There is a clear desire among the co-sponsors of the American Data Protection and Privacy Act to demonstrate substantive progress on the text based on stakeholder feedback, including last week’s hearing. This desire is apparent in the most recent version, which has now been introduced as a bill in the House of Representatives as H.R. 8152. As the IAPP covered, yesterday the bill was reported favorably to the full Energy and Commerce Committee after a markup session in the subcommittee on Consumer Protection and Commerce. The updated draft includes notable enhancements to the text of the bill, including:

  • A re-drafted and clarified set of requirements for service providers.
  • Additions that strengthen the private right of action
  • More robust requirements around algorithm accountability.
  • Tweaks to the requirements related to targeted advertising.
  • A more cohesive approach to data minimization as a central pillar of the bill.
  • A streamlined breakdown of the heightened standards (restricted data practices) for sensitive categories of personal data.
  • New “individual autonomy” provisions around privacy rights (no conditioning services on the exercise of rights, no use of dark patterns).
  • Accessibility requirements throughout the bill.
  • And many more drafting adjustments throughout, some quite substantive.

Despite the changes and movement on the bill, most Hill watchers have not adjusted their opinions about its prospects of passage, whether optimistic or pessimistic. Emphatic press quotes from Senate Commerce Chair Maria Cantwell, D-Wash., reiterated the need for final language to accommodate her concerns. This was underscored by a statement from Senate Majority Leader Chuck Schumer, D-N.Y.,  that he “supports a bipartisan bicameral privacy bill that all four corners agree to."

Here's what else I’m tracking:

  • Inaction is not consent according to a new compliance warning from BBB National Programs’ Digital Advertising Accountability Program, which clarifies that under the Digital Advertising Alliance’s self-regulatory rules for interest-based advertising, “a consumer must act in response to a clear, meaningful, and prominent notice, not merely receive one, for Consent to be real.” Consent is required under these existing targeted advertising standards before the collection of location, health or financial data, as well as when an entity collects data from all or substantially all of a users’ activity on a device (such as web browsers, internet service providers, or cross-application data).
  • Data protection can play a stronger role in safeguarding sexual orientation and gender identity information by continuing to recognize the enhanced sensitivity and risks related to this data, according to a report from the Future of Privacy Forum and LGBT Tech.
  • EU Commission Vice President Věra Jourová visited D.C., meeting with a handful of U.S. legislators to talk policy, including disinformation and the EU’s new digital rulebook. She also met with FTC Commissioner Alvaro Bedoya.

Under scrutiny

    • Face analysis tools based on machine learning, such as supposed “emotion recognition” analysis, will no longer be part of Microsoft Azure’s Face application programming interface, as part of the company’s efforts to implement its Responsible AI Standard, the New York Times reports.
    • TikTok issued a news release clarifying its data storage practices for the data of its U.S. users, in response to a Buzzfeed report.

Upcoming happenings

  • June 29 at 2:00 p.m. EDT, the IAPP hosts a Diversity in Privacy Mentor Q&A (virtual).

Please send feedback, updates, and accountable algorithms to cobun@iapp.org.