00:05This is the first of our hearings that are going to look at this virtual space.
00:10And as you all know, Senator Klobuchar and I've done a lot of work in trying to secure the American citizens' privacy in the virtual space.
00:21And as we work through this on this committee, I think that foundational to the conversations is who owns an Internet user's data and what is the scope of that ownership?
00:38Where does it begin?
00:39Where does it end?
00:40And let's just go down the line.
00:42Ms. Goodloe, starting with you.
00:45And everybody, keep it under a minute and answer that question so that we've got that for the record.
00:53Thank you for the question.
00:55Our companies provide business-to-business technologies to other companies.
00:59In many cases, their business customers own the data that they store with B2B providers.
01:05And yet, there may be personal data that individuals own as well.
01:10And those individuals should have rights to access, correct, and delete that information, no matter whether it's stored with a consumer-facing company or the business-to-business provider processing it on behalf of that consumer-facing company.
01:23Okay.
01:24Mr. Thayer.
01:26Given the lack of appropriate consent regimes, I would say that the user owns that data.
01:31Because I don't think that the way we have things set up right now, the data subject doesn't even know that they've given over some of that data.
01:38And so, at the end of the day, I think the reality is that we have to have privacy regimes in place to ensure that the ownership, to outline those particular contours.
01:49But it is 100% who owns, you own your data, and it shouldn't be the other way around.
01:55Okay.
01:57Thank you, Senator, for your question.
02:00It's a very good question.
02:01There are some nuances here, I think, that are important.
02:05First, you know, Main Street businesses, you know, understand it's the user's data.
02:11And the user has the right to correct it, delete it, remove it from their system.
02:16But there is some kinds of data, there are some kinds of data that is considered shared.
02:21And so, for example, if you make a purchase in a store, well, the store needs to keep a record of that purchase if you want to do a return or an exchange for their inventory.
02:33So, you know, is it the consumers, that this consumer made this purchase on this date, is that personal information?
02:39Yes.
02:40Is it also information the business needs and can't just get rid of?
02:44Yes.
02:44And so, I think when it comes down to ownership, we just have to understand that in modern, you know, commerce and e-commerce, you know, some information will need to be retained, but only for as long as it's necessary to retain it.
02:58And I think hopefully that answers the question.
03:01Yeah.
03:02Thank you for the question, Chair Blackburn.
03:05And we believe that we all have a fundamental right to control when our data is used and how it is collected.
03:12But individual mechanisms of consent and control don't provide a complete solution to this problem.
03:18And that's why we feel that it is so important to have rules of the road that protect people's privacy by default and align business collection and use data practices with what consumers reasonably expect.
03:32Okay.
03:32Thank you, Senator.
03:34I very much agree with Mr. Butler.
03:37Data about people should be owned by people.
03:39But at the same time, as Alan said, we don't want a world in which people are solely responsible for protecting their own privacy.
03:46That's why we need strong federal protections that don't put the onus on people, but put the onus on companies to make sure they're not abusing people's privacy.
03:53It was over a decade ago that now Senator Welch and I were in the House at Energy and Commerce Committee.
04:04I know Mr. Martino remembers all of this.
04:08And we had bipartisan legislation to establish a data privacy framework.
04:16And, of course, big tech fought it just all the way to today we still don't have it into law.
04:29So, Mr. Thayer, talk for a minute about why big tech has found it so vitally important to kill any effort to have federal online privacy.
04:40Because it's against their financial interest to actually be regulated.
04:44I mean, that's the obvious answer.
04:47But in reality, what you're pointing out, and I think everyone on this subcommittee has experienced, it doesn't matter how tailored you make your legislation.
04:57It doesn't matter how measured.
04:58They will find some reason and put something forward.
05:01If you want to do any trust reform, for instance, they'll say there's a privacy violation.
05:04If you say there's privacy, then we don't have to worry about competition.
05:08It's always this game of whack-a-mole.
05:10And so, at the end of the day, they like the way things are because it benefits them.
05:14The market is basically created for them.
05:17And so, I think this is exactly why we have strong advocates fighting for things like the Kids Online Safety Act, where you have parents begging Congress to do something.
05:28And we're seeing the harms play out right in front of us.
05:31I think at this point, we've recognized that big tech is in the emperor has no pants moment.
05:38And we're all starting to see that we absolutely need the reforms.
05:44And so, things like the Open App Markets Act are going to be very helpful to quell any of those privacy concerns.
05:49The Kids Online Safety Act, I think, will do a lot to find measure-targeted approaches that will ultimately help kids.
05:57But, again, I think that the waves are changing.
06:01And I think that I'm very hopeful.
06:04And things that I'm seeing at the DOJ, especially from the Trump administration to the Biden administration, out the gate to the new Trump administration, it seems as if everyone has identified that these companies are bad actors and they should not be trusted.
06:19So, I hope whatever advocacy I can provide would be to outline that this is really just – don't fall for the red herrings.
06:31Ultimately, the side of right is to protect consumers, and big tech has no interest in doing that.
06:38Ms. Goodloe, I want to come back to you.
06:40In your testimony, you talked about state laws and the importance of some of those state laws.
06:48I want you to define a couple of the common elements that you have seen in the state laws that could be transferred into a federal law that should be broadly supported and accepted.
07:05Thank you for the question.
07:07I think the states provide a lot of common ground for Congress to look to as it works toward federal privacy legislation.
07:14That common ground exists on things like the consumer rights that we've talked about today, rights to access, correct, delete, and port your data to another service, rights to opt out of the sale of your data, targeted advertising, certain types of profiling.
07:28And states are unanimous on recognizing there are different types of companies that handle consumers' data.
07:33One set of obligations should be assigned to controllers who decide how and why to collect a consumer's data, how to use it.
07:40And one set of obligations should be put on the processors that handle the data on behalf of controllers.
07:46I also want to take a moment to respond to something that Mr. Martino brought up about what those processors do when they employ other subprocessors.
07:55Because in many cases, what processors do is they collect a series of other subprocessors, package it together, and are able to provide it to business customers at scale.
08:05So that small businesses can enjoy the economies of scale of being able to use cutting-edge technologies.
08:13That means you're providing the same service to hundreds or thousands of business customers, and letting one object to a package of subprocessors doesn't work.
08:22That's why we haven't seen the majority of states adopt that, which could actually increase security risk to consumers when one of those subprocessors has a breach,
08:30and they have to go and ask permission to change over the data.
08:33But I think we do see broad agreement among the states about the right set of consumer rights and obligations on businesses to safeguard consumers' data
08:41and to do so effectively, along with a common enforcement system that is a regulatory-led enforcement system
08:47to ensure we have consistent expectations for companies that want to comply with privacy and security obligations.
08:54Mr. Martino, you wanted to respond?
08:57Yes.
08:57Just on the subprocessor point, and one thing to keep in mind, with the ADPPA that was the predecessor to the APRA,
09:05the way the definitions worked, a subprocessor was also defined as a processor.
09:09So once it got to a processor, there could be this endless train of data sharing that the Main Street business has no control over.
09:17Well, that might be great for efficiencies of the services that the main processor is providing.
09:23You know, there's no check on the downstream.
09:28And so that's why, you know, all that we've been pushing for was a simple notice to the Main Street business of the subprocessor you are using
09:39and the right to object.
09:41It's not like an opt-in that, you know, that they can't go to them and they can't provide these efficiencies.
09:46So that's just, I mean, an in-the-weeds point, but I think it's an important point because it's the Main Street businesses
09:52that will be held liable under most of these constructs because the same requirements aren't applying to the processors
10:00and the same enforcement mechanisms aren't applying.
10:03I'll make one last point.
10:04In the APRA, the private right of action largely applied only to what are called the controllers,
10:11but, of course, these Main Street businesses that can't really control the big tech companies.
10:15And it hardly applied to the processors and it didn't apply at all to the third parties.
10:21So I think we have to look at not just that these state laws have requirements,
10:25but who's subject to them and who's liable for those violations.
Be the first to comment