Jan
26
Time4:00PM7:00PM EST LocationCTA Innovation House, Washington, DC, 20003
Events hosted by RSI AND In-Person AND Virtual

The Future of Data Privacy and Security in the 118th Congress

Speakers

Tim Kurth, Chief Counsel, Innovation, Data, and Commerce Subcommittee, House Energy & Commerce Committee – Majority

Lisa Hone, Chief Counsel, Innovation, Data, and Commerce Subcommittee, House Energy & Commerce Committee – Minority

Panel

[Moderator] Cristiano Lima, Reporter, The Washington Post

Alexandra Reeve Givens, President & CEO, Center for Democracy and Technology

Brandon Pugh, Director and Senior Fellow, Cybersecurity & Emerging Threats, R Street Institute

Cameron F. Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, Governance Studies, Center for Technology Innovation at The Brookings Institution

Transcript

Tim Kurth

Lisa Hone

Panel

Overview

In recognition of Data Privacy Day 2023, join the R Street Institute for a special event exploring the current status of data privacy and security legislation in the United States and the path forward in the 118th Congress. We saw significant interest in data privacy and security in 2022, notably with the American Data Privacy and Protection Act (ADPPA), but the United States is still without a comprehensive data privacy and security law. This directly impacts consumers, industry and national security.


Video


Transcript

(Uncorrected rush transcript, pardon errors and please see the video for accuracy.)

Tim Kurth (Chief Counsel, Innovation, Data, and Commerce Subcommittee, House Energy & Commerce Committee – Majority): 

Thank you for the invite to speak today, Brandon with R Street was a tremendous help last year on our bipartisan privacy and data security legislation. And anyone who has set foot near this issue knows the foundation that Cam Kerry has set on this policy initiative over decades. I also appreciate the input and support from Alexandra and your organization the Center for Democracy and Technology in these negotiations. They all understand the enormity of this discussion from both our economic and national security, our personal devices and the protection for our kids.

It’s a new Congress and that means new opportunities. We have a historic new chair in Cathy McMorris Rodgers, the first woman to lead the House Committee on Energy and Commerce in its 200-plus year history. Our subcommittee also has a new name to reflect the mission the chair has directed and it will now be known as the Innovation, Data and Commerce Subcommittee. We on team CMR are excited about the opportunity, I’m pleased my counterpart Lisa Hone is here today as well to work toward bipartisan successes and I look forward to working together with team Palone and our committee members.

It could be easy to look back at this year at this point and see the ADPPA did not get done. However, at the end of last year, a number of important bipartisan initiatives were enacted. Namely, the Inform Act and the RANSOMWARE Act. Inform will set a new level of transparency and accountability for the e-commerce marketplace to protect its consumers from fraud, counterfeit and stolen goods. The RANSOMWARE Act adds a new level of duties for the FTC’s Safe Web program by cooperating with int’l consumer protection agencies with a specific focus on China, Russia, North Korea and Iran.

I note these accomplishments because they are relevant to the ability of this committee to get things done and with our Senate counterparts. The inform act, led by Rep. Jan Schakowsky and co-sponsored by Rep Gus Bilirakis will be an important check on big tech and the Ransomware act, led by Bilirakis and co-sponsored by Schakowsky, reinforces the need to protect Americans data from china and other foreign threats. These principles are on display in our efforts to enact comprehensive privacy and data security legislation. Protecting data, especially our kids, promoting commerce, defending our country from threats from our adversaries. 

In the coming weeks, Chair Rodgers will be laying the foundation of our work here, by educating new members on the committee on our policies, we’ve connected with stakeholders from a range of civil society to businesses of all shapes and sizes, as we look to revisit ADPPA and build further consensus. 

One thing I’ve learned from being around the boss is she doesn’t look at a matter as one of words on paper, but rather as a mom. That means she’s very proud of the provisions in the bill to protect kids online. These are the strongest measures today at any federal or state level. For any online protections to be successful we need a strong foundation and clear national standard to guide them. I know it is on a lot of minds today as well how many state are already working on their own privacy bills. Some of these states are already in conflict with their own bills being proposed in the state legislature. That should give everyone a flavor of the sort of confusion and conflicting signals on the horizon. Add to that what happens when states are enacting their own bills in California, continuing to layer on regulations outside of the legislative providence. Regardless of what we do at the federal level, I think it’s safe to say at some point there’s also conflict with the Commerce Clause in the Constitution. I expect we’ll all become Supreme Court watchers in the case of National Pork Producers Council vs. Ross, which is the constitutional challenge to California’s Proposition 12, a ballot initiative that requires farms from outside of California to meet criteria for their pork to be sold in the state originally inside of the market. Standing out for everyone’s attention is the FTC’s extraordinarily broad rulemaking process on what Chair Conner refers to as commercial surveillance. Without Congress intervening or getting involved, this will lead to more layers and more litigation and once implemented, will certainly not provide any clarity in the state versus federal role. That will give us all a lot to think about, I would just say I staffed my then-boss who served on the Energy and Commerce committee and on financial services modernization, and then managed that bill while I was in the speaker’s office and it became the Graham-Bleach-Lilley Act. [Garbled audio.]

My point here is no state is going to wait on this, nor is any other country that wants to eat our lunch on artificial intelligence and autonomous vehicles, to find the proper balance of competitiveness and data security. Look no further than China where establishing a national privacy law and championing companies so other countries follow them with standards for where that can then lead.

Bicameral, bipartisan consumer privacy and data protection legislation is one of the most American initiatives right now. Chair Rodgers is excited to do her part to promote U.S.. leadership, ensure consumers have control over their data, and ensure kids are safe online. Thank you.

Lisa Hone (Lisa Hone, Chief Counsel, Innovation, Data, and Commerce Subcommittee, House Energy & Commerce Committee – Minority): 

Thank you so much to the R Street Institute for having me today. As Brandon mentioned, I am Chief Democratic Counsel for the Innovation, Data, and Commerce Subcommittee of the House Energy and Commerce Committee. As Tim already described, then-Chairman Pallone now Ranking Member Pallone worked closely on the American Data Privacy and Protection Act (ADPPA) with then-Ranking Member, now Chair, Rodgers. And we look forward to that bipartisan coordination continuing.

The ADPPA, which was voted out of Committee on an overwhelming and bipartisan basis, is the strongest comprehensive federal privacy legislation ever to have been through a congressional committee. Given that time is short and I know you want to get to the panel, I want to focus on five of those important aspects of the bill:

First, it creates a strong national standard that will minimize personal information [garbled] collect, process and transferred. 

Second, it gives consumers control over their data by giving them access, the right to correct, right to delete, right to import that data. 

Third, it provides tightened privacy protections for particularly sensitive data, including precise geolocation data, health care information and financial information.

Fourth, it creates really meaningful privacy protections for kids. First by prohibiting targeted advertising to anyone under the age of 17 and also by requiring affirmative consent before transferring any data for people under the age of 17. 

Fifth, it provides companies clear and consistent standards for collecting, using and sharing U.S. consumers data regardless of where in the United States a consumer resides.

If I didn’t mention your favorite aspect of the bill, I apologize. There are lots of other parts to the ADPPA and I expect the panel will get into some of them. But I Do want to thank so many people in the room and so many people online and so many other folks for their countless hours you have all put in for working with my predecessors, with Tim and his staff, with other Members and their staffs, each other, your companies, your colleagues, your associations, to help us craft a really strong bipartisan privacy bill that we can all be proud of.

The good news is and I think Tim really highlighted this. We go into this Congress with a really strong bipartisan privacy bill and I know that ranking member Pallone looks forward to working with all of you and with Chair Rodgers in continuing to push that legislation forward. So thank you again for all your work last year, and this year, on the ADPPA. 

Panel

Cristiano Lima, Reporter, Washington Post: The State of Federal Data Privacy 

I’d like to start with something Cameron wrote last June in a piece breaking down the state of play on privacy. You wrote that, “We’re in the endgame now.” Since then we saw legislation, the ADPPA, advance out of Energy and Commerce. But we did not see it reach the floor and we also saw Senate and House leaders pushing for different priorities when it comes to privacy. So I’m wondering – do you think that assessment still stands, are we in the endgame still? 

Cameron F. Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, Governance Studies, Center for Technology Innovation at The Brookings Institution: 

I think it’s important to reflect on how far we have come here. I set out more than 10 years ago to develop legislation. We have come an enormous distance since then and had really good contributions from your convening work and Brandon’s work but we really have seen a classic process of legislating that’s very unusual these days. Hearings in which members of Congress and their staffs have gotten pretty deep in these issues and accompanying that, the work by group across the spectrum from the Chamber of Commerce to civil rights groups to conservative groups is really a catalog of people like Tim Kurth and Lisa Hone and their predecessors, other committees in the Senate  have built on that, listened to that and crafted a pretty damn good bill. Really made intelligent compromises and reached a grand bargain. (Poor audio.) There’s not a lot of latitude to change where we are without unraveling everything. 

Cristiano Lima, Reporter, Washington Post: ADPPA 

What do you see as the main issues that remain unresolved  in terms of finding agreement on a privacy bill?

Alexandra Reeve Givens, President & CEO, Center for Democracy and Technology: 

I think we’re exceptionally close. Just to build on what Cam was saying, when you look at the developments that have happened: Educate lawmakers, get national attention, and help people really give the time and energy to understand this. Then there was the push to figure out what issues need to be on the table, what does a package look like? And then we went after the sticky issues: Private right of action and preemption. You and many others wrote article after article saying how are they ever going to resolve it? And they rolled up their sleeves last Congress and figured out a deal. People on each side might have thought it didn’t go far enough but that bargain had been struck and I think they got really very close to something that is – I used to work for Senator Leahy and he always said as long as everybody gets 60% of what they want (bad audio). Now it’s a question of political will. We lost time on the clock last June.

I think the open question is going to be how easily we can pick back up and that the committee now doesn’t lose progress by reopening and relitigating the really important gains that we made last year. Instead, using the moment to move the discussion forward towards the House floor, and then in the Senate.

Brandon Pugh, Director and Senior Fellow, Cybersecurity & Emerging Threats, R Street Institute: 

I largely agree with Alex. I think it is about compromise and trying to reach a consensus. No bill makes everybody happy. It’s not just one party writing this piece of legislation. We need consensus from both sides of the aisle. It’s impossible to make everybody perfectly happy. The preemption and private right of action – they are directly related. It’d be easy to do them one at a time. To Cam’s point, we need a delicate balance. I strongly believe in preemption. I think this bill needs it, I think there’s a harm to consumers, national security, by not having it. But at the same time, I believe it came with a private right of action. I think we’ve done a good job of striking that balance. The risk we run is we open it up, we start from scratch by not starting with ADPPA, I think we’re back to negotiating. Trying to strike a balance between preemption and private right of action. To Cam’s work, they’ve been trying for many years and we are so close. I’d hate to see us stop moving forward because of a couple of sticking points. I think preemption, there’s still issues to work through, to answer your question, But I’m encouraged by how far we came. I think there’s a clear path forward. 

Cameron F. Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, Governance Studies, Center for Technology Innovation at The Brookings Institution:

I would echo what Brandon said. I think some of the boundaries on advertising and how we deal with ad tech would be probably better dealt with through agency rulemaking than as set by hard and fast rules. Ad tech is an enormously complex problem, I have a glimmer of understanding but it’s highly technical and changing all the time. By the same token, advertising is also important – it is part of the lubrication of commerce. We need to be careful of unintended consequences to those free services. To me that is made to order for agency ruling. 

Cristiano Lima, Reporter, Washington Post: Comprehensive Privacy Bill vs Children’s Privacy

Alex, you touched on political will. Something we heard from Democratic Senators last Congress is, “If we can’t find an agreement on a comprehensive privacy bill, we should not wait to expand protections to children.” If lawmakers can’t reach agreement on a comprehensive bill, should they refocus that energy on expanding children’s privacy?

Alexandra Reeve Givens, President & CEO, Center for Democracy and Technology: 

There’s no question the kids issue is incredibly high priority for voters across the country and certainly for the Biden administration – president biden talked about this expressly in the last state of the union.I wouldn’t be surprised if he does it again now. For Chairman McMorris-Rodgers as well, we heard Tim talk about it just now. One of the things that CDT has cautioned about is focusing only on harms to kids, is it ignores a massive swath of the country and an opportunity we have to protect consumers across the board. So yes ,while some of those protections certainly are important, but what a hugely missed opportunity it would be if we leave vbehind all of the important security, private, civil rights protections that are part of broader legislation. I actually worry a lot about focusing just on this one subset of issues versus really driving forward this moment of comprehensive, federal privacy legislation that protects everybody in a very meaningful way.

Brandon Pugh, Director and Senior Fellow, Cybersecurity & Emerging Threats, R Street Institute:

Not to get too political and in the weeds but I am concerned if we do something purely on kids, it will take the momentum and interest out of doing something on a broader level to impact all consumers and all Americans. Yes, that is a win for privacy, but is it really? I totally support privacy protections for kids and think it’s important but all Americans need these protections. So by just singling out a small subset, we can debate the age it should start at or go up to, all Americans are at risk. TRuthfully I think the main reason, if not one main reason, is the national security side. I don’t want to drag this into focusing on one app – but it would go a long way to address concerns we have with adversarial countries. Without it, we’re unfortunately all vulnerable.

Cristiano Lima, Reporter, Washington Post: Private Right of Action & ADPPA

One of the particular concerns of ADPPA we’ve heard from Senator Democratic leaders is the delay in the private right of action, which had been four years and I believe it was lowered to two years during the markup. Wondering what you make of that and the extent to which you think the ADPPA has sufficient enforcement powers.

Alexandra Reeve Givens, President & CEO, Center for Democracy and Technology:

That switch from four to two is an important process point because it was one of the real concerns that Senator Cantwell raised as the issue was moving through the house. What we saw was the House committee turned and addressed that and let’s make the agreement and let’s cut it down. Two years I think some consumer advocates might think that’s a long time, others say well there’s time for rulemakings, for business to get their house in order before the mechanism continues. I think that’s actually an example of the legislative process working. And the people taking Senator Cantwell’s concerns seriously and really trying to address them through the House process which is one of the things that really gives me hope for how this moves forwards. A lot of her very important, substantive contributions have been heard, and acknowledged and addressed.

On the overall enforcement mechanism – the way that it works is largely by the FTC, state attorney’s general and then the individual ability to sue for many of the provisions in the bill. Is it everything that consumer advocates wanted? For consumer advocates, a private right of action is hugely important simply because the scope of this – every sector of the economy manages people’s data, the risk of harm is broad and the ability for regulatory agencies to keep up through enforcement actions is hard as well. So we need  consumers to be able to bring their own litigation to ensure that these provisions can actually be enforced. Businesses on the other hand rightly said, wait, we fear a flood of litigation, particularly in these places with evolving norms. And so again what you see is a grand bargain being struck and limitations within that private right of action that were hard fought for by Republican advocates, by businesses, to say, let’s put some limits on damages so that we’re getting constitutional damages but not punitive damages. For example, let’s have it put the FTC and state attorney’s general have the opportunity to sue before an individual brings a lawsuit and get a 60 day window where they can take over the case. And let’s make sure companies get notice before an individual can sue. Basically an opportunity to cure, that’s about 45 days under the current bill. That’s thoughtful legislation. Not everybody loves it, it involves really hard tradeoffs, but what they’re trying to do is reach this balance of having people be able to bring cases, make sure that this law is enforced, but also avoid some concerns about harm to innovation. I think again it’s another example of thoughtful compromise.

Cameron F. Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, Governance Studies, Center for Technology Innovation at The Brookings Institution:

What Alex said, a lot of the substance, I completely agree with. I think it’s important to put that in perspective of other laws. The GDPR – two years before it took any effect. Similarly the California law, the Virginia law that is going into effect all at two-year run-ups before they took effect. It does take a period of time. There are also rulemakings that would affect compliance and private rights of action. I want to underscore what she said the impact of Senator Cantwell and members of the Senate have had here. Their thinking, many of the provisions of the bill, really reflect their work. Much of what was in the bill was Cantwell’s negotiations with Senator Wicker and subsequent drafts of bills. We are in the end game. 

Cristiano Lima, Reporter, Washington Post: Privacy and Congress

What is the key to bridging some of these final differences in a way that’s going to win over some of the Senate democratic leaders that have expressed concern without losing support, particularly among House Republicans and Republicans in the Senate?

Brandon Pugh, Director and Senior Fellow, Cybersecurity & Emerging Threats, R Street Institute: 

It’s no surprise the political composition in Washington has changed. Republicans have control of the House while we have a divided Congress with Democrats in control of the Senate. I think it depends on what issue you’re looking at. If we look at preemption, that’s still an outstanding issue. There are concerns we continue to hear from California which in my personal opinion, I think that’s unfortunate, because while California has a privacy bill, the vast majority of Americans don’t have the advantage of a state bill. I hate to overuse the patchwork expression but it’s real. It’s only going to get worse. Obviously with the Speaker transition, I know Speaker Pelosi was very sympathetic to some of the concerns being brought up by California, That’s a different dynamic. I think one concern is – and I hope this isn’t the case – the House continues to do really good work on a privacy bill and I hope that interest continues on the other side. Everything we’ve seen from Senator Cruz is that he is interested in pursuing privacy. But just from a political reality is it worth putting your staff hours and time into it if it doesn’t look like it’s going anywhere? It is a compromise. There’s part of this R Street is not happy with, there’s parts I’m not happy with, I think that’s just common with most pieces of legislation.

Alexandra Reeve Givens, President & CEO, Center for Democracy and Technology: 

Re-opening the substantive provisions is likely going to (bad audio) the effort because there are so many different issues in the tech ecosystem that members have very different opinions that are worthy of debate but get very complicated very fast in terms of trying to find bipartisan agreement and places that are ripe for the legislation right now. I think we risk getting bogged down in some places that they’ve opened versus saying wow, a bird in the hand actually addresses a very wide range of data harms the voters are paying attention to, families are paying attention to, state legislators are paying attention to. This is the moment.

To me the question is less about what the substantive negotiations look like and more a question of timing and staying on the political radar.

Timing is to get started early enough to make progress and use this time. The fact we’re having panels with staff speaking early this year is a great sign. Two is the political radar and hopefully what we’ll see is the continued leadership of the two main House leads showing they want to take this up and they want to push it forward. I think we are looking at some very hard debates in this Congress and very few areas where we’re going to see Republicans and Democrats really making progress across the board, not just in privacy. But here we have an issue that people care about where we actually know what a meaningful answer can look like. So if there’s going to be the political appetite in getting members up to speed and on board and that’s what works.

Cameron F. Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, Governance Studies, Center for Technology Innovation at The Brookings Institution: 

What I’ve been saying for two or three years now. I think a lot of the ingredients are here. Groundwork has been laid. The stakeholders understand what it’s going to take to get this done. What was needed was the political will. And we saw last year the political will. That is what is needed now. I’ve already seen that Bidens’ op-ed has injected some energy in some quarters who’ve started talking more. I think some people are sitting on the sidelines. PEople aren’t going to invest unless they think it’s going to happen. But they will be there at that table if people move forward. But it’s going to take the early focused effort that Brandon and Alex have talked about.

Brandon Pugh, Director and Senior Fellow, Cybersecurity & Emerging Threats, R Street Institute: 

I can see the temptation to make this a broader bill, such as adding Section 230 or antitrust in there. I’ve already heard that – if we can make it a huge comprehensive piece of legislation … It’s hard enough to get consensus on a privacy bill. We need to keep it a privacy bill. If the other issues are important to Congress, then consider them separately. I’m not advocating for that but I think at least getting a win on privacy is key. I think it’s also important to keep the privacy-specific provisions in ADPPA. I think there’s a temptation to do more on biometrics and algorithms – not to say they don’t have privacy components – but there is a point where you cross the line and they become less about privacy and more about a tech piece of legislation. 

Cristiano Lima, Reporter, Washington Post: New Congress and Privacy

We’ve touched on that control of the House has shifted. A new speaker that has expressed support for a single, national standard. Senator Cruz stepping into the ranking role on Senate Commerce. How do you foresee those shifting dynamics playing out in the negotiations and what should we be looking for?

Brandon Pugh, Director and Senior Fellow, Cybersecurity & Emerging Threats, R Street Institute: 

I was very curious to see where the new Speaker would fall on privacy legislation. I went back to when he was first elected to Congress and track everything he’d done and what he’d said on privacy in dozens of speeches. It wasn’t that far back, his comments from a few years ago, that privacy is important and specifically we need preemption. I agree with that approach. I was also thrilled to see that as Republicans took the House that this was one of their priority items. I don’t want to say this is happening tomorrow or a committee vote next week and a House vote within a month. I have some degree of reality. But everything I’ve seen shows that Republicans are interested in reality, and I think that’s key, and showing that this isn’t just a Republican bill or a Democrat bill. Everybody in the audience watching that has a constituency, you should be expressing this to them. I think from Republicans especially, and this is something I truly value, is the national security and cybersecurity component to this. Some people say there isn’t any difference between cybersecurity and privacy and you’re conflating the two, and I Realize that, but we can’t diminish the fact that without rules of the road on how we’re collecting data, who’s getting it, how they’re using it, there’s nothing stopping an adversary or a bad actor – a bad company – we have many great companies regardless of size in this country, but other really bad ones, regardless of size, and I think that’s the reason we need this. I think that specifically touching on security and national security has not been part of the debate minus a few niche issues. I’m hopeful that the narrative will continue.

Alexandra Reeve Givens, President & CEO, Center for Democracy and Technology: 

I think another piece another piece that Tim mentioned in his remarks is how this might be part of the competitive conversation and the reality that right now we have ceded our leadership on the global stage on these really important questions of how technology can be regulated in a way that promotes innovation but can also make sure that technology works for people. In the absence of that, what we’re seeing is other regions around the world stepping in making their own measures, but then also the US.. doesn’t have an equal seat at the table. We’re seeing things like the cross-border data flows coming out of Europe, for example, and the US.. doesn’t have a good answer unless we show that we can have strong federal leadership to protect people’s rights. There’s a real opportunity here for the U.S. to get that balance right, to lean into it, and show our leadership on this.

Brandon Pugh, Director and Senior Fellow, Cybersecurity & Emerging Threats, R Street Institute: 

Even China has a privacy bill. It forces American companies to follow bills like GDPR and China, which GDPR, there are positive aspects, but at the end of the day it’s not an American bill. There are better approaches to Alex’s point. We’re forced to follow things like that absent action. I was glad to hear Tim mention China specifically.

Cristiano Lima, Reporter, Washington Post: President Biden on Tech Policy

Cam, you touched on the recent op-ed by President Biden. One of the areas he touched on was data privacy. One thing that jumped out to me is he thought that Congress should “limit targeted advertising and ban it altogether for children.” ADPPA has restrictions around targeted advertising to children but I thought that limiting ad targeting more broadly, wondering what you made of those remarks and to what extent you think the proposals that are on the table address the concerns raised by the President.

Cameron F. Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, Governance Studies, Center for Technology Innovation at The Brookings Institution:

I think essentially the biden op-ed was describing the ADPPA. It has a ban on targeted advertising toward children. It has changes in the rules for targeted advertising, primarily in the first-party context, so if you have a direct relationship with a company, versus using other third party cookies or other ways of delivering ads. It would significantly restrict behavioral advertising. The provisions I was talking about when I see rulemaking to adjust some of the questions of what uses of sensitive data might be permissible for certain kinds of advertising and to what extent do you restrict behavioral advertising? So much of this is contextual. That’s one of the big challenges of privacy. Creating a set of rules that maybe allow for a little bit more of contextual variation could be useful to consumers, useful to the ecosystem, useful to obligations to research, etc. 

Cristiano Lima, Reporter, Washington Post: President Biden on Tech Policy

Other thoughts on whether the proposals on the table address the concerns from President Biden specifically? 

Alexandra Reeve Givens, President & CEO, Center for Democracy and Technology: 

I think I was encouraged by all of that, and of the order of priorities in the op-ed and privacy was first, which is notable. It’s great to see the administration leaning into this as an opportunity and  think if they are looking for areas of bipartisan compromise, this is one where they could actually deliver that could be a win for all sides. I think that is really important. The advertising conversation is a rich one to have because there are some people raising concerns about the bill saying, “This is the death knell of all advertising. What is going to happen to the free and open internet? How do we think about what this is going to look like going forward?” That’s just another area where it’s really important that we have a robust conversation about what the bill will and won’t do. And what consumers can expect of advertising in 2023 and hope the rules of the road will be going forward. Then I think the reality is that users, when they understand the extreme level fo targeting that can happen and is used right now in the advertising ecosystem. They’re upset. There’s a reason why states across the country are talking about this. There’s a reason why governments around the globe are talking about this issue too. But I think what’s really important is that one can have ads, you can have limits on behavioral advertising, you can restrict the long term sharing and storage of highly-sensitive information and still have an ecosystem where people see ads. It existed for decades before we moved into the current world we have of extreme targeting. One of the things that I think about – advertisers are one of the most innovative sectors of the economy and they have been for a long time. So what does the future of advertising look like? It’s creative use of contextual ads, it’s thinking more about what users are choosing and how they’re signaling their own preferences. I think it’s a really important creative dialogue to be had that doesn’t need to sound the death knell about how the advertising system operates. I believe very much that we have to keep having free online services. My organization focuses on this all the time – about access to information. But creating this false binary between strong user privacy protections and open, accessible, affordable web is really a false distinction that we need to shut down. 

Cameron F. Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, Governance Studies, Center for Technology Innovation at The Brookings Institution: 

I want to be clear. While I see valid important uses in advertising, I have been saying to advertisers for several years now, the system is broken and they need to understand that advertising needs to change. The information ecosystems in advertising are extraordinarily leaky. From the app development APIs, software developer kits, to the ad-tech platforms the way advertising is tracked and shared across the ecosystem enables that and the purchase and sale of data, in particular, is responsible for an awful lot of our information being out there in the wild. So that needs to change. But we need to recognize some of the legitimate uses of those functions, too. 

Brandon Pugh, Director and Senior Fellow, Cybersecurity & Emerging Threats, R Street Institute: 

I’ll start with President Biden’s op-ed and then talk about advertising. There’s parts I liked, and also parts I was concerned with. I was thrilled to see the president place emphasis on privacy. I think we all agree with the privacy aspect. I wish the call for privacy had been months ago. I think it would have helped the ADPPA, some were looking for the president to take a stronger stance last Congress. The concerns are I think some of the positive value of adding privacy were overshadowed by adding other controversial measures like content moderation, antitrust, i don’t think that helped. I think it’d be better off to take a stronger stance on privacy. Secondly, I also don’t think the characterization that the “Big Tech” focus – I’m not saying all big companies are the best actors but it’s not restricted to size. We see many privacy harms from companies of all sizes. Just solely focusing on the largest companies didn’t help the dialogue at all. Not saying there aren’t harms, no matter how big the company is, but it’s a pervasive issue that comprehensive privacy legislation would help solve.

Cristiano Lima, Reporter, Washington Post: ADPPA

A lot of the rhetoric around data privacy is around reigning in big tech. But a lot of these proposals would impact (garbled audio). One interesting way that I think we’ve seen that play out in the privacy discussion is seeing some heightened obligations for larger internet services. So in ADPPA there’s a tiered-knowledge standard that has heightened requirements for larger services. What do you think of that approach in ADPPA and more broadly?

Cameron F. Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, Governance Studies, Center for Technology Innovation at The Brookings Institution: 

I think that was the right approach. I think it’s important to remember that in this day and age that almost every company is a tech company in its own mind and using data in some form. The ADPPA would include analog data that still exists. I think it is important to graduate the obligations and that was an important element to a smaller grand bargain when, going on three years ago, laid out some of the contours of compromise on preemption, on private right of action and on other issues was to have tiered obligations. To have a baseline. Everybody is subject to this act. Everybody has some basic privacy obligations, data minimization, security. But that as you get bigger, those can scale up. But recognizing that at the lower levels, there are compliance burdens that result in this. So they should be different. (Garbled audio.) It’s an appropriate and calibrated way to deal with these issues. 

Alexandra Reeve Givens, President & CEO, Center for Democracy and Technology: 

I think that’s exactly right. One of the things to think about is certainly people can worry about the harm by big platforms and that’s a big area of focus, but often small players are incentivized to have data practices that involve the widespread sale of people’s data because it’s an early pathway to monetization. This is why we need baseline rules of the road. I think one of the most famous examples that gets talked about is the flashlight app on people’s phone – but what was the monetization model? It was selling people’s very precise geolocation data because they have that app now installed. That is the exact type of thing that causes users extreme surprise when they learn about it, shock and anger, and it’s this type of behavior we need to see the industry move away from. I think it is important to have baseline expectations no matter your size but then to calibrate some of the higher burdens accordingly.

Brandon Pugh, Director and Senior Fellow, Cybersecurity & Emerging Threats, R Street Institute:

Just to reiterate what Alex said in terms of size. Some of these harms are size dependent. SOme of our most egregious privacy violations have come from the smallest of small firms, like the small data brokers. This would take us into a whole different panel of conversation but they might have only one or two people that work there but they have super sensitive data and they’re exploiting it and sending it to adversarial countries. They’re targeting very sensitive members in our population, whether its members of the military or intelligence community. It’s happening unfortunately and I would caution that. At the same time, we need to make sure we do care about small-medium sized businesses because the small companies won’t have the resources to comply that a large company would have. We don’t like to overuse expressions – but we don’t want every Main Street mom and pop convenience store that doesn’t college much data being subject to everything in ADPPA. I think there’s a good balance there. There are small business exceptions and I think that’s important. 

Cristiano Lima, Reporter, Washington Post: Privacy and Civil Rights

NTIA recently put out a request for comment on the intersection of privacy, civil rights, and equity. What do you see as some of the underlying principles needed in legislation to safeguard those pieces?

Cameron F. Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, Governance Studies, Center for Technology Innovation at The Brookings Institution: 

I think the ADPPA makes a good start. First, it has a civil rights provision. That is a groundbreaking element and something that distinguishes it from the California law and from other state laws. It is one way it moves beyond GDPR or other laws around the world is the focus increasingly on technologies and the impact of technology and algorithms. I think the NTIA process will help us inform our understanding of how our nation operates. The OSTP put out the AI bill of rights blueprint but a lot of the real content there is in the fact sheet where it talks about various agencies, the CFPB and how others to look at discrimination in a very specific context, look at the operation of algorithm there. I Think the ADPPA starts us down that right and it has provisions that will help improve the understanding of algorithms both within the organizations deploying them but also more broadly across society. 

Alexandra Reeve Givens, President & CEO, Center for Democracy and Technology:

Cam speaks to a really important value-add as to what the NTIA process is going to do because correctly, ADPPA has provisions on this but this is actually about a lot more than just legislation in a huge effort to protect against discriminatory uses of data. It is educating regulators about how the current civil rights laws apply to online behavior and then educating decision makers, whether employers, product developers, companies about what potential harms might be and how to mitigate them. That’s some of the effort we see happening, Cam mentioned some of the agencies that are focused on this right now. CFPB is one, Housing and Urban Development just had their settlement with Meta, the final details of which were released a few weeks ago. The Equal Employment Opportunity Commission is doing a ton of work on this. That’s an all of the above strategy that we need because it’s not just about  new legislation – though I think those provisions are hugely important – but also just helping a broader swath of people understand what the harms are and the role that they can play in helping to mitigate them. So the NTIA process is going to be really useful in just surfacing more of those examples, surfacing what’s in the existing legal frameworks, how they speak to that, and then helping people understand the role they need to play in mitigating them.

Brandon Pugh, Director and Senior Fellow, Cybersecurity & Emerging Threats, R Street Institute: 

Naturally, I’m not a fan of heavy agency involvement. So far, in NTIA’s defense, it does look like it does look like it will just be a report – but if we extend it to what the FTC is considering doing, it would be a rulemaking that would theoretically (garbled) large parts of our economy. (Garbled audio.) I do think this is a real opportunity for Congress to drive forward and show what privacy should be. At the same time, giving clearly defined lanes for agencies to act. ADPPA clearly says where FTC should do rulemaking, where they should be active, where they should create new lawsuits. Cam is more of an expert on the FTC than I am but I would prefer Congress set the policy, set the direction, then have agencies come back and support – rather than taking a proactive approach in trying to reconfigure privacy, absent anything being done by Congress. 

Cristiano Lima, Reporter, Washington Post: State privacy bills 

States are moving ahead on data privacy while negotiations on Capitol Hill are ongoing. There’s already been dozens of privacy bills introduced across the country this year – some are comprehensive, but there’s also more targeted bills dealing with health data, data brokers, children’s privacy. How do you expect – beyond this idea of a patchwork putting pressure on Congress to act – how do more targeted proposals potentially being passed around the country potentially impact negotiations around preemption, and privacy?

Brandon Pugh, Director and Senior Fellow, Cybersecurity & Emerging Threats, R Street Institute: 

This year is going to be interesting. We had five state laws stated, one new one and one updated one. Three more are coming about. I think that’s only going to continue. In terms of more specific legislation, it depends on the topic. Whether it’s kids vs biometrics, or some of the bills going after data brokers. I think it’s better to take a federal approach no matter what the niche area because ADPPA largely addresses most of that…. I do understand the hesitation from the legislature thinking Congress was going to act and when they didn’t act, they’ve revamped these efforts. I understand that there’s a strong emphasis on helping your state residents, but my natural preference is to see it come from Congress first.

Cameron F. Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, Governance Studies, Center for Technology Innovation at The Brookings Institution: 

I think one of the reasons for the activity you are talking about flows from people looking at the ADPPA falling short last Congress. Some state legislatures that were looking at what was happening on the Hill and thinking, ‘Okay, they got it.’ My home state of Massachusetts for example, there’s been a bill pending for several years running, and the legislator who filed that has now introduced a bill based upon the ADPPA. I fully anticipate that that will get a hearing and could advance. I think all of this will complicate not just the compliance issues, the patchwork issue, but politics. We have the California delegation saying, ‘“Wait, wait, wait.” … 

Cristiano Lima, Reporter, Washington Post: 

The last question is a “fill in the blank question.” The U.S. will have a federal privacy law by _____. 

Cameron F. Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, Governance Studies, Center for Technology Innovation at The Brookings Institution: 

I’ve answered questions like that too many times and been proved wrong. I sustain my optimism that we can get this done but I’m not going to answer the question.

Alexandra Reeve Givens, President & CEO, Center for Democracy and Technology: 

I’m flipping your question to the question of should. This is the moment where we are in this spot of having good agreement, finding areas of bipartisan compromise, and where we’re in this delicate moment with the states where if it hangs out for longer, more people are going to operate to fill in the void…I don’t know if it will happen and I hope it will. This is the year to see action.

Brandon Pugh, Director and Senior Fellow, Cybersecurity & Emerging Threats, R Street Institute: 

I think the takeaway for everybody here listening is we can’t let the pressure and momentum on this go away. If you’re involved in this space, continue to push it forward. Educate new members. There are so many competing issues in D.C. We need to do something now. I think this is something we need to push forward.

Q&A

(See video.)