Senate Commerce Subcommittee Hearing on Small Business Perspective on a Federal Data Privacy Framework

Senate Commerce Subcommittee on
Manufacturing, Trade and Consumer Protection

“Small Business Perspectives on a Federal Data Privacy Framework”

Tuesday, March 26, 2019

 

Key Topics & Takeaways

  • FTC Authority and Civil Penalties: Panelists agreed that the Federal Trade Commission (FTC) should be given rule making authority, more funding and more resources. Engstrom said the FTC should be the primary enforcer and that the frameworks should balance certainty with flexibility to adapt to technology changes and provide reasonable tailored policies for first-time offenders rather than levying civil penalties. England said that the FTC has a long, rich tradition of enforcing protections and that the Federal Communications Commission (FCC) may not have the same capability and reach.
  • Preemption and CCPA: Panelists agreed that preemption is the way forward for a federal framework. Brookman stated that States still need room to innovate outside of the standards set by a federal framework, voicing support for the expansion of personal information rules like in the California Consumer Privacy Act (CCPA). Brookman added that the Maryland data protection legislation and the Vermont legislation addressing data brokers should be included in a federal framework.

 

Witnesses

Opening Statements

Sen. Jerry Moran (R-Kan.), Subcommittee Chairman

Moran said that Congress will continue evaluating a framework which addresses concerns of “unfair and deceptive” practices regarding data collection and usage. He said the subcommittee will consider the jurisdiction of the FTC’s enforcement authority under section 5A of the FTC Act. Moran referenced the 140 data security related cases and the feedback FTC commissioners have provided to Congress, and their importance in efforts to bolster consumer protections. He stated that the CCPA and the European Union General Data Protection Regulation (GDPR) have recently shown the “increasing” need for a U.S. federal framework. Moran said the committee will continue to work to identify “responsible” federal privacy standards that provide clear and effective guidelines, while providing regulatory certainty to businesses and others in the industry. He stated his desire to create distinctions based on size and scope for small businesses and to provide safeguards for the varying levels of sensitivity of data.

Sen. Richard Blumenthal (D-Conn.), Subcommittee Ranking Member

Blumenthal said there have been significant and productive policy discussions and testimony on data protection, and he is committed to continuing to collaborate across Congress and parties in developing a framework. Blumenthal said there is a need for a privacy “bill of rights” that is no less stringent than CCPA or GDPR, and that the U.S. should not be less protected than under these laws. Blumenthal said he believes there is a possibility for a framework that allows the market to continue to innovate while protecting data.

Sen. Roger Wicker (R-Miss.), Senate Commerce Committee Chairman

Wicker briefly stated his support for and agreement with the remarks made by Moran and Blumenthal. He said the committee is knowledgeable and diligent in its approach on these issues, and that this is a priority. Wicker said he will continue to work towards developing a “strong” federal framework that pushes for economic development and innovation, as well as inclusion of support for small businesses.

Testimony

Justin Brookman, Director, Privacy and Technology Policy for Consumer Reports

In his testimony, Brookman suggested that enforcement against big tech companies is lacking under GDPR and that laws, such as in Washington, can be illegitimately written to favor big companies. Brookman recommended Congress create legislation that provides clarity through “easy to follow rules,” such as collecting only necessary data, deleting outdated data, not selling data without the consent of customers, and using reasonable privacy security techniques. He said the law should carve out secondary uses of data, such as internal analytics, fraud protections and first party marketing, so companies know what is allowed under law. Brookman also said there should be thresholds, waivers based on size and scope, and disclosure obligations to exempt specific small businesses. He suggested online tracking should be through a third party, to put obligations to curtail collection practices, and that pushing data portability and interoperability would help control and consumer choice.

Nina Dosanjh, Vice Chair, Technology Policy Committee, National Association of Realtors

In her testimony, Dosanjh said the National Association of Realtors provides best practices and job training for their employees to best protect consumer data, as legal and data security employees are not employed in the business. She recommended the committee address six major principles for a uniform nationwide law: 1) uniform standards for business and equal protection for consumers; 2) direct statutory obligations for all service providers; 3) to focus on transparency and customer choice; 4) to emphasize accountability for each business action; 5) a uniform nationwide standard and enforcement for data privacy; and 6) FTC enforcement authority. Dosanjh said that the CCPA merits committee attention to avoid duplication of unintended consequences, as the act is too broad in its definitions of personal information and the sale of that information, as well as in its small business exemption for services and devices thresholds. Dosanjh said any framework should not add burden to small business.

Jefferson England, CFO, Silver Star Communications

In his testimony, England said customer requirements for privacy and security have always remained the same for his business and they do not monetize off any data collected from customers. England said the market is addressing the desire of consumers for more protections around data, and therefore he commends the model of DuckDuckGo. He suggested legislation meet the criteria of consistent application of privacy protections that are tech neutral and uniform, preemption for a federal framework, and a single federal agency to enforce the federal privacy framework, such as the FTC, to provide consistency. England said it is important to factor in what data is being collected, rather than who is collecting it, when developing a framework.

Evan Engstrom, Executive Director, Engine Advocacy and Research Foundation

In his testimony, Engstrom said a “strong” federal bill that is carefully crafted can avoid costs that create barriers to entry for startups, maintain consumer trust and avoid abuse. Engstrom stated his support of the goals laid out by CCPA but said CCPA and GDPR have broad definitions and standards that hurt small business operations. He said CCPA has many unworkable provisions and contradictions that discourage prosperity and require collection of more personal user data, such as credit card and Social Security numbers, that businesses never collected before. Engstrom stated that the set of requirements and obligations will become more complex as States create their own privacy laws, making operations more difficult for startups.

Ryan Weber, President, KC Tech Council

In his testimony, Weber said he has heard from many small companies about their concerns on data protections, especially regarding CCPA and GDPR. He said one of the biggest factors the small companies are advocating for is preemption to maintain one standard across the board. Weber also said they are concerned about the impact of CCPA and GDPR on innovation of new technologies, like Artificial Intelligence (AI) and blockchain. He had three recommendations: 1) that the committee should find solutions to prevent harmful methods of data usage; 2) that all data collection should not be treated equally; and 3) that enforcement of civil penalties should not be a “death blow” that is too costly to overcome for small businesses.

Question & Answer

FTC Authority and Civil Penalties

Sens. Moran, John Thune (R-S.D.) and Blumenthal asked about FTC enforcement authority, increasing resources to the FTC, civil penalties for first-time offenders, and State AG authority. Panelists agreed that the FTC should be given rule making authority, more funding and more resources. Engstrom added that the FTC should be the primary enforcer and the frameworks should balance certainty with flexibility in order to adapt to technology changes and provide reasonable tailored policies for first-time offenders rather than levying civil penalties. Engstrom expressed his concerns about interpretation of the law between the FTC and AG. Brookman voiced support for AG authority as States bring policies forward, but said more clarity should be provided to avoid discrepancies. Weber stated that CCPA and GDPR fining for first-time offenders is a “death blow” to small business and there should be a warning for first-time offenders rather than fines. England said the FTC has a long, rich tradition of enforcing protections and that the FCC may not have the same capability and reach.

Preemption, CCPA and GDPR

Thune, Moran, and Blumenthal asked about preemption, and Blumenthal asked whether CCPA or GDPR should be the floor in a framework and if any other State laws should be considered in the process of developing a framework. Panelists agreed preemption is the way forward for a federal framework. Brookman added that States still need room to innovate outside of the standards set by a federal framework, voicing support for the expansion of personal information rules like in the CCPA, and that device information and household data collection should be carved out of deletion rights. Brookman stated that the Maryland data protection legislation and the Vermont legislation addressing data brokers should be included in a federal framework. Weber added that Kansas and Missouri are waiting to see if federal preemption occurs, as it is very important to include in any framework. England said that if each state had its own law on privacy it would create administrative burdens for companies to hire staff experts to understand and work around each framework, and that preemption is a major concern and need. Engstrom noted that the consumer rights in CCPA are correct when addressing rights regarding access and deletion, but definitions need to be narrower to decrease user risk. He added that the framework can go further in defining user rights over data collection, more so than the usage of data. Engstrom continued that CCPA requires more user information collection and that more information collected attracts bad actors, which can lead to ambiguous liability leading to lengthy litigation, ultimately draining company resources. Dosanjh voiced support for a single federal standard, with revenue thresholds similar to CCPA, but stated there is a need to properly define the personal information in the law.

Data Collection and Sharing

Moran asked about prohibition of selling data, de-identification, and transparency of collection efforts. Weber said some firms he represents sell data, but the question to address is what data is being sold, if the practices could be treated differently for smaller and larger firms, and distinctions for the type of data collection efforts. Engstrom said the sale of information under CCPA definitions would result in most of his members falling under selling data and that early stages of startups require data collection and advertising-based models, which is not adequately addressed in CCPA. Brookman said he is not opposed to advertising, but his concerns are about tracking to monetize for startups, and the framework should carve these principles out. He added that there should be an evaluation of companies’ privacy policies that provide clarity for consumers to differentiate privacy policies of companies.

Data Brokers

Blumenthal and Thune asked about policies to regulate data brokers. Brookman said the principle of not selling customer information should be followed and that there is an important need for transparency and clear rights or presumption to cut off these streams. Engstrom said the key is to define what a data broker is and stressed how important it is to avoid preventing core tech functions so small businesses have access to information for functions, suggesting using the Maryland legislation as a benchmark.
