Testifying witnesses expressed different views over whether a new agency is needed to enforce any forthcoming privacy law and whether private citizens should be allowed to sue over noncompliance.
Some speakers also focused goals on alerting consumers to breaches of their data, while others called for combating widespread data collection and practices that might enable targeted manipulation.
Demand for a national law has been growing, as lives go increasingly digital and as lack of a federal policy prompts more states to act.
Last year saw 38 states introduce more than 160 bills addressing consumer privacy, according to the National Conference of State Legislatures, while California, Colorado and Virginia have comprehensive consumer privacy laws in place. A national law might supplant states’ existing privacy laws, or simply set a baseline that leaves states free to add on further protections.
WHAT COUNTS AS HARM?
Lofgren directed attention to her and Rep. Anna Eshoo’s Online Privacy Act. That bill would limit how companies can collect and use data and would provide residents with rights over their data, such as the ability to view, correct and delete it.
Daniel Castro is vice president of the Information Technology and Innovation Foundation (ITIF), a research and education nonprofit focused on encouraging policy that supports technological innovation. In spoken and written testimony, he advised the government to promote innovation by taking a light touch when restricting how organizations can collect and use data, and recommended focusing on preventing concrete, economic harm to consumers.
An example of actual harm from a data privacy issue might include a consumer’s financial accounts being charged for “unauthorized and unreimbursed” payments after their personally identifiable information was breached, according to a 2018 American Bar Association piece.
Some witnesses also sought to highlight more difficult to quantify harms. They raised the concern that organizations may use data they and others glean to compile comprehensive profiles on individuals, which could then be used to target them in abusive ways.
The profiles can be targeted with manipulative content — including political misinformation — or for discriminatory means, such as blocking people of particular backgrounds from seeing certain job postings or home listings, said Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center (EPIC). EPIC is a nonprofit research center that describes itself as focused on protecting “privacy, freedom of expression and democratic values in the information age.”
“Just as advertising companies use profiles about us to manipulate us into purchases, so, too, can they manipulate our views by filtering the content we see,” Fitzgerald said.
FTC OR DIGITAL PRIVACY AGENCY?
Whatever policy gets hammered out will only make a difference if it’s effectively enforced.
Castro, who appeared to view data privacy largely as a consumer protection matter, argued that enforcement would fall under the scope of the Federal Trade Commission (FTC). Rep. Rodney Davis, R-Ill., said the FTC also has established relationships with the state attorneys general (AGs) with whom it would work on enforcement.
Lofgren’s bill takes a different approach and would create a Digital Privacy Agency (DPA) to oversee compliance.
Fitzgerald supported such a move, saying that the FTC’s broad scope means it has enough on its plate already. The FTC also may lack the necessary technical expertise to battle large corporations over digital privacy, she said.
Fitzgerald argued that a regulator designated to focus solely on privacy would be more impactful and akin to how the Environmental Protection Agency and Federal Aviation Administration were established to tackle important, niche areas.
PRIVATE RIGHT OF ACTION?
Lofgren’s bill would allow state privacy regulators, like the California Privacy Protection Agency (CPPA), to also participate in enforcing the laws. State AGs could sue over breaches, and nonprofits could class action lawsuits.
Castro advised against a private right of action, saying this could lead to an onslaught of cases over situations in which organizations may have failed to fully comply with the law but had not caused actual economic harm. Organizations might then find themselves spending significant time and money responding to all the lawsuits.
Fitzgerald, however, said in written testimony that individuals — as well as groups — should be allowed to sue. State and federal officials have limited capacity to detect and respond to violations, so relying just on them risks giving organizations a sense of impunity.
Shoshana Zuboff, professor emeritus at Harvard Business School and author of The Age of Surveillance Capitalism, said during testimony that lawsuits are important to ensuring legislation evolves to better suit society’s needs. They allow for policies to be probed and adapted.
“What private right of action does is creates the opportunity … to really bring issues into the judicial system to have those issues explored and create precedents,” Zuboff said. “This is what's called the ‘life of the law ‘ — how the law evolves, and how we can move forward into this century, not just with statutes that are frozen in time, but with laws that are evolving.”
