Members of U.S. Congress appear to be full-steam ahead in their pursuit of finalizing comprehensive federal privacy legislation by year's end. A day after revelations of a draft bill circulating, a bipartisan group of lawmakers published a discussion draft for the proposed American Data Privacy and Protection Act for full public consumption.
U.S. Senate Committee on Commerce, Science, and Transportation Ranking Member Roger Wicker, R-Miss., and House Committee on Energy and Commerce's Frank Pallone, D-N.J., and Cathy McMorris Rodgers, R-Wash., co-authored the bill, which comes with a detailed section-by-section summary of provisions.
The proposal has three thresholds for covered entities based on the size of a given business. There are provisions for enhanced children's protections, limits on targeted advertising, preemption over facets of state laws, and a limited private right of action. The draft also proposes a chief privacy officer requirement and other organizational requirements related to data minimization and scaled-back data practices.
In a press release, the co-authors touted the draft bill as striking "meaningful balance" with its "robust set of consumers’ data privacy rights" and "appropriate enforcement mechanisms."
"We believe strongly that this standard represents the best opportunity to pass a federal data privacy law in decades, and we look forward to continuing to work together to get this bill finalized and signed into law soon,” Wicker, Pallone and Rodgers said in a joint statement.
The bill has the support of some factions of the U.S. Federal Trade Commission, the agency that will be tasked with enforcing the bill if it passes. FTC Commissioner Noah Phillips tweeted that the commission "will be there to carry out the law and protect American consumers" while Commissioner Christine Wilson also backed the proposal in a tweet.
No small feat
The groundwork put toward the draft bill was laid years prior but picked up substantially in recent months. Now with a potential final product in place, stakeholders and onlookers have begun digesting and bracing for the reality of what this bill brings to the table if finalized.
"After almost four years of serious bipartisan discussions and in a very polarized political environment, any bipartisan agreement is a huge deal," Brookings Institution Tisch Distinguished Visiting Fellow Cameron Kerry told The Privacy Advisor. "But it is an even bigger deal where it includes civil rights protection in the use of personal data that key civil rights organizations have received favorably, and a private right of action."
Seeing parties come together on privacy certainly adds to the positivity around potentially reaching the finish line this time around. Bipartisan discussions have been faint since 2019, when Senate Commerce Committee leadership — previously Wicker as chair and current Senate Commerce Chair Maria Cantwell, D-Wash., as ranking member — saw strong bipartisan will fizzle into separate partisan privacy proposals.
Kelley Drye & Warren Of Counsel Jessica Rich told The Privacy Advisor the new proposal represents less of a first step and more consolidation of deep thinking put into prior bills, like those proposed by Wicker, Cantwell and others in years prior.
"The draft builds on prior bills and reflects a lot of detailed analysis and thoughtful drafting," said Rich, the former director of U.S. Federal Trade Commission's Bureau of Consumer Protection from 2013 to 2017. "Given that this is an election year and time is tight, Congress will definitely need to rush to get this passed."
"This draft shows that there is a bipartisan path forward on long-overdue legislation to protect consumer privacy," Center for Democracy and Technology President and CEO Alexandra Reeve Givens told The Washington Post. "Americans want and desperately need legislation to protect their personal data and promote trust in the online world. While it’s not perfect, the draft is a hopeful first step."
The substance
The most notable and much-discussed inclusions in the proposal continue to be preemption and the PRA. The partisan division on both topics has been stymieing, but WilmerHale Partner Kirk Nahra, CIPP/US, told The Privacy Advisor that the compromise reached on each "targeted" issue is a product of parties realizing the "short windows of legislative opportunity" in front of them.
"I think there is a recognition among folks on Capitol Hill who are very interested in this issue that they needed to get past these major areas of concern," Nahra said. "This is a reasonable effort to do that."
Specifically on preemption, Nahra said the draft hits on points that are "both useful and still likely to lead to meaningful concern," noting the difficulty in navigating "all the overlaps and how laws that say different things actually fit together or not." Kerry said that Congress had "struck the tune" with a "jigsaw approach."
The PRA has long been a point of contention for Republicans and industry. That doesn't appear to be changing from an industry perspective with the U.S. Chamber of Commerce coming out before the release of the discussion draft with their opposition.
"A national data protection law including a private right of action would encourage an influx of abusive class-action lawsuits, create further confusion regarding enforcement of blanket privacy rights, harm small businesses, and hinder data-driven innovation," U.S. Chamber of Commerce Executive Vice President and Chief Policy Officer Neil Bradley said in a statement.
The limits on and general inclusion of the right of action remain debatable, but Rich pointed to a de facto bailout for Congress in the proposed bill if it so chooses.
"The PRA has a number of limits but could still lead to a lot of litigation when it kicks in," Rich said. "I suspect the four-year delay is partly to allow for further consideration of the issues, allowing Congress to potentially change course on this issue."
In a broader view of the proposal, Kerry found many inclusions that he otherwise wasn't expecting.
"Surprises? I'd say the extent to which the draft will affect existing businesses practices in the boundaries on collection, use, and sharing; the Sarbanes-Oxley-style executive certification for large data holders; the data broker registry; and the restricted practices," Kerry said. "Also, the incorporation of privacy by design that incorporates a thoughtful risk assessment but can be flexible and adaptable."
Not a sure thing
Though it's bipartisan and bicameral, there's still a need to get important Congressional players on board. There's at least two unsettled members of Congress thus far with Sen. Brian Schatz, D-Hawaii, and Commerce Chair Cantwell.
The Washington Post reported Schatz, a regular voice in federal privacy talks, wrote a letter to Senate and House commerce leaders outlining his opposition to the latest proposal, which he said would "will only result in more policies to read, more cookies to consent to, and no real change for consumers." He added he does not support preempting existing state privacy laws or taking away state legislatures' abilities to legislate on privacy matters in the future.
Cantwell had some definition to her opposition as well.
In a statement to Politico, she said, "meaningful privacy protection" requires a federal proposal that's "not riddled with enforcement loopholes." She added that consumers "deserve the ability to protect their rights on day one, not four years later."
Cantwell has made clear that she wants to act on privacy this session and has the go-ahead from Senate Majority Leader Chuck Schumer, D-N.Y., but her lack of authorship with fellow Congressional commerce committee leaders on the new draft bill suggests a stalemate still exists for her somewhere in negotiations.
Photo by Harold Mendoza on Unsplash