House Subcommittee on Commerce, Manufacturing, and Trade Hosts Hearing on SECURE Data Act
Justin Hendrix / Jun 7, 2026
June 13, 2024 - The United States Capitol. Justin Hendrix/Tech Policy Press
On June 3, the United States House Energy & Commerce Subcommittee on Commerce, Manufacturing, and Trade hosted a hearing to consider H.R. 8413, the SECURE Data Act. The bill, put forward by Rep. John Joyce (R-Penn.), is the latest congressional attempt at privacy legislation.
Witnesses at the hearing included:
- Tyler R. Bridegan, Partner, Womble Bond Dickinson; Former Director of Privacy and Technology Enforcement, Office of the Texas Attorney General
- Kate Goodloe, Managing Director, Business Software Alliance
- Ashli Watts, President and CEO, Kentucky Chamber of Commerce
- Caitriona Fitzgerald, Deputy Director and Policy Director, EPIC
What follows is a lightly edited transcript of the discussion, which may contain transcription errors. Check the video of the hearing to confirm before quoting.
Rep. Gus Bilirakis (R-Fla.):
The chairman recognizes himself for five minutes for an opening statement. Good morning and welcome to today's legislative hearing on federal comprehensive privacy reform. After years of debate, I'm pleased to see us return to the critical issue and discuss the Secure Data Act. Legislation, I believe, will establish a national standard that protects American consumers and provides much needed certainty to businesses across the country. Whether it's your favorite restaurant, your hometown newspaper, or the corner gas station. Every business, no matter the size, uses digital technology these days. These innovations bring enormous benefits to everyday Americans and help ensure that our country remains dynamic and competitive in an increasingly digital world. But today, when Americans ask if their personal data is protected, the answer depends entirely on which state they're in. Unfortunately, for the millions of Americans that live in states without a comprehensive privacy law, the answer is no.
This is unacceptable as far as I'm concerned, not only for consumers, but for the small and mainstream businesses navigating confusing patchwork of state mandates. The Secure Data Act takes the best ideas of the state privacy laws and incorporates many of the ideas developed over the past several years. It seeks to establish meaningful consumer protections while creating a uniform national standard that promotes innovation, economic growth, and regulatory certainty. I would like to thank Dr. Joyce for leading the committee's privacy working group and all the working group members and their staff for their efforts today. This group, I think Dr. Joyce did an outstanding job personally. This group was tasked with finding consensus on a difficult subject while balancing consumer protections with business certainty. Their work has laid an important foundation for today's discussion. I look forward to working with you, our colleagues across the aisle and the stakeholders so that we work to advance the strongest bill possible.
So I want to thank everyone here on the panel and I will yield back the balance of my time and I'll recognize the ranking member, Ms. Schakowsky for her five minutes for an opening statement.
Rep. Jan Schakowsky (D-Ill.):
Okay. Thank you. Until now, Democrats and Republicans have worked together on privacy and these important issues. But right now Democrats have really not been included, which is very distressing to me, but the ...
Aide:
Corporations over consumers.
Rep. Jan Schakowsky (D-Ill.):
Yeah. Corporations cannot be over consumers right now. So I'm going to yield right now to Rep. Mullin for his comments.
Rep. Kevin Mullin (D-Calif.):
Thank you, Ranking Member Schakowsky. Americans overwhelmingly feel powerless over how their information is collected, used, and shared. And the evidence suggests they have good reason to feel this way. Information on whether someone has been to an abortion clinic or searched for information about addiction treatment can be easily bought and sold. Cars are transmitting driver location data to insurers. Gig work platforms are using nurses' personal financial data to set individualized pay offering lower wages to those who appear most in need of work. Foreign adversaries have legally purchased location data that can be used to track active duty US service members. We know how to address these problems. My home state of California enacted the nation's first comprehensive consumer privacy law in 2018 and has continued to strengthen those protections, giving consumers greater transparency and control over how their personal information is collected, used, and shared. In recent Congresses, this committee has also proposed strong bipartisan privacy legislation.
Unfortunately, this Secure Data Act is not that. The legislation before us today moves in the opposite direction. It protects companies that profit from personal data, places the burden on consumers to fight for control over their own information and undermines stronger state level protections already in place. So I urge my Republican colleagues to work in a bipartisan basis on meaningful privacy protections that put consumers in control of their personal information. And with that, I yield back to the ranking member.
Rep. Gus Bilirakis (R-Fla.):
Does the ranking member yield back? Yield back.
Rep. Jan Schakowsky (D-Ill.):
And I yield back.
Rep. Gus Bilirakis (R-Fla.):
Okay. Thank you very much. Now I'll recognize the chairman of the full committee, Mr. Guthrie, for his five minutes for an opening statement.
Rep. Brett Guthrie (R-Ky.):
Thank you very much. I want to thank my good friend. Thank you, Chairman, for having us. My good friend, Ashli Watts, CEO of the Kentucky Chamber of Commerce for being here. And this can be a bipartisan bill. Matter of fact, the model of this bill is what happened in our commonwealth where we have a very prominent Democrat governor and a super majority Republican legislature that put a bill together that's very similar to what we're doing that does protect individuals and also ensures that we can still be competitive in the world. We're not competing with Europe to regulate. We're competing with China to innovate. We have to innovate and also protect individuals' data. So it's a crucial time and I'm glad that we're here. I believe the Secure Data Act does protect individuals' data and allows us to flourish and to make sure we're the world leaders.
Dr. Joyce has really led this effort. Dr. Joyce, when we first started this, Congress was vice chair of the full committee and took this on. He has done a fantastic job with the staff and I would like to yield the remainder of my time to Dr. Joyce for talk about and thank you for the great job that you've done.
Rep. John Joyce (R-Pa.):
Thank you, Chairman Guthrie. And thank you, Chairman Bilirakis. At the start of this Congress, you gave the privacy working group a tall order. Find a path forward on federal privacy reform that protects consumers, enables beneficial use of data, gives businesses the certainty that they need and can earn consensus among committee Republicans. As we saw in the 118th Congress, reaching agreement on comprehensive privacy legislation is not easy, even among members on the same side of the aisle. We cannot and will not take that consensus for granted. The Secure Data Act is a result of 15 months of the working group's efforts. Reaching this consensus was only possible with a strong collaboration between members of the working group who are all original co-sponsors of this legislation. Thank you for your partnership and thank you to your dedicated staff who spent countless hours on this issue reviewing more than 250 RFI responses, taking hundreds of meetings with stakeholders and working through difficult policy questions to reach agreement on legislatives task is no small task.
To the stakeholders who engaged with the working group, thank you for your thoughtful contributions. Many stakeholders have already expressed support of the Secure Data Act and I'm grateful for this support as we work to move this bill through regular order to the House floor. To my colleagues on both sides of the aisle, I look forward to engaging with you to advance the Secure Data Act and produce the strongest bill that is possible. This legislation is built on the foundations laid by more than 20 states, red states, blue states and purple states. The states have sketched a path forward for us that protects consumers, provides certainty for businesses, and offers a strong foundation for bipartisan federal privacy legislation. All of these issues are significant components of the Secure Data Act. I look forward to today's subcommittee discussion as we work to advance this legislation. And again, thank you, Chairman Bilirakis, and I yield back to Chairman Guthrie.
Rep. Gus Bilirakis (R-Fla.):
Thank you. Thank you, Mr. Chairman. Give a job to Dr. Joyce and he gets it done. So next we'll recognize the chairman of the full committee, actually the ranking member of the full committee, Mr. Pallone for five minutes for an opening statement.
Rep. Frank Pallone (D-N.J.):
Thank you, Chairman Bilirakis. When it comes to data privacy, it's clear what Americans need. They need a national privacy law that puts the focus on companies to collect and use data responsibly. They need their sensitive data used only for limited purposes that they control. They should have the ability to easily opt out across all data brokers and websites selling their data or using it for invasive targeted ads rather than opting out one by one. And they need to know that their data will be kept safe from data breaches and misuse and that they can pursue legal remedies if it's not. They need protections to ensure their data won't be used to discriminate against them and our nation's kids and teens need the strongest possible protections for their data. Now, the Republican bill before us today does not meet that mark. The partisan Secure Data Act is not the strong enforceable standard its sponsors describe.
Instead, this bill locks in the failed notice and consent status quo and then compounds loophole upon loophole to water down its provisions. And then to make matters worse, it adds expansive preemption that will leave many Americans with fewer privacy protections than they have today. Rather than taking the strongest consumer protections from the existing state privacy laws, this bill is assembled from industry friendly state privacy laws that have been pushed by big tech. It's therefore no surprise that this bill allows big tech and others to continue their ongoing privacy violations. And unfortunately, these intrusions will only get worse as they push to insert artificial intelligence into every corner of our lives, supercharging both incentives to gather every bit of personal data and the potential harm that could result. A future with AI chatbots that can tailor personalized recommendations to our unconscious wants and algorithms that can set prices based on intimate details demand strong privacy guarantees for all Americans.
And in fact, these privacy guarantees are more important than ever. And I've fought for years for data minimization standards to shift the burden of protecting Americans' privacy from consumers to the companies that profit off of their data, but the Secure Data Act is so-called data minimization provisions. Those provisions allow companies to collect and use data however they choose as long as it's disclosed in the fine print. So this is just another notice and consent by a different name. It continues to impose unreasonable burdens on consumers. They should not be forced to become privacy policy experts every time they visit a website or download an app. The sweeping preemptions in this bill would not only eliminate hard won privacy protections that millions of Americans currently enjoy, but would also invalidate any state law that relates to the bill. The legislation would prevent Maryland, for example, from continuing to protect its residents by ensuring their sensitive information is not sold.
It would prevent Californians from being able to delete their data from all data brokers in one step and it would invalidate state laws on wiretapping, on robocalls, data breach notifications, civil rights, and kids' online safety. Not only are these existing laws preempted, but states will be forever apart from addressing the future privacy harms that emerge with new technologies like AI. So I've long supported bipartisan national comprehensive privacy legislation, but previous bipartisan compromises like the American Privacy Rights Act, the American Data Privacy and Protection Act, they recognize that a federal privacy law must exceed the strongest protections of any state and not set a weak ceiling. These compromises also put consumers in control of their personal information, prioritized data minimization, protected kids and teens, and included algorithmic accountability measures. And all of this was paired with strong enforcement to make these protections meaningful for consumers. Such a compromise remains, in my opinion, the only path forward to truly protect American privacy.
And I want to stress, Mr. Chairman, that although I'm being very critical of this bill, I still think that we can come to a compromise similar to what we've done in the past, but this is not it. And so I have to criticize what's here today and hope that we can work for a better bill. And with that, I yield back, Mr. Chairman.
Rep. Gus Bilirakis (R-Fla.):
I thank the ranking member. Thanks so very much for your comments and we will work together. Today our witnesses are Ms. Kate Goodloe, Managing Director, Business Software Alliance, Ms. Ashli Watts, President CEO of Kentucky Chamber of Commerce, Ms. Caitriona Fitzgerald, Deputy Director of Electronic Privacy Information Center and Mr. Tyler R. Bridegan. I hope I said that right. Partner of the Womble Bond Dickinson. So let's begin with Ms. Goodloe. You're recognized for five minutes. Thank you.
Kate Goodloe:
Good morning, Chair Bilirakis. Good morning. Ranking Member Schakowsky, Chair Guthrie and Ranking Member Pallone and members of the subcommittee. My name is Kate Goodloe and I'm managing director at the Business Software Alliance or BSA. BSA represents the business to business technology providers that support companies in every sector of the economy. Privacy and security are core issues for our members, which is why we are deeply engaged on privacy legislation in the United States, including across the state capitals and worldwide. Companies of all sizes and in all industries, including manufacturers, automakers, hotel chains and energy companies rely on AI-driven business to business tools like cloud computing, collaboration software customer service platforms and cybersecurity services. BSA members provide these technologies so that other companies can focus on what they do best, making products and serving customers. The United States needs a national privacy law that is built for the modern economy, one that pairs strong consumer protections with clear rules that limit how companies can collect and use consumers' data.
We welcome your focus on these issues and I thank you for the opportunity to testify. This committee has led Congress's work to protect consumer privacy. We urge you to continue that work and to leverage progress made by the states in recent years. In July 2022, this committee approved a comprehensive consumer privacy bill. At that time, just one state had a comprehensive consumer privacy law in force. Two years later in April 2024, leaders of this committee released a discussion draft of an updated federal privacy bill. At that time, five state laws had entered force. Now, two more years have passed and 22 states have acted. Past efforts to draft comprehensive federal privacy legislation started from a blank slate, but the landscape of American privacy laws is no longer blank.
22 states, both red and blue, have enacted comprehensive consumer privacy laws. Those laws are remarkably consistent because 21 share the same core structure with a common approach to definitions, rights, and obligations. But this core structure risks unraveling as at least 30 different amendments have revised, expanded, and changed state laws, making it hard for companies and consumers to keep up. The Secure Data Act adopts the right structure for protecting consumer privacy nationwide because it is grounded in the laws already passed by states. This is a key difference from prior federal bills. The Secure Data Act uses the same structure of privacy legislation that underpins 21 of the 22 state laws. It includes a core set of rights for consumers based on the clear consensus that consumers should have the ability to access, correct, delete and port their data and rights to opt out of activities like the sale of their data, targeted advertising and certain profiling.
It also adopts the longstanding widespread distinction between controllers and processors. This ensures its obligations fit companies across the modern supply chain in which one company relies on many others to serve customers. I want to emphasize this last point because every company that handles consumers' personal data should be required to do so responsibly in a way that fits their role. Grounding federal privacy legislation in the structure already used by state laws is a critical step and we urge you to continue this important work. Why is it good for businesses? Well, companies should not have to track 50 moving goalposts to do business in the United States. We need a single clear set of rules that limits how companies collect and use consumers' data so consumers trust it is used responsibly. Why is it good for consumers? They need rights that do not depend on whether they live in one of the 22 states that has already acted.
Consumers' data should also be used responsibly and kept securely no matter where they live. Of course, for any federal privacy bill to pass into law, it will need to have bipartisan support. As this bill moves through the process, we hope that the text can become a bipartisan product. Privacy has always been a bipartisan issue. In the states, 10 Democratic governors and 11 Republican governors have signed privacy bills with this structure into law. We look forward to working with both sides of the aisle as this bill moves forward. We appreciate the subcommittee's leadership on federal privacy legislation and we urge you to move the Secure Data Act through the legislative process to promote technology adoption across the economy and protect American consumers nationwide. Thank you and I look forward to your questions.
Rep. Gus Bilirakis (R-Fla.):
Thank you. Thank you for your testimony. Now recognize Ms. Watts. You're recognized for five minutes.
Ashli Watts:
Yes, thank you. Thank you. Again, good morning, Chairman Guthrie. Morning. Chairman Bilirakis, Ranking Member Pallone, Ranking Member Schakowsky and members of the subcommittee. Thank you for the opportunity to be here today. I'm Ashli Watts and I am the president and CEO of the Kentucky Chamber of Commerce, which is the Commonwealth's largest business advocacy association. We represent employers of every size and every sector who collectively employ hundreds of thousands of Kentuckians. I also serve as chair of the US Chambers Committee of 100 comprised of the chief executives of America's largest state and metropolitan chambers of commerce. Through that role, we have brought together more than 120 state and local chambers and unified support of the Secure Data Act, including the Kentucky Chamber. In 2024, the Kentucky Chamber played an important role as a convener throughout the state level conversation on data privacy. We brought together stakeholders from across industry sectors, business organizations, retailers and privacy, security and technology experts to negotiate a balanced workable solution.
The result was House Bill 15, Kentucky's comprehensive consumer data privacy law. Now, like Chairman Guthrie said, Kentucky is a bit of a unique state. We have a super majority Republican legislature and a Democratic governor. House Bill 15, which is very similar to the Secure Act passed unanimously with strong bipartisan support and was signed into law by Governor Andy Beshear. And it is a law that the Kentucky Chamber is proud of leading the way. The goal was straightforward. Protect consumers' data and privacy while maintaining an environment where Kentucky businesses can operate and compete. The Secure Data Act asks Congress to extend to all Americans what Kentucky and 19 other states have already put into law. We believe that federal action is urgent because when every state writes its own law, even good policy creates a patchwork. The majority of our businesses at the Kentucky Chamber are small businesses and no business, large or small, can realistically navigate 50 state legal strategy to comply with privacy expectations.
Small businesses in particular often lacked in-house legal teams, chief privacy officers, or large compliance budgets. The US Chambers Empowering Small Business Report found that nearly two thirds of small businesses are worried that complying with different state laws will expose them to higher compliance and litigation costs. A number that jumped 14 percentage points in just a single year. A fragmented privacy landscape is estimated to cost the US economy as much as $1 trillion with 200 billion of that burden falling on small businesses. It is important to note that strong consumer privacy protections and economic growth are not competing goals. They reinforce each other. When customers trust that their information is being handled responsibly, they're more willing to engage to transact and participate in the digital marketplace and clear rules help build that trust. The Secure Data Act is built on bipartisan state laws just like the one we passed in Kentucky.
It provides consumers with strong privacy protections, the right to access, correct, delete, import their data, opt out rights, and opt in requirements for sensitive information. It has a reasonable data minimization standard and it establishes a national standard without a private right of action. Every state that has passed this type of legislation has made that same choice because it produces consistent meaningful outcomes for consumers. This framework has been signed by nine Democratic governors and 11 Republican governors. More than 2,500 state lawmakers, both Democrats and Republicans have voted for it. More than 135 million Americans are already protected by it. This is not just a technology policy issue. It is a competitiveness issue. Kentucky's businesses and all American businesses, especially small businesses, need one clear set of rules of which they can build around. The Secure Data Act provides just that. The model is proven and the consensus exists across party lines.
What remains is for Congress to act. On behalf of the business community, I urge this subcommittee and the full Congress to pass the Secure Data Act. The Kentucky Chamber of Commerce, the US Chamber of Commerce, and our more than 120 state and local chamber partners stand ready to support you in this effort. Thank you and I look forward to your questions.
Rep. Gus Bilirakis (R-Fla.):
I'll tell you what, that was excellent testimony. I appreciate it. Ms. Fitzgerald, you're recognized for five minutes.
Caitriona Fitzgerald:
Chairs Guthrie and Bilirakis, Ranking Members Pallone and Schakowsky, members of the subcommittee. Thank you for the opportunity to testify today. My name is Caitriona Fitzgerald and I'm Deputy Director of the Electronic Privacy Information Center, or EPIC. EPIC is an independent nonprofit established in 1994 to secure the fundamental right to privacy in the digital age for all people. And we have been deeply involved in the debate in the states over privacy legislation. We believe privacy is a fundamental human right. There's broad bipartisan agreement that Americans need stronger privacy protections. Poll after poll shows that consumers are fed up with the status quo. They don't want surveillance pricing at the grocery store. They don't want their cars broadcasting their driving habits to their insurance companies and they certainly don't want US troops put at risk in war zones because online advertising is a privacy nightmare. America needs a strong data privacy law, but the Secure Data Act is not the right approach.
This committee previously approved bipartisan bills that meaningfully protected privacy. In those negotiations, both sides worked to craft a federal bill that was stronger than the strongest state law. Those bills included meaningful data minimization, heightened protections for sensitive data, limits on data discrimination and robust enforcement. The Secured Data Act does the opposite. It sets a national standard that is weaker than the weakest state law. We shouldn't be making the floor the ceiling. You've heard today that this framework has been successful in the states, but it hasn't been successful for the people in those states. What makes it so weak? A core weakness of the Secure Data Act is its lack of a real data minimization rule. The Secure Data Act allows businesses to continue collecting and using data however they please as long as they disclose it in a privacy policy that we know few consumers read and no consumer has the power to change.
Data minimization only works if it actually limits how much data companies can collect and how they can use it. My eight-year-old is a huge soccer fan, but every team he joins requires me to download a new app to get the schedule and talk to the coach. If I don't like the app's terms, there's no disagree but download the app anyway button. I have to accept it or not download the app. Am I supposed to tell my son he can't play soccer because his mom doesn't want her data used to train AI systems? Congress shouldn't be passing a privacy law that bakes this unfair system where companies get to dictate the terms into law. The Secure Data Act also fails to adequately protect our most sensitive data, like our location data. Sensitive data should have stronger protection than beyond simply consent because in practice that just leads to endless popups that consumers grow numb to.
Another significant weakness of the Secure Data Act is that despite its focus on individual consumer rights, it lacks a private right of action. If a company ignores my request to delete my data or opt out, there's no recourse. It's essentially unenforceable. The FTC and state AGs don't take on individual cases. This bill has many more weaknesses than I have time to detail in my testimony today, but the fatal flaw is the combination of these weak rules with the most expansive preemption option available to the federal government. This bill would wipe out decades of state laws causing chaos in our legal system. My testimony includes a list of the hundreds of laws EPIC believes could be preempted, including those on robocalls, civil rights, kids online safety, and even longstanding privacy torts. This bill would also make it harder to hold big tech accountable in court. Just last week, Meta, Snap, YouTube, and TikTok agreed to a $27 million settlement with a Kentucky school district where platforms' addictive designs harmed students' mental health.
Many of the claims in that case relate to rules in this bill, so there's no way of knowing whether similar cases could move forward. The weak rules in this bill paired with its extreme preemption provision would be a disaster for Americans. I want to emphasize that. The passage of this bill would be a worse outcome for Americans than no federal data privacy law at all. The trends in the US are clear. Companies are abusing increasing amounts of our personal data. AI is turbocharging that abuse and Americans want more protections from big tech. Yet this committee is proposing weaker legislation than it overwhelmingly approved in previous sessions. Congress should not pass a privacy law that fails to address the very real data abuses and privacy harms that Americans are asking them to fix and it certainly should not strip Americans of privacy rights they already have.
We know what's needed. Strong data minimization, heightened protections for sensitive data limits on data discrimination and robust enforcement. The Secure Data Act unfortunately doesn't meet the moment, but the solutions do exist and I urge the subcommittee to consider other approaches that give Americans the privacy they want and deserve. Thank you for the opportunity to testify today and I look forward to your questions.
Rep. Gus Bilirakis (R-Fla.):
Thank you. Now I'll recognize Mr. Bridegan for your five minutes. Appreciate it.
Tyler Bridegan:
Guess Ranking Member Pallone, Schakowsky, members of the subcommittee. My name's Tyler Bridegan. As a brief housekeeping matter, I'm here in my personal capacity today, not on behalf of any company, organization or client. One, I want to say thank you members for picking up this effort again. I think we all are in agreement that it is an essential priority to get a federal privacy law passed in the United States. I want to give you guys start with a bit of my background so you can understand the sort of lens that I am viewing the Secure Data Act.
Up until the end of last year, I was serving as the Director of Privacy and Tech Enforcement for the Texas Attorney General's Office. There I was headed up our efforts to implement and enforce all of the recently passed Texas privacy laws that included comprehensive privacy, data broker laws, children's privacy and online safety laws. As part of that, we took a very intentional approach to looking at sort of what harms exist in the United States. Many of our cases were very high profile. They involved looking into the entire auto manufacturer industry. Several social media companies and several of our investigations ultimately led to litigation. Also, as part of my role, I have the opportunity to get to know my counterparts in other states. It was an incredible experience getting to hear what so many states are doing on the privacy front, both advising their legislatures on what is working and what isn't in their privacy laws, as well as figuring out ways to appropriately enforce their law and dedicate resources.
At the end of last year, I returned back to private practice at the law firm Womble Bond Dickinson. Our firm has a very broad client base. We have our origins in the Southeast and then we've since expanded across the United States. As part of that, we have clients of all sizes that are in every industry from your brick and mortar to defense to giant online retailers. It has been extremely educational for myself to see what all of these different companies and different sectors care about with respect to privacy. But enough about my background on the Secured Data Act front, I want to cover four key points with you guys today. First, there is widespread support, and I think that's been echoed by all the other witnesses that Americans want a privacy law passed. Companies' practices are unclear to consumers. They are learning of new ways their data is being used.
It is time to protect those consumers. In Texas, as part of our privacy law, we had to create a consumer privacy complaint database. It went online July 1st. By July 2nd, we had our first 10 consumer complaints coming from corners of Texas, you would not expect. Someone from Laredo filed a complaint asking for a, oh my gosh, fast food chain to update their privacy policy because it didn't have a right for them, an option for them to delete. Not the first company I probably would've looked into. I think all to say there's widespread support on that front. Now, second point, we now know much more tangible harms. I think several of our cases focus on how data was particularly sensitive data types were ultimately being used to monetize or affect consumers. Third, we now know more. When the last time Congress pushed forward with this effort, most of the state laws were not in effect and there has definitely not been enforcement that it occurred yet.
We now have had the opportunity to see which provisions in the laws protect from those key consumer harms, particularly the tangible harms that we're seeing emerge. And then fourth, I think that passing a federal privacy law is crucial. Right now, over half the states don't have sensitive data protections, meaning by default, companies can collect and use that data however they please. Trillions of data points are being generated about Americans every single day that still go unregulated. All that to say, I am extremely excited for this effort to be moving forward. I think we're actually pretty close on a lot of provisions, which is exciting when I was reviewing this law, but that is it for me and I'm happy to answer any questions.
Rep. Gus Bilirakis (R-Fla.):
Thank you, gentlemen. Now I'll begin questioning and recognize myself for five minutes. I shared the concerns of many Americans that companies are collecting more of personal data than is really needed. At the same time, we've seen how overly restrictive privacy laws like Europe's General Data Protection Regulation throttle privacy, again, private industry and innovation. So Ms. Goodloe, how do the Secure Data Act's restrictions on data collection work and how do they differ from Europe's law and past proposals before the committee? Mr. Bridegan, if you want to add something after Mr. Goodloe, would appreciate that as well. It's actually Ms. Goodloe, I apologize.
Kate Goodloe:
Sorry. Thank you for the question. The Secure Data Act builds on the experience of state laws to create a core set of rights for consumers and a core set of obligations on companies. Importantly, those obligations extend across the modern supply chain and they create rules for both controllers, which are the companies that decide how and why to collect consumers' data and for processors, which are the companies that handle data on behalf of other companies pursuant to their instructions. That is a critical difference from prior federal laws and it ensures that the obligations created by this act carry across the modern economy. I think it is important that Congress pass a law that creates one set of rules for companies to collect and use data so that consumers know it is used responsibly.
Rep. Gus Bilirakis (R-Fla.):
Thank you. Mr. Bridegan, would you like to add to that?
Tyler Bridegan:
Yeah. Compared to the GDPR, it's actually conceptually similar. There are similar restrictions in the GDPR about sensitive data and using consent in order to collect and use that data that is present in the Secure Data Act. There's a long history. Illinois Biometric Information Privacy Act, Washington State's most recent My Health My Data Act, Texas's Similar Biometric and Genetic Privacy Act. That principle is strong. It has led to several of the largest settlements in history in the United States. I'd also say GDPR takes a more high level approach without being too prescriptive. And that's similar to things we've seen in other contexts in the United States like the NIST cyber controls. It's explaining what types of controls you need and what sort of practices ultimately lead to stronger protections without being so prescriptive as to require companies to implement or include many specific requirements in a privacy policy, for example.
Rep. Gus Bilirakis (R-Fla.):
Thank you. Next question. There's a view in Washington as well as some states that more mandates on business means more protections for Americans. Right now we have 22 comprehensive consumer privacy laws in this country, which may become 24 in short order if the governors of Louisiana and Vermont sign the bills on their desks. And I know you alluded to this earlier, but these laws sit alongside existing federal requirements for different sectors such as healthcare and finance and FTC, the FTC Act. So Mr. Bridegan, is the status quo effectively protecting consumers? Are more state by state laws better than a uniform federal framework?
Tyler Bridegan:
I think there has been a good movement at the state level to increase enforcement. That said, at the end of the day, the 50 states having a uniform law to enforce and create precedent around, plus being able to team up with the Federal Trade Commission, will create very clear market shifts in privacy practices around the country. Most companies want to good faith comply with the law, but at the end of the day, there's a real effect for when there's a heightened risk of enforcement from several entities. I think a federal law would create that heightened risk for enforcement and ultimately encourage companies to prioritize complying with the letter of the law.
Rep. Gus Bilirakis (R-Fla.):
I have a little more time. Ms. Goodloe and Ms. Watts, would you like to add anything?
Kate Goodloe:
I will add that the important piece of a national law is it will protect consumers nationwide. Right now, consumers are protected in 22 states with different state laws and we need a clear set of national rules that companies can build strong compliance programs toward. I think that will make sure that consumer protections are extended nationwide and that companies know what to do and what to focus on to better protect consumers.
Rep. Gus Bilirakis (R-Fla.):
Ms. Watts?
Ashli Watts:
Yes, thank you. Yes, thank you, Chairman. And I would echo my colleagues' answers on that. We in Kentucky really did kind of question whether we should continue to advocate for a federal law or work on a state law. After several years of no action by Congress, we decided that we needed to take matters a little bit into our own hands and pass a law in Kentucky, but we absolutely believe that a federal law is the way to go. I'm proud to speak on the majority of my members of the Chamber of Commerce or small businesses. They want one clear set of standards to be able to comply with and this is what this bill would do instead of a patchwork of all the various states.
Rep. Gus Bilirakis (R-Fla.):
Very good. Thank you. I'll yield back the balance of my time and I'll recognize the ranking member of the subcommittee, Ms. Schakowsky, for five minutes of questioning.
Rep. Jan Schakowsky (D-Ill.):
Ms. Fitzgerald, I wanted to ask you, where are you? There you are. How is it? How does this bill benefit corporations instead of the- Yeah. How does this bill benefit corporations rather than the American people?
Caitriona Fitzgerald:
Thank you so much for that question, Ranking Member Schakowsky, because I think it's really important for members to understand a bit of the history of where these 22 state laws came from. Privacy and consumer rights and civil rights groups have opposed those laws in the states. Those bills originated from a draft that was written by tech giants in Washington State. It ultimately did not pass in Washington state, but they took it to Virginia first and passed in 2021 and then brought it to these now 22 states or 21, I guess, because California followed a different path and pushed their weak model with the hopes of getting exactly to this moment, coming to Congress and saying, "This is the consensus in the states, please process at the federal level and preempt states from doing anything for all of time on privacy." Those state laws are far too weak to adequately protect privacy and Congress should not be emulating that model, right?
Privacy laws should not be written by the very entities they seek to regulate.
This bill also contains about five pages of exemptions and loopholes, corporate carve outs. It makes you wonder who the weak rules in the bill will even apply to in the end. So that's something we really want to be careful of when we're looking at bills as well and who they're protecting. I'll say as a privacy advocate in the states, it's disappointing to see how quickly the conversation turns to a focus entirely on business compliance and consumers are almost, they're hardly mentioned in the end. You almost would forget that you're working on a consumer protection bill in the end as opposed to a business compliance bill. So I'd say so much work was done on previous bipartisan proposals to come up with a framework that protected Americans and allowed businesses to thrive and innovate and it's disappointing that the Secure Data Act throws all that out and starts over.
And I hope that we can come back to the table and come to a bipartisan agreement on a bill that works for both the American people and our businesses.
Rep. Jan Schakowsky (D-Ill.):
Are there other things that we should be doing to make sure that consumers are benefited?
Caitriona Fitzgerald:
I think the key with the privacy law is to make sure that the onus of protecting privacy is not entirely on the consumer and rather the businesses that are collecting, using, profiting off of our data have obligations on the forefront to limit the amount of data they're collecting and using. There's just such a power imbalance that if companies can just write these policies and say, take it or leave it, that just doesn't protect privacy. I realize that we're trying to put things back in the box because we didn't act on privacy early on. EPIC has been asking Congress to pass a privacy law for 30 years, but that doesn't mean that we should just allow the status quo to continue. Consumers need adequate protections online. I really do think that the solutions exist to do that in a way that would allow our businesses to thrive but adequately protect consumers.
Rep. Jan Schakowsky (D-Ill.):
What are the things that we need to do to make sure that consumers are empowered?
Caitriona Fitzgerald:
We need a strong data minimization rule that limits data collection and use. It says to company the ADPPA and APRA limited data collection use to what was necessary for the product or service the consumer's asking for. So that means that companies have to better align their data practices with what consumers expect. I don't expect my flashlight app to collect my location data. I expect my weather app to collect my location data, but I don't expect them to sell it to a dozen data brokers. So we want to better encourage companies to have this culture of privacy where they're only collecting what they need to provide the service the consumer's asking for.
Rep. Jan Schakowsky (D-Ill.):
Thank you. Appreciate that very much.
Rep. Gus Bilirakis (R-Fla.):
Gentlelady yields back. I now recognize the chairman of the full committee, Mr. Guthrie, for his five minutes of questioning.
Rep. Brett Guthrie (R-Ky.):
Thank you very much. And the process by writing this bill that Mr. Fitzgerald described absolutely was not the process in writing this bill. Dr. Joyce will speak for itself, but we met with hundreds of different people, different groups. And everybody on here wants people's data to be secure and to have their privacy and have a security. As I said, we're not looking to compete with Europe to regulate. We're looking against to compete against China to innovate. And we don't want to be China either. We certainly don't want to be Europe. And so the question is, can you find a balance? And that's what we've worked hard to find a balance. And we think that we strongly believe that we have. Europe, United States had the same economy 20 years ago. The same economy 20 years ago. The European economy, and there's a lot of reasons.
Our energy policy can't dismiss that Britain has pulled out, but our economy is twice the size of Europe today and 15 years, twice the size. So now you got to look at the reverse. What if our economy today was half the size that is today? Talk about unemployment, you talk about affordability, talk about all these. So these things matter and things just don't happen in a think tank. Things doesn't happen in academia, things happen in the real world. And so people's data is being collected in the real world and people are trying to innovate and grow their companies in the real world. And so how do we strike that balance? That's what we're looking at. So Ms. Watts, we heard a lot about big tech. I know in Kentucky we have a lot of small businesses and you mentioned it in your remarks. Could you kind of go a little further on how typical Kentucky small businesses are affected by this and why they ... And I don't believe Governor Beshear was out looking for big tech and for businesses.
I'm thinking he's trying to make Kentucky a business state. I'm not saying he was anti, but I don't think he was ... How can we give everything to big tech? I don't think he had that at all. And it didn't just come from the general assembly because he's been known to veto a lot of bills and they get overridden, but he vetoes a lot of them. So I would have to think that he had a hand in doing this too. And so I don't think he's out there trying to protect big tech at the expense of the consumer. It's been insinuated.
Ashli Watts:
Absolutely. Thank you, Chairman Guthrie, for that question. We are really proud of our small businesses in Kentucky. They are the backbone of our economy as you know in your district. And I always say, I've been at the Kentucky Chamber now for 14 years leading their advocacy. I feel like I'm pretty good at my job, but it's still really hard to pass a bill unanimously through the Kentucky General Assembly and have it signed into law by a Democratic governor. I think that shows the power of our convening and the power of the consensus that we built around this. It was not just big tech. Of course, we had tech at the table. We needed to have their voice be heard, but we also had small businesses. We had retail, we had restaurant, we had consumers, we had everyone kind of at this table really working together for a consensus based solution.
And that's exactly what we did in Kentucky that is really mirrored here with the Secure Act. And so I think just speaking for it wasn't only bipartisan, it was unanimous in Kentucky's general assembly and then signed into law by Governor Angela.
Rep. Brett Guthrie (R-Ky.):
Because every business no matter what size, if they have a credit card portal is affected by this.
Ashli Watts:
Exactly.
Rep. Brett Guthrie (R-Ky.):
If you're a lone person with a store, your family runs your store and you have a credit card report, which everybody has to have now, then you're affected by this bill.
Ashli Watts:
Absolutely. And I think you know small businesses-
Rep. Brett Guthrie (R-Ky.):
Or any proposal that we do.
Ashli Watts:
Exactly. Small businesses in your district and throughout the Commonwealth want to be a nationwide marketplace. We do a lot of our shopping online. You want that ease and you want your small businesses in the commonwealth. And
Rep. Brett Guthrie (R-Ky.):
I was in the general assembly. So being a product of the general assembly, you do get a lot more grassroots input. Yes. So my guess is you had a lot of consumers and you had a lot of businesses around the table as opposed to consumer groups that represent the interest of consumers not out there that are think tanks. And you always got to wonder who's hired the think tank. And the second thing is, and then big tech. So not in Kentucky, you didn't have probably the four or five big titans of big techs in at the table with a bunch of consumer groups. It was consumers and small businesses. And so if you see one of these state laws have developed the way that they have, my guess is because they're listening to the people in their state, not because they're just trying to cover up for some other big ... This has been insinuated here today.
Ashli Watts:
I would absolutely agree. And I would say if small businesses were upset with a law that was passed in Kentucky two years ago, I absolutely guarantee you that law would not have been passed unanimously by the Kentucky General Assembly and signed into law by Governor Andy Beshear. Small businesses in Kentucky supported this bill. Local chambers of commerce all across the commonwealth supported this bill and that bill has now been mirrored a lot in the Secure Act. I think we're a great example to show the convening power and the consensus building that we built around data privacy in the commonwealth.
Rep. Brett Guthrie (R-Ky.):
And it's typical of state governments to have those kind of grassroots input. Thank you. And my time, I don't have time to ask another question, I'll yield back.
Rep. Gus Bilirakis (R-Fla.):
You're welcome to ask another question, Mr. Chairman. All right, gentleman yields back. Now we'll recognize the ranking member of the full committee, Mr. Pallone, please.
Rep. Frank Pallone (D-N.J.):
Thank you, Chairman Bilirakis. I've long said that the core of any comprehensive privacy standard has to begin with strong data minimization, but if the Secure Data Act contains a provision that claims to offer data minimization, but actually allows companies to do anything they want with consumer data with notice and consent. So my question of Ms. Fitzgerald isn't actually have four, so I'm going to actually like to answer them in a minute or so if you could. So the first one is, how does the standard for data minimization in the Secure Data Act compare to the data minimization offered by prior bipartisan federal privacy proposals like the American Data Privacy Act and the American, well, the two bills, American Data Privacy and Protection Act and the American Privacy Rights Act. And does it provide the SECURE Act any meaningful difference for consumer privacy compared to the status quo in a minute?
Caitriona Fitzgerald:
Thank you, Ranking Member Pallone. EPIC views data minimization as the most important substantive rule in any privacy bill and I would hesitate to call what's in the Secure Data Act data minimization. I know that section is titled that way, but it's really data maximization. Companies are incentivized to write their privacy policy as broadly as possible, list as many purposes as possible because the only thing that counts as a violation is not disclosing. So they'll just say, "We collect your data for marketing purposes." That allows them to do anything, doesn't tell anything to consumers. And in fact, it's basically restating current consumer protection law, so it's not giving them any additional protections because unfair and deceptive trade practices laws already require companies to be truthful in their privacy policies. Whereas previous bipartisan proposals, like you said, required companies to limit their data collection and use to purposes that the consumer expected that were reasonably necessary for the product or service they asked for.
Rep. Frank Pallone (D-N.J.):
All right, thanks. So the second thing is about enforcement because meaningful consumer protection is only as effective as its enforcement and that includes cases involving individual consumers who've been uniquely harmed. So the question is, how will the lack of a private right of action in the Secure Data Act impact the law's effectiveness? Will the right to cure further impact the law's effectiveness and in what way?
Caitriona Fitzgerald:
Yes, thank you. We've seen in the states that the lack of a private right of action, without it, there's really little incentive for companies to comply with the law because they know the risk of government enforcement is so low and that's only made worse by the inclusion of a right to cure in the Secure Data Act because companies know they'll get a get out of jail free card. If government enforcers do come knocking at their door, they can just fix the problem and there can't be any enforcement. Consumers lose in all these situations because they can't enforce their own rights. And then if a government agency, a state AG or the FTC does try to enforce, companies can just fix the problem after the fact, even though the harm is already done, your data's already out there, your privacy rights have already been violated and there's no getting that back.
Rep. Frank Pallone (D-N.J.):
All right. Then the third thing I recently began an inquiry into surveillance pricing to find just how widespread these practices are and this includes pricing that can use consumers' intimate details to predict when they're most vulnerable and most likely to pay more for the product. The question is, would the Secure Data Act address the problems presented by surveillance pricing algorithms and practices?
Caitriona Fitzgerald:
No, Secure Data Act does nothing to address it, surveillance pricing. Companies could just say in their privacy policy that they were using your personal data to offer personalized pricing. What that will look like for the consumer is they sign up for a loyalty program in the hopes of saving money and then their personal data is used to determine just how much they'll tolerate paying for eggs, which could be a different price than their neighbor. Secure Data Act would do nothing to stop that harmful practice.
Rep. Frank Pallone (D-N.J.):
All right. Then the last thing is about preemption. The Secure Data Act contains very broad preemption language that goes beyond what we saw in APRA and ADPPA and clearly preempts more than state comprehensive data privacy law. So the question is, under the Secure Data Act, what is the potential scope of state preemption and how might this affect consumers and states that already have strong protections in the law?
Caitriona Fitzgerald:
Yes. The Secure Data Act includes the broadest preemption option available to the federal government, preempting anything that relates to the provisions in the bill. The Supreme Court has described this form of preemption as deliberately expansive. I attached a list of the hundreds of laws that EPIC believes could be preempted to my testimony. That's even a representative list. There could be many more. It's hard to overstate the chaos this will cause in our legal system. It goes so far beyond just preempting the comprehensive privacy laws that it attempts to mirror. It would preempt longstanding privacy torts. It would preempt a lot of kids online safety laws like age appropriate design code, laws about robocalls, no one wants robocalls back, and data breach notification law. So the preemption provision was just written so expansively that everything from kids online safety to robocalls is at risk.
Rep. Frank Pallone (D-N.J.):
Thank you so much. Thank you, Mr. Chairman.
Rep. Gus Bilirakis (R-Fla.):
I appreciate it. The gentleman yields back. Now I recognize the gentleman from the great state of California, Mr. Obernolte, for his five minutes of questioning.
Rep. Jay Obernolte (R-Calif.):
Thank you, Mr. Chairman. Let me begin by saying how delighted I am that we are finally having this hearing. This has been a long road. It's been an honor for me to serve on the Data Privacy Working Group under the leadership of Congressman Joyce. And let me emphasize some of the points that have already been made here. This legislation has been over a year in drafting and we tried to correct some of the mistakes that have been made in previous efforts by broadly engaging all corners of the stakeholder community. We sat down with hundreds of different groups representing different points of view. I want to give a shout out to all of our individual staff and the committee staff because this has been a Herculean effort to get to this point. One of the things that I think we need to spend more time talking about is how burdensome it is on small businesses to have this complex regulatory landscape of potentially 50 different state laws, currently 22, but potentially 50 different state laws.
As a technology entrepreneur myself, I can tell you that a landscape like that is a barrier to entry to people trying to start new businesses and technology because what it does is it advantages big tech because those are the companies, not to pick on them, but those are the companies that have buildings full of lawyers and the sophistication to deal with a regulatory landscape like that. So if you're a Google, you're a Microsoft, you can do it. If you're two people in a garage somewhere trying to start the next Google or the next Microsoft, you can't. And this is the big challenge that we're trying to solve with one unified federal standard. So Ms. Goodloe, you have many small businesses as part of your organization. Can you talk about just how challenging it is to navigate this landscape of currently 22 different state regulations?
Kate Goodloe:
Thank you for the question. BSA represents the business to business technology providers that power companies across every sector of the economy and those are companies of all sizes. When you have to comply with laws on a state-by-state approach, companies are forced to track 50 moving goalposts. We have 22 state laws already enacted, several more awaiting action by governors and amendments that continue to go through the legislative process every day. It is a complicated landscape no matter what size your company is. I can only speak for the business to business part of the technology industry, but we think one standard is needed so that companies of all sizes know the rules and know how to comply with the goal of protecting consumer privacy so that consumers trust that their data is used responsibly.
Rep. Jay Obernolte (R-Calif.):
Right. Well, obviously I would very much agree with you. Ms. Fitzgerald, we could agree to disagree on some of these issues. You said a couple of things that I found to be kind of inflammatory and I wanted to talk about them and give you the opportunity to respond. One of the things you said is that the goal of this process of creating one federal standard should be to create a standard that's stronger than any of the individual state standards. And I very much disagree with that because we tried very hard to take a consensus approach where we took the best of what everything every state had to offer. And that would mean being somewhere in the middle, not the strongest, not the weakest, but looking at what worked. The other thing that you said that I take issue with a little bit is you said that this bill is weaker than the weakest state standard and that we would be better off to have no federal standard at all than to pass this bill.
And I do take exception to that because first of all, the weakest state standard right now is no state standard. We have 22 different state standards. That means the majority of states have zero protections for consumers when it comes to digital data privacy. How can you say that having no bill is better than the protections in this bill, even if we agree to disagree on how strong those protections should be?
Caitriona Fitzgerald:
Thank you, Representative. And thank you for the opportunity to elaborate on this. We believe at EPIC, especially where there's a broad preemption provision in this bill, that if the federal law does not exceed the protections in the strongest state law, then Congress is taking away privacy rights from Americans that they already depend on.
Rep. Jay Obernolte (R-Calif.):
Half the states, they have no privacy rights in half those states. So even if that's true, you're giving privacy rights to consumers that right now have none.
Caitriona Fitzgerald:
But privacy rights that are not necessarily meaningful. And in practice, most businesses are now offering these consumer rights of access correction and deletion to residents of 50 states because so many states have these state privacy laws that include these consumer rights. So in practice, the enactment of this bill is going to give Americans, even in states without privacy laws, very few rights that they don't already have today.
Rep. Jay Obernolte (R-Calif.):
Well, I mean, the whole goal here is to create one federal standard that gives everyone the same rights that we all believe that we should have. And I'm hopeful, Mr. Chairman, I see my time's expired. I'm hopeful that we can get to a place of bipartisan agreement on this. Obviously for this to be a lawmaking exercise, we have to get there eventually. So I hope that we can still continue having this discussion as the bill moves forward. I yield back.
Rep. Gus Bilirakis (R-Fla.):
Good enough. Good enough. I now recognize Ms. Castor for her five minutes of questioning.
Rep. Kathy Castor (D-Fla.):
Well, Mr. Chairman, I'm not going to mince words. I think this bill is an appalling betrayal of hardworking Americans. Their ability to safeguard their personal information. It's a violation would just allow violation of their privacy to continue. It wipes away laws across the country that protect privacy. It will lead to higher costs for consumers. It will further unleash insidious AI surveillance pricing. It will end state laws relating to unwanted robocalls and spam text messages and it will gut online privacy protections for kids. Ms. Fitzgerald, you have an entire section in your testimony about how the GOP Anti-Privacy Bill will make minors less safe online. We've debated this a lot in this committee. Will you expand and elaborate on that?
Caitriona Fitzgerald:
Yeah, sure. Thank you for the question. States have passed dozens of laws giving kids and teens stronger privacy protections online, both as part of comprehensive privacy laws and in age appropriate design codes and other kids' online safety rules. And this bill will take those protections away without really meaningfully replacing them. So it's an example of why I did say that I do think that passage of this bill would be a worse outcome for Americans because we know how this works. If this privacy bill passes, Congress will have checked the box on dealing with privacy for decades to come and these rules will be cemented into law. Technology is changing. We're already seeing the harms that kids are suffering, especially kids are suffering online due to the harmful business practices of big tech. And I just don't think that Congress should be passing a federal privacy law that fails to address those harms.
Rep. Kathy Castor (D-Fla.):
And it would weaken enforcement of those laws, kind of gut those enforcement mechanisms. In fact, there are many lawsuits right now that parents and families have brought against the tech companies. What would the impact be legally?
Caitriona Fitzgerald:
Yeah. The broad preemption provision in this bill would really cause chaos for those lawsuits because you're talking about school districts and parents and others going against the most powerful companies in the world. And so if those companies have an out to argue in court that their claims are preempted by this bill and that they disclosed in their privacy policy what they were doing, there's a question about whether those-
Rep. Kathy Castor (D-Fla.):
I think that is so wrong. That is so wrong to rip the rug out from under the families and kids. I mean, the evidence of harm to children online is very apparent after many years. I hear the argument. They want to hang their hat on, okay, we want one set of rules nationwide, but if you have a very weak federal standard, that's no protection at all for people's privacy, is it?
Caitriona Fitzgerald:
No, it's not. I agree that we need a federal data privacy law and EPIC has been asking that for 30 years, but we need that rule to be strong.
Rep. Kathy Castor (D-Fla.):
In fact, we had a good bipartisan compromise that we had hammered out here and I think that Americans deserve better. They really do deserve to be able to safeguard their personal private data. Some of it is very sensitive, their personal health data as well. And this would just, I think, unleash the big tech companies' ability to mine that data, make us the product with no recourse. It's kind of on theme for what this committee has done. If folks don't know what this committee has done this session, they passed out of this committee a complete ban on any AI regulation at all at all federally or for the states at all. They've also gutted our Kids Online Safety Act that is very bipartisan in the Senate. Also the Kids Online Privacy Protection Act passed unanimous by unanimous consent in the Senate and here, I don't know why the tech companies have greater influence.
They have gutted that weakened that. It just seems like it's another gift to the big tech companies. It's unfortunate that that's the tact of this committee, but I want folks to know what is going on here. I just think people deserve better. They deserve to have their privacy protected and not constantly mined and surveilled and then sold. And I'll end it there. Thank you very much.
Rep. Gus Bilirakis (R-Fla.):
Gentlelady yields back. We'll recognize Mr. Bentz for five minutes of questioning.
Rep. Cliff Bentz (R-Ore.):
Thank you, Mr. Chair. Mr. Bridegan again, just to start with you, and this is just a question I've had for years. And you say on page four of your testimony, consent is generally defined as a clear affirmative act that signifies the customer's freely given, specific, informed, unambiguous agreement to process their personal data. I don't know how many times I've quickly gone through the 26 pages or 56 pages of the consent in other situations and gone to the bottom box and checked yes. I'm just curious how you or anybody would ever suggest that we're going to get this kind of understood consent from anybody in these kind of situations.
Tyler Bridegan:
Yeah. Thank you for the question. I would like to clarify a couple, respectfully, a couple misunderstandings on how consent works in these privacy laws. So Texas has a very similar comprehensive privacy law as the Secure Data Act, particularly around consent and sensitive data. Texas is also the only state in the United States that has recovered over a billion dollars multiple times using laws that are based on consent. There's no other state that has ever recovered more than a billion dollars from a company. So consent in these scenarios is not something as simple as a click through when you see a banner at the bottom of the screen and say, accept all to privacy policies, it needs to be specific and informed. Texas courts have done a great job on explaining that each one of these adjectives has a meaning and a company needs to satisfy those specific meanings.
So at a minimum, you're going to need to be able to demonstrate that the company disclosed what they were collecting the data for and how they were using that
Rep. Cliff Bentz (R-Ore.):
Data. So if I may, I understand the desire to achieve that type of understanding, but what are the odds of that actually happening?
Tyler Bridegan:
Well, part of that relates to the enforcement mechanisms, right? So if there's actually the risk of enforcement, companies are going to take a close look at what they are disclosing and telling consumers and how they're obtaining consent.
Rep. Cliff Bentz (R-Ore.):
So let's say, if I may, the way this works, you harvest this data from millions of people. And so to suggest that these companies are going to go to millions of people and ascertain that each one has reached that level of consent seems highly unlikely. So I'm just trying to say, can you explain to me how we're going to reach that level of consent in any meaningful form?
Tyler Bridegan:
So it would be on a going forward basis, obviously, but you would, I mean, a company would need to, say if it was just a website that wanted to collect sensitive data, our position was always that it needed to be a separate disclosure and a short disclosure, not something that is mixed into a giant privacy policy that nobody reads. It needs to be something that is very clearly informing the consumer. And so you can condense that down to two sentences, but it does need to specifically state, we're collecting your geolocation data. Again,
Rep. Cliff Bentz (R-Ore.):
If I may, I don't want to be too mean to my state of Oregon, but our reading comprehensive test scores are abysmal. So I wonder how anybody is going to read these kinds of things in my state of Oregon and actually-
Tyler Bridegan:
I mean, under the law, the burden's on the company to demonstrate that they actually obtained specific informed consent. So they're going to have to be adversely arguing that with the regulator. So that is a burden shifting. It's not as simple as a notice provision, but that ultimately will fall on that burden to demonstrate that will be on the company.
Rep. Cliff Bentz (R-Ore.):
Ms. Watts, a state by state regime awards whoever has the biggest legal and compliance budget and that's rarely a new entrant. And this goes back to comments already made by previous folks. So my question is, does a privacy patchwork entrench the largest incumbents at the expense of smaller competitors? Seems to be the answer is obviously yes, but go ahead and tell me.
Ashli Watts:
Yeah, we absolutely agree that a federal framework is really the way to go for small businesses. As we have discussed several times throughout this committee testimony, the compliance for small businesses and the navigation is really cumbersome and burdensome. So we do believe that a national framework will help small businesses.
Rep. Cliff Bentz (R-Ore.):
Thank you. And I just want to thank the panel. The extraordinarily interesting conversation. Appreciate it very much. Yield back.
Rep. Gus Bilirakis (R-Fla.):
Thank you. Appreciate it. Now we'll recognize Mr. Mullin for five minutes of questioning.
Rep. Kevin Mullin (D-Calif.):
Thank you, Mr. Chair, and thank you all for your testimony today. As I mentioned earlier, I am concerned that the legislation before us today moves us in the wrong direction on data privacy. Not only does it set a remarkably low ceiling for privacy protections, it also overrides the good work that the states have been doing in this arena. As I noted, California has enacted some of the strongest privacy protections in the country, giving consumers rights over how their personal data is collected, used, and shared. These laws are now actively being used by Californians to exercise control over their data. For example, California also recently enacted the DELETE Act, which allows consumers to submit a single request directing registered data brokers to delete their personal information. Hundreds of thousands of Californians have already used this service and Connecticut adopted similar legislation just last week as I understand it.
Ms. Fitzgerald, can you discuss how the legislation before us today would affect existing privacy protections for Californians?
Caitriona Fitzgerald:
Yes, it would completely wipe out the protections in the California Consumer Protection Act, the Privacy Act, I'm sorry, the Delete Act, the California Age Appropriate Design Code. There may be the California Human Privacy Act does cover employees. That might be the only kind of piece that's left since this doesn't cover the employment situation, but all of the provisions in those laws relate to provisions in this bill. So billions of Californians would be left with fewer privacy rights than they have today and that they've had on the books for eight years now. And in our federalist system, Congress's role should not be stripping privacy rights, eviscerating hard fought rights that their state legislators have decided they should have. The Delete Act has been wildly popular. It's only been effective since January 1st and I think something like 300,000 Californians have already taken advantage of that to have that centralized deletion mechanism because we don't know who data brokers are as consumers.
So it's great that they have one place to go where they can say, "I don't want my information sold by data brokers," and that is conveyed to those companies. And it would leave Californians in a worse place than they are today.
Rep. Kevin Mullin (D-Calif.):
Thank you for that. I also want to walk through a real world example that our witnesses are familiar with. Texas recently led a suit against an insurance company that used third party apps to collect trillions of miles worth of location data from over 45 million consumers nationwide and use that information to build what has been described as the world's largest driving behavior database. According to the allegations, insurers then use that data when setting or renewing consumers' insurance premiums. Under the Secure Data Act, even if those allegations are true, the company would have 45 days to remedy the issue without any penalty, even though the data has already been collected, shared and sold. So Mr. Bridegan, again, you just mentioned Texas's biometric privacy law and the recovery of billions of dollars for consumers. As I understand it, that law and others hold bad actors accountable even if they later fix any violations.
However, the SECURE Act would give bad actors 45 days to rectify any violations with no penalty if they do, but fixing the problem going forward doesn't undo the harm that the data has already been collected, already been sold, and consumers can't get it back. So why would we want to preempt state legislation with such a provision?
Tyler Bridegan:
Thank you for that question. I think that case is actually a very fascinating example of how narrow a cure period really is. Texas has a 30-day cure period that was not curable conduct under Texas's privacy law. There's actually very few ... We've had to do a lot of thinking on what really is curable. So if you collect data about a person without their consent, how do you fix ... How do you cure that? Do you delete it? I would say you already did the harm by collecting their data without their consent, deleting it doesn't do it. If you go back and get their consent that arguably you still violated that initial provision of the law, there's not really a way to walk that back. A lot of these data ecosystems are also extremely complex and pursuant to very complex contractual agreements they're negotiated with sophisticated law firms and parties.
Those have mechanisms that can't really be completed in a 30 to 45 day window. You could say you're counterparty to the agreement, big company and you've sold that data to them, you can't suddenly void that sale of data. And if that company went on and used that data, that would also be another layer of arguably incurable conduct. I have viewed the cure period as really something that goes for more of the facial violations, not including the right language in a privacy policy, not having the ability for consumers to exercise their rights working properly. And even that one might get into incurable conduct, but ultimately that case was a very good illustration of sort of how limited the cure period really is ultimately.
Rep. Kevin Mullin (D-Calif.):
Well, thank you for that. I remain skeptical of the approach before us today and with that, I yield back. Thank you all.
Rep. Gus Bilirakis (R-Fla.):
Gentleman yields back. I recognize Ms. Lee from the great state of Florida. I'm a fellow Florida gator. You're recognized for five minutes of questioning.
Rep. Laurel Lee (R-Fla.):
Thank you, Mr. Chairman. What we are doing here today is so important. Americans should not have to surrender their privacy in order to participate in modern life and parents should not have to wonder whether a child's personal information is being collected, shared, or sold without their knowledge. The reality is that technology has changed dramatically, but many of the laws governing how we address personal information have not kept pace. I have worked along with many of my colleagues on this committee to modernize COPPA because the internet children use today looks nothing like the internet that Congress attempted to regulate in 1998. As we consider a national privacy framework, we should reject the false choice between protecting consumers and promoting innovation. We can do both and I appreciate all of you for sharing your insight about the pathway toward doing that here today. States like my home state of Florida have already shown that strong consumer protections and economic growth can go hand in hand.
We should build on those lessons by giving families meaningful control over their children's data, strengthening safeguards for sensitive information and establishing clear rules that consumers and businesses alike can trust. Mr. Bridegan, I want to come back to you. One of the major differences between the Secure Data Act and some of the existing privacy frameworks that we've been discussing here today is its requirement that companies obtain affirmative consent before processing sensitive information such as health information, biometric data, or precise geolocation data. During your time enforcing Texas privacy laws, what types of sensitive data abuses concerned you most and how does an affirmative consent requirement help us prevent those abuses?
Tyler Bridegan:
Thank you for the question, Representative Lee. When I started as heading enforcement, privacy enforcement for Texas, I did not come in expecting to be focused so heavily on geolocation data. Around that time, the New York Times had reported that several car manufacturers were collecting data from people's vehicles directly and ultimately scoring them and sending it on to insurance companies for insurance companies to charge varying rates. That I think was sort of a novel use in some ways of geolocation data and it sort of to me underscores the importance of having a law that has those tried and true mechanisms like consent that enforcers can apply to different situations as more data types and uses emerge over time. Data ecosystem is incredibly complex, but there needs to be enough flexibility and sort of reliance on those mechanisms that we've seen work in the enforcement context. Children's data I think is extremely ... It has emerged and will continue to emerge as an area that requires heightened attention.
Rep. Laurel Lee (R-Fla.):
What is your perspective on the biggest privacy risks facing children and teens today and how does requiring parental consent help get to ensuring that that minor's personal information can be kept safe and parents can stay in control?
Tyler Bridegan:
There's data being collected by children now that I think will stay with them for the next 70 years, longer. It is unpredictable how that data will ultimately be used throughout their lives. I think there has not been enough of a focus on sort of ensuring that going from that age of minority to majority, that there's some sort of clear line about what needs to happen with that data. On the age verification front, Texas has been a leader in passing children's online safety and privacy laws. Those all come back to age verification. I know Congress is pushing forward with an additional children's privacy and online safety package, which I think is a great effort because there continues to be sort of a blind spot for parents and then arguably sometimes intentionally blind spot by companies as to what is happening on these platforms.
Rep. Laurel Lee (R-Fla.):
And do you believe that parental consent in addition to those age verifications plays an important role? And if so, tell us more about that.
Tyler Bridegan:
Yes. I think it is key for parents to be in the loop on what is happening, what their children's data is being used for, and what features are allowed for children. In the social media context, there was a lot of focus from our office on sort of what different users could how they could interact with minors. And there needs to be some sort of stop gap there because there just has not been sort of a required demarcation of preventing certain interactions from like adults and minors or minors to minors in several of those spaces.
Rep. Laurel Lee (R-Fla.):
Thank you. Mr. Chairman, I yield back.
Rep. Gus Bilirakis (R-Fla.):
I thank the gentlelady. I'll recognize Mr. Veasey for his five minutes of question. Oh, Ms. Clarke is back. Okay. We'll recognize Ms. Clarke. You're recognized.
Rep. Yvette Clarke (D-N.Y.):
Thank you, Mr. Chairman, and good morning to both you and Ranking Member Schakowsky, my colleagues, and thank you to our panelists of witnesses for joining us today. Anyone familiar with the work and history of this subcommittee knows that for years I've been stressing the importance of a comprehensive federal privacy framework. While I can appreciate the title of today's hearing, I must address the fact that the legislation before us today is a nonstarter for comprehensive privacy and data security. In front of us is a piecemeal attempt at protecting Americans online and to be clear, naming a bill the Secure Data Act by no means qualifies it as a comprehensive privacy bill. A privacy bill should actually protect privacy. To level set today's hearing, we must acknowledge that my colleagues on the right have not only been unserious about Americans' online safety, they have been actively working against it.
Let me remind us all that the party backing this legislation is the same one who has tried to illegally fire the Democratic FTC commissioners, is insistently promoting sweeping preemption of state AI laws, and continues to prioritize big tech over people. Sorry, but I don't trust this proposal as a good faith attempt. It wasn't too long ago that House Democrats and Republicans were able to come together and form the bipartisan AI task force that produced a comprehensive report with the intention that it would guide the 119th Congress on the necessary next steps at regulating AI. My colleagues and I have worked to advocate for the inclusion of civil rights priorities in the bipartisan report and while it could have gone further, I was proud to see that the task force report emphasized the different biases that AI can hold and how that may affect consequential decisions that AI occasionally is employed to make.
I'm beyond disappointed to see that the Secure Data Act has not only walked back on any effort to protect American civil rights online, but has gone as far as to narrow the scope of protections, water down the definition of consequential decision making and preempt state civil rights laws. When Congress works to stymie or dumb down privacy protections and technology safeguards, it is working against the public interest. This bill maintains the status quo. Big tech data brokers will carry on business as usual collecting and using people's data, whether they know it or not. Now more than ever, we should be holding companies responsible for failing to keep us from harm when we go online, to live up to their promises when they say they care about our privacy and to hold them to their commitments to ensure that AI systems they create are safe. I implore my colleagues to recognize that this bill is just not it.
This bill will do nothing to prevent or mitigate harm caused when the data collected and used by company drives discriminatory decisions and will only further harm black and brown Americans who will continue to have their data used against them. I move to enter into the record this letter from the Leadership Conference on Civil and Human Rights into the record.
Rep. Gus Bilirakis (R-Fla.):
Without objection, so ordered.
Rep. Yvette Clarke (D-N.Y.):
Well, I thank you, Mr. Chairman, and with that, I yield back.
Rep. Gus Bilirakis (R-Fla.):
Now I recognize Mr. Fulcher, the vice chairman of the subcommittee, for his five minutes of questioning.
Rep. Russ Fulcher (R-Idaho):
Thank you, Mr. Chairman. The purpose of the SECURE Act is to provide consumers more control over their personal data and create a uniform national framework. The bill does not include a private right of action and we've seen downsides of litigation abuse in the privacy space in other cases historically. Currently, opportunistic law firms have filed over 4,600 suits nationwide claiming that ordinary internet activities, the use of cookies and pixels and bots and analytical tools constitute wiretapping under various state laws. It's been more than 3,000 of these suits have been filed just in California alone. I'm going to just fast forward here, but we've got a situation where one plaintiff has filed 30 lawsuits claiming wiretapping by roofers, plumbers, general contractors, HVAC, employees, and so on. Another one has filed 38 lawsuits against Rocket Mortgage, Marriott, HP, Frontier, and Williams Sonoma. There's many more examples like that, but you get the picture of the issue I'm trying to bring up here.
Question for Ms. Watts. In your written testimony, you mentioned that private rights of actions are used to target small businesses who are incentivized to settle cases as opposed to engaging in the costly litigation. Do you think that if the SECURE Act did not contain federal preemption, that we'll see a growth in litigation and privacy suits? And just more generically, what are your thoughts of the ramifications if the SECURE Act did not have federal preemption?
Ashli Watts:
Yeah, thank you for that question. I think it's important to note that 22 states have not had private right of action in their legislation. It wasn't even taken out of the legislation. It was never included in the first place. We hear stories from small businesses all the time from other states where they are being targeted by the trial bar. And instead of going through a costly legal system, they're settling for 10,000, $15,000 because it's easier to do that than to fight that lengthy court system. I think it's also important to note that there is recourse in this bill and actually in Kentucky that would be strengthened. Right now in Kentucky, our recourse is to go to our state's attorney general, Russell Coleman, who absolutely has been very communicative with business and with consumers as well on how to, if there is an issue, to complain to his office.
He is a former US attorney, he is a former FBI agent. He very much wants to protect consumers and especially children as it has been mentioned throughout this testimony. I also think it's really important that we make sure that this bill, it's clear that it is not going to protect bad actors. In addition to states going through their attorney generals, there is also the recourse of going to the FTC as well. For a state like a Kentucky that has passed a state law, right now our recourse, kind of our pathway would be to go to the state's attorney general. Now consumers could go to the attorney general, but also the FTC as well. So I think it actually strengthens the protections of the states that already have these bills in place.
Rep. Russ Fulcher (R-Idaho):
Thank you for that. I appreciate your comments. Mr. Bridegan, when professional plaintiffs file lawsuits and there's no demonstrable harm, what's the impact to that? And I want to just preface my question by just sharing that I worked in the tech sector before this portion of my life. And as a matter of course, when an officer of the company would sell stock, whether it was in the window of time where that was allowed or not, there would just be a flurry of lawsuits that got filed automatically. And so there truly are professional plaintiffs out there, but when those lawsuits are filed and there's no demonstrable harm, what's the impact of that?
Tyler Bridegan:
Yeah, thank you for the question. Back in private practice, we've had to deal with this a lot and it comes in waves and I think underscores both the risks of a private right of action, but also the risk of not having a uniform standard. So using wiretap litigation as an example, that is legal theories crafted by the plaintiffs' bar to essentially claim that someone's privacy rights are violated. It's an unfortunate model where many of them, and this happens in the ADA website compliance and TCPA litigation as well, where they will price this opening offer settlement so low that it's more than, or I'm sorry, the opening settlement offer is less than what it would take for a company to retain a law firm to respond to the lawsuit. So they're getting these five, 10, $15,000 on behalf of single consumers over and over and over from oftentimes several companies will have multiple filed against them in any one time.
It's very distressing for particularly small. The targets of those are, as Ms. Watts explained, oftentimes small, medium-sized businesses that do not have the resources to retain and fight those lawsuits.
Rep. Russ Fulcher (R-Idaho):
Thank you for that. Mr. Chairman, I yield back.
Rep. Gus Bilirakis (R-Fla.):
Gentleman yields back. I'll recognize Mr. Veasey for his five minutes of questioning.
Rep. Marc Veasey (D-Texas):
Thank you, Mr. Chairman. Obviously there are a lot of things about this bill that really worry me. Obviously we need to do something about data and privacy. I think that everybody agrees on that, but again, there are just some worrisome language in this bill and I just specifically want to ask if Ms. Fitzgerald could answer this question. I don't think this bill explicitly bars the FTC from enforcing its own civil rights provision and can only pass complaints to other agencies. I was wondering that if a company is using personal data to deny someone a ride or a loan or a job based on race or religion or political views, who exactly is going to enforce that? Because that's what I kind of don't understand.
Caitriona Fitzgerald:
Yes, that is of every problematic provision in this bill, one of many. And it's unclear who a consumer would go to if they are discriminated against online. It points to other agencies that the FTC would refer those cases to, but the FTC has historically had that authority to protect consumers when data is used in ways that discriminate against them.
Rep. Marc Veasey (D-Texas):
Yeah, that's really interesting. If a company is caught misusing data to discriminate based on someone's race or religion or politics to give them a job, I know that the bill gives them a 45-day grace period to try and cure exactly what's going on so they can say that it's fixed no matter how serious the violation may be. And I was wondering why is it important for a company to get a free pass just because they promise not to do it again?
Caitriona Fitzgerald:
Yes. The right to cure in this bill is mandatory. Many states that have included rights to cure have either sunsetted them after a couple of years after the bill comes into effect so that companies have a chance to catch up on compliance for the first couple of years and then it goes at sunsets or they make the right to cure discretionary so that enforcement authorities can look at a specific case and see that it's curable or decide not to move forward that if the violation rises to that level. So I think that those are options that were not included in this bill and that could have been. And something else that's missing from the SECURE Act is the strong civil rights protections that were included in the American Data Privacy and Protection Act and American Privacy Rights Act that prohibited personal data from being used in ways that discriminate against Americans in many ways.
Rep. Marc Veasey (D-Texas):
Yeah. I was wondering from some of the other panelists, does it bother you that there's no language in there to help in those areas of civil rights? And just jump in, I would be curious. I mean, to me, this all seems very problematic.
Kate Goodloe:
We agree this is a really important issue. And in the past, the Business Software Alliance has called for legislation that addresses AI related issues, including this one. We have though deferred to Congress on whether to combine that with privacy legislation or to address it through standalone legislation. We know it is difficult to pass a federal comprehensive privacy law and we want to see progress on that. So it is something where we have really looked to leaders and Congress to decide how best to move these issues forward.
Rep. Marc Veasey (D-Texas):
Okay. Well, thank you very much. Speaking of that sort of puts the burden on individual consumers to request the deletion of their data, particularly if someone had no idea that their data is being used to profile them and deny services, how would someone be able to make that kind of request on their data?
Caitriona Fitzgerald:
Yeah.
Rep. Marc Veasey (D-Texas):
Please.
Caitriona Fitzgerald:
Yeah. So companies in their privacy policy are required to explain to consumers how to exercise their privacy rights. So if it's a company that they interact with directly, a social media company or a retailer's website, they would go to the website and either submit a form or email the company to ask to delete their data. The problem is that there are so many companies that most consumers have never even heard of that are gathering our data every minute of every day. And so they don't know that those companies exist to go to them and ask to delete their data.
Rep. Marc Veasey (D-Texas):
Yeah. And my last question, is it problematic that people will sometimes just click on the box to give people consent? Because I'm worried about that. It's almost like when people clicked on boxes before and they didn't know they were waiving the right to go to trial, is that a problem that people are just basically clicking this box to give consent a little popup box so they can sort of keep moving along without knowing exactly what they're clicking on and is that a fair and transparent way to help consumers?
Caitriona Fitzgerald:
I don't think so because even if they know what they're agreeing to, there's no choice not to agree. Usually the proceed button is grayed out until you check the box saying, "I agree to these terms." So that is not a real choice at all.
Rep. Marc Veasey (D-Texas):
Yeah. Oh, thank you very much. Thank you, Mr. Chairman.
Rep. Russ Fulcher (R-Idaho):
Thank you. The chair recognizes Mr. Goldman for five minutes, please.
Rep. Craig Goldman (R-Texas):
Thank you, Mr. Chairman. First, let me thank my desk mate today, Dr. Joyce. Thank you so much for your leadership on this. For those of you who don't know, Dr. Joyce and his staff have put insane amount of hours into this and I just want to thank you. It's been an honor to work with you on this. As a member of the Privacy Working Group, I'm proud to co-sponsor the Secure Data Act, which is based on consensus privacy laws like those in my home state of Texas. Mr. Bridegan, thank you for being here. Great to see a fellow Texan. Thank you for your work on data privacy and security. If the Secure Data Act becomes law, would Texas still be able to hold bad actors accountable?
Tyler Bridegan:
Yes. I think to Ms. Fitzgerald's point, the consent mechanisms at the end of the day, that shifts the burden to companies to demonstrate to the government. If they can't do that, it's somewhat a side note whether the consumer understood or not what was contained in that consent provision. It fundamentally shifts the onus onto companies to be able to demonstrate that to the government. Compare that to California, which is the only state of every state that has passed a privacy law that does not require consent. This was alluded to earlier. I think Ms. Fitzgerald's point, in California, by default, as long as a company includes notice of what they're doing with their privacy law, I'm sorry, with sensitive data in their privacy policy, they are allowed to collect, use, process, sell, whatever with that sensitive data. It is a sort of, I would say, arguably lowest standard for sensitive data of any privacy law in the world at this point.
Every other state strengthened that requirement with consent. Some states have taken it further to go to a full on ban, but I would say that even goes further than the GDPR on that front.
Rep. Craig Goldman (R-Texas):
Super. And based on your experience leading privacy enforcement in Texas, can you explain why state attorneys general and the Federal Trade Commission would be better equipped than private trial lawyers to enforce federal privacy laws?
Tyler Bridegan:
Yeah. I alluded to this earlier. The wiretap litigation is a really good example of how there's this sort of different interpretation of privacy laws that is inconsistent with, say, take the California wiretap law compared to California's privacy law. Those provisions, if you comply with California's comprehensive privacy law, that does not immunize you from suit by private plaintiffs. So there's companies that were having to divert resources to limited resource dollars for privacy compliance to focusing on these class action private litigation as opposed to implementing requirements that would be required under California's privacy law. These laws also give government regulators an immense amount of discretion. If say a company doesn't include specific language in a privacy policy, should they now be hauled into court and sued by individual plaintiffs? I would argue that's not really protecting privacy and taking dollars away from actually making sure compliance programs are up to snuff.
Alternatively, because of the cure period, because these are highly technical laws, those are much more sort of attuned to government interpretation in sort of the injunctive nature that comes along with government enforcement as opposed to a larger focus on obtaining a monetary settlement.
Rep. Craig Goldman (R-Texas):
Right. Thank you. Ms. Watts, thank you very much for coming. Throughout your testimony, you explained that small businesses are increasingly dependent on data technology and online commerce to compete and grow. Can you explain why the Secure Data Act is important for the success of many small businesses, both in my district and Texas and around the nation?
Ashli Watts:
Yes. Thank you for that question. As I said, most of our members of the Kentucky Chamber of Commerce are small businesses and they want to grow their businesses. They want to take those businesses outside of the Commonwealth and get consumers and customers from all over the nation. And so having a patchwork of laws is very cumbersome and burdensome to them. So really what we have been saying is the 22 states that have these comprehensive data protection laws, really we don't need to reinvent the wheel. We can use what we've done in 22 states that have protected consumers first, but also had businesses have a clear set of guidelines to follow nationwide. I think it's really important for small businesses in particular to be able to grow their business. And as we know, we are a digital world. I know myself as a working mom of two, I do most of my shopping on my phone.
That is really important to businesses. We had a small business member that is a member of the US Chamber of Commerce say that if all of the data was gone and kind of this technology ceased to exist, it would be another pandemic for him. So I think we cannot underestimate the power of technology and data for our small businesses to really grow and flourish like we all want them to do.
Rep. Craig Goldman (R-Texas):
Thank you very much. I appreciate it. I do want to thank everyone for being here. It's always great to have a full house and the general public here attending this hearing. I specifically want to point out we have two young Americans. They've been sitting here on the front row the entire hearing without their phones, without playing games. I just want to thank y'all for being paying attention the entire hearing. So thank y'all very much for being here, especially. Thank you, Mr. Chairman.
Rep. Russ Fulcher (R-Idaho):
Thank you. We can all take a lesson from that. Chairman, I recognize as the representative from Illinois, Ms. Kelly, please.
Rep. Robin Kelly (D-Ill.):
Thank you, Chair Bilirakis and Ranking Member Schakowsky for holding this morning's hearings and thank you to our witnesses for participating. As has been said, Americans want a strong privacy act, but the Secure Data Act does not quite meet the mark and preempts the stronger protections already in place in the states. This piece of legislation keeps a notice and consent model in place where a company can collect and use data for almost any purpose as long as it lists that purpose somewhere in a privacy policy. Almost no one reads those policies and the few who do cannot reasonably understand them in many cases. This is not true consent. Ms. Fitzgerald, you stated that under this legislation, a company can bundle a necessary purpose like processing a payment with an unnecessary one like selling data into a single set of terms. When a consumer clicks accept, do they have any real way to know what they just agreed to?
Caitriona Fitzgerald:
I think it is difficult for consumers to ... I'm a privacy advocate. I still don't read all the privacy policies. You would do nothing else with your time if you read all the privacy policies for everything you used. So while consent is an important piece of consumer protection, it shouldn't be the only thing standing between consumers and the collection and use of their data. There should be obligations on companies to limit how much data they're collecting and how they're using it. Because if the only protection is at the end of a long privacy policy, there's a checkbox for accept and I have to check it in order to use the website or app, that's not a meaningful protection. That leaves me with no choice in modern day society. There's just so many apps that we have to use. And also I want to highlight that there are protections in many state laws in terms of what consent means that were not included in this bill.
The protections that Mr. Bridegan mentioned about making sure that consent isn't just acceptance of broad terms and conditions or prohibitions on dark patterns. There's nothing in this bill prohibiting dark patterns. So that means that a company can just have one big, brightly colored accept button and then disagree is in small font and requires toggling a dozen buttons. So you want to make sure that when you are using consent, it's meaningful and that it's not the only protection for consumers.
Rep. Robin Kelly (D-Ill.):
Thank you. Ms. Goodloe, your members write the privacy policies and consent screens consumers see every day and your testimony says that federal law should help people trust their data is used responsibly. That trust depends on people understanding what they agree to. What standard would your members support to make sure consumers actually understand what they are agreeing to?
Kate Goodloe:
Thank you for the question. And before I respond, I want to clarify, I represent the business to business part of the technology industry. I know we've talked about the technology industry more broadly. I represent BSA members who are a very specific part providing business to business technologies to companies of all sizes across every industry sector, things like cloud computing, software that can track inventory and keep track of customer service inquiries, these sort of backend functions that everyday businesses across the economy rely on. Very often it is those other companies, the consumer facing companies who are creating this sort of privacy policy to tell consumers what they're going to collect from the consumer, how they're going to use that information. I think the bill that is before this committee today reflects both of those roles by being anchored in this longstanding distinction between controllers who decide how and why to collect data and processors who handle it on their behalf.
When we step back and look at the consent requirements that apply to those controllers, the ones who are deciding why do I collect a consumer's data, how am I going to use it? I think that is a longstanding and very important topic in the broader conversation about privacy legislation and the right set of safeguards that are put on how companies collect and use consumers' data. I think there has been a concern that consumers are sort of bombarded by consent requests and that ends up in the situation where they're unable to read all of them. At the same time, consent is an important guardrail and consumers do want to know when companies are collecting very sensitive types of data and know how companies intend to use that data and be offered that choice. This bill requires consent to collect sensitive data as some of the other witnesses have mentioned that is stronger than the law right now in California.
But I think the goal of privacy legislation is to make sure that that consent is meaningful and consumers actually have a choice about the things that matter most to them.
Rep. Robin Kelly (D-Ill.):
Thank you so much and thank you to all the witnesses I yield back.
Rep. Russ Fulcher (R-Idaho):
Thank you. And the chair recognizes Representative Fry for five minutes, please.
Rep. Russell Fry (R-S.C.):
Thank you, Mr. Chairman. I've found myself in this working group just kind of really interested in diving into the legalese of what states are doing, how they operate, the lessons learned. I served in the state legislature and we often borrowed good ideas from other states and we shunned ones that were not successful in other states. And this was, I think, no different when you're looking at this. Ms. Watts, what do you think is important here in what are the competing interests, excuse me, what are the competing interests that exist when you were debating this in the Kentucky legislature? It seems to me that the competing interests are privacy, right? Citizens right to their data maybe, but also innovation, small business entrepreneurship, that seems to be kind of the rub between the two sides. Is that fair to say roughly?
Ashli Watts:
Yeah. Thank you, Representative Fry, for that question. We passed this bill back in 2024 and you as a former state legislator know that sometimes it does take a couple years to get the right bill. We worked for several years with a broad coalition and I often say, I know many of you work with your local or state chambers of commerce. If the chamber of commerce had one superpower, it's the ability to convene and find consensus. We bring groups of all different shapes and sizes and sectors to the table to really find a feasible path forward. And that's exactly what we did with House Bill 15 back in 2024.
Rep. Russell Fry (R-S.C.):
So you worked with stakeholders, right? With different ideas on what is acceptable and what is unacceptable and they were not always aligned. Is that correct?
Ashli Watts:
That is correct. I mean, I said earlier, I've been doing this job for 14 years and very rarely have I ever passed a bill unanimously through the Kentucky General Assembly, but this was one of them. So you're exactly right. It was the balance of consumer protection, but also business innovation.
Rep. Russell Fry (R-S.C.):
Isn't that the balance that we have? Isn't that the balance that we have right now, Ms. Goodloe, right? I mean, to your point, you have multiple states that have done this. California's model seems to be modeled after the European model more than it does some other states. Would you characterize it that way, Ms. Goodloe?
Kate Goodloe:
Thank you for the question. I think California has a different approach than the other 21 state consumer privacy laws. And California took the important step of adopting the United States' first state-level comprehensive privacy law back in 2018, but we haven't seen anyone copy it since. The model that has been widespread throughout the states where it's had common agreement is this model that has a core set of rights, a core set of obligations for companies to make sure that their data is used responsibly and it's regulatory led enforcement. And that's the model that we see in the Secure Data Act.
Rep. Russell Fry (R-S.C.):
Do you know what happened in Europe after they passed the GDPR model? What happened to investment in Europe and tech? Do you know? Ms. Watts, would you care to-
Ashli Watts:
Yeah, I would like to comment on that. Recently, the European Commission has said that the overregulation has harmed their economy and when every day we talk to our consumers, our businesses about affordability, I do think it's a great concern to be going down the path of what Europe did with privacy.
Rep. Russell Fry (R-S.C.):
Yeah. In fact, there was a National Bureau of Economic Research found that the GDPR that took effect in 2018 has seen technology startups decline in Europe. And so when we talk about competing interests, when we talk about this in a global economy that we have, what Europe did might have been an overreaction to a problem and maybe what California did was an overreaction to a problem. So states like Kentucky seem to be trying to find the right balance. Is that fair to say?
Ashli Watts:
I think it's absolutely fair to say, and like Ms. Goodloe said, I think it's very important to note that California and no other states have passed the California model. We're pretty proud that many states have passed the Kentucky model. So they were the first,
Rep. Russell Fry (R-S.C.):
But everyone said, we don't want any part of that.
Ashli Watts:
It doesn't work for business. It doesn't balance those rights to consumers as well as let business flourish and innovate, which is what we want them to do.
Rep. Russell Fry (R-S.C.):
Ms. Watts, why do you think it's important that this bill, the federal bill, have a strong preemption on privacy laws?
Ashli Watts:
I think it's important so that businesses know what rules to follow. And like we've mentioned before, large businesses have teams of attorneys and privacy officers and they can usually navigate the complexity of various state laws. I represent mostly small businesses who do not have that. They are dealing with workforce issues with inflation and affordability and all the things that small businesses deal with every single day. So
Rep. Russell Fry (R-S.C.):
If you're a big, big tech company, you've got the lawyers to be able to navigate a 50 state patchwork of laws, right?
Ashli Watts:
Yeah, of course. They have.
Rep. Russell Fry (R-S.C.):
You and I decided to put a hundred bucks into the collection plate and start up our own tech company. Would we have those same financial resources to navigate 50 state laws?
Ashli Watts:
Absolutely not.
Rep. Russell Fry (R-S.C.):
So we stifle innovation if we don't do something about this.
Ashli Watts:
Correct.
Rep. Russell Fry (R-S.C.):
Thank you to that, Mr. Chairman. I yield back.
Rep. Russ Fulcher (R-Idaho):
Thank you. The chair recognizes the gentle lady from Washington. Ms. Schrier, please.
Rep. Kim Schrier (D-Wash.):
Thank you, Mr. Chairman. Congress has talked for years about passing comprehensive privacy legislation to give consumers the ability to keep their data private and secure. And so I'm really glad we're holding this hearing today to discuss policy that we're long overdue in passing and I appreciate all of your comments. The internet basically runs on your data. There's the old adage. If something is free, then you are the product. And I think we should all keep that in mind. Just about every app, every site, every interaction online is collecting personal data that companies can use and sell to their financial benefit and not necessarily or not at all comparably to yours. And it is almost impossible to track exactly when your data is being collected and certainly impossible to track where it goes afterwards and for what purpose, who's getting hold of it. And that's why an enforceable right to privacy is so important.
But a national standard, although I understand the importance of preemption, it's useless if it's weak and it doesn't actually give consumers control over their own data. And in fact, a national standard can be actually actively harmful if it overrides or fails to adequately replace the protections that have been passed already in dozens of states. That would certainly be true for Washington State, which passed the My Health, My Data Act into law in 2023. And this law protects Washington residents' health data beyond the limits of HIPAA. HIPAA protects patients by preventing healthcare providers from sharing or selling your data, but it doesn't prevent other companies from tracking, analyzing, selling your health data that they collect in other ways. Like HIPAA doesn't cover health tracking apps or wearable devices that are collecting unprecedented amounts of your biometric data. It doesn't cover companies using your data to infer health conditions from your purchasing history.
I think we all remember people getting advertisements for cribs when they started buying prenatal vitamins at a certain large retailer. But the My Health My Data Act does and it's been an enormous step toward giving Washington residents privacy when it comes to their health. It has strict data minimization standards and assures that companies have to gain explicit authorization to collect and sell personal health data. And specifically that authorization cannot be part of a broad terms of use agreement or through any kind of hidden or deceptive means. So that means it can't be buried in just a long legalistic notice that no one ever reads or hidden behind a complicated menu of options. But the Secure Data Act would override this state law and its health protections are not nearly as robust as Washington State's. So I fear that this would be a net loss for my constituents and this would happen in a patchwork of states across the country.
Ms. Fitzgerald, thank you for all of your comments. Can you speak to the kinds of robust protections and data minimization standards that you would like to see for health data specifically?
Caitriona Fitzgerald:
Yes. Thank you for the question. There was just a discussion of whether GDPR and California overreacted to the problem. I think it's important that we also don't underreact to the problem. People are being harmed by these data practices every minute of every day and health data is a really good example of that. So any federal privacy law should require that the companies collecting that data, limit it to what's necessary, line it up with what the consumers expect and then make sure that not only that the collection is limited, but also those uses because often it's the secondary uses of our data where the harms really happen. We expect our fitness tracker to collect our health data and provide those services, but if they're selling it to third parties, that's where the harm really, really happens.
Rep. Kim Schrier (D-Wash.):
That's right. And we've seen this with ability to get life insurance, health insurance, the ability to get car insurance when our data gets sold without our authorization. Some of what concerns me about the Secure Data Act is that it places so much of the burden on consumers to navigate all these different opt-out options to protect their data. And the functionality and the ease of use is really going to make the difference here. I think more burden should be put on the companies that have been profiting off this data to protect this data. And I really appreciate that the bill commissions a study on universal opt-out mechanisms, but I think we need to take more action than just a study. And the reality is that Congress is playing catch up right now to the states and I'm glad we're having this discussion. But as Ms. Fitzgerald, you noted in 2022, we had a stronger bill and I think it's time to return to that.
We can do better. We should do better and I yield back.
Rep. Russ Fulcher (R-Idaho):
Thank you. Chair recognizes Representative Cammack for five minutes, please.
Rep. Kat Cammack (R-Fla.):
Thank you, Mr. Chairman. Thank you to our witnesses and all our guests here today. It's nice to see the committee room packed full. I'm going to start with you, Ms. Goodloe. In your testimony, you state that the Secure Data Act reflects the modern economy by recognizing different roles and responsibilities with respect to data, especially differences between controllers and processors. Can you discuss how the Secure Data Act distinguishes between these roles and responsibilities, why it's important to do so, and for folks watching at home the difference between the two?
Kate Goodloe:
Yes. Thank you very much for the question. This is a core issue for our members who are the business to business technology providers that are competing to provide privacy protective and security protective services to other companies. The distinction between controllers and processors is longstanding, widespread, found in every state privacy law and it underpins modern privacy laws worldwide. It matters because if you conflate controllers and processors, you end up creating privacy risks for consumers. It's important to know that controllers are the companies that decide how and why to use a consumer's data. Processors are the companies that handle that data on behalf of another company. So one example is if you join a gym and the gym keeps your data in the cloud because it's not going to keep it in a file cabinet, the gym is deciding how to collect your data, why it's going to use that data and it's giving it to the cloud storage company to handle it as the gym says on its behalf.
So the cloud storage company is a processor here. If we conflate these roles and the privacy law starts assigning the wrong obligations to the wrong type of company, what we've seen is it can require that cloud storage company to start looking at all the membership data that the gym stores with it. And we don't want that. The goal of a privacy law should be to minimize how companies review data and not require them to start looking at data that they otherwise would not. And that can happen when we conflate these roles that really goes against the goal of privacy legislation.
Rep. Kat Cammack (R-Fla.):
Excellent. Thank you for that. That's a perfect dovetail into my next question. So I'm going to start with, I'm a very proud Floridian, go Gators, proud to represent the real Gator nation. And so many people on this committee know that I'm always talking about my Gators. So I am very pleased that this legislation, the Secure Data Act, is building on existing state privacy and data security frameworks like those that we have across the country, but in particular the Sunshine State. So less than half the country has comprehensive privacy laws in place. And I believe that every American should benefit from the rights and protections that Floridians enjoy every day. So I'm going to start with you. I'm going to mess up your last name, so I'm going to try really hard. Pritagon? Sorry. Can you share more about the consumer protections and rights that are laid out in the Secure Data Act and why it's important that we have a uniform federal framework?
Tyler Bridegan:
Yeah. I think the data minimization point is a really interesting one and hearkening back to the consent piece that we've been talking about, because of consent that, although it's a somewhat amorphous standard, we know what it doesn't look like. I think we had some great examples of it does not look like that disclosure at the end of a privacy policy that requires to click a box. Again, consent interacts with data minimization in a really interesting way, which we saw from the enforcement lens. Data minimization is somewhat not needed for sensitive data because you have to have consent, unless a company is actively able to get that consent. If they collected that data without that consent, they're in violation of the law. It doesn't matter whether they needed it or not. So that is a point just to keep in mind that these provisions are all interacting with each other.
Also, data minimization is a frankly more difficult provision to enforce. It is also a somewhat amorphous standard and sometimes hearkening back to consent again, if someone violated the consent provisions, I would rely on that as an enforcer to point to that they violated the law. I would not necessarily need to. I could add on a violation of data minimization, which is what California recently did, or because California does not have consent protections for sensitive data in the recent settlement with a vehicle manufacturer a couple weeks ago, they had to rely on their data minimization violation.
Rep. Kat Cammack (R-Fla.):
Well, and I know you want to finish that thought, so I'm going to ask you to finish that thought in writing because I want to do a quick rapid fire across the whole panel. When we're talking about data and data privacy, when it comes to a consumer, should they have the option to opt in or out when they're signing up for a service? And I'm just going to start with you and we'll go down the line, opt in or opt out?
Tyler Bridegan:
For both data, for sensitive and nonsensitive?
Rep. Kat Cammack (R-Fla.):
Let's just go broadly and say nonsensitive.
Tyler Bridegan:
Nonsensitive, that would be an opt out.
Rep. Kat Cammack (R-Fla.):
Okay.
Caitriona Fitzgerald:
The company should have to limit what they're collecting and using. It shouldn't all be on the consumer.
Rep. Kat Cammack (R-Fla.):
So they should be forced to ... So consumers should opt in
Caitriona Fitzgerald:
They should not be presented with constant popups that will make their internet experience unusable.
Rep. Kat Cammack (R-Fla.):
Okay.
Ashli Watts:
Our bill in Kentucky would be opt-in.
Kate Goodloe:
Okay. For non-sensitive data, I think opt-out has been the standard in part to avoid having too many consent requests going to consumers.
Rep. Kat Cammack (R-Fla.):
Okay. I'm going to say, Ms. Watts, I'm with you on this one. I think there should be a blatant opt-in in order for people's data to be shared. But I have a final question. I'll submit it for the record. I appreciate y'all's prompt responses. Thank you. I yield. Thank you chair.
Rep. Russ Fulcher (R-Idaho):
I recognize the gentleman from Florida, please. Mr. Soto, for five minutes.
Rep. Darren Soto (D-Fla.):
Thank you, Mr. Chairman. Americans are desperate to take back our privacy rights. For generations, people conducted transactions without a trail of their personal data left behind. Imagine when I was a kid going to major retail stores or to the mall or all these other places and they didn't get your biometric data, they didn't get your religion. They didn't get so many different things that now we have to protect. But now that we're online, every transaction leaves a long trail of breadcrumbs and it has fundamentally changed the dynamic between consumers and businesses. Americans want to own their own personal data. We want more control over it. We want to protect it from misuse. That's why we have so many people here today sharing those same values and we especially want to protect our kids. The personal data that is recognized as sensitive is a good list.
I do agree with it. Health and DNA data, geolocation, calendar, children's data, religion, immigration status, ethnicity, and others. These are things that people should be able to protect if they want to. Yet the enforcement is lacking. Rules without a strong enforcement is like a tiger without teeth. No cause of action means we can't have a strong cause of action without ... We need a strong cause of action and preemption together that's reasonable. If you do one without the other, you could actually have really unintended consequences. So if you have strong preemption, but then you block state causes of action and you have no federal relief, then you've actually just shut the door on a lot of these states we've heard from both Kentucky and Texas today on their regimes that they have. And then when you look at what the FTC can do, they really can't take meaningful action in this bill.
They can't address civil rights issues or protect personal data. They can refer it to attorney generals. And this is where I get deeply concerned about the bill. If you leave this all to state attorney generals, you're going to have different enforcement by different attorney generals by how aggressive they want to be and how much they want to deal with thousands and thousands of complaints. So you go from a patchwork of laws in the states to a patchwork of enforcement, depending on what the attorney general wants to do. I know a lot of states, they've done these privacy laws but have not included a private cause of action. My own state of Florida, although there are three common law privacy claims that you can make like appropriation, intrusion, and public disclosure of private facts. But I noticed Kentucky and Texas, no cause of action either. And so we're giving a lot of work to the state attorney generals and I worry that whether they're going to be equipped to handle this kind of volume.
My opinion, we at least have to have injunctive relief and attorney's fees available so that most people can't afford to hire an attorney just to do some personal data violation that they have. And you need to make sure you could take down the information that you want to take down. And so we could argue about anything beyond there, about proper compensation, whether we have it or not, but injunctive relief and the ability to make sure you can hire an attorney is absolutely critical if we're going to have stronger preemption provisions on the federal level. And I get it. This is interstate commerce. It's the internet is flowing through different states. And so first, Ms. Fitzgerald, what happens when consumers face violations of their privacy but they can't go to court to fix it? What are you seeing across the states right now? How quickly can they get their data offline?
Caitriona Fitzgerald:
Yeah, unfortunately without a private right of action, there's little they can do. And I think it's really important when we're talking about a private right of action to recognize that it's not an all or nothing proposition. We can talk about small business carve outs for private right of action. The bipartisan bill that passed this committee on a vote of 53 to two included a compromise private right of action that focused on injunctive relief and actual damages to avoid some of the issues that were raised earlier. So I think if both sides come to the table and we can come up with a compromise, there are ways where individuals would have the ability to enforce their privacy rights as opposed to what's in this bill right now, which is they're left without a remedy.
Rep. Darren Soto (D-Fla.):
I'm glad you mentioned the small business exception. So we're not talking about someone with one little website that makes a mistake. They're one of your local barbershops or general stores or other restaurants or retail establishments. So where do you think the small business exceptions should fit in? Because that's very important.
Caitriona Fitzgerald:
Yeah. States have been considering private rights of action. It has struggled to get across the finish line, but one option is set a revenue threshold or set a threshold of companies that only collect over X amount of personal data and only have the private right of action apply to them. Because as you mentioned, state attorney generals are under-resourced, overworked. And if you're talking about cases against some of the biggest companies in the world and they have two or three assistant attorney generals in a privacy division, you're talking about five years of those people's time and that's going to be taking up their entire workload-
Rep. Russ Fulcher (R-Idaho):
Time’s expired.
Caitriona Fitzgerald:
To enforce.
Rep. Russ Fulcher (R-Idaho):
Thank you. And the chair recognizes gentleman from Ohio. Mr. Balderson, for five minutes, please.
Rep. Troy Balderson (R-Ohio):
Thank you, Mr. Chairman, and thank you all for being here today. My first question is for Mrs. Watts. Good afternoon. Last Congress, this committee considered data processing rules or data minimization standards that were equivalent to Europe's burdensome general data protection regulation. According to economic analysis, if the US were to adopt European style data standards like some are proposing, it could cost the US up to $123 billion and cost up to 340,000 jobs. Can you discuss the impact that strict European style data standards would have on businesses, especially small and main street?
Ashli Watts:
Absolutely. Thank you for that question. Representing small businesses in Kentucky, which obviously borders your great state, we are really proud to make sure to protect small businesses in our state law in Kentucky. We know that the European Commission has now said that the overregulation has actually harmed their economy. I know much like you, which borders our state, we are dealing with affordability and the cost of small business to just keep their businesses open every day and we really can't risk that. So we definitely do not need to go down the path of having a European style model that they have now been on record of saying the overburdensome regulations have harmed their economy. You quoted it yourself, it could cost up to 340,000 jobs. We absolutely do not need that in the United States.
Rep. Troy Balderson (R-Ohio):
Thank you very much, Ms. Watts. I appreciate that answer and we love Kentucky. Ohioans do. My next question is for Mr. Bridegan. Thank you for being here, sir. Also. Some advocates argue that these European style data standards are necessary to protect consumers. In your opinion as a former privacy and technology enforcement official, what effects would adopting those stricter European style rules have on consumers and their privacy?
Tyler Bridegan:
Yeah. I think as alluded to in my opening, we have now learned a lot about sort of emerging privacy harms and which protections actually can help consumers and help regulators to go after those privacy harms in which can't including additional language in a privacy policy that's prescriptive. There's not necessarily any tangible benefit because the consumer and all of us don't tend to read those privacy policies. So there's a balance that I think needs to be struck of what is prescriptive in the sense that it's actually getting to those core privacy harms. And I've harped a lot about sensitive data that is an area where there needs to be heightened protections. We have seen that on a bipartisan basis. Illinois, Washington, Texas all have heightened data standards for sensitive data types and several of them have standalone privacy laws for just those sensitive data types. And so I think it's important to keep in mind and really think through which requirements are actually protecting consumers from privacy harms.
And I think California has a long list of a long law, a lot of regulations that I would struggle to see how a violation of many of those actually resulted in a tangible privacy harm.
Rep. Troy Balderson (R-Ohio):
Okay. Thank you very much for that detailed answer. I appreciate that. My next question is for Ms. Goodloe. Thank you for being here, ma'am. Small businesses that sell products online may interact with customers in all 50 states, even though they're often run out of a single storefront or a garage. How does the existing patchwork of privacy requirements complicate day-to-day operations for those businesses? And I'll have a follow-up for you.
Kate Goodloe:
Thank you for the question. Right now, companies are required to track 50 moving goalposts to do business in the United States. As long as they are serving customers in more than one state, they need to keep track not only of the 22 states that have already enacted laws, but of the many states that are already revising and amending those laws. And by my count, we're up to 30 amendments. We need a clear national standard that sets one set of rules so that companies can operate nationwide and know how to protect consumers' privacy.
Rep. Troy Balderson (R-Ohio):
Thank you. My follow-up then, and we have about a minute left. In contrast, how would establishing a single national standard under the Secure Data Act make it easier for them to serve customers across state lines?
Kate Goodloe:
I think it tells them what to do. Our companies as business to business technology providers are in the business of competing to provide privacy protective and security protective services. They want to comply with strong privacy laws because their customers demand it. When they know the rules, when there's a single clear rule and regulatory led enforcement, it helps them know what to do to focus on core protections for consumers and providing one standard can do that.
Rep. Troy Balderson (R-Ohio):
Thank you very much. Mr. Chairman, I yield back.
Rep. Russ Fulcher (R-Idaho):
Thank you. Chair recognizes Representative Trahan for five minutes, please.
Rep. Lori Trahan (D-Mass.):
Well, I thought I was ready here. Thank you, Mr. Chair. I want to thank the panel as well. A federal consumer privacy law is certainly long overdue. There's broad agreement on that, but I do worry that this Congress is going to, again, fail to make progress on it. I appreciate Representative Joyce and the committee's work on the Secure Data Act, but I'm concerned that it falls short in a few ways and I'm going to use my time to identify one of them. And that's the unique harms that data brokers perpetuate and advanced artificial intelligence exacerbates. Today, AI can be used to correlate data from across data sets, meaning anyone with access to an AI model can purchase your data from a broker and paint a very intimate picture of your life from your location to your browsing data and your purchases. That actors can infer your sexual orientation, how much money you earn and where you work, study, or worship.
Ms. Fitzgerald, how can AI now draw these kinds of inferences about people who never knew that their data was collected and never consented to it? And what are the privacy risks of advanced AI systems built on data acquired from data brokers?
Caitriona Fitzgerald:
Yes. Thank you for that question. AI is turbocharging the ability for companies to make inferences about consumers and that's leading to data discrimination and surveillance pricing is another harm that consumers really can't stand that is being turbocharged by AI. And strong data privacy legislation is a really critical baseline protection to protect Americans from the harms of AI. It doesn't do everything, but it's a really important first step.
Rep. Lori Trahan (D-Mass.):
Thank you. As you mentioned, it's so critical that data privacy legislation provides Americans a meaningful way to prevent their data from being collected, stored, or sold by data brokers. While the bill requires data brokers to allow Americans to opt out, this must be repeated for every data broker, meaning that you might have to opt out of hundreds, if not thousands of times. I have a bill, the Delete Act, which would give Americans control over their own data by allowing them to force data brokers to delete their data and stop collecting future data through a single opt-out request. So Ms. Fitzgerald, would a single universal opt-out be more effective for consumers than requiring them to opt out broker by broker?
Caitriona Fitzgerald:
Yes. A centralized deletion mechanism is especially important when we're talking about data brokers because these are companies that consumers don't know, have their data, don't even know exist for the most part. I don't think many Americans could name a data broker for you and they've never interacted with these companies. So they don't know who to go to ask to delete their data. So the centralized deletion mechanisms are really important. There's a reason it's been incredibly popular in California and just the five months since it went into effect, 300,000 Californians have taken advantage of it. And I think that shows the desire Americans have to protect their information from data brokers.
Rep. Lori Trahan (D-Mass.):
But even a universal opt-out has a loophole here. The bill bars Americans from requesting deletion of what it calls de-identified data. Brokers can keep collecting and selling it so long as buyers promise not to re-identify it. So have there been cases before where de-identified or pseudonymous data was able to be linked back to individuals and what kind of information might bad actors be able to infer even from de-identified data?
Caitriona Fitzgerald:
Yeah. Thank you for that question because it highlights something that hasn't been raised yet today. There's an exemption in this bill for de-identified and pseudonymous data, as you mentioned, and pseudonymous data in particular is problematic because it includes things like our advertising ID and our IP address. These are identifiers that companies are using to track us across the internet and by exempting them from the consumer rights in this bill, from exempting them from the opt-out, it almost makes the opt-out meaningless because they're not often identifying it with my name, they're identifying it with my advertising ID. So the FTC has long held a position that pseudonymizing identifiers or it does not render data anonymous. So that is not something that should be exempted. And then in the case of de-identified data, yes, there have been many cases where de-identified data has been able to be re-identified back to the original consumer.
Rep. Lori Trahan (D-Mass.):
Thank you. Look, I believe there's agreement across the aisle that Congress must act to protect Americans' privacy as a number of states have already done. The recent advancements with AI make this issue even more urgent, but this bill, as written, fails to meet the moment. So I look forward to working with my colleagues and I yield back. Thank you.
Rep. Russ Fulcher (R-Idaho):
Thank you. The chair recognizes the gentleman from Colorado. Mr. Evans, please, for five minutes.
Rep. Gabe Evans (R-Colo.):
Thank you, Chair. Of course, to the ranking member for this hearing, to the witnesses for coming today, strong data security is essential for protecting consumers in today's digital economy. The FBI's Internet Crime Complaint Center showed that consumers lost more than $20 billion in fraud just last year. In Colorado, there was a total financial loss of $355 million statewide, and that's an increase of more than 250% since 2020. Colorado's got one of the fastest aging populations in the nation and we see scammers and fraudsters are explicitly targeting seniors with complex schemes and phishing traps. I saw it during the 10 years that I spent as a cop in the Denver Metro area. And unfortunately, Colorado has the third worst rate in the nation for senior fraud. We've got malicious cyber actors, weak data security. These are some of the reasons that Americans are facing a fraud epidemic, and it's why I'm pleased to see the Secure Data Act requiring companies to adopt some common sense data security measures to protect constituents like mine from these fraud impacts.
And so Ms. Goodloe, first question to you, since you're here from the Business Software Alliance, can you share how the Secure Data Act's data security requirements work in practice and how the industry can integrate them with existing policies?
Kate Goodloe:
Yes. Thank you for the question. I think this is a very important issue when we think about the privacy legislation. The Secure Data Act requires controllers to adopt reasonable security measures to make sure that data is kept secure and confidential. What that means in practice is that companies have to establish, implement, and maintain data security practices. And we see this requirement already across state laws and it needs to apply nationwide. The Secure Data Act also tells companies how to do this because it creates a rebuttable presumption that they satisfy this obligation if they use leading tools like cybersecurity risk management frameworks that have set the gold standard globally.
Rep. Gabe Evans (R-Colo.):
Thank you so much. The next question will be to Mr. Bridegan. We know prevention is the first step in making sure that people's data stays safe from fraud and from these malicious actors, but we still need to be able to go and prosecute the bad guys when they, because they sit around all day long and try to figure out how to hack and bypass these security protocols. Security isn't static. So when you have malicious actors that still work overtime to go out and do bad things, defraud Americans, we got to have the ability to go get those guys. And so I'm pleased to see that the National Insurance Crime Bureau has sent a letter supporting the Secure Data Act because this helps us not only detect, prevent and deter insurance fraud and financial crimes and related crimes. It also helps us work with law enforcement to be able to go and get the bad guys.
So can you talk a little bit about how the Secure Data Act works with law enforcement to protect Americans?
Tyler Bridegan:
Yeah. I think in general, the more cyber requirements that companies are required to implement, the greater the chance that law enforcement can do its job because the more protections you have on the front end, you're collecting more information about those threat actors and ultimately you can coordinate with law enforcement to help go after them. We recently recovered on behalf of a client that was a financial institution that was defrauded of six figure amount go after the fraudsters civilly because of our work with law enforcement who was able to go after them criminally. So it's an incredibly complex scheme, but it is permeating throughout the United States, as you alluded to.
Rep. Gabe Evans (R-Colo.):
And then my final question, and this is unfortunately just a tragically horrifying statistic, Colorado has got 2% of the nation's population, but we're 10% of the human trafficking in the nation. And a lot of these are kids that are being subject to this. And we know that when you have human trafficking, there's money transactions, there's a lot of digital footprint that's involved here. And so again, we want data privacy for Americans, but we also have to be able to interrupt not just the financial crime space, but we have to be able to trace that back and untangle that to horrific crimes like human trafficking and human trafficking of minors. So can you talk in my remaining 30 seconds just a little bit about how this not only works to protect Americans' data and to work with law enforcement, not just on the financial piece, but also on things like human trafficking?
Tyler Bridegan:
Yeah. Again, this bill helps create that information flow between law enforcement and the private sector. The FBI has done a great job over the past decade or so holding itself out as a partner to companies that are either observing crime or the target of fraud. And so there's been that palpable shift over the past decade to really encourage that coordination, which I think is so key to sort of getting out the core issues here.
Rep. Gabe Evans (R-Colo.):
Thank you so much and I'm out of time. Yield back.
Rep. Russ Fulcher (R-Idaho):
Thank you. The chair recognizes a ranking member for one minute please. Ms. Schakowsky.
Rep. Jan Schakowsky (D-Ill.):
I am concerned that this bill right now protects companies and not people and that what we really need to do is protect our everyday people and that's not happening right now.
Rep. Russ Fulcher (R-Idaho):
Thank you. The chair recognizes the gentleman from Ohio. Mr. Joyce for five minutes, please.
Rep. John Joyce (R-Pa.):
From Pennsylvania, the other Joyce, but it's good to be with you.
Rep. Russ Fulcher (R-Idaho):
My apologies about this. Sorry.
Rep. John Joyce (R-Pa.):
Thank you. Thank you for our witnesses for being here. Thank you for participating in this candid conversation. To start, I'd like to rebut a shallow attack on the Secure Data Act that Secure Data Act's consensus approach is flawed because it's based on over 20 states, blue, red, and purple states. To that end, Mr. Chairman, I'd like to enter into the record a May 11th, 2022 press release from the well-known consumer advocacy group, Consumer Reports that's entitled Connecticut Governor Signs Comprehensive Bill into Law that explicitly states this year we saw giant tech companies push weak bills at the state level. So we are especially pleased to see Connecticut sign a strong law that will extend real privacy protections to its citizens. In May 2022, a Connecticut law that was modeled on Virginia modeled on Colorado and modeled on Utah laws was dubbed by consumer advocates as extending real privacy protections, protections to consumers and not the product of giant tech companies.
Yet today a federal law that is modeled and centered on those exact laws and extends privacy protections to all Americans is somehow in retrospect all just part of some multi-year multidimensional scheme by big tech to ultimately create a federal standard. This is a clear example of how consumer groups will move the goalposts not based on what is working for the consumers, but rather on a desire to hamper legitimate uses of data that benefit Americans, consumers and American workers. For far too long, consensus on federal privacy reform has been elusive and a lack of that consensus has plagued legislation in multiple Congresses. As I shared at the beginning of this hearing hours ago, I'm committed to working with my colleagues on both sides of the aisle as well as stakeholders to advance the strongest possible bill out of this committee and onto the House floor. Ms. Watts, why do you believe that the consensus state approach to comprehensive privacy and data security offers the best pathway forward to consensus from the federal level?
Ashli Watts:
Yes. Thank you for that question. Thank you for all of your work on this bill. We are really proud in Kentucky to have had a consensus-based bill that passed unanimously through our general assembly and was signed into law.
Rep. John Joyce (R-Pa.):
How's it working?
Ashli Watts:
It's working great so far. It just went into effect in January. So it passed during the general assembly of 2024. It is now full effect. We actually just checked with our attorney general.
Rep. John Joyce (R-Pa.):
You worked hard to get that passed.
Ashli Watts:
We worked very hard. And I will say for a couple of years we really wanted a federal bill. We wanted you all to take that step so that there was not going to be a patchwork.
Rep. John Joyce (R-Pa.):
This passed unanimously, you said earlier?
Ashli Watts:
It passed unanimously and we are a super majority- It was
Rep. John Joyce (R-Pa.):
A super majority of which side?
Ashli Watts:
Republicans.
Rep. John Joyce (R-Pa.):
And you signed it into law.
Ashli Watts:
A Democratic governor this year.
Rep. John Joyce (R-Pa.):
And this shows that this is a bipartisan concern.
Ashli Watts:
Completely. We
Rep. John Joyce (R-Pa.):
And the US House of Representatives understand that and can work in a bipartisan manner to make this effective. Ms. Goodloe, can you please talk to us about comprehensive privacy and data legislation from a whole economy regulation? Because you deal business to business and you understand the entire economy from the tech sector and the Secured Data Act will grant consumer rights and protections across all industries from life sciences to real estate to manufacturing. Talk to me how that will affect that business to business relationship.
Kate Goodloe:
Well, I should start by saying thank you for all of your work with a working group to work on pushing forward comprehensive federal privacy legislation. We deeply appreciate that because this matters to BSA member companies. We have long supported federal comprehensive privacy legislation because it is important to the national economy. Companies of all sizes and in all industries rely on technology. BSA represents the business to business technology providers that power businesses in every sector. And so what we see is a need for a single standard that sets the right level of consumer protections for companies nationwide and across sectors.
Rep. John Joyce (R-Pa.):
That US digital economy that supports all sectors supports over 28 million American jobs, which means that the stakes are serious for so many Americans. We need to get privacy right. And we've seen in Europe that embracing impractical and burdensome approaches to privacy results in stagnation and results in job losses. The Secure Data Act is a result of a consensus framework. I think it was Justice Brandeis who said 80 or 90 years ago that the states are the laboratories of democracy. We took that very seriously. We looked at the 20 plus states that have privacy acts. This is our opportunity to bring consensus-based legislation that protects consumers first and foremost and gives certainty to American businesses to stop moving the goalposts. Once again, I look forward to working with all of my colleagues on both sides of the aisle to advance the Secure Data Act. Again, I thank you for being here with us on this long morning and Mr. Chairman, I yield back.
Rep. Russ Fulcher (R-Idaho):
Thank you. And the chairman appreciates the good gentleman from Pennsylvania. Ask unanimous consent that the documents and the staff document list be submitted for the record without objection so ordered. I'd like to thank our witnesses for being here today. Members may have additional written questions for you. I'll remind members they have 10 business days to submit questions for the record and I ask the witnesses to respond to the questions promptly. Members should submit their questions by the close of business June 17th. Without objection, subcommittee is adjourned.