Privacy Hearings Raise More Questions Than Answers

October 15, 2018

On October 10th the Senate Commerce Committee convened the second in a series of hearings entitled “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act.” The hearing, while focusing on the new privacy laws and regulations in Europe and California, also allowed the committee to hear from privacy advocates about the protections consumers should be afforded by future privacy legislation created by Congress.

Unfortunately, while a number of key questions were raised in the hearing, some of the witness’s answers tended to obscure rather than clarify the realities of existing privacy laws. Senator Moran (R-KS) and Senator Wicker (R-MS), for example, asked penetrating questions of Dr. Andrea Jelinek, the Chair of the EU Data Protection Board, about the impacts of the General Data Protection Regulation (GDPR) on competition and in particular new and small businesses.

Dr. Jelinek stated that she believed that the GDPR was having positive effects due to the fact that companies, large and small, only had to respond to a single set of regulations rather than 28 different entities’ rules across Europe and that by setting clear privacy parameters companies could build in privacy by design from their inception. What Dr. Jelinek conveniently ignored, however, is that privacy regimes like the GDPR that are dependent on opt-in consent for personal data collection provide enormous advantages to incumbent and well-known companies versus new entrants and smaller entities. Why will consumers opt-in to companies with which they have little or no experience?

Would Google, Yahoo, Amazon or Facebook, all of whom were literally launched from home garages, small offices or even college dorm rooms, have been able to get opt-in consent when they tried to launch and enter the digital market? If not, clearly the present data marketplace would now be dramatically altered. Google, Yahoo, Amazon and Facebook’s names obviously do not signal their business activities, and when they got started they did not have the financial wherewithal to advertise broadly to alert consumers of their products or their services. Nevertheless, due to ease of entry into the internet ecosystem at that time they flourished. Would that now be true today? Therefore, as we consider federal privacy legislation, these types of critical marketplace competition issues need to be carefully examined and considered.

Alastair MacTaggert, who played a key role in fostering the passage of the California Consumer Protection Act, also testified and tried to diminish the potential role that the CCPA might have on small business and the competitive marketplace. He stated that the Act would not impact small businesses because it only covered companies with “gross receipts of $25 million or more.” Many companies with gross receipts of $25 million dollars, particularly if they do not have substantial or any net revenue, however, would certainly consider themselves small businesses.

Far more importantly, the CCPA also covers any company that buys, receives, or sells the personal information of 50,000 “consumers, households or devices,” which would include IP or email addresses. In fact, the CCPA defines “personal information” extraordinarily broadly to include an exhaustive list of specific categories, but, in addition, would cover any information “that is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” It is hard to imagine many types of data that would fall outside the encompassing sweep of this definition.

Once a company is covered under the CCPA (early estimates project that as many as 550,000 companies will be swept immediately under its jurisdiction), this will impose on them numerous major compliance costs and greatly expand their risk of facing private rights of action lawsuits. Again, while this will impose major financial burdens on all companies, it will fall disproportionately hard on new and smaller entities creating competitive marketplace problems.

These are just some of the manifold serious issues that the GDPR and the CCPA have raised. We will analyze many others in subsequent blogs. It is essential, however, as the federal government considers more encompassing federal privacy and data security laws, that the existing regulatory regimes in this area get very carefully examined in order that we avoid some of the significant pitfalls that are already becoming all too evident.

You must be logged in to submit a comment.