With the surprising emergence of the draft American Privacy Rights Act last week, stakeholders are still piecing together the puzzle ahead of the first legislative activity on the discussion draft by the U.S. House Committee on Energy and Commerce's Innovation, Data and Commerce Subcommittee, which will hold a hearing Wednesday.
The House is jumping into its consideration and fact finding, and the Senate is likely not far behind. Senate Committee on Commerce, Science and Transportation Senior Counsel Shannon Smith said during an IAPP LinkedIn Live 15 April that the upper chamber intends to commence its own APRA work despite not having a immediate timetable for its efforts.
"We certainly will take up this bill in committee," Smith told IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM. "Introduction is an obvious first step, but I think its possible we will have a legislative hearing on this bill. Obviously we will mark it up at some point. ... We do intend to move forward with this bill in committee."
Bipartisan, bicameral talks on comprehensive federal privacy legislation laid mostly dormant since the House carried the previously proposed American Data Privacy and Protection Act through the House Committee on Energy and Commerce in 2022. Momentum fizzled when then-Democratic House leadership opted against bringing the bill to a full House vote.
The proposed APRA from Sen. Maria Cantwell, D-Wash., and Rep. Cathy McMorris Rodgers, R-Wash., in many ways picks up where ADPPA left off, and preliminary negotiations reflect as much. Smith said talks that led to the proposed APRA materialized from a Cantwell-Rodgers conversation "on other issues not necessarily related to privacy" and a consensus decision to "maybe try something again and another very serious attempt at negotiating."
Smith is the Senate's APRA point person and has been working on the discussion draft with House counterparts since December 2023. The fresh proposal represents "momentum" toward resolving ADPPA "sticking points."
Private right of action
Cantwell's concerns over perceived "major enforcement holes" and specifics around the proposed private right action included in the ADPPA played a role in why that bill stalled on the House floor.
Updated provisions in the proposed APRA contain improvements that garnered Cantwell's support this time around. The delay on a private right of action is six months after the APRA takes effect, down from the two-year wait previously raised in the ADPPA. Additionally, the APRA proposes limits on arbitration agreements between companies and individuals.
"She was willing to compromise on that really broad prohibition against mandatory arbitration agreements (from Cantwell's previously proposed Consumer Online Privacy Rights Act)," Smith said. "(The ADPPA) had some protection from mandatory arbitration, but it was really very narrow. ... We were able to work with our counterparties to really work through that issue."
Smith indicated there were "other hurdles" around the bill's private right of action that were negotiated with a mind on a structure that "wouldn't result in a lot of 'gotcha' moments." The compromise on Senate staff's side included addition of a right to cure and prior notice on filings for damages.
Preemption
The private right of action has long been a challenge for federal lawmakers, but it isn't the most glaring in these particular talks. Preemption of state-level privacy laws has proven more daunting to compromise on.
The proposed APRA and the preceding ADPPA each sought to set a high bar for consumer privacy protection that would otherwise supersede a majority of what states are doing on privacy.
"Businesses have operationalized around those (sectoral) laws while states are enforcing and using those laws in a lot of different ways," Smith said, pointing to state laws around health and employee information as well as public records laws and others that "have been on the books for a long time."
The aim is to tamp down the patchwork of comprehensive state privacy laws. That network has only grown since consideration of the ADPPA in 2022 as 15 states have enacted laws while comprehensive bills in Maryland and Nebraska await potential enactment soon. Such growth and the subsequent increase in compliance costs are leading concerns stakeholders raised in feedback to Smith and her drafting team.
She indicated Senate and House staff "find ourselves in a place of balance" with regard to "thorny" preemption after the two sides were able to "thread that needle."
However, much has been made regarding how the ADPPA and now the APRA set a ceiling instead of a floor for legislation, leaving states with laws perceived to be stronger with less protections for their residents. California in particular pushed back against hardline preemption of the California Consumer Privacy Act, resulting in the ADPPA's major roadblock and has reiterated its argument again with the APRA.
"This bill wouldn't preempt (the California Privacy Protection Agency). The agency would have the authority under this act to enforce the act and conduct investigations," Smith said.
FTC's role and rulemaking
Interestingly, the proposed APRA includes a clause for the U.S. Federal Trade Commission to terminate its current rulemaking procedure on commercial surveillance and data security while simultaneously giving the agency new targeted rulemaking authority. The agency officially kickstarted its existing rulemaking in August 2022 after the ADPPA lost momentum, but hasn't announced updates since the completion of a consultation period in November 2022.
"This is a place where Congress needs to speak. And when Congress needs to speak, it doesn't make sense to have another standard established by the FTC," Smith said regarding termination of the agency's current rulemaking, which was previously viewed as a safety net in the absence of federal legislation.
Under the APRA proposal, the FTC will have the authority promulgate rules that clarify provisions based on its enforcement trends and future market developments. Arriving at the agency's proposed authority took "robust negotiations," according to Smith, acknowledging the Senate and House are "in different places."
Ultimately the two sides landed on rulemaking authority in instances that would be mutually beneficial to consumers and businesses. Smith called out the potential for rulemaking on new permissible purposes for data collection and processing as well as updating the categories of sensitive personal data.
In addition to rulemaking, the FTC will be obliged under the APRA proposal to revamp its privacy division to be "comparable in structure, size, organization, and authority to the existing bureaus." Under the discussion draft, the agency will enforce the law as a trade regulation while also maintaining a new data broker registry.
The FTC has already begun a crackdown on data brokers in recent months. The expanded enforcement and registry requirements will only add increased supervision, which Smith said is warranted in the existing broker landscape where "the chain is broken" in consumer-business relationships.
"Data brokers don't necessarily align with consumers' expectations with their data," she said. "People don't know who (brokers) are, how to get ahold of them and maybe don't know they have their data. Creating a registry that sort of has this public list, and giving consumers a one-stop shop to give a directive to not collect their data, is a way to relieve consumers of the burden."
Editor's note: The IAPP updated this article to more accurately reflect what would be preempted in the draft discussion bill.