Will DeVries, senior privacy counsel with Google, Inc. (from left); Alastair MacTaggart, chairman of Californians for Consumer Privacy; David Hoffman, director of security policy and global privacy officer with Intel; Gabriel Weinberg, CEO and founder of DuckDuckGop and Tom Lee, policy lead with Mapbox, testify before the Senate Judiciary Committee during a GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation hearing Tuesday. (Photo: Diego M. Radzinschi/ALM) Will DeVries, senior privacy counsel with Google, Inc. (from left); Alastair Mactaggart, chairman of Californians for Consumer Privacy; David Hoffman, director of security policy and global privacy officer with Intel; Gabriel Weinberg, CEO and founder of DuckDuckGop; and Tom Lee, policy lead with Mapbox, testify before the Senate Judiciary Committee during the GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation hearing Tuesday. (Photo: Diego M. Radzinschi/ALM)

Tech privacy counsel convened in Washington, D.C.. Tuesday morning for a panel on data privacy laws and consumer control at a Senate Judiciary Committee hearing.

Google, Intel and other company representatives and privacy advocates served as panelists for the GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation hearing, which analyzed data protection laws in California and the European Union and further shaped a looming U.S. federal privacy law.

Senators and panelists debated the merits of opt-in, consent-focused data protection laws, such as the EU's General Data Protection Regulation vs. opt-out policies, as found in the California Consumer Privacy Act.

“The way one would know that they're protected is they have to be able to opt in as opposed to opt out. And I'm really concerned about that, California is opt-out,”  said Sen. Dianne Feinstein, D-Calif. “Europe is opt-in. So you've got an opt-in standard if you're a country that it's relevant to, in at least 28 countries.”

Panelist Alastair Mactaggart, chairman of the Californians for Consumer Privacy, who helped draft the CCPA, argued that opt-in requirements can cause “click fatigue” for consumers and drive users to mindlessly click “yes” on privacy notices because they feel it's the only way to access a service they need.

He and other panelists, including Mapbox policy lead Tom Lee, advocated for an opt-out feature accessible in web browsers, which would allow consumers to select a one-time button that would remove them from certain data collection processes.

“Opt-in doesn't escape the problem of mountains of fine print. … It standardizes the language to some extent, but it still puts the burden of making that decision, parsing these legal agreements on each individual user,” Lee said. “While opt-in might be appropriate in some circumstances where there's particularly sensitive data between the entities, opt-out with rules of the road that make sense is a better user experience and probably a better way to go.”

Opt-in requirements flood users with lengthy, legalese-filled privacy policies, critics of the policy feature said. Sen. Dick Durbin, D-Illinois, and Sen. John Kennedy, R-Louisiana, both pointed at the length and unclear language of sites' privacy notices and consent forms as a threat to consumers.

Will DeVries Will DeVries

Durbin said “no one reads privacy notices,” adding the burden should be on tech companies to ensure consumers are adequately informed on what they're consenting to. Kennedy questioned Google senior privacy counsel Will DeVries on the company's lengthy terms of use, which he said stretches on for more than five pages.

“You could hide a dead body in there; no one would find it, ” Kennedy said.

He wasn't the only senator who used the hearing to grill Google. Sen. Josh Hawley, R-Missouri, questioned DeVries on the Mountain View, California-based company's location tracking policies.

Hawley, the former attorney general of Missouri, claimed Google collected location history from Android phone users, even when location data services were turned off, something he said is not clearly communicated to consumers.

“ So the consumer cannot meaningfully opt out,” Hawley said.

Google, according to DeVries, only uses data from opted-out users if the information is necessary for the phone's basic functions.

As in previous hearings on a potential federal data privacy law, the topic of preemption arose. Panelists said they would support preemption in a federal law, though many noted they would only back it if California's CCPA standards were used as “the floor” for protection, not the ceiling. Feinstein said she would “not support any federal privacy bill that weakens the California standard.”

David Hoffman

Tech companies have pushed for federal preemption, in part, as a way to override California's law, which goes into effect next year. Critics have called the bill too punitive and claimed it doesn't provide a clear enough definition of personal data. Other proponents for a federal privacy law have cited the challenges of a growing number of state-level proposed privacy bills.

“The patchwork of state legislation will create significant new barriers to the innovative use of data. Only large law firms benefit from this use of data, because business owners of all sizes will need lawyers to offer products and services nationwide,” said David Hoffman, the associate general counsel and global privacy officer of Intel Corp. “These legal costs will slow small, innovative data-oriented startups.”

Correction: An earlier version misstated David Hoffman's title as director of security policy and global privacy officer of Intel. He is associate general counsel and global privacy officer.

Read More:

Dazed and Confused: Gray Areas in the Golden State's New Privacy Law

Tech Representatives, Senators Discuss Framework for US Federal Data Privacy Law

Preemption a Top Issue in Federal Data Privacy Law