In a surprise development first reported late 5 April, two key members of the U.S. Congress released a draft bipartisan, bicameral federal privacy bill.
Little more than two years removed from the last significant attempt to forge national privacy law, U.S. House Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., and Sen. Maria Cantwell, D-Wash., chair of the Senate Committee on Commerce, Science and Transportation, went on the record Sunday to discuss the newly released draft legislation. The bill is also available in a section-by-section discussion draft.
Committee Chairs Rodgers and Cantwell also published a press release Sunday afternoon. "This bipartisan, bicameral draft legislation is the best opportunity we've had in decades to establish a national data privacy and security standard that gives people the right to control their personal information," Rodgers and Cantwell said. "It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress."
Journalists from Punchbowl News were the first to report on the expected federal deal.
At 53 pages, the proposed American Privacy Rights Act includes requirements on data minimization and consumer rights to opt out of targeted advertising and to view, correct, export or delete their data. Additionally, the bill carries data security provisions, a section on "executive responsibility," and a national data broker registry. There are also provisions to prevent organizations from enforcing mandatory arbitration when there is significant privacy harm.
In a section on civil rights, companies would not be allowed to use people's personal information to discriminate against them. The bill would allow individuals to opt out of a company's use of algorithms making decisions related to housing, employment, health care, credit, education and insurance, among others.
In an interview with The Spokesman-Review, Rodgers said, "Online privacy protections shouldn't differ across state lines. What we see is a patchwork of state laws developing, and this draft that Sen. Cantwell and I have agreed to will establish privacy protections that are stronger than any state law on the books."
"The information age has continued to evolve," Cantwell said in Sunday's interview. "And so it's important that we get a federal law that makes privacy a consumer right, and that's what this does. It basically is putting a policeman on the beat that doesn't quite exist right now."
Significantly, the bill would preempt state privacy laws, long seen as an obstacle by many Democrats and, in particular, by policymakers in California. In 2022, House Speaker Nancy Pelosi, D-Calif., prevented the American Data Privacy and Protection Act from reaching a full House floor vote.
Cantwell also rejected the proposal, which effectively put an end to prospects for the ADPPA in June 2022.
In her interview Sunday, however, Cantwell said the APRA incorporates parts of other state laws, including California, Illinois and Washington. State laws that regulate civil rights, consumer protection, contracting and other categories would not be preempted. It also includes a California provision that lets consumers sue organizations when affected by a data breach.
Also significant in the APRA, setting it apart from its ADPPA predecessor, is the language around a private right of action, which can be brought by the Federal Trade Commission, state attorneys general and individual citizens. The ADPPA provided a two-year grace period before a PRA applied following the law's effective date. The proposed APRA reduced the grace period to six months.
Cantwell has seen a private right of action as a key feature in a national standard, while Republicans have traditionally balked at inclusion of a PRA.
In comments provided to the IAPP, Microsoft Chief Privacy Officer and Corporate Vice President for Global Privacy, Safety, and Regulatory Julie Brill said that though she could not provide comments on behalf of Microsoft on the specific bill, "Generally speaking, we have advocated for a federal privacy bill for two decades, and we believe all Americans deserve the comprehensive privacy protections that so many other jurisdictions across the globe now enjoy."
"A matrix of state privacy laws has been a challenge," Brill said, "and it is confusing and not helpful in the long term for consumers as well. I'd like to see consistent and robust protections for individuals and clarity for organizations who have otherwise faced varying obligations across state lines."
Political state of play
According to Sunday's interview, McMorris Rodgers is "a close ally" of House Speaker Mike Johnson, R-La., and she is "having conversations with both House and Senate leadership right now."
Other key lawmakers have not been directly part of the negotiations, including Sen. Ted Cruz, R-Texas, and Frank Pallone, D-NJ, but McMorris Rodgers said, "I've had many conversations with both Mr. Pallone and Sen. Cruz on this topic, and we all recognize that people want and need privacy rights."
She said that she and Cantwell are "still open to constructive feedback."
"Most people wrote 2024 off as a year for federal data privacy and security movement outside narrower efforts like the sale of data to adversaries and kid-specific legislation," said R Street Institute Cybersecurity and Emerging Threats Director Brandon Pugh, who applauded Chairs Cantwell and Rodgers for working toward "a solution to data privacy and security."
The APRA emerges as more states pass comprehensive privacy legislation, including most recently Kentucky and, over the weekend, Maryland. The latter state's legislature passed its bill Saturday, which now awaits the governor's signature.
States have stepped into the void left by federal inaction
With no comprehensive privacy law at the federal level, states across the U.S. have jumped in to fill the void. Since 2018, when California led the charge with the California Privacy Protection Act, the total number of states with a comprehensive privacy law sits at 15 and counting.
The IAPP Research and Insights team has been tracking U.S. state privacy legislation, last updated 22 March. In addition to 15 comprehensive state privacy laws, Florida also passed a more targeted privacy law last year, covering large tech platforms.
Comprehensive federal privacy legislation in the U.S. has been the "white whale" for those seeking a national standard since the early days of the internet. However, a consensus between Democrats and Republicans has been elusive. The proposed ADPPA came closest to realization in 2022, but Democratic concerns about federal preemption of stronger state privacy laws, particularly for California's CPPA, which was amended to the California Privacy Rights Act, proved insurmountable.
Why now?
At this early stage, it is unclear why this compromise proposal suddenly emerged.
Though omnibus federal legislation has largely remained stalled since 2022, lawmakers on Capitol Hill have been drafting a panoply of privacy-related laws, including an update to the Children's Online Privacy Protection Act and a children's safety law known as the Kids' Online Safety Act, as well as laws that would require TikTok to divest from its Chinese ownership or be banned in the U.S. and a bill that would outlaw the sale of personal data collected by data brokers to a list of adversarial nations, which includes China, Russia, North Korea and Iran.
With a national election set for November, several experts following privacy policymaking expected this to be an off year for a bipartisan federal bill. In Congress, partisan divides have even made passing a federal budget a tall task.
However, in recent weeks, policymakers have floated a number of draft bills, from children's privacy to reauthorization of Section 702 and new obligations for data brokers.
Earlier this year, in another change from 2022, McMorris Rodgers announced she would not seek reelection in Washington, and Rep. Anna Eshoo, D-Calif., a powerful representative in Silicon Valley, home to many of the world's largest technology firms, also announced she would not seek reelection.
"I think there are a few things that are colliding to make a federal privacy bill more plausible today than it has perhaps ever been," said Microsoft's Julie Brill.
"First, we are in an era of rapid innovation," she said. "The acceleration of AI, including generative AI, has driven increased awareness of privacy, data protection, and data management issues by companies, consumers, and policymakers. There is a general recognition that these protections are crucial to help advance the innovation we see in the marketplace today."
Brill also said "it's time for the U.S. to catch up" with other parts of the globe in terms of having a comprehensive privacy law. "As governments around the world continue to regulate technology, the U.S. is without a seat at the global policy table on privacy in the absence of our own set of comprehensive protections. A federal privacy bill will demonstrate to the world that we take this issue seriously and are aligned and committed to developing common approaches that advance privacy as a fundamental right."
On privacy law needing to precede AI law
Though 2023 saw the rise of AI governance policy initiatives across sectors — from financial to health to national security — Rep. Suzan DelBene, D-Wash., opined that "before we build the second and third story of this regulatory house, we need to lay a strong foundation and that must center around a national data privacy standard."
In looking ahead, R Street's Brandon Pugh, who also wrote an analysis of the draft bill, said "there is still a long path forward" in the legislative process. "There will undoubtedly be many thoughts from civil society, everyday Americans, industry, and other members of the House and Senate. ... Compromises are critical to make a federal bill a reality and to ensure it best balances the needs of consumers, industry, innovation and security."
This is a developing story and the IAPP will continue to track the latest.