The path toward a federal privacy law in the U.S. took another turn late Thursday, after lawmakers released an updated draft version of the American Privacy Rights Act. The new draft comes ahead of a scheduled June 27 markup by the House Energy and Commerce Committee.
Punchbowl News first published the draft text. House Energy and Commerce Committee Chair Rep. Cathy McMorris-Rodgers, R-Wash., and Rep. Frank Pallone, D-N.J., the ranking member on the panel, released the draft, which is bipartisan and bicameral like its predecessor, the American Data Privacy and Protection Act.
The updated draft text has expanded to 184 pages and contains several key changes from the earlier discussion draft.
The APRA's alterations
Perhaps most notably, the updated APRA no longer features sections on civil rights and algorithms or the section on opt-out rights for consequential decisions. This removal will no doubt get the attention of privacy and civil rights advocates.
There are also significant changes in definitions related to targeted advertising, which now include definitions on contextual advertising, direct mail targeted advertising, email targeted advertising and first-party advertising. Under sensitive covered data, the language that stated "online activities over time and across third-party websites, or over time on a high impact social media site," was replaced by "online activity profile," which is considered sensitive data under the definition.
The strong data minimization standard remains robust in the new draft, with some small updates, including the addition of medical research in the permitted purposes section, though this still requires affirmative express consent.
There is added language for privacy by design that states "covered entities and services providers shall establish, implement and maintain reasonable policies, practices, and procedures that reflect the role of the covered entity or service provider in the collection, processing, retention, and transferring of covered data."
The bill retained its section on executive responsibility, with a minor clarification by switching an "or" to an "and," emphasizing the importance of both privacy and security, meaning covered entities will still need to designate one or more employees to serve as privacy and data security officers.
Preemption, a major sticking point for legislators in the modern history of federal privacy law, also underwent some changes in the draft text, most notably with state laws involving children and teens. Language about existing federal laws was also clarified.
The other significant change to the APRA involves data protection for covered minors and the Children's Online Privacy Protection Act, and it also would amend Title II of COPPA. Children's privacy has been a focal point for Ranking Member Pallone.
In May, the IAPP published an APRA Cheat Sheet that includes quick references to key definitions and obligations.
Markup June 27
Last month, a House Energy and Commerce Subcommittee marked up and passed a version of the APRA. The updated draft comes as the full committee plans to mark it up 27 June.
Politico reported House GOP leaders vowed not to hold a full floor vote on the previous version of the APRA. According to the report, Brett Horton, the top aide to House Majority Leader Rep. Steve Scalise, R-La., said the bill "would not come to the floor in its current form ... even if it passed out of the powerful Energy and Commerce Committee."
Several unnamed Republican leaders are concerned about the breadth of the bill, that it would involve most industries instead of a sectoral approach. The inclusion of a private right of action is another major sticking point, especially for lawmakers concerned about its effect on small and medium sized businesses.
Speaking to the previous draft bill, one senior Republican aide told Politico, "There's no real conservative wins. And the (PRA) is absolutely horrible for mainstream businesses."
Will the new bill address Republican concerns?
The new bill appears to have included some of the Republican concerns, but it is not yet clear whether the changes will be enough to put the bill over the hump.
Partisan divides on Capitol Hill may play a role in the fate of the APRA. A spokesperson from the committee panel remained optimistic, however, saying members of the Energy and Commerce Committee "have long worked to make online privacy a right for Americans and put them in control over their personal information. It’s a choice between individual liberty or continuing the massive commercial data surveillance happening on Americans every day. We look forward to continuing to move this bill through our regular order process."
Even if the bill makes it to a full floor vote, it still must go through the Senate. In a LinkedIn post, Goodwin Proctor Partner Omer Tene questioned whether Sen. Maria Cantwell, D-Wash., one of the major architects of the APRA, will support the new changes.
Though Tene applauded the "very strong data minimization mandate," he characterized the targeted advertising portion of the bill as "incoherent," noting the newly introduced online activity profile is considered sensitive data, but the bill "then proceeds to permit first party and targeted advertising ... except with respect to sensitive data. But since sensitive data includes the online activity profile, the exclusion gives with one hand what it taketh away with the other."
While Washington battles over the fate of a federal privacy law, the states continue to add to a patchwork of privacy laws. Earlier this week, Gov. Phil Scott, R-Vt., vetoed Vermont's recently passed consumer privacy legislation, prompting outcry from privacy advocates, including law professors Neil Richards and Woodrow Hartzog.
Rhode Island is the latest to join the state privacy law fray with a bill that awaits the governor's signature, though, unlike the now-vetoed privacy-progressive Vermont bill, it may only add to the unwanted complexity for businesses.
Jedidiah Bracy is the editorial director of the International Association of Privacy Professionals.