
Technologist Seth Schoen holds a cell phone as it displays information, also seen on the screen behind, during a Federal Trade Commission (FTC) mobile tracking demonstration in this Associated Press file photo.


WASHINGTON • The Federal Trade Commission needs more authority to prevent data breaches that threaten consumers’ privacy and financial security, a Senate committee chairman said Wednesday.

Congress is considering legislation that would either mimic or pre-empt parts of a Colorado data privacy law that took effect in September.

The Senate Commerce, Science and Transportation Committee heard from data privacy experts at the hearing to determine how to craft the legislation.

“It is clear that we need a strong, national privacy law that provides baseline data protections, applies equally to business entities — both online and offline — and is enforced by the nation’s top privacy enforcement authority, the Federal Trade Commission,” said Sen. Roger Wicker, R-Miss., the committee’s chairman.

Colorado’s Protections for Consumer Data Privacy Act set some of the nation’s strictest standards for data protection. It requires all businesses to keep written policies on disposing of customers’ personal data. They also must notify their customers of data breaches within 30 days and notify the state attorney general if more than 500 consumers are affected. Businesses must demonstrate they have taken “reasonable” steps to protect their customers’ personal information.

Wicker provided only thin assurances that federal legislation won’t pre-empt state laws.

“It is important to note that a national framework does not mean a weaker framework than those that have already passed in the U.S. and overseas or being contemplated in the various states,” he said.

“Instead it means a pre-emptive framework that provides consumers with certainty that they will have the same set of robust data protections no matter where they are in the United States.”

One proposal would copy key parts of the European Union’s General Data Protection Regulation that took effect last May. It sets data protection obligations for businesses, similar to the Colorado law, but goes further in giving consumers choices over how their personal information is handled.

European businesses must use the highest privacy settings to avoid releasing consumers’ data without their consent. No personal information can be processed by businesses beyond single transactions without the consumers’ permission, which they can revoke at any time.

Another pace-setting law mentioned is the California Consumer Privacy Act. It gives consumers rights to know what personal information is collected, whether it is being sold or disclosed and to block the sales of their data.

“So together, the implementation of these two pieces of legislative policy, GDPR and CCPA, have brought new insights to the congressional efforts to pass meaningful privacy and data security laws,” said Sen. Maria Cantwell, D-Wash., the ranking member of the committee.

Part of the push in Congress arose from recent scandals over the unauthorized release of personal data by Facebook, Equifax and other companies.

Michael Beckerman, president of the Internet Association, said the General Data Protection Regulation can be rendered ineffective by overwhelming consumers with technical information they might not understand.

The European law “has exacerbated this problem with new requirements requiring companies to provide even more information,” he said. “It is not clear that more information benefits EU residents.”

The Internet Association is a trade group that represents more than 45 of the nation’s biggest internet companies, including Facebook.

Jon Leibowitz, co-chair of the consumer-oriented 21st Century Privacy Coalition, advocated a strong federal policy that would eliminate most discretion of states and businesses on how to protect personal information.

“Companies that collect, use or share the same type of personal information should not be subject to different privacy requirements based on how they classify themselves in the marketplace,” he said.

Differing state laws could create similar confusion, he said.

“State intervention in this quintessentially interstate issue is problematic, no matter how well-intentioned it may be,” Leibowitz said. “A proliferation of different state privacy requirements would create inconsistent privacy protections for consumers.”

U.S. Sen. Cory Gardner, a Colorado Republican, is a member of the committee but did not speak during the hearing.

But in speeches and legislation, he has sought stronger data protection. A bill he introduced in August would impose sanctions against foreign-based hackers who launch cyber attacks against the U.S.
