capabilities are built on AI and ML systems. Research conducted to develop or improve entirely new or unrelated products is arguably not expected in this sense, and could be beyond the scope of what a consumer intended when originally providing the data. This might be particularly true for data processed using machine learning, as it may not be possible to identify sufficiently broad secondary use cases at the time of collection. In some cases, data may be de-identified, but in other situations this may not be feasible. In some circumstances, the new use creates no risk to individuals and should not be of concern. This is where an ethics review process, recognized by law, would be valuable. For example, for researchers subject to the Common Rule, this use of data for academic human subject search would go through review by an Institutional Review Board, where informed consent might be required as well as other protections. Or the Board might waive consent, after weighing the risks, benefits, and ethical concerns. FPF and other leading scholars have called for the creation of such review processes, which can be used by companies and academics conducting research on data that is outside the Common Rule IRB framework. We believe such a trusted process will be essential for assessing uses of data when informed consent is not feasible. Thank you for asking about an important aspect of many privacy laws and bills, which provide consumers with the opportunity to delete their data in appropriate contexts. In some cases, this is not an option. 
Based on existing regulatory requirements, a bank customer cannot request deletion of his bank records, even if he closes his account. Likewise, academic, medical, and other business related records may have independent requirements that limit a consumer's right in this area. When this is the case, sufficient leeway should limit the deletion rights to allow necessary retention. In other cases, for example, engagement with social media, or other discretionary interactions with individual organizations, an individual should reasonably be able to delete her information and rely on that erasure. To the extent that such data has already been included in aggregated or de-identified datasets, there should be no conflict between the deletion of personal data, and the retention of those datasets for further analysis or use to train machine learning models. In addition, the requirements for sufficient breadth and diversity of data in these training datasets might be impacted (that is, they may become unacceptably biased, or insufficiently representative) if individual records are required to be removed. In cases of particularly sensitive data where removal of an individual's record might be desired or required, additional strategies could be employed to ensure the validity of the dataset is retained. An example would be applying differential privacy strategies, which allow evaluation of a dataset both with, and without, an individual record, to ensure that analysis on that dataset remains consistent.

Question 2. Your testimony thoroughly describes ten privacy-enhancing technologies, or PETs, that can ``achieve strong and provable privacy guarantees while still supporting beneficial uses'' of data. Do you have specific recommendations for this Committee as to how Federal legislation could incentivize the growth and development of new PETs?

Answer. Thank you for asking about the benefits of privacy-enhancing technologies (PETs).
Providing organizations with incentives to implement PETs is one of the most important things a Federal privacy law can do to improve consumer privacy while promoting beneficial uses of data. There are several legislative tools that could provide incentives for organizations to employ PETs. FPF has proposed that legislation recognize several tiers of personal information and tailor resulting rights and obligations based on the identifiability of the data, given the technical and legal controls that are applied. We propose a strong standard for covered data that would include a broad range of data that is linked or can practicably be linked to an individual. Within this range, we propose that lawmakers can provide for a degree of latitude for compatible uses when data is pseudonymized and non-sensitive. When data is pseudonymized and sensitive, we suggest that there be some but less latitude. Finally, we recognize that some technical methods can result in data being considered de-identified. These tiers would provide incentives for companies to apply technical de-identification to data, as opposed to binary proposals that treat data as either included or excluded from regulation. In addition to nuanced legislative definitions, a Federal privacy law can provide other direct incentives to employ PETs:

A law could create safe harbors for certain PETs-protected activities. For example, a law could designate some data as ``not identifiable'' (and thus subject to few or no consent obligations) when the organization employs on-device differential privacy to ensure that aggregate data about user behavior cannot be reliably linked to individuals.

A law could create rebuttable presumptions regarding data safeguarded by PETs. For example, a law could establish a presumption that an organization meets the law's security requirements with regard to data that is encrypted using robust cryptography and also protected by a comprehensive data security program.
A law could reduce some legal obligations in order to promote practical privacy protections. For example, a law could reduce transparency or choice requirements when organizations use homomorphic encryption to reduce or eliminate third parties' ability to identify individuals during routine commercial transactions like retail purchases, online advertising, or marketing attribution.

In addition to providing the FTC with greater enforcement resources, a Federal law can direct additional funding to the FTC's Office of Technology Research and Investigation. As a key part of the FTC's education efforts for legal compliance, especially for small businesses, the FTC should also research emerging de-identification technologies in order to be aware of their strengths and weaknesses, and hold workshops that provide opportunities for discussion and debate over the efficacy of emerging PETs.

______

Response to Written Question Submitted by Hon. Jerry Moran to Neema Singh Guliani

Question. Similar to what your testimony stated, I have heard from many interested parties that the FTC currently lacks the resources needed to effectively enforce consumer privacy under its current Section 5 authorities. As a member of the Senate Appropriations Subcommittee with jurisdiction over the FTC, I am particularly interested in understanding the resource needs of the agency based on its current authorities, particularly before providing additional authorities. Do you have specific resource-based recommendations for this committee to ensure that the FTC has the appropriations it needs to execute its current enforcement mission?

Answer. The FTC needs additional resources for enforcement to enable it to act as an effective watchdog. In the last 20 years, the number of employees at the FTC has grown only slightly.
And the number of employees in the Division of Privacy and Identity Protection (DPIP) and the Division of Enforcement, which are responsible for the agency's privacy and data security work, stands at approximately 50 and 44 people, respectively. In addition, the FTC needs additional technical expertise, so that it can adapt to changes in technology. For example, technologists and academics have found that advertising companies ``innovate'' in online tracking technologies to resist consumers' attempts to defeat that tracking, frequently using new, relatively unknown technologies. It is unclear whether the agency has the technical capacity to keep pace with such innovations. A more detailed review of how the commission is currently allocating its existing resources is needed to assess whether there are additional areas where existing resources should be augmented. [all]