As the August recess commences, it seems an opportune moment to consider the legislative developments around privacy in the 117th U.S. Congress. More than halfway into 2021, dozens of privacy-related federal bills have been introduced that, if passed, would have a major impact on how organizations handle personal data and the rights afforded to individuals.
Yet, these efforts in Congress toward passage of a new federal privacy law have received less attention as state-level privacy legislation has been in the spotlight. In 2021, two more states — Virginia and Colorado — joined California in enacting what the IAPP defines as “comprehensive” privacy legislation, expanding rights for consumers and obligations for businesses. Meanwhile, dozens of other state legislatures have continued working to craft new privacy legislation — although most efforts, such as those in Washington state, have not led to the passage of new laws. Nonetheless, as state laws make their way onto the books, stakeholders demand consistency, making it important to understand the federal landscape and areas of consensus around privacy legislation.
The ongoing COVID-19 global pandemic that began last year has also left an indelible mark on privacy law and policy discussions. As the Center for Information Policy Leadership stated in a report on the privacy lessons learned from COVID-19, the global pandemic “accentuated the need to recognize privacy as a fundamental right and afford it more consistent federal protection.” Moreover, lawmakers are working even harder to more strictly regulate the privacy practices of large technology companies, many of which have grown in influence and financial power since the pandemic began as a significant amount of work, learning and even social relationships shifted into the digital arena.
Therefore, to better understand the state of Congressional legislative activity around privacy, this paper analyzes 30 privacy bills introduced in the current (117th) Congress. These bills cover a diverse range of issues: from consumer rights and protections to the use of emergency health data in the context of the COVID-19 pandemic; from technology use by law enforcement to transportation and cyber/homeland security.
Overview
Twelve privacy bills have been introduced in the House of Representatives and 18 have been introduced in the Senate for a total of 30 privacy bills. Of these, 12 are identical to another version introduced in the opposite chamber. Thus, there are 24 unique federal privacy-related bills included in this analysis.
Of the 12 House bills, seven are sponsored by Democrats and have only Democrat or no other co-sponsors, three are sponsored by Republicans and have only Republican or no other co-sponsors, and the other two have Republican sponsors and at least one Democrat co-sponsor. Nine bills have one or more co-sponsors, while the other three bills have none.
The House bills’ sponsors represent the states of California (3), Michigan (2), Arizona (1), Georgia (1), New York (1), North Carolina (1), Tennessee (1), Texas (1) and Washington (1). The committees the House bills have been referred to include: Energy and Commerce (6); Financial Services (2); Homeland Security (2); House Administration (2); Judiciary (2); Oversight and Reform (2); Education and Labor (1); Foreign Affairs (1); Permanent Select Intelligence (1); Science, Space, and Technology (1); and Transportation and Infrastructure (1).
Of the 18 Senate bills, 11 are sponsored by Democrats, with five of those counting at least one Republican among their co-sponsors. Of the seven Senate bills sponsored by Republicans, only one has a Democrat among its co-sponsors. Thirteen of the Senate bills have one or more co-sponsors, while the other four bills have none. The most active members of the Senate in terms of number of privacy bills sponsored are Sens. Ed Markey, D-Mass., Brian Schatz, D-Hawaii, and Ron Wyden, D-Ore., each of whom have sponsored two bills.
The Senate bills’ sponsors are from Hawaii (2), Louisiana (2), Massachusetts (2), Minnesota (2), Oregon (2), Connecticut (1), Florida (1), Kansas (1), Mississippi (1), Nevada (1), New York (1), Tennessee (1) and Texas (1). The committees the Senate bills have been referred to include: Commerce, Science, and Transportation (9); Health, Education, Labor, and Pensions (5); Judiciary (2); Banking, Housing, and Urban Affairs (1); and Finance (1).
Privacy bills introduced in both the House of Representatives and Senate
This analysis identified 12 bills that have an equivalent version in the opposite chamber (six in the House and the corresponding six in the Senate). Given that both the House and Senate need to vote on a bill before it becomes law, these bills are relatively further along in the legislative process. Each of these bills are described below in order of introduction in the House.
H.R.651: Public Health Emergency Privacy Act (D — 35 co-sponsors)
S.81: Public Health Emergency Privacy Act (D — 11 co-sponsors)
Sponsored by Rep. Anna Eshoo, D-Calif., and referred to the Energy and Commerce Committee, H.R.651 restricts use and disclosure of COVID-19 emergency health data. It contains an explicit “nonpreemption” section as well as a private right of action, being one of four bills to include at least a limited private right of action. This bill has an identical Senate version (S.81) and has drawn the greatest number of co-sponsors of any House bill, with 35 co-sponsors. In the Senate, S.81 is sponsored by Sen. Richard Blumenthal, D-Conn., and was referred to the Committee on Health, Education, Labor, and Pensions. It also has the third-most co-sponsors of any Senate bill, with 11 co-sponsors.
H.R.778: Secure Data and Privacy for Contact Tracing Act of 2021 (D — 11 co-sponsors)
S.199: Secure Data and Privacy for Contact Tracing Act of 2021 (D — 1 co-sponsor)
This bill creates grants to encourage the development of technologies for contact tracing COVID-19 that meet privacy, security and other standards. In the House, it is sponsored by Rep. Jackie Speier, D-Calif., and was referred to the Energy and Commerce Committee, and in the Senate is sponsored by Sen. Brian Schatz, D-Hawaii, and was referred to the Committee on Health, Education, Labor and Pensions.
H.R.847: Promoting Digital Privacy Technologies Act (D — 1 co-sponsor)
S.224: Promoting Digital Privacy Technologies Act (Bipartisan — 1 co-sponsor)
This bill directs the National Science Foundation to support research grants for privacy-enhancing technologies. In the House, it is sponsored by Rep. Haley Stevens, D-Mich., and was referred to the Science, Space and Technology Committee. In the Senate, it is sponsored by Sen. Catherine Cortez Masto, D-Nev., and was referred to the Committee on Commerce, Science and Transportation. It is also one of the five Senate bills with bipartisan sponsorship.
H.R.2039: Protecting Investors’ Personally Identifiable Information Act (R — 4 co-sponsors)
S.1209: Protecting Investors’ Personally Identifiable Information Act (R — 6 co-sponsors)
Sponsored by Rep. Barry Loudermilk, R-Ga., in the House and referred to the Financial Services Committee and sponsored by Sen. John Kennedy, R-La., in the Senate and referred to the Committee on Banking, Housing and Urban Affairs, this bill prohibits the Securities and Exchange Commission from requiring personally-identifiable information be collected for audit trail reporting requirements.
H.R.2738: Fourth Amendment Is Not For Sale Act (D — 1 co-sponsor)
S.1265: Fourth Amendment Is Not For Sale Act (Bipartisan — 19 co-sponsors)
This bill prevents law enforcement and intelligence agencies from “obtaining subscriber or customer records in exchange for anything of value.” In the House, it is sponsored by Rep. Jerrold Nadler, D-N.Y., and was referred to the Judiciary and Permanent Select Intelligence Committees. In the Senate, it is sponsored by Sen. Ron Wyden, D-Ore., and was referred to the Judiciary Committee. The Senate version of this bill has also drawn the greatest number of co-sponsors of any Senate bill at 19 co-sponsors, and it is also one of the five Senate bills with bipartisan sponsorship.
H.R.3868: No Vaccine Passports for Americans Act (R — no co-sponsors)
S.1932: No Vaccine Passports Act (R — 2 co-sponsors)
Sponsored by Rep. Diana Harshbarger, R-Tenn., and referred to the Judiciary, Energy and Commerce, Transportation and Infrastructure, Education and Labor, Foreign Affairs, Oversight and Reform, and House Administration Committees, this bill prohibits establishment of a federal vaccine passport and provides for nondiscrimination in employment, public accommodation, access to federal services and by public entities based on vaccination status. In the Senate, it is sponsored by Sen. Ted Cruz, R-Tex., and was referred to the Committee on Health, Education, Labor and Pensions.
Privacy bills in the House of Representatives
The privacy bills introduced only in the House of Representatives are summarized below, in order of introduction.
H.R.474: Protecting Consumer Information Act of 2021 (D — no co-sponsors)
Sponsored by Rep. Ted Lieu, D-Calif., this bill requires the Federal Trade Commission to review and potentially revise its current privacy standards with respect to whether they are sufficient to protect consumers’ financial information from cybersecurity threats. The bill was referred to the Financial Services and Energy and Commerce Committees.
H.R.1781: PROTECT Kids Act (Bipartisan — 1 co-sponsor)
Sponsored by Rep. Tim Walberg, R.-Mich., and referred to the Energy and Commerce Committee, this bill amends the Children’s Online Privacy Protection Act of 1998 by expanding its scope to include services provided through mobile applications, precise geolocation and biometric information to children up to the age of 16. This bill is one of only two in the House to count both a Democrat and a Republican among its sponsor and co-sponsors.
H.R.1816: Information Transparency & Personal Data Control Act (D — 19 co-sponsors)
Sponsored by Rep. Suzan DelBene, D-Wash., and referred to the Energy and Commerce Committee, this bill requires use of “plain English” privacy policies, stipulates opt-in for sensitive information, imposes transparency requirements and mandates biannual privacy audits. It is one of five bills to include a state law preemption clause. It also has the third-most number of co-sponsors of any House bill, with 19 co-sponsors.
H.R.1871: Transportation Security Transparency Improvement Act (Bipartisan — 2 co-sponsors)
The Transportation Security Transparency Improvement Act is one of two House privacy bills with bipartisan sponsorship. Sponsored by Rep. Dan Bishop (R-N.C.), this bill addresses policies of the Transportation Security Administration related to the definition of “Sensitive Security Information." The goal of the legislation is to bring greater understanding and clarity to how TSA designates SSI, improve its training of personnel regarding SSI, and increase its outreach to external stakeholders who come into contact with SSI. A mark-up session was held by the House Homeland Security Committee regarding the bill in March.
H.R.2384: No Vaccine Passports Act (R — 24 co-sponsors)
Sponsored by Rep. Andy Biggs (R-Ariz.) and referred to the Oversight and Reform and House Administration Committees, this bill prohibits federal agencies from issuing vaccine passports or passes to certify COVID-19 vaccination status, or publishing or sharing COVID-19 records or any similar health information of U.S. citizens. This bill has the second-most number of co-sponsors of any House bill, with 24 co-sponsors.
H.R.2980: Cybersecurity Vulnerability Remediation Act (D — no co-sponsors)
Sponsored by Rep. Sheila Jackson Lee (D-Tex.) and referred to the Homeland Security Committee, this bill amends the Homeland Security Act of 2002 and establish an incentive-based program to encourage industry, academia and individuals to provide “remediation solutions for cybersecurity vulnerabilities.” This bill is the only other in the analysis (alongside H.R.1871) to have undergone committee consideration and been included in a mark-up session.
Privacy bills in the Senate
The privacy bills that have been introduced only in the Senate are summarized below, in order of introduction.
S.24: Protecting Personal Health Data Act (Bipartisan — 2 co-sponsors)
Sponsored by Sen. Amy Klobuchar (D-Minn.) and referred to the Committee on Health, Education, Labor, and Pensions, this bill directs the Department of Health and Human Services to regulate consumer devices, services, apps, and software that collect or use personal health data. It is also one of the five Senate bills with bipartisan sponsorship.
S.47: APP Act (R — no co-sponsors)
Sponsored by Sen. Marco Rubio (R-Fla.) and referred to the Committee on Commerce, Science, and Transportation, this bill requires operators from specified countries that make their software available to U.S. consumers to disclose to the Federal Trade Commission and Department of Justice certain information, including any data protection measures in place. It also prohibits data collection from U.S. users if the operator complies with requests from specified foreign governments to disclose U.S. consumer data. It is one of five bills to include a state law preemption clause.
S.113: BROWSER Act of 2021 (R — no co-sponsors)
Sponsored by Sen. Marsha Blackburn (R-Tenn.) and referred to the Committee on Commerce, Science, and Transportation, this bill requires covered entities to obtain users’ opt-in approval to use their sensitive information and opt-out approval to use their non-sensitive information. It is one of five bills to include a state law preemption clause.
S.500: Stop Marketing And Revealing The Wearables And Trackers Consumer Health Data Act (Bipartisan — 1 co-sponsor)
Sponsored by Sen. Bill Cassidy (R-La.) and referred to the Committee on Health, Education, Labor, and Pensions, this bill prohibits the transfer or sale of consumer health information collected from a “personal consumer device” to entities whose primary business function is to collect or analyze consumer information for profit, unless it obtains the consumer’s informed consent. It is also one of the five Senate bills with bipartisan sponsorship.
S.919: Data Care Act of 2021 (D — 18 co-sponsors)
Sponsored by Sen. Brian Schatz (D-Hawaii) and referred to the Committee on Commerce, Science, and Transportation, this bill imposes various responsibilities on online service providers with respect to their handling of identifying data, including securing it from unauthorized access and preventing harm. It has the second-most number of co-sponsors of any Senate bill, with 18 co-sponsors.
S.1444: Mind Your Own Business Act of 2021 (D — no co-sponsors)
Sponsored by Sen. Ron Wyden (D-Ore.) and referred to the Finance Committee, this bill requires assessments, periodic reporting and opt-out processes by covered entities that operate high-risk or automated-decision making information systems, such as AI or machine learning. It also imposes criminal penalties for false certification of annual reports by corporate officers. This bill has an explicit “no preemption” clause and provides a right of action to “protection and advocacy organizations,” being one of four bills to include at least a limited private right of action.
S.1494: Consumer Data Privacy and Security Act of 2021 (R — no co-sponsors)
Sponsored by Sen. Jerry Moran (R-Kan.) and referred to the Committee on Commerce, Science, and Transportation, this bill provides consumers with rights to access, correct and delete data, requires businesses to implement data security programs, and prohibits collection without consumers’ consent. It is one of five bills to include a state law preemption clause.
S.1628: Children and Teens’ Online Privacy Protection Act (Bipartisan — 1 co-sponsor)
Sponsored by Sen. Ed Markey (D-Mass.) and referred to the Committee on Commerce, Science and Transportation, this bill extends privacy protections to children aged 12-16, including the provision of notice and consent. It is also one of the five Senate bills with bipartisan sponsorship.
S.1667: Social Media Privacy Protection and Consumer Rights Act of 2021 (Bipartisan — 3 co-sponsors)
Sponsored by Sen. Amy Klobuchar (D-Minn.) and referred to the Committee on Commerce, Science, and Transportation, this bill grants users of online platforms the right to opt-out of data collection and tracking, provides users with the right to access, requires “plain English” terms of service agreements, and mandates establishment of privacy and security programs. It is also one of the five Senate bills with bipartisan sponsorship.
S.2052: Facial Recognition and Biometric Technology Moratorium Act of 2021 (D — 4 co-sponsors)
Sponsored by Sen. Ed Markey (D-Mass.) and referred to the Judiciary Committee, this bill prohibits biometric surveillance by the federal government without explicit statutory authorization. It is one of four bills to include at least a limited private right of action.
S.2134: Data Protection Act of 2021 (D — 1 co-sponsor)
Sponsored by Sen. Kirsten Gillibrand (D-N.Y.) and referred to the Committee on Commerce, Science, and Transportation, this bill establishes an independent federal “Data Protection Agency” to regulate high-risk processing and use of personal data.
S.2499: Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (R — 1 co-sponsor)
Sponsored by Sen. Roger Wicker (R-Miss.) and referred to the Committee on Commerce, Science, and Transportation, this bill requires companies to publish privacy policies, appoint privacy and data protection officers, implement customers’ rights to correction and deletion, and minimize the data they collect to what is necessary and proportional to the services they provide. It is one of five bills to include a state law preemption clause.
Conclusion
This analysis of privacy legislative activities in the 117th Congress (covering January — July 2021) found that a total of 30 privacy-related bills have been introduced so far this year: 18 in the Senate and 12 in the House of Representatives. While the majority of these, 22 in total, are sponsored by members of only one party, eight of them count both Democrats and Republicans among their co-sponsors, indicating several areas of bipartisan agreement around privacy issues at the federal level.
Two of the most contested issues within the federal privacy debate have been the preemption of state law and the private right of action. Of the 30 federal bills examined in this study, five of them contained a state law preemption provision, while another four include some form of a private right of action. However, none of the bills that included preemption or a private right of action received bipartisan support. As these issues have remained polarized roughly along party lines, four of the five bills with preemption are sponsored by Republicans, while all four bills with a private right of action are sponsored by Democrats.
Looking at only the bills that have support from members of both parties would suggest that the bipartisan “consensus” is to include neither: No preemption of state law and no private right of action. Indeed, three bipartisan bills fall within this category: S.500: Stop Marketing And Revealing The Wearables And Trackers Consumer Health Data Act, S.1628: Children and Teens’ Online Privacy Protection Act, and S.1667: Social Media Privacy Protection and Consumer Rights Act of 2021. These bipartisan bills neither preempt state law nor include a private right of action.
Outside of preemption and private right of action, other issues to look for bipartisan consensus around privacy at the federal level include:
- Expanding the scope of COPPA and privacy protection for minors (H.R.1781: PROTECT Kids Act and S.1628: Children and Teens’ Online Privacy Protection Act).
- Regulating consumer devices, apps, and software that collect or use personal health data (S.24: Protecting Personal Health Data Act).
- Providing support for research into privacy-enhancing technologies (S.224: Promoting Digital Privacy and Technologies Act).
- Limiting how intelligence and law enforcement agencies can obtain consumer records held by internet service providers (S.1265: Fourth Amendment Is Not For Sale Act).
- Addressing how SSI is handled by transportation authorities and relevant stakeholders, including airlines and airport operators (H.R.1871: Transportation Security Transparency Improvement Act).
These areas of bipartisan consensus can serve as guideposts for Congress moving forward as it takes stock of the privacy lessons learned from the COVID-19 pandemic, the implementation of several new state-level privacy laws and the always-changing global privacy landscape.
Photo by Quick PS on Unsplash