The framework for a U.S. federal data privacy law took clearer shape at a Senate committee on commerce, science and transportation hearing Wednesday.

Lobbyists representing Google, Facebook and other tech companies discussed state law pre-emption, violation penalties, notification requirements and special protections for children with members of the committee. Data breaches at Uber, Facebook and Equifax and the implementation of the European Union's General Data Protection Regulation are turning American regulators on both sides of the aisle toward a federal privacy law.

Tech companies have also pushed for a federal law. That's in part an effort to pre-empt the state-level California Consumer Privacy Act before its 2020 implementation date; some have criticized the act, claiming its definition of personal data is too broad.

“Are we here just because we don't like the California law and we just want a federal preemption law to shut it down? Or do people think you can have meaningful federal privacy legislation without that [pre-emption]?” asked Sen. Maria Cantwell, D-Washington. She said the committee “cannot pass a weaker federal law just at the expense of states.”

Jon Leibowitz, the co-chairman of the 21st Century Privacy Coalition, which represents telecom companies, and Michael Beckerman, the president and chief executive officer of the Internet Association, which represents tech giants Google, Facebook, Amazon, Inc. and others, both responded that their groups wanted pre-emption of the CCPA in federal law.

Victoria Espinel, the president and CEO of The Software Alliance, said companies she represents, including Apple Inc. and Microsoft Corp., want a federal law that goes further than the CCPA, requiring consumers opt-in to sharing personal, sensitive data. Apple CEO Tim Cook has publicly called for an American version of GDPR, as has Cisco Systems Inc. chief legal officer Mark Chandler.

“Enacting federal privacy legislation is necessary in light of the patchwork of privacy bills being produced in legislatures around the country,” Leibowitz said. He said CCPA and other state privacy laws are being drafted “in haste” with “multiple drafting flaws.”

Sen. Shelley Moore Capito, R-West Virginia, noted that even with U.S. federal pre-emption of the CCPA, companies operating in Europe would need to comply with GDPR, which has faced similar criticisms.

Committee members also discussed fines for companies violating the future bill, proposing an increase in the Federal Trade Commission's ability to penalize first-time offenders. The FTC currently cannot fine for first-time violations, but that could change under a federal data privacy law. Espinel said the companies she represents are strong proponents of this proposal.

Sen. Ed Markey, D-Massachusetts, also raised concerns about privacy rights for children under a federal law. Markey, who drafted the Children's Online Privacy Protection Act that protects those under 13, proposed data collectors require opt-in consent for users under 16 years old. He noted the CCPA and GDPR both require special protections for minors.

“Without protections for children, it makes no sense to pre-empt California law,” he said.

Other proposals included simplifying privacy notifications that inform users of their data privacy rights in a clear, concise way free of legalese and moving to a legitimate interest model of data collection rather than relying on user consent.

GDPR uses a legitimate interest model, requiring companies to establish a reasonable cause for collecting and storing user data. Tech representatives also pushed for a “tech neutral” bill, which would place the same restrictions on all data collectors, regardless of industry.

Sen. John Thune, R-South Dakota, predicted a federal law will come in the “next couple years.” A similar hearing was held by the U.S. House of Representatives' consumer protection and commerce subcommittee Tuesday.

|