Senate Commerce Committee lawmakers wrestled during a Feb. 27 hearing with how much new authority to give the Federal Trade Commission to regulate data privacy practices.
House and Senate lawmakers are eyeing legislation that potentially would give the agency increased powers while pre-empting state privacy laws such as the California Consumer Privacy Act. But Democrats and Republicans differ about precisely which powers the commission should have.
Committee Chairman Roger Wicker (R-Miss.) said it was “clear” the U.S. needs privacy legislation that “is enforced by the nation’s top privacy enforcement authority, the Federal Trade Commission.” But Wicker said legislation should “enhance the FTC’s authority and resources in a reasonable way to police privacy violations.”
Large-scale privacy incidents at Facebook Inc., Equifax Inc., and other tech companies have spurred Congress to weigh a broad federal data privacy bill. Business groups, including the U.S. Chamber of Commerce and the Business Roundtable, whose members are facing the California law and Europe’s General Data Protection Regulation, are urging lawmakers to act.
The FTC oversees consumer protection and enforces antitrust laws, but has limited ability to police data privacy. The commission also can’t create new privacy rules without explicit authority. Congress may include provisions in a prospective bill that would allow the agency to create more sweeping rules.
The FTC should enforce strong national privacy standards that won’t take away from the state enforcers, Victoria Espinel, CEO of BSA | The Software Alliance, said. The FTC and state attorneys general have successfully shared enforcement powers under the Childrens’ Online Privacy Protection Act (COPPA), she said.
Sen. Brian Schatz (D-Hawaii), who’s among a group of four bipartisan lawmakers from the panel that previously began working to write legislation, asked the witnesses if they believed the FTC should be empowered to write rules implementing a new privacy law, while also getting extra staff and the ability to fine violators in the first instance.
The witnesses largely agreed, while suggesting the rulemaking authority might not apply in all areas. Other lawmakers, like Sen. Jerry Moran (R-Kan.), agreed that the FTC needs more enforcement powers, but should have limited rulemaking authority.
“We need to provide clear-and-measurable requirements in statutory text for the FTC to utilize while also creating appropriate flexibility in narrow rulemaking authority,” Moran, the chairman of the panel’s consumer protection subcommittee, said.
Jon Leibowitz, a former FTC chairman who testified before the committee, said after the hearing that he doesn’t think the FTC needs broad privacy rulemaking powers.
The FTC should have “appropriate rulemaking powers with sufficient guardrails,” Leibowitz said. The system has worked well under COPPA, he said.
A new privacy law could codify enough consumer privacy protections that would render rulemaking unnecessary, Leibowitz said.
Randall Rothenberg, CEO of the Interactive Advertising Bureau; Michael Beckerman, CEO of the Internet Association; and Woodrow Hartzog, professor of law and computer science at Northern University School of Law also testified at the hearing.
State Privacy Preemption
Committee leaders also said they want the U.S. to pass strong federal privacy rules, but differ on the enforcement role states should play.
Ranking member Maria Cantwell (D-Wash.) said she was “certainly open to exploring the possibility of meaningful, comprehensive, federal privacy legislation,” but warned Congress “cannot pass a weaker federal law just at the expense of states.”
She later pressed witnesses about whether Congress should pre-empt states in a new privacy law. She said that the debate must focus on consumer privacy protections and increased Federal Trade Commission enforcement powers.
Cantwell said she was “a little more” in agreement with that position than those testifying who wanted preemption. She said she wasn’t sure members of Congress from California would vote to override their own state statute.
Hartzog said a 50-state regulatory patchwork isn’t unworkable “because it’s what we’ve been dealing with all along.”
Tech policy groups and tech companies have pushed for a strong federal privacy framework that would preempt the CCPA, as well as potential laws in other states.
“Preemption is less of an issue behind the scenes,” Rothenberg told Bloomberg Law before the hearing, citing his recent conversations with Senate lawmakers. Comprehensive privacy standards are needed, but the 50-state plus D.C. patchwork is unworkable, he said.