Last week, the Senate Committee on Commerce, Science & Transportation held a hearing on Consumer Perspectives: Policy Principles for a Federal Data Privacy Framework. Unlike previous hearings this year that only featured tech industry panelists, this hearing featured a panel of consumer privacy advocates, including:
- Helen Dixon, Data Protection Commissioner, Republic of Ireland
- Jules Polonetsky, Chief Executive Officer, Future of Privacy Forum
- Jim Steyer, Chief Executive Officer and Founder, Common Sense Media, and
- Neema Singh Guliani, Senior Legislative Counsel, American Civil Liberties Union
There were few, if any, fireworks, which makes sense considering this was a panel of people who largely agree with each other on the big issues facing consumers and their privacy: Too many companies are collecting too much data that is unrelated to their product or service, a “notice and consent” regime does not protect consumers, and most importantly, Congress should allow the states that are already working on these problems to move forward with legislation.
One of the biggest issues surrounding a potential federal consumer data privacy law is preemption. More specifically, will Congress write “one national standard” that wipes out state legislation like California's Consumer Privacy Act (CCPA), Illinois' Biometric Privacy Act, and Vermont's Data Broker Act, or will the federal bill create a minimum standard that still allows states to build additional protections on top of it?
This is a recurring topic in all the consumer data privacy hearings so far, but unlike previous hearings, all of the witnesses today had “serious concerns with broad federal preemption,” concerns that EFF shares. As Guliani says, “The last thing we want to do is weaken the ability of [state governments] to have a seat at the table to enforce and create new laws.” Steyer agreed, saying that he has “deep skepticism about preemption if there’s going to be a watered-down federal law” compared to the California Consumer Privacy Act. We agree.
We also appreciate Senator Blumenthal saying, “I would oppose any effort that preempts state laws [that would] weaken protection for consumers… Nobody believes the people of the United States deserve less privacy protection than the people of California.” Especially coming from one of the negotiators of the Senate’s bipartisan working group, we hope that means that any federal bill would both be at least as strong as the CCPA and would also allow states to layer additional protections on top of it.
Data Collection & Minimization
An ongoing issue in consumer data privacy discussions is what to do about companies, websites, and apps that require consumers to turn over more data than is actually needed for delivery of service. Steyer said that companies should be “only able to collect data for necessary business purposes. … Guardrails on that [what data companies can collect] are absolutely critical to a strong privacy law.” Again, we agree.
Guliani used the example of a flashlight app, which needs little to no user information to function, to illustrate the importance of minimizing unnecessary permissions: “Is it really reasonable to turn over all my financial data and all my location data just to use that app? I would say no.”
Notice & Consent
But when a company legitimately needs access to your data to provide a service, the question then becomes whether or not the company can share or sell the user’s data. Senator Tester brought up an example of smart tractors collecting useful data for farmers about the work the tractor performs in the field, but the farmers often don't even have access to the data about their own farms, let alone the ability to control the manufacturer's collection or use of the data. Sen. Tester wanted to know who else had access to the data from his tractors, but without transparency and disclosure laws, it’s difficult to know.
Similarly, Senator Peters brought up the Washington Post story about a period/pregnancy tracking app that shares data with users’ employers. While Sen. Peters’s questions focused on only one “menstrual surveillance” app, there are many other apps, like fitness trackers and productivity monitors, that can’t function without the user providing sensitive data. As we have learned in the past few years, there is nothing to prevent apps from sharing or selling any data, including sensitive data like this, to employers, insurance companies or advertisers. EFF hopes that any federal legislation includes strong consumer data privacy laws with strong enforcement mechanisms to safeguard against the overcollection and improper use of sensitive data.
But that still leaves the question of what companies may do with data legitimately collected for its intended use. Individual users shouldn’t be required to give up their privacy to use apps and websites, so one possible solution would be to have the user agree to any additional use, collection, or sharing of their data. The witnesses at this panel and in previous panels have agreed that any request for consent, for any kind of data, should be easy to understand and should clearly advise the user what data the operator seeks to gather, how the operator will use it, how long the operator will keep it, and with whom the operator will share it.
However, while EFF is in favor of opt-in consent, obtaining a user’s consent is not enough to prevent abuse of the data. As Steyer said, “Transparency and control are important, but they are simply not enough. Notice and consent is not enough. We have to go farther.”
Guliani agreed, saying,
“Notice and consent is not enough, in part because in a lot of cases people don’t have meaningful choice. If the option is between not having a service at all or turning over massive amounts of data, a lot of consumers consent but it’s not really consent… We have to go beyond notice and consent to get at terms that really take advantage of people’s privacy and exploit their lack of choice.”
In other words, the Internet, smart phones, and apps have become so much a part of our lives that privacy standards shouldn’t center on expecting individual users to opt out or not use certain apps. As Senator Markey, the author of the newly introduced Privacy Bill of Rights, said, “A federal privacy bill must build on the notice and consent framework by explicitly prohibiting certain types of data use.” We agree, and we were pleased to see that Senator Markey’s bill includes language that would ban denying service to users who refuse opt-in consent. We hope that he will continue to fight for this provision in any federal privacy legislation.
It was certainly refreshing to watch a hearing on consumer data privacy with actual advocates for privacy at the witness table. We hope the Senators listened to them and will draft a federal bill that allows for additional state protections, disincentivizes the overcollection of data, and gives users real choices for how to protect their privacy.