Sen. Dianne Feintsein (D-Calif.) made it clear Tuesday (March 12) that her state's tough privacy legislation will have to be the floor for any federal privacy legislation.
That came at a Senate Judiciary Committee hearing on that California Consumer Privacy Act (CCPA), as well as the General Data Protection Regulation adopted by the European Union last year.
Feinstein suggested the California bill should be even tougher, make more privacy control decisions opt in, rather than the opt out in which CCPA is based.
"I won't support any privacy bill that weakens the California standard," she said, and added that a federal bill would also need to include data breach notification, legislation she pointed out she has been trying to get passed since 2003.
ISPs and edge providers, and their Republican allies in Congress, have issues with the California bill as it stands, so Feinstein appeared to be drawing a line in the sand only minutes after committee chairman Lindsey Graham (R-S.C.) said he believed there was bipartisan support for learning more and doing something constructive.
Graham talked in more broad strokes about the need to educate consumers about how their information is being monetized by media companies, and the fact that while a TV station or print publisher is responsible for the information on their platforms, Web content providers have a legal carveout that gives them liability protection as so-called neutrality platforms.
Feinstein was more focused on what needed to be in any federal legislation, ticking off a list of breaches and unaccountable third-party sharing that demanded tough action.
She talked of the thermometer that collected information about where there were more fevers and selling that to Clorox so they could target disinfectant wipes. She conceded that could have pro-social benefits, but also has serious privacy implications, particularly since it involved health information. She said consumers are just becoming aware of how insecure their information is.
Witness Gabriel Weinberg of DuckDuckGo said his search engine tracks no user information, uses contextual advertising, is profitable, and is compliant with both CCPA and GDPR, so it can be done. But he still advocated for a data collection opt-out regime in privacy legislation.
Will DeVries, senior privacy counsel for Google, said his company was all for national privacy legislation, but along the following lines: 1. reasonable data collection and use. 2. transparency; 3. choice and control; 4. portability; and 5. accountability."