Brookings Institution Event on the Impact of GDPR and CCPA
Brookings Institution
What do the GDPR and CCPA mean for privacy in America?
Friday, December 13, 2019
Key Topics & Takeaways
- Kerry, Brookings Institution, recommended that a federal framework consider a flexible approach, competition consequences, potential carve-out obligations regarding access, the effects of compliance costs, as well as language regarding preemption and private right of action.
- Wender, Office of Senator Ed Markey (D-Mass.), expressed the possibility of Congress considering provisions addressing preemption, algorithmic bias, intended and unintended consequences, Federal Trade Commission (FTC) enforcement, and definitions about sensitive and non-sensitive information.
- Brueggeman, AT&T, said legislation should be flexible and enforceable, with a broad overview of how to comply with the private right of action.
- Layton, American Enterprise Institute, recommended that a federal framework consider what consumers prefer, be uniform across states, include independent certifiable standards, and map out safe harbors for companies working to comply.
Panelists
- Nicol Turner Lee, Fellow – Governance Studies, Brookings Institution, Center for Technology Innovation
- Cameron F. Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow – Governance Studies, Brookings Institution, Center for Technology Innovation
- Joseph Wender, Senior Policy Advisor, Office for Senator Ed J. Markey (D-Mass.)
- Jeff Brueggeman, VP, Global Public Policy, AT&T
- Roslyn Layton, Visiting Scholar, American Enterprise Institute
Lee moderated the panel, asking the panelists to discuss how the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have impacted compliance costs, discrimination policies, companies’ abilities to operate in Europe and California, and how a federal standard would be designed.
Kerry highlighted that GDPR language is fairly prescriptive and that CCPA provides consumers more individual control and the ability to opt out. He continued that Sens. Roger Wicker (R-Miss.) and Catherine Cortez Masto (D-Nev.) have both been working on legislation for data collection with a focus on designing more responsible management practices. Kerry stated that GDPR has forced businesses to look at their data governance policies more carefully and that CCPA is only the first set of privacy standards in California. He recommended that a federal framework consider a flexible approach, competition consequences, potential carve-out obligations regarding access, the effects of compliance costs, as well as language regarding preemption and private right of action.
Wender said that current privacy standards put the burden on consumers to protect their data. He emphasized concerns about whether consumers own their own data and whether they are provided enough information regarding such data. He said that Congress could learn from the mistakes that arose in designing both GDPR and CCPA as well as consider what other states such as New York, Washington, Massachusetts, and Maryland set as their privacy standards. Wender expressed the possibility of provisions addressing preemption, algorithmic bias, intended and unintended consequences, FTC enforcement, and definitions about sensitive and non-sensitive information.
Brueggeman expressed that AT&T has long been supportive of privacy legislation and that there is broad consensus across the industry for engagement. He continued that CCPA going into effect next year and the California Attorney General (AG) drafting further regulations have raised concerns about what compliance costs will entail. Brueggeman added that preemption would be preferred compared to a patchwork of legislation. He also recommended avoiding the mistakes made in Europe or California that could restrict market access for small and mid-sized companies and could prevent innovation and data sharing. Brueggeman said legislation should be flexible and enforceable, with a broad overview of how to comply with the private right of action.
Layton stated that based on her research, GDPR and CCPA prescribe 45 and 77 new data privacy regulations, respectively. She said that the early data in Europe shows the cost of compliance to range from $100,000 to $1 million, while it would be larger in California. She said that GDPR has led to market share distortion that favors larger companies while harming small and mid-sized companies. Layton said that the largest concerns are compliance costs and information technology (IT) costs. She recommended that a federal framework consider what consumers prefer, be uniform across states, include independent certifiable standards, and map out safe harbors for companies working to comply.
Question and Answer
When asked about enforcement and flexibility, Layton said that the FTC and Facebook settlement should be used as an example to strengthen enforcement provisions. Kerry stated that legislation being considered strengthens FTC fining authority, and it is important to focus on the general duty of fairness.
When asked about efforts regarding educational components for a federal standard, Wender said that it is a big challenge and that Congress is debating the issue. He said that consumers like free, workable, and targeted advertising and technology. He said that awareness of bad practices has increased and that consumers should be granted ownership of their privacy.