Washington—Senate Judiciary Committee Ranking Member Dianne Feinstein (D-Calif.) today spoke at a hearing on the need to secure consumers’ personal data from breaches and cyberattacks and reiterated her support for the California Consumer Privacy Act.
“I want to be clear, I think protecting individual privacy is critical and we must do all we can to give people control over their data. The two laws that we’re reviewing today are the European Union’s General Data Protection Regulation and California’s Consumer Privacy Act.
Our goal in this hearing should be to understand what impact these laws are having and how well they’re protecting our consumers. It’s useful to remember, I think, what has brought us to this point.
In the past few years, hundreds of millions of consumers have had their sensitive personal data stolen as a result of data breaches. The Equifax breach in 2018 compromised data for 146 million individuals. The Yahoo! breach in 2014 and the Marriott/Starwood breach in 2018 each affected half a billion people worldwide.
Consumers are now just becoming aware of just how insecure our personal information is with the expansion of smartphones, online services and even appliances in our homes and offices that we regularly use.
For example, programs on smartphones can use geographic information to figure out where we are at any given moment and then sell it to nearby retailers and restaurants, vying for business, that want to promote coupons and discounts to entice individuals to buy from them. This can be a good thing – if it's done with the approval of the consumer.
Last year, the New York Times revealed that there is now a thermometer to collect fever and symptom information from families and then sell that user data, and it was sold to Clorox. Clorox identified which zip codes were showing increases in fevers, and directed more ads for products like disinfecting wipes to those areas.
While this kind of targeting may have a benefit for consumers, it also has serious implications for personal privacy – especially when the data involves medical information. The reason this was in the news at all is that it crosses a murky line on how we reasonably expect online services to use very sensitive information that we entrust to them.
I represent the state of California, birthplace to some of the most innovative companies in the world at the heart of the Internet revolution. California, though, is also home to some of the most heavily criticized companies for their collection of personal data. And as a result, California is home to the strongest state privacy law in the nation. In fact, one of our panelists, Alastair Mactaggart, seated before us today, assisted with the drafting of this law.
Europe’s law went into effect last year, impacting virtually every company of any size operating in Europe. Companies are also gearing up to comply with California’s law which will go into effect next year, and that must happen.
There has been some pushback against these laws with companies saying the requirements are too cumbersome to comply with and the penalties too stiff for even unintentional violations.
In addition, some complain that the opt-in consent requirements in the European law result in confusion to consumers.
Others have complained that California's law is too narrow and does not go far enough to limit abuses by companies that collect data from the consumer directly.
Let me say again, it’s my belief that individuals should have as much control as possible over their personal data. I commend the California law for protecting most California residents.
But I also believe affirmative opt-in consent should be the standard, and that’s a position I have taken for years – not opt-out.
Companies should also be required to protect their customers’ personal data with a heightened degree of care, and should be held responsible should that data directly or through cyber breach end up in the wrong hands.
I will not support any federal privacy bill that weakens the California standard. I also believe that any federal legislation should include data breach notification requirements. I have had legislation on this issue – Mr. Chairman, going back to 2003, and we can’t get it through – and that’s notifying people when their data is breached.
Consumer data privacy is a fundamental issue facing all of us. I welcome the discussion from our panelists to hear about their views on the pros and cons of these laws.
And Mr. Chairman, I want to thank you for this hearing and having the Judiciary Committee begin to hear more about this important topic. You know, as all of the high tech spreads, the protection for people’s rights increases – and medical data protection, I think, heads the list. Thank you very much.”