House Hearing dismisses GDPR and CCPA as models for Federal Data Privacy
As lawmakers consider the way forward for federal data privacy legislation, the sense of urgency appears to be ramping up, as states like California and Colorado prepare to launch home-grown consumer privacy laws in 2020.
Moreover, the rise in data breaches and privacy violations by big tech companies is refocusing the conversation in government circles, on the need to protect the personal information of U.S. citizens.
Meanwhile, a hearing on 'Protecting Consumer Privacy in the Era of Big Data' in the House of Representatives pretty much dismissed the idea of shadowing the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”) as a potential foundation for upcoming federal privacy legislation. At the same time, there is widespread agreement that the present state of affairs is unsustainable, with some arguing in favor of the adoption of certain CCPA and GDPR principles.
While many at the hearing voiced the urgent need for federal intervention, to protect the population from growing occurrences of data misuse by giant tech firms, who know far more about us than any past government ever did, there were calls by Republican committee members, that the U.S. should not follow in Europe’s footsteps, by implementing data privacy regulations as extensive as the GDPR.
Cathy McMorris Rodgers, Rep. R-Washington, argued that:
“Millions of dollars in compliance costs aren’t doable for startups and small businesses, and we have already seen this in Europe where GDPR has helped increase the market share of tech companies while forcing smaller companies offline,”
Greg Walden, Rep. R-Oregon, chimed in that the GDPR has burdened consumers with a host of required notices, saying:
“We should avoid creating a system that floods people’s inboxes with privacy policies they do not read,”
In dismissing the GDPR, it was almost inevitable that the CCPA was also shunned, since it was largely based on the E.U. regulation.
Dave Grimaldi, executive vice-president for public policy at Interactive Advertising Bureau, commented that the CCPA could potentially lead to higher litigation costs. Grimaldi singled out one of the law’s requirements for businesses to provide consumers with a copy of their personal data upon demand.
“… if it doesn’t meet the timeline, it is in the violation of the law,” he said, noting that, with the potential for thousands of requests, “that’s something smaller companies wouldn’t be able to deal with.”
Grimaldi supports a single federal privacy law in place of individual state laws, which he claims will “have incredibly negative effects on the digital economy” - a view shared by several other committee members.
However, even with a thumbs-down on the CCPA and GDPR, there was still a general acknowledgement, particularly on the part of the Democrats on the panel, that some of the protections provided by the laws were needed in the United States.
Jan Schakowsky, Rep. D-Illinois, chairperson of the subcommittee, called attention to the fact that the current privacy notice and consent system in the U.S. is far from consumer-friendly.
She said that vague and inaccessible privacy policies are “the limitation of the notice and consent system we have right now.” She added: “A person should not have to have an advanced law degree to not be taken advantage of.”
Consent processes and discrimination protection
Nuala O’Connor, CEO at the Center for Democracy & Technology, highlighted that present consent processes for many applications are too automated. She commented:
“Notice and choice are no longer a choice, and any privacy legislation that currently cements the status quo of the notice and consent is a missed opportunity.”
As well as consent issues, the hearing also considered shortcomings in discrimination protection.
Brandi Collins-Dexter, campaign director at Color of Change, an online civil rights organization, said that currently, companies are able to collect consumers’ data to charge different prices or to market specific products and services to a particular socioeconomic group.
In noting that there “are certainly issues with GDPR and improvements to be made with CCPA”, Ms. Collins-Dexter said an opt-in consent requirement is needed in the U.S. to force companies to be more circumspect with the data they collect. She said:
“I think we should be looking at all of this right now. Companies have financial incentives to collect as much information as they can and store it forever.”
Kathy Castor, Rep. D-California, commented:
Ms. Castor added that, while the Federal Trade Commission can pursue businesses for the misuse of data, it is only in situations of “deceptive or unfair acts”.
As far as some committee members are concerned, there is serious concern over the agency’s limitations.
“The FTC's enforcement actions have done little to curb the worst behavior in data collection and security,” Schakowsky said. “It is important to equip regulators and enforcers with the tools and funding necessary to protect privacy.”
Got something to say on this topic? We welcome your comments and opinions.