Majority Statement

• Chairman Roger Wicker
  Read statement

  Majority Statement

  Chairman Roger Wicker

  Consumers are the bedrock of our economy. Through the consumption of goods and services, consumers drive economic activity; power job creation; and create opportunities for innovation, and economic advancement in the United States and around the world. 

  To foster relationships with consumers, businesses have historically collected and used information about their patrons. The collection of data about consumers’ likes, dislikes, and commercial interests has ultimately served to benefit consumers in the form of more customized products and services, and more choices at reduced costs.

  Consumer data has tremendous societal benefits as well. In a world of “big data” where physical objects and processes are digitized, there is an increased volume of consumer data flowing throughout the economy. This data is advancing entire economic sectors, such as health care, transportation, and manufacturing. Data enables these sectors to improve their operations, target resources and services to underserved populations, and increase their competitiveness. 

  The consumer benefits of a data-driven economy are undeniable. These benefits are what fuel the vibrancy and dynamism of today’s Internet marketplace. Despite these benefits, however, near-daily reports of data breaches and data misuse underscore how privacy risks within the data-driven economy can no longer be ignored. 

  The increased prevalence of privacy violations threatens to undermine consumers’ trust in the Internet marketplace. This could reduce consumer engagement and jeopardize the long-term sustainability and prosperity of the digital economy. 

  Consumer trust is essential. To maintain trust, a strong, uniform federal data privacy framework should adequately protect consumer data from misuse and other unwanted data collection and processing. When engaging in commerce, consumers should rightly expect that their data will be protected.  

  So today, I hope witnesses will address how a federal privacy law should provide consumers with more transparency, choice, and control over their information to prevent harmful data practices that reduce consumer confidence and stifle economic engagement. 

  To provide consumers with more choice and control over their information, both the European Union’s General Data Protection Regulation and the California Consumer Privacy Act provide consumers with certain privacy rights. Some of these rights include the right to be informed or the right to know; the right of access; the right to erasure or deletion; the right to data portability, and the right to non-discrimination, among others. 

  I hope witnesses will address how to provide these types of rights within a United States federal framework without unintentionally requiring companies to collect and retain more consumer data. Provisioning certain privacy rights to individuals, without minimum controls, may have the opposite effect of increasing privacy risks for consumers. 

  In developing a federal privacy law, the existing “notice and choice” paradigm also has come under scrutiny. Under notice and choice, businesses provide consumers with notice – typically through a lengthy and worthy privacy policy – about their data collection and processing practices. Consumers are then expected to make a “take it or leave it” choice about whether or not to purchase or use a product or service, but is this really a choice? 

  I hope witnesses will address how to ensure that consumers have access to simplified notices that offer meaningful choices about what information an organization collects about them, instead of lengthy and confusing privacy notices or “terms of use” that are often written in legalese and bury an organization’s data collection activities.

  I also hope witnesses will speak to ways in which Congress can provide additional tools and resources for consumers to make informed privacy decisions about the products and services they choose to use both online and offline. 

  Fundamental to providing truly meaningful privacy protections for consumers is a strong and consistent federal law. This is critical to reducing consumer confusion about their privacy rights and ensuring that consumers can maintain the same privacy expectations across the country.

  I look forward to a thoughtful discussion on these issues and again welcome all of our witnesses. 

  I now recognize my good friend and Ranking Member, Senator Cantwell.

Minority Statement

• Ranking Member Maria Cantwell
  Read statement

  Minority Statement

  Ranking Member Maria Cantwell

  Thank you, Mr. Chairman. And thank you to the witnesses for being here today on this important hearing about how to develop a federal data privacy framework. It’s essential that we give a front row seat to the consumer advocate perspective, and that’s what today’s conversation does. When the dust settles after a data breach or a misuse of data, consumers are the ones who are left harmed or disillusioned. In the two months since our last full committee hearing on privacy, consumer data has continued to be mishandled. It’s clear that companies have not adequately learned from past failures and at the expense of consumers, we’re seeing that self-regulation is insufficient.

  Just days ago, cybersecurity researchers revealed the existence of a massive cloud data breach left wide open and unprotected containing addresses, full names, dates of birth, income, marital status on more than 80 million US households. This blatant disregard for security and privacy risk makes it clear why we are here today. Microsoft recently admitted that an undisclosed number of consumer web email accounts were compromised. We learned more about privacy lapses on Facebook, and two more third-party Facebook apps exposed data on Facebook users, revealing over 540 million records, including comments, likes, account names, and Facebook IDs.

  So Mr. Chairman, how do we create a culture of data security that protects consumer and allows commerce to continue to grow? Consumers continue to be bombarded by threats to their privacy. Cybersecurity adversaries become more sophisticated and more organized day by day, and we really need to understand privacy on a continuum of data security. We need to make a more proactive approach to cybersecurity and make sure that we are continuing to protect consumers.

  This becomes especially important in the age of the Internet of Things. Yesterday, the Security Subcommittee considered this issue at length. Billions of devices collecting data about consumers at all times means there are billions of entry points and large surface areas for cyber-attack. We learned more about new bot net attacks and new weaknesses almost daily. And we face serious questions about supply chain vulnerability, which is reminding us about how security here in the US is dependent upon the health of our internet cybersecurity. Members on our side of the aisle even had a secure briefing on the potential threats and impacts to our own devices.

  So it is important to remember that the internet is a global network – no matter how secure we make our networks, they remain vulnerable to weaknesses abroad. That is why it is essential that we have a nation strategy to deal with these threats. We also need to work with our international partners to form coalitions around cybersecurity standards and work towards harmonizing privacy and cybersecurity regulations.

  These latest privacy and security breaches in advancing cyber threats show that this problem is accelerating. But as you said, Mr. Chairman, there is also lots of opportunity for great applications, services, and devices that we all like. So it illustrates the complexity of the challenges we face. Consumers are at the center of this, and we cannot just require them to have a deeper understanding of the risk involved. We need to make sure that their devices and concerns are not just about notice and consent, but we have strong provisions here and a description that will help create a better culture.

  The best plain-language notices, the clearest opt-in consent provision, the most crystal-clear transparency doesn’t do any good when companies are being careless or willingly letting our date out the back door to third parties that have no relationship to the consumers. While the benefits of the online world are everywhere – and I truly mean that, everywhere – so must be protections of personal information that is more than just a commodity. We need to make sure that the culture of monetizing our personal data at every twist and turn is countered with the protection of people’s personal data.

  So Congress has to come to terms with this. I know that the members of this committee are working very diligently on trying to address that, and that we are working to trying to make sure that the things that happened in the 2016 election cycle also don’t happen in the 2020 cycle. But these issues of information being sold or manipulated or in trying to influence or disrupt governments – even our own hacking of our employee personal information account – show that we are vulnerable, and that we need to do more. So, the consistency of the hearings that we’ve had on this issue, I appreciate both Chairman Thune and you having these hearings about cybersecurity, about Equifax, about cyber hygiene and what we should be doing. These all, I believe, should be part of the solution. Data security for Americans means that we extend the protections and we make sure that the online world is operating in a way that we see are helping to protect consumers and individual information.

  So, Mr. Chairman, I know that you remain very dedicated to comprehensive legislation here. I do as well. Even though the challenge is high, we need to have the opportunity to craft solutions that address security and privacy for the entire life cycle of our data and collection to storage and to processing. So, hopefully today’s hearing will give us more input as to the way consumers look at this issue and what we can do to help us move forward. Thank you.

Testimony

• Ms. Helen Dixon

  Data Protection Commissioner

  Republic of Ireland
  Download Testimony (106.19 KB)

• Ms. Neema Singh Gulian

  Senior Legislative Counsel

  American Civil Liberties Union
  Download Testimony (346.82 KB)

• Mr. Jules Polonetsky

  Chief Executive Officer

  Future of Privacy Forum
  Download Testimony (230.66 KB)

• Mr. Jim Steyer

  Chief Executive Officer and Founder

  Common Sense Media
  Download Testimony (103.01 KB)