It's becoming increasingly clear the U.S. House of Representatives knows what it wants to do in regards to federal privacy legislation — the only certainty that's shown up in this fast-moving legislative process is the House's willingness to work across the aisle and press forward.

This unity and desire mostly showed through again Thursday as the House Committee on Energy and Commerce Subcommittee on Consumer Protection and Commerce unanimously voted to move the American Data Privacy and Protection Act to a full committee markup. The subcommittee unanimously accepted the "amendment in the nature of a substitute" offered by Energy and Commerce Committee Chair Frank Pallone, D-N.J., prior to the vote to move legislation and released for public consumption Wednesday evening. The AINS is a slightly modified version of the formally introduced bill that made changes to the original discussion draft.

IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, analyzed the three versions of the bill to date and noted the newest changes from the AINS relate to the private right of action, including language adjustments around types of damages a plaintiff can receive and a prohibition on arbitral or administrative pre-dispute joint action waivers for people of any age. The changes adopted at formal introduction and retained through the AINS include service providers removed as covered entities, increased requirements for algorithmic assessments, dialed back categories of sensitive data and new exceptions.

"This markup will add to the growing momentum toward delivering for the American people, in federal law, fundamental digital protection rights," Subcommittee Chair Jan Schakowsky, D-Ill., said. She added "perfect won't be the enemy of the good" as Congress moves this bill and highlighted the "strong enforcement mechanisms" it includes. Both points contrast with the views of U.S. Senate Committee on Commerce, Science, and Transportation Chair Maria Cantwell, D-Wash., a key holdout on the three-corners bill who came out with flat opposition prior to the subcommittee markup.

Preemption, PRA in focus again

Pallone made clear while presenting the AINS that provisions for preemption and the PRA were not changed from the formally introduced bill, but that's not how things will remain. He assured the subcommittee that changes are coming — likely in response to Cantwell's opposition and that of industry players — while noting the two issues "have been the most difficult points of negotiation … for the last decade."

"In this case, the negotiators made substantial progress before the subcommittee, but even still, we needed more time to finalize the language," Pallone said. "We are going to continue to make changes. So this AINS reflects continued efforts to make changes. Always bipartisan and always with the idea of consensus in mind."

Comments beyond Pallone on preemption and the PRA were limited, but Rep. Kelly Armstrong, R-N.D., offered a trio of objective amendments he did not follow through on related to those two issues and the bill's right to cure. Offering amendments and pulling them before consideration was a play aimed at bringing attention to issues Armstrong felt colleagues should be tuned into, while making note that his opposition looms if provisions are not tightened to his liking.

Armstrong's proposed amendment on preemption was intended to ensure the law "actually does what we intend it to do" as far as creating a national standard. With the proposed change to the PRA, Armstrong pitched a "privacy hierarchy" for enforcement to avoid businesses being subject to punishment for potential violations by way of U.S. Federal Trade Commission enforcement, state attorneys general enforcement and individual redress all at once.

Energy and Commerce Ranking Member Cathy McMorris Rodgers, R-Wash., welcomed Armstrong's efforts to highlight pitfalls.

"From the very beginning of this debate, creating a strong preemptive national standard has been one of my top priorities. That hasn't changed," McMorris Rodgers said. "There's tough tradeoffs to build consensus in bipartisan legislation like the one that's before us. Those negotiations don't stop today. This is not a finished product and I want to continue to focus on what Rep. Armstrong has raised.

"With continued member feedback and constructive input from stakeholders, this product can grow into a landmark achievement."

More work to do

Subcommittee members used the discussion draft hearing to get voice agendas and testimony on the record regarding topics that matter to them. Flash forward and the same points raised during the initial hearing revealed themselves again while lawmakers spoke Thursday.

Subcommittee Ranking Member Gus Bilirakis, R-Fla., as well as Reps. Fred Upton, R-Mich., and Larry Bucshon, R-Ind., each recommended further refinement of provisions on customer loyalty programs. All three lawmakers had an eye toward allowing consumers to obtain perks of programs while still enjoying appropriate protections for the data they submit in exchange for the loyalty benefits.

"Customer loyalty programs are a critical and ever-growing facet of the restaurant business model," Upton said. "If Section 104 isn't changed, businesses are going to face the possibility of having to eliminate programs. … Customers shouldn't be discriminated against for choosing to exercise one of their privacy rights outlined within the bill. The legislation, as drafted, would inhibit the ability of customers and businesses to mutually establish mutually beneficial relationships and set the terms of those relationships."

Rep. Kathy Castor, D-Fla., said during the discussion draft hearing that she was pleased to see children's privacy in the bill, and the latest version includes updates to "actual knowledge" standards for data processing regarding minors age 17 and under. However, Castor didn't shy away from desires to have the bill go further for children.

"The data minimization regime and loyalty duties will help limit the types of (data practices) against children and teens along with the harms that result, but I think we can do better," Castor said, pointing to existing proposals to update the Children's Online Privacy Protection Act and the U.K. Age Appropriate Design Code for potential additions. "This is our opportunity to really ensure that online apps are truly appropriate for kids and teens. I trust everyone wants to do what's best for our kids."