The sudden shift from speculation to action on federal comprehensive privacy legislation had policymakers and policy wonks alike scrambling for purchase this week. The American Data Protection and Privacy Act, though not yet introduced in either chamber, is now available for review as a public discussion draft, released by three of the four leaders of the House and Senate commerce committees. A hearing on the draft is scheduled for Tuesday in the House Subcommittee on Consumer Protection and Commerce. Senate Commerce Chair Maria Cantwell, D-Wash., remains a holdout on the draft and is expected to release a separate updated draft of her Consumer Online Privacy Rights Act in the near term.

Over the past days, the IAPP has provided up-front analysis of the draft three-corners bill. IAPP Senior Westin Research Fellow Müge Fazlioglu, CIPP/E, CIPP/US,  wrote an insightful piece “distilling the essence” of the discussion draft with helpful comparative context to other recent legislative proposals. Meanwhile, inveterate newshound Joe Duball reported the early reactions from stakeholders. For analysis of the draft bill’s scope and application, including how it conceives of different types of covered entities, see this article by your friendly D.C. columnist.

Reactions from civil society and industry stakeholders to the three-corners draft are continuing to trickle in. In initial news releases, the Center for Democracy and Technology called the draft a “hopeful first step,” while EPIC’s Caitriona Fitzgerald said it was “very encouraging to see a bipartisan proposal that recognizes that we are facing a data privacy crisis in this country and requires changes to Big Tech’s harmful business practices.” The U.S. Chamber of Commerce continues to oppose any bill with a private right of action, including both draft bills. Constructive commentary from all sides on the substantive provisions is likely to emerge in the coming weeks.

Policymakers looking for ideas for building consensus might consider consulting reports from D.C. think tanks such as R Street, which, after speaking with dozens of stakeholders, released a series of white papers this month recommending common ground on the known sticking points for federal privacy law: a private right of action, preemption, and the role of the FTC. Another timely paper from professors Woodrow Hartzog and Neil Richards, Legislating Data Loyalty, was also just released. Whoever titled Section 102 of the draft ADPPA “Loyalty Duties” may do well to read their analysis. Though data minimization is a core tenet of a duty of loyalty regime and the provision in the bill includes strong substantive limitations on collecting and transferring certain types of sensitive data, the responsibilities imposed may not rise to the level of the Hartzog-Richards definition of a duty of loyalty: a relational duty that prohibits self-dealing at the expense of a trusted party.

Here's what else happened since the last roundup:

Under scrutiny

Axon, a weapons and technology company, experienced the resignation en masse of nine advisors on its artificial intelligence ethics advisory board after announcing plans to develop taser-equipped police drones.

Privacy people on the move

Christopher Hoff, CIPP/E, CIPP/US, CIPM, finished his stint as Deputy Assistant Secretary for Services at the U.S. Department of Commerce’s International Trade Administration and has joined Julie Brill’s team as Assistant General Counsel, Privacy and Regulatory Affairs at Microsoft.

Need a break from federal privacy? A few good reads:

  • A researcher let a racist AI bot run rampant on 4chan. As Brookings TechStream reports, “the deployment of large language models pose a variety of potential harms—ranging from the automation of disinformation to spam to fraud to astroturfing—and gpt-4chan encapsulates many of these concerns. ... Trained on /pol’s toxic language, gpt-4chan reproduced this language in an original way with sufficient authenticity that it sparked an intense debate on the platform about its identity.”
  • Professor Cranor described her vision for virtual privacy assistants. The idea of an app that learns privacy preferences and automatically opts in or out when users use new services is “unlikely to happen on a wide scale,” Lorrie Cranor, CIPT, wrote in a The Wall Street Journal report, “without laws that not only require companies to provide information about their data practices in plain English and in standardized forms, but also in a standardized computer-readable form so that personal privacy assistants can read them automatically."
  • Unity’s CEO laid out his vision of the metaverse. It’s a lot more than virtual avatars, apparently.

Upcoming happenings

  • June 14 at 10:30 a.m. EDT, the House Subcommittee on Consumer Protection and Commerce of the Committee on Energy and Commerce holds a legislative hearing on Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security (hybrid virtual and in the John D. Dingell Room, 2123 of the Rayburn House Office Building).
  • June 15 at noon EDT, ITIF hosts Children’s Privacy in Review: The Future of COPPA (virtual).
  • June 16 at 2 p.m. EDT, the IAPP hosts Women Leading Privacy Virtual Roundtable.
  • June 16 at 6 p.m. EDT, IAPP Knowledge-Nets for Northern Virginia and D.C. host Academia’s Privacy Pros: A discussion on the intersections of privacy, power and free speech (virtual).
  • June 22 at 3 p.m. EDT, Wirewheel hosts a panel on Preparing for Federal Regulations Coming Down the Pipeline as part of its SPOKES virtual conference.
  • June 23 at 1 p.m. EDT, The Office of Science and Technology Policy and the National Science Foundation host a virtual listening session on the interim report of the National Artificial Intelligence Research Resource Task Force.

The View from D.C. will be on hiatus next week, but will return Friday, June 24. In the meantime, please send feedback, updates and tips for unplugging on vacation during this hot privacy summer to cobun@iapp.org.