HEC Hearing on Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security

House Committee on Energy & Commerce Subcommittee on Consumer Protection & Commerce

Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security

Tuesday, June 14, 2022

Topline

  • Both Democrats and Republicans expressed their commitment to making sure Congress passes strong and enforceable privacy legislation that secures user data.
  • Protecting children’s privacy was a main concern of the majority of members present at the hearing.
  • Both Democrats and Republicans expressed concern about the American Data Privacy and Protection Act’s impact on small businesses, while panelists acknowledged that creating a level playing field is important when addressing consumer data protections.

Witnesses

  • Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center
  • David Brody, Managing Attorney, Digital Justice Initiative, Lawyers’ Committee for Civil Rights Under Law
  • Bertram Lee, Senior Policy Counsel, Data Decision Making, and Artificial Intelligence, Future of Privacy Forum
  • Jolina Cuaresma, Senior Counsel, Privacy & Technology Policy, Common Sense Media
  • John Miller, Senior Vice President of Policy and General Counsel, Information Technology Industry Council
  • Graham Dufault, Senior Director for Public Policy, ACT | The App Association
  • Doug Kantor, General Counsel, National Association of Convenience Stores
  • Maureen K. Ohlhausen, Co-Chair, 21st Century Privacy Coalition

Opening Statements

Chairwoman Janice D. Schakowsky (D-Ill.)

In her opening statement, Schakowsky said it is important that Congress ensure that online privacy rights are protected for all Americans. She discussed the bipartisan effort that went into getting a bill drafted and stated the importance of protecting civil rights by not having discriminatory algorithms.

Representative Anna G. Eshoo (D-Calif.)

In her opening statement, Eshoo stated that she is committed to making sure Congress passes strong and enforceable privacy legislation that secures user data, requires companies to minimize collection of personal data, and gives users access to control of their data. She concluded by saying privacy laws should also provide protections for small businesses.

Representative Frank Pallone, Jr. (D-N.J.)

In his opening statement, Pallone said privacy concerns are something Americans face every day, adding that comprehensive federal legislation is necessary to limit the access of “big tech” and ensure that Americans can safely navigate the digital world. He discussed various portions of the bill and their intentions. He concluded by saying that data privacy rights are civil rights and that the draft legislation ensures that online discrimination is prohibited and requires the largest companies to conduct impact assessments on their algorithms.

Ranking Member Gus M. Bilirakis (R-Fla.)

In his opening statement, Bilirakis expressed his intent to create a transparent act for businesses to follow in order to protect consumers. He continued to show his support for small businesses by promoting the exclusion of small businesses from the American Data Privacy and Protection Act (ADPPA) and providing additional resources to promote compliance. Bilirakis concluded by discussing targeted child advertisements and emphasized the need for children’s privacy rights to be prioritized.

Representative Cathy McMorris Rodgers (R-Wash.)

In her opening statement, Rodgers emphasized the importance of regulating “big tech” and protecting American children. She championed the need to promote innovation through secure privacy laws and said that a national standard for data protection is long overdue. Rodgers discussed the importance of protecting consumers, specifically children, from “big tech” and reducing the amount of data collected. She concluded her statement with a review of the numerous data privacy issues that consumers and small businesses face and how these issues are addressed in the current bill draft.

Testimony

Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center

In her testimony, Fitzgerald stated that robust data protection standards are essential to ensure the preservation of human rights, individual dignity, and the healthy functioning of our democracy. She said the bipartisan ADPPA presents Congress with the best opportunity to stop data abuses and the privacy harms that are happening. She concluded by urging Congress to pass the legislation.

David Brody, Managing Attorney, Digital Justice Initiative, Lawyers’ Committee for Civil Rights Under Law

In his testimony, Brody discussed the ADPPA in detail and said passing the legislation would be a major advancement for the public good. He did however express his concern about the private right of action provision within the bill, stating that the provision severely curtails the ability of individuals to obtain relief from a court when a company violates the ADPPA. He also said the bill gives many new responsibilities and authorities to the Federal Trade Commission (FTC) and that Congress must ensure that the FTC receives all of the resources it needs to successfully execute this new mission.

Bertram Lee, Senior Policy Counsel, Data Decision Making, and Artificial Intelligence, Future of Privacy Forum

In his testimony, Lee discussed four main points regarding the ADPPA: 1) now is the time for Congress to pass comprehensive privacy legislation; 2) the ADPPA is more comprehensive in scope, more inclusive of civil rights protections, and provides individuals with more varied enforcement mechanisms; 3) the ADPPA compares favorably to global frameworks, including Europe’s General Data Protection Regulation (GDPR); and 4) work remains to be done on specific provisions to ensure individuals are protected, the bill is workable for business, and there are not unexpected or undesired consequences.

Jolina Cuaresma, Senior Counsel, Privacy & Technology Policy, Common Sense Media

In her testimony, Cuaresma said the ADPPA draft is a significant step forward from the status quo and limited her comments to the sections that are most relevant to children and teens. She discussed the term “actual knowledge” in section 205(a) and said the standard must be changed by closing the loophole which may enable companies to evade complying with children’s protections. Cuaresma also said the private right of action waiting period should be shortened and simplified so consumers can obtain relief. She concluded by saying Congress has an obligation to the consumers to ensure the FTC receives a robust and sustained increase in appropriations and staff slots.

John Miller, Senior Vice President of Policy and General Counsel, Information Technology Industry Council

In his testimony, Miller expressed his support for the ADPPA but also said the bill still needs improvements. He called for a united, national framework to address data security instead of the fragmented individual state approach. Miller suggested that the Information Technology Industry Council (ITI) FAIR Privacy Act be used as a governmental framework to promote national data protection laws. He concluded by stressing the importance of enforcement provisions in the ADPPA.

Graham Dufault, Senior Director for Public Policy, ACT | The App Association

In his testimony, Dufault discussed three provisions of the ADPPA. He stated that the preemption language in Sec. 404(b) is reasonably strong, but a small tweak could enhance its effectiveness. He said the private right of action provision is powerful by offering compensatory damages or injunctions as available remedies. He concluded by discussing the small business treatment by the Act and said the bill takes a balanced approach to small businesses, applying certain requirements only to large data holders and providing a safe harbor for small businesses under a certain threshold.

Doug Kantor, General Counsel, National Association of Convenience Stores

In his testimony, Kantor discussed the need for a uniform national privacy law in order to provide transparent expectations for consumers and businesses. He gave seven principles to help achieve this: 1) establish uniform nationwide rules and enforcement for data privacy; 2) ensure industry neutrality and equal protection for consumers across business sectors; 3) impose direct statutory obligations (rather than contractual requirements alone) for all entities that handle consumer data; 4) preserve customer rewards and benefits; 5) achieve transparency and customer choice; 6) ensure accountability for business’s own actions; and 7) include reasonable data security requirements.

Maureen K. Ohlhausen, Co-Chair, 21st Century Privacy Coalition

In her testimony, Ohlhausen discussed elements of the ADPPA necessary to govern privacy laws and proposed enforcement of the ADPPA on voice services, citing the importance they play in American society. She stated that the language of the bill may be too strong and overshadow previous requirements that have worked in the past. She discussed state preemption and said the bill leaves a lot of gray area up to states. She concluded by discussing the limited remedies which are available to consumers under the current ADPPA draft.

Question & Answer

The American Data Privacy and Protection Act (ADPPA)

Schakowsky asked how the ADPPA makes the internet a safe place for everyone across the United States. Lee said the bill will make the internet safer for everyone by doing four things: 1) mandating data security requirements for companies; 2) including corporate accountability mechanisms; 3) creating significant protections for marginalized communities; and 4) requiring that businesses incorporate privacy by design principles through the development of their data processes and activities. Pallone asked why it is important to include data minimization in the ADPPA. Fitzgerald said it makes privacy the default, adding that it takes the responsibility off individuals to protect their privacy and instead requires companies to do so. Rep. Brett Guthrie (R-Ky.) asked how preserving digital advertising will affect small business. Miller said the definition of targeted advertising within the legislation is very restrictive and as written would restrict targeted advertisement to its own digital customers. Rep. Jerry McNerney (D-Calif.) asked Fitzgerald whether data deletion standards should be included in the Act. Fitzgerald said yes. Rep. Kathleen M. Rice (D-N.Y.) asked how the ADPPA would help small businesses level the playing field with larger businesses whom they compete against. Kantor said the bill sets statutory requirements for covered entities to lay out their different responsibilities, which is key so that larger entities don’t impose obligations not required by contract. Rep. Greg Pence (R-Ind.) asked if it is fair to compensate users for the exchange of the data they provide. Fitzgerald explained they did not want to set up a system where only the wealthy could have data privacy.

The American Data Privacy and Protection Act Enforcement Mechanisms

Schakowsky asked about the enforcement mechanisms that will ensure that consumers are protected and that companies live up to their promises. Brody said the bill empowers the FTC with a range of authorities to create a new privacy and kids division. He said it also allows state attorneys general the ability to fully enforce the law, which is important because state attorneys general are more closely connected to the citizenry, adding that the bill includes a private right of action, which is important so individuals can vindicate their rights. Rice asked Brody if he could speak to examples where state attorneys general have sought penalties against companies for offenses under existing privacy laws and what challenges state attorneys general face pursuing these crimes without a federal legislative standard. Brody said state attorneys general play a very important role in enforcing the ADPPA and discussed cases the New York attorney general prosecuted as it relates to data privacy crimes.

Civil Rights

Reps. Yvette D. Clarke (D-N.Y.), McNerney, Schakowsky, and Pallone asked about the ADPPA protections for people of color. Lee said the bill prohibits discriminatory practices by mandating algorithmic impact assessments for large data holders. Brody also emphasized the bill’s anti-discrimination provision that prohibits covered entities from processing personal data in a manner that discriminates in the provision of goods and services on the basis of protected characteristics. Fitzgerald added that it is important to make sure inputs and outputs are fair. 

Actual Knowledge Standard

Bilirakis asked Dufault for his opinion on the actual knowledge standard, as opposed to a constructive standard, with regard to covered entities when prohibiting certain practices like targeted advertising. Dufault said the actual knowledge standard is one that can be workable and is a reasonable compromise, adding that the key is making sure that there is enough evidence to determine whether a company knew an individual was under a certain age. Bilirakis asked whether data collection on children should only be reserved for the largest data holders. Kantor said the bill must work for everyone, adding that actual knowledge is a very important standard here. He said as long as data collection is done right, there is no problem with a company large or small collecting data.

Child Data Protection

Pallone asked how the legislation addresses some of the difficulties of teens using online social media. Cuaresma said the bill does so in two ways, in both sections 204 and 205. She discussed the definition of sensitive covered data, which includes children under the age of 17, and also discussed the targeted advertisement section and said it would prohibit companies from advertising to children under the age of 17. Reps. Kathy Castor (D-Fla.) and Lori Trahan (D-Mass.) asked what sections of the bill should be strengthened. Cuaresma said provisions relating to children under the age of 17 should just cover anyone under the age of 18 for simplicity reasons. Rep. Debbie Lesko (R-Ariz.) asked if there was concern about children giving consent to data collecting services due to ambiguous language in the ADPPA. Cuaresma said there was a concern and that the definitions are not in the framework but that they are defined by the general law. Rep. Tim Walberg (R-Mich.) asked how blocking advertisements directed at children will affect mental health. Fitzgerald said the ban is necessary to protect children while they develop their skills and capabilities.

General Data Protection Regulation (GDPR)

Rodgers asked how the ADPPA compares to the General Data Protection Regulation (GDPR) in terms of encouraging a competitive environment for startups. Dufault said the U.S. can improve upon what it has learned from GDPR, adding that the ADPPA is more thoughtful towards younger companies than the GDPR is.

Third Party Data Collection

Rep. Bobby L. Rush (D-Ill.) asked why regulating third party data collecting companies is important.

Fitzgerald said third party data collectors are some of the worst offenders in the online space, typically because they do not have a direct relationship with the individual whose data they are harvesting. She also said that creating a data collector registry is important so we can see who is collecting consumers’ information.

The Federal Trade Commission (FTC)

Bilirakis asked how a new division within the FTC specifically dedicated to business mentorship will allow for greater instruction and compliance amongst covered entities. Ohlhausen said the FTC has a long history of engaging in business education, which has been a very useful engagement for the FTC, adding that it is an investment that will pay dividends. Rep. Robert E. Latta (R-Ohio) asked Ohlhausen, based on her experiences at the FTC, how rulemakings work versus issuing guidance. Ohlhausen said if Congress has given the FTC authority under a bill like the Children’s Online Privacy Protection Act (COPPA), the agency publishes the proposed rule for public comment, engages in the public comment process, and then enacts and enforces the rule. She also said the FTC issues guidance subject to its given authority. McNerney asked if the ADPPA would ensure that covered entities adequately protect personal data and make it possible for the FTC to define encryption standards if it has the resources. Ohlhausen said the bill has data security protection built into it and said the FTC has traditionally not been involved in defining encryption standards, so it would have to rely on outside expertise.

Effects on Small Business

Guthrie asked how the private right of action provision would impact small businesses. Dufault said we do not want to create a sue and settle business model, adding that individuals that are trying to take advantage of the law usually target small businesses. Kantor said complying with everything in the bill will be difficult and that the private right of action allows for compensatory damages, which can significantly impact smaller businesses. Rep. Neal Dunn (R-Fla.) asked what the burden would be for convenience stores to collect sensitive data on consumers. Kantor said there are concerns convenience stores could be classified as large data holders and small data holders at the same time. Dunn asked how important it is for small businesses that data privacy law is consistent through all 50 states. Kantor said it is very important. He continued, saying that putting everyone on an even playing field will reduce liability on small businesses, and specifically mentioned banks that small businesses deal with.

Short Form Privacy Notices

Rep. Robin Kelly (D-Ill.) asked how short form privacy notices would help consumers better understand how their personal data is being used. Lee said long form privacy notices are difficult to read and short form privacy notices allow consumers to better understand how their data is being used and in what context.

National Security

Dunn asked how important it is for the law to mandate that entities inform users if their data is transferred to bad actors like China or Russia. Miller said he had not heard much feedback from his members on that provision, but that it did seem reasonable.

Family Educational Rights and Privacy Act (FERPA)

Trahan asked why the Family Educational Rights and Privacy Act has proven insufficient to protect students. Fitzgerald said that the current U.S. privacy laws only cover certain spheres, specifically the laws under FERPA, which doesn’t cover data collection of young students comprehensively.

Health Data

Rep. Lizzie Fletcher (D-Texas) asked why health data should be considered sensitive data. Fitzgerald said people assume that their health data is covered by the Health Insurance Portability and Accountability Act (HIPAA) and are alarmed when they find out that it is not, adding that this is a problem that stems from having sectoral laws.