The proposed American Privacy Rights Act is on the move in the U.S. House legislative process, but the pressure points among key lawmakers are becoming more clear and present.
The U.S. House Committee on Energy and Commerce Subcommittee on Data, Innovation and Commerce approved the updated APRA draft on a voice vote 23 May, advancing the bill to full committee consideration. A new version of the bill was released 36 hours before the markup session and reflected a range of notable changes since the subcommittee last saw the initial discussion draft introduced in April.
There was no indication when and how the full committee will proceed with the bill, but subcommittee members commited to ongoing work with an eye toward a polished bipartisan bill. Lawmakers continued to tout their willingness to work across the aisle to achieve what many of them described as long-overdue legislation to put individuals back in control of their personal data.
"If the founders were here today, they would know as we know that this digital tyranny is not the American dream. The (American Privacy Rights Act) is an opportunity for a reset," Energy and Commerce Committee Chair Cathy McMorris Rodgers said. "Today is not the end of the road, but it is certainly another milestone in giving Americans the privacy rights they want and deserve."
Given the recent arrival of the updated bill, lawmakers did not submit amendments during the markup under the presumption they can get items addressed in the leadup to the full committee markup.
Despite the approval, perceived cracks in the proposed legislation are beginning to show. Subcommittee members were more candid during the markup than they were in April regarding specific reservations they have on the bill. Notably, the long-debated topics of the proposed private right of action and provisions for federal preemption of U.S. state privacy laws were not among the issues raised.
The COPPA 2.0 conundrum
Arguably the biggest change to the latest APRA proposal was the inclusion of the Children's and Teens' Online Privacy Protection Act, which was tacked on to the end of the bill instead of a more detailed incorporation. The April discussion draft featured few mentions of children's privacy with the expectation that COPPA 2.0 would ultimately find its way into the bill.
However, the addition of COPPA 2.0 may now represent the most controversial aspect of the APRA. Reps. Tim Walberg, R-Mich., and Kathy Castor, the COPPA 2.0 House co-sponsors, made very clear the children's protections they landed on in their targeted bill were not fully included in the updated APRA text.
Walberg explained the standalone bill raised the coverage of COPPA to children 16 and under, ban targeted advertising to covered minors and works to modernize the "actual knowledge" standard related to companies collecting, using, or disclosing personal information belonging to covered minors. He opined the children's provisions added to the APRA "has the skin, but not the meat and the bones" of COPPA 2.0.
"I understand APRA includes teenagers for a covered minor under Title I, but raising the age of protection specifically for COPPA is a necessary update that allows greater clarity and targeting for the unique protections and options that should be granted to minors and their parents," Walberg said, adding also the APRA definition for targeted advertising presents loopholes that leave minors vulnerable to negative impacts.
Castor led a handful of subcommittee Democrats who specifically raised their discomfort with the watered down version of COPPA 2.0 being added to the comprehensive bill.
"I am so very disappointed with how ineffective and weak the APRA discussion draft is when it comes to kids," Castor said. "The discussion draft completely fails to include important protections. It removes the COPPA 2.0 (actual) knowledge entirely and would now only apply to websites and apps that are directed to children, excluding those platforms that know a user is a minor. ... These issues are critical to modernizing current law to reflect the tech-driven world we live in."
In response to colleagues' criticism, Chair Rodgers promised continued work to "get as much as we can" when it comes to a more complete incorporation of COPPA 2.0.
Other crossroads
The markup was not the first time subcommittee members showed dissatisfaction regarding the APRA proposal. Energy and Commerce Ranking Member Frank Pallone, D-N.J., was openly down on aspects of the bill during the April hearing, which came as surprise given his prior partnership with Rodgers on the APRA's predecessor, the proposed American Data Privacy and Protection Act.
His rationale for targeted opposition boiled down to the perception that areas of the APRA did not meet or improve upon how the ADPPA treated certain provisions or issues. The key issues were children's privacy protections, data broker rules and a closer look at appropriate artificial intelligence provisions that meet the moment.
Pallone acknowledged that some of his concerns were alleviated in the latest APRA draft. But the appreciation was followed by a list of fresh issues that have come to his attention in a limited review of the new draft. The children's privacy issues haven't been full addressed, according to Pallone, who also cited the loose definition of targeted ads and the need to uphold the Federal Communications Commission's privacy authority in the bill.
"Great progress has been made at this point, but we're not there yet," Pallone said. "I have no doubt that we can get this done. ... Everyone on this committee has a strong track record of producing results for the American people. Nobody has a better record of reining in Big Tech."
Beyond Pallone's callouts, there were two additional reservations raised by subcommittee members from Illinois.
Rep. Jan Schakowsky, D-Ill., urged Chair Rodgers on two occasions to revisit biometric privacy provisions in the update APRA draft without noting specific issues. The latest draft preempts carries specific provisions for biometric data protection but they come with permissible purposes that can override consent. It also preempts the Illinois Biometric Information Privacy Act, which may arguably provide stronger consumer protections.
Rep. Robin Kelly, D-Ill., called for a review of potential limitations around state attorney general prosecutorial powers the APRA may bring. She explcitly stated those provisions as currently written would prevent her from supporting a full committee vote on the bill.
Stakeholders react
Many subcommittee members joined stakeholders in getting a very minimal review of the new APRA draft before the markup. A majority of the steps taken to improve the bill were received positively by onlookers.
Hunton Andrews Kurth Centre for Information Policy Leadership Director of Privacy and Data Policy Matthew Reisman indicated the addition of privacy-by-design principles to the bill could go a long toward "prioritizing establishment of accountable privacy programs grounded in privacy by design." Reisman added the CIPL was also receptive the inclusion of "the ability for large data holders to engage certified, independent auditors to assist with algorithmic impact assessments."
New America's Open Technology Institute Senior Policy Analyst David Morar said the "delete my data" option in the proposed data broker opt-out mechanism was a welcomed addition to the bill. However, Morar said the OTI aligns with Pallone's preference to uphold the FCC's privacy powers as the current preemption approach to that enforcement may prove "untenable" when holding telecom provider accountable for privacy violations.
"Many of the FCC’s core functions and its ability to protect consumers involve regulating activities that relate to 'collection, processing, retention, transfer, or security of covered data.' Although not perfect, the text of ADPPA took a much narrower attempt to preempting FCC authority," Morar said.
In contrast to the subcommittee conflicting opinions on how to handle children's privacy, Public Interest Privacy Center's indicated the new version of APRA may wind up being more protective for children than COPPA 2.0 would be as standalone legislation.
"Added protections for teens under COPPA 2.0 should be added to the APRA since many state laws that APRA would be preempting already provide additional protections for minors under 18, including Connecticut, Colorado, and Florida," the advocacy group said in a statement. "Almost all of the provisions cut from the (February) Senate version of COPPA 2.0 that went into APRA are effectively retained by APRA’s general provisions. Many of the rights provided only to children in COPPA 2.0 are provided to all individuals under APRA."
