Consent questions raised at data privacy bill hearing

WASHINGTON — Data privacy legislation put forward by House Republicans is friendly to businesses, Republicans and Democrats agree; whether or not that’s a good thing depends on which side of the aisle members sit on.

Republicans say the legislation would provide clarity for businesses and uniform protections for consumers around the country. Democrats say the bill would lessen protections for those in states with stronger privacy laws and put the burden of managing data privacy on individuals rather than companies.

Those views were on display at a House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade hearing Wednesday. The bill, sponsored by Rep. John Joyce, R-Pa., would create consumer rights to delete personal data and opt out of targeted ads online, as well as to correct inaccuracies in collected data, opt out of the data’s sale and opt out of the use of data profiling to make decisions with a legal effect.

Even with GOP backing, the bill still faced concerns from Republican lawmakers, who probed the bill’s opt-out structure and what consent would look like for the collection of sensitive data.

The bill would also require data collectors to notify users of the categories of data being collected, the purposes it’s used for, what category of data is shared and with what category of third party and how consumers can exercise their rights under the bill. It would also require companies to minimize their data collection to what is “adequate, relevant, and reasonably necessary” for the purposes they’ve disclosed to users.

The full-committee chair, Rep. Brett Guthrie, R-Ky., framed the bill as an alternative to the style of legislation in place in Europe under the General Data Protection Regulation.

“We’re not competing with Europe to regulate. We’re competing with China to regulate,” Guthrie said.

Joyce led the House Republican Data Privacy Working Group that wrote the bill. He has emphasized that it will be subject to regular order in the House and that the group’s goals included developing legislation that “protects consumers, enables beneficial use of data, gives businesses the certainty that they need and can earn consensus among committee Republicans.”

The subcommittee’s chair, Rep. Gus Bilirakis, R-Fla., said the bill, known as the SECURE Data Act, would “protect American consumers and provide much-needed certainty for businesses across the country.”

Bilirakis also said that state data privacy laws, currently in place in 22 states, create a patchwork that is “confusing” for businesses and leave residents of states without privacy laws out in the cold.

“Today, when Americans ask if their personal data is protected, the answer depends entirely on which state they’re in,” Bilirakis said.

But Democrats said the legislation, which would preempt all state laws related to the bill’s provisions, would not increase protections.

The full committee’s ranking member, Rep. Frank Pallone Jr., D-N.J., called the preemption mechanism “sweeping.”

“The legislation would prevent Maryland, for example, from continuing to protect its residents by ensuring their sensitive information is not sold. It would prevent Californians from being able to delete their data from all data brokers in one step,” Pallone said. “And it would invalidate state laws on wiretapping, on robocalls, data breach notifications, civil rights and kids’ online safety.”

Pallone and other Democrats also criticized the bill’s data minimization provision as too weak. The bill would allow companies to collect data if they disclose the purposes it will be used for.

Caitriona Fitzgerald, deputy director for the Electronic Privacy Information Center, a nonprofit research and advocacy group, told the committee that on data minimization, the bill is a step back from previous bipartisan data privacy bills.

“The SECURE Data Act allows businesses to continue collecting and using data however they please as long as they disclose it in a privacy policy that we know few consumers read and no consumer has the power to change,” Fitzgerald said. “Data minimization only works if it actually limits how much data companies can collect and how they can use it.”

Fitzgerald also criticized the lack of a private right of action in the bill, which would rely on the Federal Trade Commission and state attorneys general for enforcement.

Consent concerns

While Republicans were generally supportive of the bill, two had some pointed questions about how it would work.

Rep. Kat Cammack, R-Fla., asked panel members whether consumers should be asked to opt out of their data collection or opt in. The answers were mixed, especially when it came to the collection of sensitive information like precise geolocation.

“I think there should be a blatant opt-in in order for people’s data to be shared,” Cammack said.

The bill currently relies on opt-out for general data and consent to opt-in for the processing of sensitive data.

Rep. Cliff Bentz, R-Ore., had questions about what real consent looks like online, noting that he often scrolls quickly through policies and automatically clicks “yes.”

“The way this works, you harvest this data from millions of people. And so to suggest that these companies are going to go to millions of people and ascertain that each one has reached that level of consent seems highly unlikely,” Bentz said.

The bill defines consent as a “a clear affirmative act that signifies the freely given, specific, informed, and unambiguous agreement by a consumer to process personal data relating to the consumer.”

Tyler Bridegan, former director of privacy and technology enforcement for the Office of the Texas Attorney General, said the individual adjectives create requirements for companies in the way they structure their consent requests.

“At a minimum, you’re going to need to be able to demonstrate that the company disclosed … what they were collecting the data for and how they were using that data,” Bridegan said.

The bill has support from the business community and the technology industry specifically.

Ashli Watts, president and CEO of the Kentucky Chamber of Commerce, told the hearing that “strong consumer privacy protections and economic growth are not competing goals.”

The U.S. Chamber of Commerce sent a letter to committee leadership Tuesday in support of the legislation, saying it would “help small businesses who are disproportionately impacted by the regulatory confusion caused by a patchwork of state privacy laws.”

Amy Bos, vice president of government affairs for technology industry group NetChoice, said her group “applauds” the committee’s efforts.

“The SECURE Data Act is commendable because it establishes a consistent nationwide standard that eliminates regulatory confusion, strengthens consumer rights and ensures data transparency,” Bos said in a statement.

The committee has not yet announced plans for a subcommittee markup of the legislation.