Christine Wilson testifies before the Senate Committee on Commerce, Science, and Transportation to be a commissioner on the Federal Trade Commission on Feb. 14, 2018. Photo by Diego Radzinschi

Christine Wilson, a commissioner at the Federal Trade Commission in Washington, D.C., said in a fireside chat hosted by the Regulatory Transparency Project on Monday that Congress should continue to work toward a federal privacy bill that preempts state law.

The discussion was moderated by Svetlana Gans, vice president and associate general counsel at the NCTA – The Internet and Television Association. Wilson said the FTC has been calling on Congress to pass federal privacy legislation for years. A law governing how data can be used would have been helpful during the current pandemic as companies and governments work to track location and health care data, she said.

"It would have been incredibly helpful to have federal privacy legislation in place as we are navigating these new and incredibly complex issues," Wilson, who previously served as in-house counsel at Delta Air Lines Inc., said.

Because of the many complex issues surrounding the use of data, Wilson said that any federal data privacy law should get rid of the idea of consent for how data is used and instead place the burden on businesses to use consumer information responsibly.

"I think that consumers do not understand all of the data that is collected and how it is used, monetized, shared and handed off to third parties," Wilson said. "I would like to see Congress say businesses need to be accountable in the ways they handle consumer data and information."

Those advocating for a federal data privacy law are also advocating for that law to preempt state laws such as the California Consumer Privacy Act, which is seen as an outline for how other states are drafting privacy legislation.

"At a broad level, preemption is appropriate," Wilson said. "The internet does not stop at state or national boundaries."

Consumers should be on equal footing for the rights and benefits they receive under federal law, Wilson explained. Without preemption, there will continue to be a patchwork of different laws that businesses have to comply with.

"Businesses should have the certainty and predictability that they need. That will allow them to make the investments in new technology and systems they need," Wilson said.

Personally speaking, Wilson said that she would not permit private rights of action in any kind of federal data privacy law. Right now, the CCPA does provide for a limited private right of action for the unauthorized access and exfiltration of certain types of personal information.

"I have seen on too many occasions where private rights of action are used as a way to line the pockets of plaintiffs' attorneys and not the consumers themselves," Wilson said.

She said the FTC and state attorneys general should be the ones enforcing federal privacy legislation and not the plaintiffs' bar.

Any kind of data privacy law should be focused on where harm is done. Currently, data privacy law such as the Health Insurance Portability and Accountability Act, better known as HIPAA, is enforced when the "harm is high."

"When the FTC has thought about to enforce its Section 5 authority, which is broad and general, the FTC has always been careful to tie it to specific harm," Wilson explained.

She said tying enforcement to specific harms would "cabin" the FTC's authority.