WASHINGTON — The Federal Trade Commission needs more authority to prevent data breaches that threaten the privacy and financial security of U.S. consumers, the chairman of a Senate committee said during a hearing Wednesday.
Congress is considering legislation that would either mimic or preempt parts of a Colorado data privacy law that took effect in September.
The Senate Commerce, Science and Transportation Committee listened to data privacy experts at the hearing to determine how to craft the legislation.
“It is clear that we need a strong, national privacy law that provides baseline data protections, applies equally to business entities — both online and offline — and is enforced by the nation’s top privacy enforcement authority, the Federal Trade Commission,” said Sen. Roger Wicker, R-Miss., the committee’s chairman.
Colorado’s Protections for Consumer Data Privacy Act set some of the nation’s strictest standards for consumer data protection.
It requires all businesses to keep written policies on disposing of customers’ personal data. They also must notify their customers of data breaches within 30 days, and must notify the state attorney general if more than 500 consumers are affected. Businesses must demonstrate they have taken “reasonable” steps to protect their customers’ personal information.
Wicker offered only thin assurances that state laws would not be preempted by any federal legislation developed by Congress.
“It is important to note that a national framework does not mean a weaker framework than those that have already passed in the U.S. and overseas or being contemplated in the various states,” he said. “Instead it means a preemptive framework that provides consumers with certainty that they will have the same set of robust data protections no matter where they are in the United States.”
One proposal Congress is considering would copy key parts of the European Union’s General Data Protection Regulation that took effect last May.
It sets data protection obligations for businesses, similar to the Colorado law, but goes further in giving consumers choices over how their personal information is handled.
European businesses are required to use the highest privacy settings to avoid releasing consumers’ data without their consent. No personal information can be processed by businesses beyond single transactions without the consumers’ permission, which they can revoke at any time.
Another pace-setting data protection law mentioned during the Senate hearing is the California Consumer Privacy Act. It gives consumers the right to know what personal information is collected on them and whether it is being sold or disclosed, and the right to block the sales of their data.
“So, together the implementation of these two pieces of legislative policy, GDPR and CCPA, have brought new insights to the congressional efforts to pass meaningful privacy and data security laws,” said Sen. Maria Cantwell, D-Wash., the ranking member of the committee.
Part of the push in Congress for a new law arose from recent scandals over the unauthorized release of personal data by Facebook Inc., Equifax Inc. and other companies.
Michael Beckerman, president of the Internet Association, said the General Data Protection Regulation can be rendered ineffective by overwhelming consumers with technical information they might not understand.
The European law “has exacerbated this problem with new requirements requiring companies to provide even more information,” he said. “It is not clear that more information benefits EU residents.”
The Internet Association is a trade group that represents more than 45 of the nation’s biggest Internet companies, including Facebook.
Jon Leibowitz, co-chair of the consumer-oriented advocacy group 21st Century Privacy Coalition, advocated a strong federal policy that would eliminate most discretion of states and businesses on how to protect personal information.
“Companies that collect, use or share the same type of personal information should not be subject to different privacy requirements based on how they classify themselves in the marketplace,” he said.
Differing state laws could create similar confusion, he said.
“State intervention in this quintessentially interstate issue is problematic, no matter how well-intentioned it may be,” Leibowitz said. “A proliferation of different state privacy requirements would create inconsistent privacy protections for consumers.”
Colorado U.S. Sen. Cory Gardner, a Republican, is a member of the Commerce, Science and Transportation Committee, but he did not speak during the hearing.
Nevertheless, he has sought stronger data protection in speeches and legislation, including a bill he introduced in August that would impose sanctions against foreign-based hackers who launch cyber attacks against the United States.