“Without a national data privacy law in place, Americans will continue to face a growing risk of having their personal data exposed and potentially exploited,” said Senator Roger Wicker, R-MS, opening a hearing on “Protecting Consumer Privacy” in the Senate Commerce Committee, the first in a promised series of hearings on the issue.
“We are already seeing this happen… earlier this year the FTC reported that identity theft increased by almost 3,000% in 2020. Cyberattacks and data breaches are also on the rise. Recent news reports show an uptick in exploitative data practices by social media, targeting children and teens, and there are near daily accounts of entities misusing consumers’ personal data or attempting to process their data in discriminatory ways,” said Sen. Wicker, the committee’s Ranking Member.
Indeed, the United States is out of step with most other developed nations that already have privacy regulations in place. These hearings are intended to revive the effort to arrive at a framework that can muddle through a divided legislature. Senator Wicker indicated that he and the committee’s Chair, Maria Cantwell, D-WA, “are united” in the belief that advancing such legislation is a priority.
David Vladeck, Professor and Faculty Director the Center on Privacy and Technology at Georgetown Law and a former Director of the Federal Trade Commission Bureau of Consumer Protection, used his opening statement to support legislation to “provide funding for the FTC to create a new technology center bureau to safeguard your constituents’ privacy and data security,” he said, pointing to underfunding and understaffing of the FTC stretching back to budget and staffing cuts in the 1980s. He noted that the FTC pays for itself by imposing civil penalties on companies- such as the $5 billion fine it assessed on Facebook related to the Cambridge Analytica scandal. “If the FTC were a company, we’d all want to buy stock in it because it always generates more income than it spends,” he said, in a remark that drew a smile from Senator Cantwell.
Maureen Ohlhausen, a partner at the law firm Baker Botts and a former Acting Chairman of the Federal Trade Commission, appointed by then-President Trump, also argued for a “comprehensive national privacy law,” saying it should have several components, including providing consumers clarity and agency around their data rights; a uniform set of protections; and strong enforcement. Like Ranking Member Wicker, Ohlhausen pointed to the possibility that an FTC rulemaking on privacy may create an obstacle to Congress advancing more comprehensive legislation on the issue.
Ashkan Soltani, now an independent researcher and technologist and the former Chief Technologist of the FTC, where he helped establish the agency’s Office of Technology Research and Investigation, argued in favor of a new bureau in the FTC “focused on technology and data protection.” He compared the dearth of human resources to countries such as Germany and France, which have hundreds of people working on these issues in regulatory agencies. He pointed out that the FTC is so understaffed that the “same lawyers who ensure that social media companies have robust privacy and data security programs are also making sure the labels on bed linens are correct.” He said the big tech companies, many of whom are already under consent decrees, are rarely policed due to limited resources.
Morgan Reed, President of a trade group called the App Association, pointed to the need to have national privacy legislation and enforcement to engender trust in the digital economy. He said Congress needs to give the FTC new authority. “The rest of the world has surged ahead on these questions. When Europe instituted the GDPR, it was clear the US would have to act, if just to harmonize. But now 16 other countries have national privacy laws matching GDPR and as Ranking Member Wicker noted there’s 100 more countries with some form of national privacy law., and the US still has nothing.” He said the government is now out of step with consumers, who have expectations about data privacy that are unaddressed.
Sen. Cantwell asked if the panelists supported more resources for enforcement- and all agreed. “The issue is right now we have a volume of cases, and we have a technology gap, and we don’t have people to do compliance, so what do we need to focus on when we say to the FTC, here’s resources?”
“One area in which we need resources is being able to hire more technologists and engineers. I don’t think the FTC has ever had a cohort of as many as ten technologists on staff,” said Vladeck. He said there were about 45 lawyers overseeing ongoing consent orders. “Just the volume of orders that need to be reviewed and subject to reporting requirements overwhelms the ability of staff to do the kind of surveillance of a company under order that is required.” He urged the Senators to look at Facebook- which he says escapes scrutiny because “we did not have technologists and staff that could spend time reviewing closely what the company was doing.”
There was a general disagreement between Vladeck and Olhausen on the implications of FTC rulemaking ahead of legislation, reflecting a partisan divide on the issue.
Senator Tammy Baldwin (D-WI) asked about how to strengthen the FTC without creating “revolving doors” between industry and the regulator. Soltani said “this committee is intimately familiar with staff going to large tech companies and working after the fact once they’ve gained that expertise here.” He has proposed ideas on how to handle conflicts for the technologists and lawyers at the FTC. “This can’t be a revolving door. We want to prevent a revolving door not just for staff attorneys, but for Commissioners as well.”
There was some discussion of a proposal from Democrats to put $1 billion into the FTC even before passing new legal authorities for the FTC. Olhausen said the FTC needs both- more money and more authorities. Senator Deb Fischer, R-NE, raised concerns that giving the funding before arriving at new rules.
Sen. Fischer also raised concerns about Facebook and the implications of its products on children and teen health. She queried Vladeck on some aspects of the DETOUR Act, which she has sponsored alongside Senator Mark Warner (D-VA), which would address various online harms, including dark patterns. While Vladeck pointed to complications in addressing dark patterns, he said there is more leeway in protecting children, echoing his concern about the reports on Facebook, and adding he would change standards in COPPA to allow for more enforcement to protect children.
In remarks after the hearing, Sen. Cantwell said the committee “could see a deal here” on these matters, pointing to commonalities that were on display during the hearing. Future hearings will drill down on the points of contention.
“The Senate has a choice about whether to fully fund a new digital harms bureau now, so that the FTC finally has the resources it needs to protect Americans’ privacy; or to wait to fund a regulator until a comprehensive privacy law passes Congress,” said Sara Collins, Policy Counsel at Public Knowledge, a nonpartisan think tank that advocates for tech policies in the public interest that recently joined a coalition to support an increase to FTC funding. “While we urge Congress to continue working on legislation that protects our privacy, that does not preclude Congress from giving the FTC authority and resources to act now.”
Justin Hendrix is CEO and Editor of Tech Policy Press, a new nonprofit media venture concerned with the intersection of technology and democracy. Previously, he was Executive Director of NYC Media Lab. He spent over a decade at The Economist in roles including Vice President, Business Development & Innovation. He is an associate research scientist and adjunct professor at NYU Tandon School of Engineering. Opinions expressed here are his own.