WASHINGTON, D.C. —U.S. Senator Maria Cantwell (D-WA), Chair of the Senate Committee on Commerce, Science, and Transportation will convene a hearing titled “Protecting Consumer Privacy” at 10:00 a.m. on Wednesday, September 29, 2021. This hearing will examine how to better safeguard consumer privacy rights, including by equipping the Federal Trade Commission with the resources it needs to protect consumer privacy through the creation of a privacy bureau; and the need for a comprehensive federal privacy law.
- David Vladeck, Professor and Faculty Director the Center on Privacy and Technology, Georgetown Law; former Director of the Federal Trade Commission Bureau of Consumer Protection
- Morgan Reed, President, The App Association
- Maureen Ohlhausen, Partner and Section Chair (Antitrust & Competition Law), Baker Botts; former Acting Chairman of the Federal Trade Commission
- Ashkan Soltani, Independent Researcher and Technologist; former Chief Technologist of the Federal Trade Commission
Wednesday, September 29, 2021
10:00 am EDT
Commerce Committee Hearing Room, Russell 253
WATCH LIVESTREAM: www.commerce.senate.gov
Due to current limited access to the Capitol complex, the general public is encouraged to view this hearing via the live stream. Social distancing is now lifted for vaccinated members of the press who wish to attend. The Office of the Attending Physician recommends that all individuals wear masks while in interior spaces and other individuals are present.
Chair Maria Cantwell
Senator Maria Cantwell Opening Statement
WASHINGTON, D.C. – Following is U.S. Senator Maria Cantwell’s opening statement at today’s Senate Committee on Commerce, Science, and Transportation Cantwell hearing titled, “Protecting Consumer Privacy:” Today’s hearing was the first of three hearings examining the growing urgency to protect consumer privacy and safeguard our data, as well as the need to ensure the Federal Trade Commission is equipped with the authorities and resources to fight digital harms and hold bad actors accountable for increasing privacy violations, data breaches, internet scams, ransomware assaults and other harmful data abuses.
“Good Morning. Today we are having a hearing on ‘Protecting Consumer Privacy.’ We will hear from a panel of experts, three of whom have previously been on the front lines of fighting to protect consumer privacy, at the primary agency charged with protecting consumers’ privacy and data security, the Federal Trade Commission.
“We all know the challenges of the information age..and it’s brought us new products and services. But it has also exposed and threatened consumer privacy by unnecessarily collecting, storing, selling, and exposing consumers’ most personal data to theft and harm.
“Every year, for the past five years, more than 140 million people have been affected by data breaches exposing their personal data to thieves and fraudsters. And from July 2019 through July 2020, more than 650,000 residents of my state, Washington, were victims of data breaches, including the release of their healthcare information, banking records, social security numbers, and credit card information.
“Last week, it was reported that last May, Simon Eye’s chain of optometry clinics had been data breached exposing 144,000 individuals’ sensitive medical data. This past April the personal data of over 500 million Facebook users, including phone numbers, full names, locations, and email addresses, were posted in a hacking forum. 32 million records were from the United States, providing key information with people who would want to use those in various ways. And last June, Volkswagen announced a data breach that exposed phone numbers and email addresses of 3.1 million Americans who had shopped for cars.
“So it isn't a surprise that with all this data being stolen and exposed, that more people have become victims of identity theft. Identity theft complaints have increased 375% between 2017 and 2020. The harms are causing real damage to consumers. According to a May 2021 report by the Identity Theft Resource Center, victims of identity theft are turned down for loans, unable to rent houses, they have their credit damaged, they are billed for medical services they never received, and they can't find unemployment benefits because their name was basically stolen.
“Our precise locations, fitness regimens, computer strokes, and even our friends and family networks have basically been turned into commodities. The fact is that companies collecting this information are not doing enough to safeguarding information that they collect or keep their privacy promises. Unfortunately, the Federal Trade Commission, which is tasked with preventing consumer data abuses, has not been given the resources to keep pace with this tech based economy.
“Professor Vladeck, we will hear from you, but I think you have in your opening remarks that basically now the FTC’s docket is dominated by these technology issues. The truth is that our economy has changed significantly and the Federal Trade Commission has neither the adequate resources, nor the technological expertise to adequately protect consumers from harm.
“While the commission is responsible for keeping up with the latest technology companies in the world, according to today's testimony, quote, “It has fewer than 10 employees on staff with the right technology expertise,” end quote. The FTC simply does not have the tools to fend off privacy attacks, data breaches, internet scams, and ransomware digital abuses that threaten consumers and our economy. It's not to say the FTC hasn't done some good work. But when we look at the volume of what we're facing, it's clear they’re under resourced.
“Even where the FTC has taken enforcement actions against companies, the companies continue to violate those FTC orders, which is beyond frustrating. Even though the FTC has been able to use their current authority of unfair and deceptive practices, companies like Facebook or others may gladly pay a $5 billion fine, when actually, they can still make over $70 billion a year from some of these same practices.
“So we need compliance. Compliance with existing laws, or compliance with new rulemaking, or compliance with the new privacy law will be insufficient if the FTC is not well resourced, technologically sophisticated, and the policeman on the beat of the information age.
“The U.S. Department of Commerce estimated that the digital economy accounted for 9.6% of GDP in 2019 and it grows annually at a rate of 5.2%. This means we're just going to continue to be ever-dependent on this [digital] economy. I'm not even going to spend time talking about it at length, the great effect of state actors attacking our systems. The fact that consumers are left vulnerable to these events. But the economy of today is that the digital economy generates $2 trillion annually. So it will continue to be a target.
“As the economy grows, the volume of data collected about Americans, and the amount of data that will be stored is staggering. Last Congress, I introduced the Consumer Online Privacy Act alongside my colleagues, [Senators] Schatz, Klobuchar, and Markey, that would have established a new privacy bureau at the FTC to serve as a consumer privacy watchdog. And I'm pleased that the Budget Reconciliation Act that we're now considering in both the House and the Senate, has [responded to] a call for action here by giving a billion dollars to the FTC to establish this bureau over 10 years, to hire the technologists and the data scientists needed to keep pace with these digital threats.
“I know my Republican colleagues in the Safe Data Act also called for a similar amount of money to be spent by the FTC for privacy and data security. And as such, companies like Microsoft and others have called for greater investments. Today's witnesses, I know, will also underscore this need. Two of our witnesses, Professor David Vladeck and Ms. Maureen Ohlhausen, have served in senior positions at the FTC and have been on the front lines of enforcement actions against companies that misused or neglected the security of personal data.
“We value their insights in how harm can be done, and that tools and resources are needed at the FTC to hold companies accountable. Mr. Vladeck, in your written testimony, you said the new Privacy Investment Bureau could be a real game changer. Mr. Soltani, who's going to be joining us virtually, was one of the first technology experts hired by the FTC, and I know he's been sounding the alarm for years about the need to get the right resources. More technologists so the FTC can deliver more. So I look forward to asking him questions about that.
“And Mr. Reed, I was pleased to read in your testimony, that you have a strong statement in support of first time civil penalty enforcements for the FTC in cases of privacy violations. So thank you all for being here. Thank you for all the work all of you have done on this important issue. And now I will turn it over to my friend and colleague, Senator Wicker, the Ranking Member, for his opening statement.”
Ranking Member Roger Wicker
Thank you, Senator Cantwell, for convening this hearing.
We do have a distinguished panel, and I look forward to your testimonies.
Last Congress, this committee heard from multiple stakeholders representing diverse views on how best to protect consumers’ data privacy and security in the United States. We received testimony from current and former officials from the Federal Trade Commission (FTC), representatives from the business community and academia, and privacy advocates who all testified about the vast economic and social benefits of data. They also spoke about the need for strong, clear, and consistent data protection rules for the nation’s job creators and shortcomings in our existing data privacy and security laws.
Since the full committee last convened on this topic over a year ago, the need for strong data privacy rules has become more urgent. In response to the COVID-19 pandemic, millions of Americans have shifted their normal activities to online. This has resulted in more consumer data and personal information flowing throughout the economy than ever before. Without a national data privacy law in place, Americans will continue to face a growing risk of having their personal data exposed and potentially exploited.
We are already seeing this happen, as the chair has mentioned. Earlier this year, the FTC reported that identity theft increased by almost 3,000 percent during 2020. Cyberattacks and data breaches are also on the rise. Recent news reports show an uptick in exploitative data practices by social media targeting children and teens, and there are near-daily accounts of entities misusing consumers’ personal data or attempting to process their data in discriminatory ways. These developments are deeply troubling and further highlight the need for strong data protection rules. Without these safeguards, we risk losing consumers’ trust in the internet marketplace and undermining our national security and technological leadership abroad.
Fortunately, Congress still has an opportunity to act to develop bipartisan national privacy legislation. In doing so, the United States would join more than 100 countries who already have a baseline privacy law, including China. In July, Senator Blackburn joined me in reintroducing a data privacy bill, the SAFE DATA Act, as a starting point to resume negotiations – I am encouraged that this morning the chair of this committee spoke favorably about a provision in that Act. Once again, I invite the Administration to work with Senator Cantwell and me to make a comprehensive data privacy law a reality. I call on the President to appoint someone – a specific person – among his senior staff to be a liaison to Congress on this issue and to prioritize the enactment of a data privacy law this year. This is not only essential to a thriving digital economy, but it would also demonstrate to our allies around the world a serious and sincere commitment to the value of data protection as we seek to replace the EU-US Privacy Shield, preserve transatlantic data flows, and enter into the new bilateral partnership on trade and technology.
Today’s hearing is an opportunity to discuss how to address certain issues in privacy legislation, such as data security and enforcement.
I hope our witnesses will speak to ways in which Congress can materially improve data security without imposing a costly, one-size-fits-all mandates that would ignore an entity’s unique data collection practices.
I also hope witnesses will speak to what enforcement mechanisms offer the best way to ensure that requirements in a privacy law are met and data protections are enforced. Last Congress, I proposed incorporating a narrow private right of action into bipartisan privacy legislation, and I remain open to that idea. I welcome feedback from witnesses on how a narrow private right of action could be constructed without stifling innovation and marketplace competition or leading to unjustified financial windfalls for plaintiff attorneys.
Today’s hearing is also an opportunity to discuss how to ensure the FTC is properly resourced to enforce a data privacy law. I am sure witnesses will want to discuss what additional funding, staff, and technology expertise the Commission will require to enforce the law effectively.
Finally, it is worth emphasizing that Congress, not the FTC, is responsible for developing a comprehensive national data privacy law. Only Congress can develop longstanding data protections for consumers that meaningfully safeguard their personal information. Anything short of congressional action would create significant regulatory uncertainty for businesses and confuse consumers about the scope and durability of their privacy rights.
Americans deserve to have their data protected. The time for Congress to act to pass federal data privacy legislation is now.
Witness Panel 1
David VladeckProfessor and Faculty Director the Center on Privacy and TechnologyGeorgetown Law
Morgan ReedPresidentThe App Association
Maureen OhlhausenPartner and Section Chair (Antitrust & Competition Law)Baker Botts
Ashkan SoltaniIndependent Researcher and Technologist