In a conversation with CTA Senior Director of Regulatory Affairs Rachel Nemeth during CES 2024 in Las Vegas, a group of experts on consumer affairs and federal regulatory policy delved into the impact of existing and recent legislation on various sectors. Interestingly, they all agreed on one thing: the need for a national privacy law to replace the patchwork of differing state laws. T-Mobile Director of Federal Regulatory Affairs Melanie Tiano noted that currently 13 states have comprehensive privacy laws and that, two weeks into the new legislative session, she’s tracking more than 30 privacy-related bills.

“A federal law is critical,” Tiano stated. “It’s unfair for consumers to have less protection based on what state they live in.” Deven McGraw, lead for data stewardship and data sharing at Invitae, added that companies are faced with compliance at the state level, which makes the marketplace “confusing and difficult.”

She also noted that, “unlike Congress, which acts slowly and seeks consensus, the state legislators are moving way too fast.” “Some of the legislation we see coming through didn’t think about the outcome on the company and consumer sides,” she said.

Simone Hall Wood, privacy and public policy manager at Meta, pointed out one benefit of this patchwork of state privacy laws. “We’ve learned a lot about models that work or get the right balance between certainty and consumer protection,” she said, pointing to Virginia and Connecticut’s legislation as “models of thoughtful regulation.”

“There’s an emerging consensus,” she added. “Organization accountability and strong individual rights are common themes that are quite important and that I think should be part of any data protection framework.”

The two panelists from the federal government shared their thoughts. Kevin Moriarty, attorney/advisor to FTC Chair Lina Khan, stated that a 2021 opinion based on a case tried under the previous administration “deprived the FTC of its authority to get monetary relief for deceptive and unfair practices.”

“That had been a major way to hold companies accountable for deceiving and harming consumers,” he noted. He hopes this year, by legislation of an FTC rule, this will be rolled back.

At the House Energy and Commerce Committee, Chief Counsel for the Innovation, Data and Commerce Subcommittee Tim Kurth noted that, with a different set of regulators in each state, preemption is important. “If they have authority, we want it to be succinct, clear and easy to follow,” he said. “It’s clearly interstage commerce, so it has to reflect that.”

He added that statistics coming from California show that “lack of clarity in the rules creates a burden that drags down capital.” “The state’s own economic reporting says it’s a huge burden to small businesses,” he explained. “We have to be careful not to stifle innovation.”

Moriarty said that he often thinks that the effort to create a national privacy regulation has been “a victim of the FCC’s success in this area.” “In 2000, they began bringing data protection type cases and slowly built up a program,” he said. Kurth said his committee brought legislation forward, although the then-Speaker of the House did not bring it to the floor.

Nemeth asked the panelists if we should be concerned about generative AI “using our personal records.”

“Yes,” answered Moriarty. “Our chair has said that AI is just another tool and all the same FTC requirements that apply to tools apply to AI. There is no exception.”

He pointed to the recent settlement with Amazon over Alexa “indefinitely retaining data.” McGraw summed up the general consensus: “We’re the only developed country in the world without a privacy law and a lot of lesser developed countries have them,” she said. “It’s gone way beyond the point that it’s sustainable.”