WASHINGTON – California’s new law providing consumers with more protections againt data
collected by Internet and other companies highlights the need for better federal data privacy
laws, a senior Democratic lawmaker and several experts say.

Current federal laws require telecommunication carriers to protect customers’ privacy when
using a wireless cell service, but does not protect them when they use a third-party service such
as an Google or Facebook.

Extension on Section 222 CPNI Protections (Athena Liu/MNS)

And internet providers can access sensitive personal information of users, said Laura Moy, the
deputy director of the Georgetown Law Center on Privacy and Technology, at a hearing of the
House Subcommittee on Communications and Technology congressional hearing this week.
“Consumers, unfortunately, have no choice but to share this information with those providers,”
said Moy.

In 2016, the law was expanded to require voice service providers and internet providers to obtain
opt-in consent from consumers before using and disclosing sensitive customer information.
However, the Federal Communications Committee late reclassified and narrowed “service
provider” to voice telephone companies, not internet-active services.

“It was a big regulatory change, and it really narrowed the reach of privacy protections,” said
Ernesto Falcon, a legislative counsel at the Electronic Frontier Foundation, in an interview.

The implementation of Europe’s General Data Protection Regulation and the data-privacy bill
passed in California last month indicate that strong data privacy regulations are needed for
Americans, said Pennsylvania Rep. Michael Doyle, the top Democrat on the committee.

“I believe we can and must do more to protect Americans’ privacy and sensitive information,” he
said. “We in Congress and this committee need to take that to heart as we are addressing this
pressing issue.”

California’s law, passed last month, gives residents the right to be informed about what kinds of
personal data companies have collected and why it was collected, and consumers can request
deletion of personal information. The bill will have an outsized influence on the rest of the
country, said Joseph Jerome, a policy counsel at the Center for Democracy & Technology.

A quick look at California’s Consumer Privacy Act of 2018. (Athena Liu/MNS)

“The fact that this California law happens at all I think is sort of an indictment of the failure of
Congress to actually do something,” said Jerome.

All businesses should be subject to a uniform privacy framework administered by a single
federal agency for the sake of consistency to avoid anticompetitive consequences, said Hance
Haney, director of the technology and democracy project at Discovery Institute.

“The California bill may be little too burdensome,” Haney said. “I’d like to see the highest level
of protection apply to the most sensitive information and not the least.”

The requirement to get opt-in consent, which is an obligation by companies to obtain affirmative
express customer consent, is too broad, Haney said. A federal privacy bill should focus on
protecting sensitive information such as information on children, financial, and health
information, geolocation data.

But Falcon said the California law is targeted only at companies that sell customers’ personal
information to the third parties.

“To solve this problem and give the American people what they are demanding, we are going to
need a comprehensive solution that includes more resources, more manpower, more authority to
go after the bad actors, and the ability to set the rules for the road for the digital economy,” said

Subcommittee Chairwoman Rep. Marsha Blackburn said she introduced a proposal to enact
broad privacy protection last year.

“As we discuss these important issues today, we need to consider innovation and consumer
privacy needs across the entire internet ecosystem so that we can arrive at a solution that works
for everyone,” said Blackburn.