Will 2019 be the year of privacy legislation? To start the process, the House Energy and Commerce Committee and the Senate Commerce Committee each held hearings on consecutive days this week. The hearings included representatives of the internet industry, internet service providers, advertisers, retailers, advocacy groups, academics and others. Here are the major takeaways:
- There was general agreement on both sides of the dais on the need for federal privacy legislation. This agreement, however, probably masks important differences on what such legislation should include that may make enactment difficult.
- The “Notice and Choice” framework, the foundation of the Fair Information Practice Principles (FIPPs) and many privacy laws and proposals for decades, is now widely viewed as unworkable. Rational consumers don’t want to deal with the plethora of choices involved. What might replace this framework is unclear.
- Following the enactment of the California Consumer Privacy Act (CCPA) and other state laws, preemption was the most visible area of disagreement. Those favoring preemption noted that digital markets are at least national in scope and it is costly for businesses and consumers to deal with a patchwork of state regulations. Those opposed to preemption believe a federal law should be a floor, not a ceiling and that state representatives (e.g., from California) would not acquiesce to preemption.
- Several witnesses cautioned against the U.S. following the European General Data Protection Regulation (GDPR) or CCPA models. The GDPR has already been shown to be harmful to competition and consumers. (CCPA will not take effect until 2020).
- The hearings generally skirted over the difficulties of crafting a new regulatory regime that doesn’t restrict data uses beneficial for consumers. There was little discussion of the large benefits to consumers from data used for legitimate commercial purposes and the lack of demonstrable harms.