Industry witnesses urge clear controller/processor rules; Main Street groups seek parity with big tech
July 30, 2025 | Judiciary: Senate Committee, Standing Committees - House & Senate, Congressional Hearings Compilation
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
At a Senate Judiciary subcommittee hearing on data privacy, witnesses representing technology vendors and Main Street businesses urged Congress to adopt a federal privacy law that clearly assigns obligations based on an entity’s role in handling data.
Kate Goodlow, managing director at the Business Software Alliance, argued that state laws get the roles right and that a federal law "must recognize different types of companies handle consumers' data" so obligations can be tailored. She told senators the controller/processor distinction "dates back more than 40 years" and underpins privacy laws worldwide.
Paul Martino, speaking for the Main Street Bridal Coalition, pressed for "equivalent requirements, equivalent standards to protect data" across industry sectors. He warned that labeling a consumer-facing business a controller can create a "false impression" that small businesses control how large platform providers operate, and urged parity in obligations and enforcement so processors cannot shift responsibility to smaller businesses.
Joel Thayer of the Digital Progress Institute recommended targeted, goal-oriented federal rules and cautioned against overly broad statutes that, he said, can entrench incumbents. Thayer and others emphasized that enforcement design matters: Thayer and Martino said regulatory enforcement or attorney-general actions can provide consistent compliance incentives, while Thayer warned a private right of action alone could be less effective.
Senators and witnesses also discussed subprocessors and downstream data flows. Martino asked for notice and a limited right for a main-street controller to object to specific subprocessors; Goodlow responded that giving a single customer veto over a bundled set of subprocessors could increase security risks and undermine economies of scale that benefit small businesses.
Those differences underscore policy choices Congress will face: how to define roles, where responsibilities should lie in multi-party data chains, and whether a federal standard should preempt stronger state protections. Witnesses broadly agreed a federal law should not weaken existing state protections but left open how to structure preemption and liability.
Kate Goodlow, managing director at the Business Software Alliance, argued that state laws get the roles right and that a federal law "must recognize different types of companies handle consumers' data" so obligations can be tailored. She told senators the controller/processor distinction "dates back more than 40 years" and underpins privacy laws worldwide.
Paul Martino, speaking for the Main Street Bridal Coalition, pressed for "equivalent requirements, equivalent standards to protect data" across industry sectors. He warned that labeling a consumer-facing business a controller can create a "false impression" that small businesses control how large platform providers operate, and urged parity in obligations and enforcement so processors cannot shift responsibility to smaller businesses.
Joel Thayer of the Digital Progress Institute recommended targeted, goal-oriented federal rules and cautioned against overly broad statutes that, he said, can entrench incumbents. Thayer and others emphasized that enforcement design matters: Thayer and Martino said regulatory enforcement or attorney-general actions can provide consistent compliance incentives, while Thayer warned a private right of action alone could be less effective.
Senators and witnesses also discussed subprocessors and downstream data flows. Martino asked for notice and a limited right for a main-street controller to object to specific subprocessors; Goodlow responded that giving a single customer veto over a bundled set of subprocessors could increase security risks and undermine economies of scale that benefit small businesses.
Those differences underscore policy choices Congress will face: how to define roles, where responsibilities should lie in multi-party data chains, and whether a federal standard should preempt stronger state protections. Witnesses broadly agreed a federal law should not weaken existing state protections but left open how to structure preemption and liability.
View the Full Meeting & All Its Details
This article offers just a summary. Unlock complete video, transcripts, and insights as a Founder Member.
✓
Watch full, unedited meeting videos
✓
Search every word spoken in unlimited transcripts
✓
AI summaries & real-time alerts (all government levels)
✓
Permanent access to expanding government content
30-day money-back guarantee
