After months of tinkering and negotiations, the outlines of a federal privacy law are finally starting to crystallize, but lawmakers continue to quibble over the details.
Two primary proposals are now being discussed among the members of the Senate Commerce Committee, one led by Chairman Roger Wicker, R-Miss., and one by Ranking Member Maria Cantwell, D-Wash. Several other lawmakers have proposed bills aimed at more specific aspects of online privacy, like regulation of algorithms that create filter bubbles and requiring companies to clearly disclose their privacy policies.
While committee members continue to debate whether the national law should preempt state bills and if individuals should be allowed to sue companies they believe have violated their rights, there is one thing they agree on: federal privacy legislation is urgently needed.
"We have a lot of bills, but we have no federal law. I want a law," said Sen. Richard Blumenthal, D-Conn., at a hearing Wednesday aimed at discussing the proposals. "People are angry and scared more than ever before and they don't care whether it's a federal law or a state law. They want a law. And you will see state laws all around the country, hopefully they won't create too much inconsistency, but that's where we're going if we fail to act."
The committee heard from an all-female panel of witnesses at Wednesday's hearing that included representatives from Walmart and Microsoft as well as privacy law experts. Two former commissioners for the Federal Trade Commission were represented on the panel, including the Microsoft representative.
Enacting a federal privacy law has become a more urgent concern for lawmakers as California's privacy bill is set to go into effect Jan. 1. Tech companies have been among those warning that a patchwork of state laws will make it harder for consumers to understand their rights and for smaller, upstart companies to ensure they're in compliance.
Senators on both sides of the aisle said that only a bipartisan bill had a chance of passing. As Sen. Jerry Moran, R-Kan., put it, the questions comes down to: "What are we willing to accept to have something different than what we are going to have without federal legislation?"
Here are some of the key issues senators sought clarity on at Wednesday's hearing:
The inclusion of a private right of action, or the ability for individuals to take legal action against companies they think have violated their rights, has remained a point of contention between Democrats and Republicans. The Democratic proposal includes the right, while the Republican one omits it.
Sen. Dan Sullivan, R-Alaska, said that including a private right of action could allow startups to be squashed by one "frivolous" lawsuit, while larger companies are more likely to be able to take on the extra burden. Some wondered if lawsuits under such a policy would overwhelm an agency like the FTC or attorneys general offices if they are tasked with enforcing the federal law.
But Democrats have argued that the policy is necessary to ensure consumers can seek appropriate recourse for violations.
"We know that consumers should be able to protect their rights in court when state or federal agencies fail to do it for them," Blumenthal said.
Another key split between Republicans and Democrats is on whether a national bill would override state laws that have already been or would later be enacted on privacy. The Democratic bill would allow state laws to prevail, but the Republican bill would preempt them.
While Democrats have argued that allowing state laws to retain their power could lead to more innovation in those laws and greater protections, critics have argued it would create a patchwork of laws that would be confusing for customers and costly for companies, especially smaller ones that may not have compliance specialists.
"There's an opportunity here to do better here than what we're seeing at the states," said Michelle Richardson, the director of privacy and data at the Center for Democracy and Technology. Richardson said federal law could be more comprehensive than state law and ensure protections are in place in a timely manner.
Nuala O'Connor, senior vice president and chief counsel of digital citizenship at Walmart said preemption would give consumers of large businesses like hers clarity around their rights when they purchase an item online and across state lines.
Enforcement is another important element of federal privacy legislation. While the idea of an independent agency to handle privacy complaints has been floated, senators mainly discussed the idea of strengthening the Federal Trade Commission to deal with these claims. Both Wicker and Cantwell's bills grant authority and resources to the FTC, though Cantwell's is more expansive, establishing a new bureau within the department to work on digital privacy issues. Both establish victim relief funds.
Witnesses said the FTC needs more staff and resources to effectively monitor privacy claims. Julie Brill, a former FTC commissioner and current corporate vice president and deputy general counsel at Microsoft said the FTC could use about 500 people working on this, rather than the roughly 40 or so she said are currently staffed.
Maureen Ohlhausen, another former commissioner and current co-chair of the 21st Century Privacy Coalition, said it's not just about staff, but also a bigger budget to hire technical and legal experts.
Senators also asked about how they should determine the scope of the FTC's rule-making authority, or its ability to develop guidelines around the law. Brill said she "would have appreciated having rule-making authority for the entire bill, not [just] for specific sections." Richardson said she would prefer to see Congress make the primary definitions on the law and give the FTC targeted rule-making authority where there is a lack of clarity or technical advances could introduce ambiguities.
Senators are also trying to determine whether state attorneys general should be allowed to enforce the federal law, which both proposals currently allow for and many experts agreed. Executive director of the Georgetown Law Center on Privacy and Technology Laura Moy said it would be "problematic to rely on the FTC alone" to enforce the privacy law since it is already stretched thin.