The Senate Commerce Committee hearing on “Consumer Data Privacy” looked a lot like others held over the last ten years. There was a panel of experts, a quorum of rehearsed U.S. Senators and a shared expression of public concern for the privacy rights of us all.

But unlike those other times when little came of the effort, we now seem to be moving toward comprehensive federal privacy legislation.  What’s happened?

A few things.

There was the creepy use of our data by the companies we trusted with the information in the first place. It’s one thing for Amazon to suggest a product you might like (and usually do), but quite another to window shop for an item on the site then have ads for it pop up everywhere else you go online.

There was the weaponizing of that data by foreign actors’ intent on disrupting our national elections and inflaming social tensions. By all accounts, the interference continues today.

There are the near-continuous breaches showcasing the enormous amount of data that is collected, often without our knowing (from Snowden to Equifax to Facebook to Google+).

But the most significant “inflection points” occurred in Europe on May 25 when the General Data Protection Regulation (GDPR) went into effect and then a month later when the California Consumer Privacy Act (CCPA) was signed with a 2020 effective date. These new, localized privacy laws reach beyond their borders and, more to the point, have teeth. Each has added urgency to federal legislative efforts.

The Senate Commerce Committee hearing offered proof of the point by hosting a four-person consumer privacy panel that included Dr. Andrea Jelinek, chair of the EU Data Protection Board, and Alastair Mactaggart, chair of Californians for Consumer Privacy.

But even though the new laws got much love in the hearing, there was no mistaking that the forward movement had less to do with privacy protections themselves than with creating comprehensive legislation that could interoperate with the European law and pre-empt a patchwork of 50 state laws.

The type, level and enforcement of privacy is open for negotiation because business depends on knowing a common set of rules. Massachusetts Senator Ed Markey said it quite plainly: “Industry is hoping for a federal law to pre-empt individual state actions.” And with that, the hearing was on!

Dr. Jelinek said she hoped the “GDPR may provide some inspiration.” Mactaggart said the CCPA “allowed consumers to say ‘No’ to the resale of their data,” essential because data collection has gotten “out of control” in a world where we live our lives not just online but in the palm of our hands so that “if I know everything about your device, I know everything about you.”

Laura Moy, Deputy Director of Georgetown Law’s Center on Privacy & Technology, made the advocate’s view clear to those listening. “It is not a time to be shy,” she said, adding three “must-haves” for any legislation. There will need to be substantial fining authority, a choice has to be a real choice and create a private right of action, she offered. Each flows directly from the GDPR.

But if Moy was laser-focused at ground level of potential legislation, it was Nuala O’Connor, President and CEO of the Center for Democracy & Technology, who got people to raise their eyes a bit.

“Privacy is about people,” O’Connor said. She stressed that “meaningful baseline legislation” must begin by offering “clarity and constraint on data collection.” Such an approach needs to be mandated because the ease of data collection, the lack of historical scrutiny and the low cost of storage has created target-rich targets for hackers without yielding benefit to consumers.

There was little disagreement (proof, perhaps, of Mactaggart’s comment that “privacy is not a partisan issue”), but there was some shade cast from off-stage.

At the earlier panel of company executives, senators were cautioned to move but not so far or fast as to hamper innovation. Hold data too tightly, it was suggested, and new companies may never get off the ground; it might be an advantage for incumbents. In the current environment in Washington, D.C. that can be a powerful argument.

It was Dr. Jelinek who answered before the others could. “This will give start-ups a chance to get it right from the start,” she said.

Whether a start-up getting it right from the beginning or a large company getting it right now, comprehensive privacy legislation will ask a lot of companies. The smart ones won’t wait because the benefits – reducing the cost of entering new markets, increasing customer loyalty and enhancing corporate reputation that can help close deals more quickly or sell shares more easily.

Imagine that.