As the framework of a federal privacy law starts to take shape, Senate Republicans and Democrats agree on the need for tougher regulations on the collection of consumers' health and biometric data.
If lawmakers come together on a bipartisan federal privacy law it could result in new rules over health data currently not covered by the Health Insurance Portability and Accountability Act (HIPAA). That includes physical health data collected by health tracking apps and fitness wearables and biometric data from facial recognition as well as location tracking data.
During a Senate Commerce committing hearing Wednesday on legislative proposals to protect consumer privacy, Sen. Roger Wicker, R-Miss., committee chairman, said the goal of a privacy law is to give Americans more transparency, choice and control over their data, and to find ways to keep businesses more accountable to consumers when they seek to use data for other purposes.
"Given the 2018 implementation of the European Union’s General Data Protection Regulation, the passage of the California Consumer Privacy Act, and near-daily reports of data breaches and misuse, it is clear that Congress needs to act now to provide stronger and more meaningful data protections to consumers and address the privacy risks that threaten the prosperity of the nation’s digital economy," Wicker said.
Sen. Maria Cantwell, D-Wash., ranking member of the committee, said consumers' digital footprints continue to be under attack. "Just last month, the Washington state attorney general released a report saying that the number of data breaches in my state has increased nearly 20% in one year," she said.
Momentum is building to pass a uniform, comprehensive federal law to protect consumer data privacy after massive data scandals, ongoing problems with data breaches and consumers' growing wariness about how companies use their data.
Two proposals from Democrats and Republicans are now being discussed among members of the Senate Commerce Committee. Both proposals aim to put guardrails in place on how companies collect, use, sell and share consumers' data and give consumers the ability to access, delete, correct and move their data.
Lawmakers are also discussing providing more resources and greater enforcement power to the Federal Trade Commission (FTC) to investigate and pursue privacy violations.
But the proposals differ on key points, such as whether national legislation should trump state data privacy laws and giving consumers the right to sue companies that violate privacy laws.
During the committee hearing, Sen. Edward Markey, D-Mass., floated the idea of banning the sale of biometric information as part of a federal privacy law.
That idea was supported by one privacy lawyer at the hearing. "If your Social Security number is compromised, you can change it. You can’t change your body. There should not be a market for this information. There is no redress if it's compromised," testified Laura Moy, executive director of Georgetown Law Center on Privacy & Technology and an associate law professor.
Moy advocated for a privacy law that includes civil rights protections. "Eighty-one percent of Americans feel the risk of collecting data outweighs the benefits. You need to legislate boldly in a way that transforms data practices. Now is not the time for a light-touch approach," she said.
Cantwell introduced the Consumer Online Privacy Act to establish privacy rights, outlaw harmful and deceptive practices, and improve data security safeguards. The Democrats’ bill leaves state laws such as California’s in place and enables consumers to sue to enforce the new federal standard’s provisions.
Wicker proposed draft legislation, considered more industry-friendly, that would also provide consumers with new privacy rights. Wicker's draft bill would override state laws related to data privacy, including California's law, and would not provide for a private right of action.
Wicker's proposal also would require express opt-in consent from consumers before a company could collect or transfer their sensitive data, including many types of health and personal identification information.
During the hearing, lawyers representing Walmart and telecommunications providers expressed support for Wicker's proposal, specifically that it overrides state laws and does not include a provision that consumers have a right to sue companies.
"A patchwork of inconsistent state laws is inefficient to protect individuals and inefficient for interstate commerce," said Nuala O’Connor, senior vice president and chief counsel, digital citizenship at Walmart.
The retail giant is "scrambling" to be ready for California's privacy law by the Jan. 1 compliance date, O'Connor said. "State laws add more complexity to consumers’ lives but it's not helping their privacy. There is strength in clarity, simplicity, and consistency offered at the federal level."
Maureen Ohlhausen, a partner at the law firm Baker Botts and co-chair of the 21st Century Privacy Coalition, a lobbying group for telecommunications companies, shot down the idea of a private right of action for data privacy violations.
Giving consumers the right to sue companies for violations "results in class actions that primarily benefit attorneys while providing little, if any, relief to actual victims," Ohlhausen said during her testimony.
Sen. John Thune, R-S.D., said only a bipartisan proposal has a chance of clearing the Senate. "We must include strong consumer protections by avoiding a legislative patchwork that is beginning to emerge at the state level," he said.