Nuala O'Connor, SVP and chief counsel of Digital Citizenship at Walmart, bought a candle for her sister on Walmart.com. The simple transaction, she said to the U.S. Senate Committee on Commerce, Science and Transportation last week, was a privacy conundrum.
She made the purchase using a phone number with a New York area code, though she resides in Maryland. O'Connor was unsure which of Walmart's warehouses shipped the candle, but the company is based in Bentonville, Arkansas and its e-commerce service largely functions from California.
"Which state law applies to that transaction?" she asked the committee. "A comprehensive federal standard is the right answer for the American citizen."
Industry sits in a data privacy law purgatory, with fears of patchwork state laws complicating regulation, compliance and consumer satisfaction. While the committee witnesses collectively agreed a federal data privacy law is overdue, the means to that end vary.
California came first
With emerging state data privacy laws, companies walk a fine line between state borders. State laws leave the potential for "hundreds of definitions for similar behaviors," said Maureen Ohlhausen, co-chair of 21st Century Privacy Coalition, during the hearing.
California will enact the California Consumer Privacy Act in less than a month. Draft rules were unveiled in October, including broad-sweeping regulations for those who require compliance.
"We are scrambling to be ready for the Jan. 1 compliance date at Walmart in California," said O'Connor.
As more state data privacy laws hatch, keeping up with consumer expectations will be challenging.
Microsoft, in response to the draft rules, said it would apply the CCPA to every U.S. customer. Microsoft's broad application demonstrates its "commitment in the absence of Congressional action," said Julie Brill, corporate VP and chief privacy officer at Microsoft, in the November announcement.
"We have a lot of bills but we have no federal law," said Senator Richard Blumenthal, D-CT, during the hearing.
"People are angry and scared," he said. "They don't care whether it's a federal law or state law. They want a law."
Too much of the responsibility of data privacy falls on the consumer, said Brill, who also testified at the hearing. "Consumer trust hangs in the balance." Consumers want to know:
Who is using the data?
"Cloud computing has transformed how we work … entire industries have been reinvented," said Brill. Opportunities rely on collecting data, which includes "deeply personal" information.
While Brill promotes industry use of data to continue innovation, she recognizes the "profound implications" of its use.
Industry is hyper-sensitive to government regulation. About 20 years ago, Bill Gates essentially told Congress to leave innovators alone. Regulation does have the potential of stifling innovation. Ohlhausen said the impact on innovation isn't theoretical.
GDPR compliance studies show that small- to medium-sized enterprises unable to comply "withdrew from the market," said Ohlhausen. Companies with healthy resources, such as Microsoft, have an advantage when privacy rules change.
Logistics of enforcement
The U.S. is lagging behind the rest of the world in terms of regulating data privacy. The U.S. needs enforcement from a "central regulator," like the Federal Trade Commission (FTC), an agency where Brill previously served as commissioner.
The FTC has been clamoring for more authority to "aggressively" pursue data privacy or security violations. The agency had a historic taste of authority when it handed down a $5 billion fine to Facebook following the Cambridge Analytica scandal, in which Facebook deceived users about the extent of control they had over their data.
However, the agency isn't a central authority. The FTC is limited by Section 5 of the FTC Act, which bars the FTC from imposing civil penalties on first-time offenders. Section 5 also prevents the agency from penalizing non-profits and common carriers.
Relying on the FTC as the central enforcement body could be problematic because "we're talking about an agency [which] really only has 40 people working on these issues," said Laura Moy, executive director and associate professor of law at Georgetown Law Center on Privacy and Technology, during the hearing.
The California state attorney general is equipped with a reasonable staff, but can only bring three to four privacy prosecutions annually.
"We're going to need a greater force multiplier than that," said Moy.
Means to an end
The complexity of existing policies clouds consumers' understanding of their privacy rights. "The idea that you're daily going to opt out of the world is preposterous," said Senator Brian Schatz, D-HI, during the hearing.
A federal law has the potential to mitigate confusion and force companies to clearly outline policies beyond the fine print at the bottom of a webpage.
Most companies provide consumer data to third parties, Senator Maria Cantwell, D-WA, said at the hearing. Though companies outline the relationship with third parties in their privacy policies, she argued for a more explicit description, including what data is shared and with whom.
The CCPA allows consumers to opt out of third party sharing, but focusing on just third party sharing is not "business model neutral" and will have unintended, "severe" effects, said Brill.
Blumenthal argued existing state privacy laws, like California and Illinois' private right of action laws, should be supplemented. Brill said a federal law "focused on consumer redress" is needed, but all the "mechanisms" existing across state laws shouldn't be added on.
Microsoft, like other companies, has an interest in sculpting a federal privacy law. Congress needs industry input, though it remains wary of the private sector's interests. Unlike Microsoft, which is purely a technology vendor, its competitors — Amazon and Google — have business outside the technology arena and more motive to protect their use of consumer data.
Collectively, the witnesses and committee members agreed the onus of data responsibility should be on companies, not consumers. Moy wants to see a law with "rulemaking authority for harmful data practices," to account for future use cases of data unforeseen in 2019. Brill suggested the FTC rulemaking authority also give guidance to companies requiring compliance.