Dear Chairman Graham & Ranking Member Feinstein:

We at the R Street Institute (“R Street”) commend you and the Committee for holding this hearing on “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation.”1 Given the changing nature of the economy and recent legal developments, both abroad and among the various states, a comprehensive review of the United States’ approach to consumer privacy is both appropriate and timely.

R Street’s mission is to engage in policy research and outreach to promote free markets and limited, effective government. As part of that mission, R Street has researched and commented upon multiple policy issues relating to consumer privacy. Recent comments provided to the National Telecommunications and Information Administration aptly summarized this work.2 A full review of that work is beyond the scope of this hearing, but we offer the following points to guide the Committee’s examination of these important issues:

Only Congress can establish a uniform national privacy framework.

Motivated by recent legislation in California and elsewhere, there have been increasing calls for a national privacy framework to preempt state laws and establish uniform privacy protections throughout the United States. The Federal Trade Commission (“FTC”) has the ability to make privacy rules under its general consumer-protection rulemaking authority3—as privacy abuses are surely now “prevalent” enough to satisfy the demands of (b)(3)4—but they would merely set a floor, not a ceiling. Such rules would preempt state laws that conflict with or frustrate the purpose of the federal framework, but would likely not preempt state laws that go above and beyond the federal framework, potentially leaving consumer privacy protections inconsistent from state to state. Thus, if Congress wants to establish a national framework that preempts the field and establishes truly uniform privacy protections, it must take action.

Data privacy and competition issues are intertwined.

When properly balanced, the relationship between data privacy and competition is symbiotic— with strong consumer protections that promote fair competition and in turn promote innovation and consumer welfare. But pushing too far in either direction may generate harms that far outweigh any benefits. For example, laws like the General Data Protection Regulation in Europe may offer stronger privacy protections for consumers, but they may also impose costs on industry that are ultimately manifested in higher prices, increased consolidation and reduced innovation. Similarly, prohibiting certain data-driven business models or practices may result in higher prices and fewer choices for consumers. Thus, when considering any potential changes to the current privacy framework, Congress should recognize that data privacy and competition issues are intertwined. Protecting consumer privacy in the era of big data will require a careful balance between the two.

Existing institutions can be improved significantly.

Before making wholesale changes to the current privacy framework, Congress should first try to identify the strengths and weakness of the current approach and look for ways to make incremental improvements. For example, commenters have criticized the FTC for relying too heavily on consent decrees and failing to provide adequate guidance for industry or redress for affected consumers. Many of these criticisms could be addressed through internal process reforms and additional appropriations.5 Additional staff for the Bureau of Consumer Protection’s Privacy and Identity Protection Division would surely help, and the role of state attorneys general should not be discounted. A uniform federal framework would necessarily limit the influence that state legislatures wield over consumer privacy, but it could also utilize the resources and experience of state attorneys general to supplement and reinforce efforts at the federal level. These ideas deserve thorough consideration, as the optimal framework for consumer privacy must efficiently utilize all available resources.

Any grant of new authority should be carefully limited.

The debate over consumer privacy covers a wide variety of issues, but Congress should try to focus its review on specific harms and practices that are not adequately covered by existing law. History shows that unbounded administrative rulemaking authority can cause serious problems for both industry and consumers,6 so any grant of new authority to the FTC (or any other agency) should be carefully limited in order to minimize the potential for future abuse.

***

We again commend you for your efforts to protect consumer privacy. We look forward to working with you and the rest of the Committee as you consider potential legislation in this area.

Sincerely,

Charles Duan, Technology and Innovation Policy Director R Street Institute

Sasha Moss, Federal Government Affairs Manager R Street Institute

Tom Struble, Technology and Innovation Policy Manager R Street Institute

Jeff Westling, Technology and Innovation Policy Associate R Street Institute