Bolstered by a call from the president this week to strengthen data privacy protections for children, Connecticut lawmakers heard both praise and concern Thursday for a long-gestating bill intended to curb data collection by tech companies.
President Joe Biden targeted social media companies during his State of the Union address Tuesday, accusing them of experimenting on children for profit.
“It’s time to strengthen privacy protections, ban targeted advertising to children, demand tech companies stop collecting personal data on our children,” Biden said, according to a transcript of his remarks.
Although data privacy for children and adults remains largely unregulated on the national front, California, Colorado, and Virginia have all adopted varying policies on the issue in recent years. During a Thursday hearing of the General Law Committee, Consumer Reports policy analyst Maureen Mahoney told lawmakers that more than 20 states were considering following suit.
“Increasingly, states are trying to step into the gap provided by the federal government with respect to privacy protections and their reluctance to act,” Mahoney said.
Connecticut counts itself among the jurisdictions weighing regulation as Senate Democrats have raised legislation on data privacy for the second year in a row. The complex issue prompted hours of testimony before the committee Thursday.
Generally, the bill seeks to limit the collection of user data by digital companies and establish a consumer’s right to view, delete and opt out of the collection of their personal information by online businesses.
Sen. James Maroney, a Milford Democrat who co-chairs the committee, said Biden’s remarks reinforced the urgency of the issue.
“Given the president’s comments at the recent State of the Union address, this is going to take on new significance,” Maroney said.
However, several speakers worried the legislation may have unintended consequences including impacting small or medium-sized businesses and requiring companies to honor global opt-out requests, which they may not have the technological means with which to comply.
Scott Dolch, executive director of the Connecticut Restaurant Association, told lawmakers he was concerned the regulation would require restaurants, still reeling from the COVID-19 pandemic, to invest time in resources in complying with the law.
Although a section of the bill stipulates it would not apply to businesses that process the personal data of less than 65,000 consumers per year, Dolch said a medium-sized restaurant may quickly reach that threshold when third-party apps used to order food, make reservations, or access menus are considered.
“I just worry about any burden on any restaurant in Connecticut, even if it’s less than 50 grand — if it’s 5,000 or 10,000 to get into compliance,” Dolch said. “We aren’t the culprits here. We aren’t the ones that are out there trying to collect and sell data. We’re just trying to serve food.”
During the hearing, Rep. Holly Cheeseman, R-East Lyme, also had concerns about a provision of the bill giving consumers the right to use a global setting to opt of having their personal data tracked and processed.
Cheeseman questioned whether the technology currently existed for businesses to comply with the legislation. She received varying answers from the speakers who testified. Mahoney, the policy analyst at Consumer Reports, said the tools existed but it was difficult to force businesses to comply with the request.
“You could enable it in Connecticut but businesses wouldn’t be required to honor it as a global opt-out,” Mahoney said. “They could do so if they wanted to but they wouldn’t be required to.”
Meanwhile, Nancy Libin, a lawyer who testified on behalf of Comcast, asked lawmakers to delay implementation of the provision from 2023 to 2025. Libin, who once served as a privacy and cybersecurity advisor to then-Sen. Joe Biden, said there were still many policy and technical issues to resolve.
“It’s a very appealing idea but I think there’s a misconception too…. A consumer would think they’re opted out across all browsers and platforms,” Libin said, adding that would not be the case. “There’s just a lot more to do here. It’s been portrayed as a panacea and we don’t believe it is.”
At times during the hearing, Maroney, the bill’s main proponent, seemed open to continuing to work on the legislation and adjust the bill to address the concerns of stakeholders. But he said businesses may ultimately benefit from enacting the sort of policies the committee was weighing.
“We don’t want to slow down innovation, but I think in some ways we need to look at the big picture and I think in the long run, strong privacy protections can also help. They’re actually good for business,” he said.