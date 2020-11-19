Former members of the U.S. Federal Trade Commission across the political spectrum urged Congress on Sept. 23 to develop a federal privacy law that emboldens the agency and preserves existing privacy protections.

Four former commissioners of the FTC, which focuses on consumer protection and competition policy, testified before the U.S. Senate Committee on Commerce, Science and Transportation about ideas for a federal privacy law. The committee is revisiting the idea of a bipartisan, comprehensive law in the wake of high profile privacy breaches at major online platforms. Despite optimism in the wake of the Cambridge Analytica scandal around lawmakers' ability to reach a consensus on a federal law, no proposal has emerged in Congress with strong bipartisan support.

Maureen Ohlhausen, a Republican who once served as acting chair at the agency, said in prepared testimony that Congress "must develop a law that guarantees strong privacy rights to consumers and adopts best practices from state laws, while creating uniformity across the nation."

Among the ways Ohlhausen believes Congress should embolden the FTC is to give it the ability to fine companies for first-time violations of a new, comprehensive privacy law.

Current Republican FTC Chair Joseph Simons has repeatedly urged Congress to provide the agency with the ability to fine companies for privacy violations on first-time offenses. Currently, the agency does not have the authority to issue civil penalties for first-time offenders, in most instances.

When the agency announced its $5 billion fine against Facebook Inc. for privacy violations in 2019, Simons told reporters that the settlement sent a message to Congress that the agency could use expanded privacy authority under new comprehensive legislation. The FTC was only able to levy the fine against Facebook because the social media company was already under a 2012 order related to Facebook's user data practices.

One point of contention between Republicans and Democrats in the past has been whether a federal privacy law would or should preempt state laws.

The California Consumer Privacy Act, or CCPA, implemented a range of new privacy requirements compelling companies across industries — including major tech companies, such as Facebook and Alphabet Inc.'s Google LLC — to give consumers more access and control over their data.

Among other provisions, the CCPA gives consumers the right to opt out of having a business sell their personal information to a third party. The law also lets them know why a company wants to collect their data, among other provisions.

Enforcement of the law began July 1.

Ohlhausen supports preemption but said it "should not mean weakening protections for consumers."

Similarly, former Democratic Chairman Jon Leibowitz testified that if he thought that a federal law would be weaker than California's new privacy law, then he would be concerned about preempting state laws.

Sen. Roger Wicker, R-Miss., who chairs the Senate Commerce Committee, told Leibowitz he agreed that he would be concerned about preempting state laws if a federal law were weaker than the CCPA.

Wicker introduced a data privacy bill in May, but the proposed legislation was only co-sponsored by Republicans and does not appear to have bipartisan support.

California's Democratic Attorney General, Xavier Becerra, who is overseeing enforcement of the state's new law, offered the committee his perspective on ways Congress could improve on the CCPA. One suggestion he had was for a private right of action to "complement and fortify" the work of state enforcers.

A private right of action can give private citizens the right to sue, rather than the government.

"Consumers need the authority to pursue remedies themselves," he said.

William Kovacic, a former Republican chairman of the agency, also made an appeal to assert U.S. values in his plea to Congress to pass a federal privacy law. He said if Congress does not adopt a national privacy law, "we will get a national privacy policy, it will be called the GDPR [General Data Protection Regulation] … supplemented by the CCPA."

The GDPR is a privacy law passed by the European Union in 2016. Among other provisions, it requires companies to receive unambiguous consent from a user before collecting or processing the user's personal data, and it instructs companies to alert users of certain types of data breaches within 72 hours of learning of the occurrence. Companies found in noncompliance can face steep fines.

"Do we want our national privacy policy to be the product of a decision made … without contribution of the national legislature to formulate our own collective judgment?" said Kovacic.