The surprising news of fresh bipartisan legislation that would set a comprehensive national privacy standard in the U.S. sent ripples through the privacy space, with reaction from several quarters of the policymaking spectrum.
The proposed American Privacy Rights Act, which was shared Sunday by U.S. Rep. Cathy McMorris Rodgers, R-Wash., and Sen. Maria Cantwell, D-Wash., would introduce a significant shift in how organizations collect, process and share personal information and set a high bar for data minimization practices. McMorris Rodgers and Cantwell are respective chairs of the House and Senate committees. Each committee would need to approve the bill prior to any potential floor vote.
Though many stakeholders are still digesting the 53-page discussion draft, Microsoft Vice Chair and President Brad Smith applauded the bill, calling it "a good deal," and adding that it "would give all consumers in the U.S. robust rights and protections." McMorris Rodgers and Cantwell represent Washington state, where Microsoft is headquartered.
Smith's reaction echoed those of Microsoft Chief Privacy Officer and Corporate Vice President for Global Privacy, Safety, Regulatory Affairs Julie Brill, who shared comments with the IAPP after news a bill was forthcoming. "At Microsoft we have been calling for a federal bill for two decades, and we would welcome the clarity and consistency that a federal legislation would provide," she said.
On Tuesday, the Network Advertising Initiative also welcomed the bipartisan effort to help eliminate the confusing and inconsistent patchwork of state privacy laws, but also raised concerns about the draft.
NAI Vice President of Public Policy David LeDuc said the draft legislation "reflects many of the same problems that have stymied previous efforts to pass federal privacy legislation." He also warned that the bill's data processing requirements would "curtail beneficial uses of data" and presents "confusing and conflicting opt-out and opt-in requirements."
Snags in the road
California's newest privacy regulator also criticized the bill.
In comments provided to the IAPP and later made public, California Privacy Protection Agency Executive Director Ashkan Soltani, whose agency enforces the California Privacy Rights Act, said the CPPA is evaluating the bill but is "disappointed that the proposed approach to preemption is substantively the same as the (American Data Protection and Privacy Act's), which the CPPA Board voted to oppose."
In 2022, the CPPA, as well as Congressional representatives from California, most notably then-House Speaker Nancy Pelosi, D-Calif., pushed back on the ADPPA because of its preemption provisions, ultimately sidetracking the bill by preventing a floor vote.
"Americans shouldn't have to settle for a federal privacy law that limits states' ability to advance strong protection in response to rapid changes in technology and emerging threats in policy — particularly when Californians' fundamental rights are at stake," Soltani said.
"Congress should set a floor, not a ceiling," he added.
In an IAPP LinkedIn Live hosted by IAPP Chief Knowledge Officer Caitlin Fennessy, Future of Privacy Forum Director of U.S. Legislation Keir Lamont, CIPP/US, and the Center for Democracy and Technology Vice President of Policy Samir Jain both agreed that the APRA closely resembles its ADPPA predecessor.
"A lot is taken from the ADPPA," Jain said. "Its basic structure and rights is quite similar." Lamont agreed, but added that understanding the details in the changes to the APRA will be crucial.
For its previous opposition to the ADPPA, "California raised valid questions about how ADPPA would be enforced," Lamont said.
The new bill would also have dramatic effects on the federal agency charged with enforcement — the Federal Trade Commission. Notably, the bill as currently written would require the agency to set up a new bureau alongside its consumer protection and competition divisions. It would also mandate the agency terminate its proposed rulemaking on commercial surveillance and data security.
During her keynote address at the IAPP Global Privacy Summit 2022, FTC Chair Lina Khan touted a data minimization approach "rather than just procedural protections, which tend to create process requirements while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place. ... Privacy legislation from Congress could also help usher in this new type of paradigm."
In response to the IAPP's inquiry about the APRA, the FTC said it has no comment.
Political state of play
With the surprise release of the draft APRA, several lawmakers may not have been initially looped in, notably Sen. Ted Cruz, R-Texas. "I'll be carefully reviewing this bill to ensure it doesn't have the same flaws as the failed (ADPPA)," Cruz said in a statement.
House Energy and Commerce Committee Ranking Member Frank Pallone, D-N.J., who was also involved in the ADPPA, largely expressed support for the APRA, but said, "There are some key areas where I think we can strengthen the bill, especially children's privacy."
FPF's Lamont noted some child-specific provisions from ADPPA were withdrawn in the new bill, which, he said, leads him to suspect that parallel congressional bills on a so-called "COPPA 2.0" and a separate Kids' Online Safety Act may have factored into how the discussion bill was drafted.
Cruz, who serves as the ranking member of the Senate Committee on Commerce, Science and Transportation, is initially critical of the APRA: "In particular, I cannot support any data privacy bill that empowers trial lawyers, strengthens Big Tech by imposing crushing new regulatory costs on upstart competitors or give unprecedented power to the FTC to become referees of internet speech."
The APRA includes a nuanced private right of action, which can be initiated by the FTC, state attorneys general and individuals.
Lamont pointed out that Texas, Cruz's home state, now has a comprehensive privacy law, which goes into effect in July. He said the office of the attorney general is staffing up. "It's a strong law," Lamont said, "and it goes further than other states, especially with how it applies to small businesses."
Whether the new Texas law plays a role in minimizing Cruz's support for the federal bill is not yet known.
Of the APRA, Cruz also said, "I trust that a measure of this magnitude will be subject to regular order — i.e., committee hearings and a markup — as lawmakers should expect for any significant tech bill."
Legislative road ahead
CDT's Jain said, "I think we'll see a hearing relatively soon, even if it's just on the discussion draft," noting that McMorris Rodgers and Cantwell will likely be looking to "develop some momentum here."
Though no hearings are scheduled at the moment, Lamont said stakeholders are already discussing the draft and he expects there to be a formal bill "maybe in the next month," but it is not yet clear whether it will emerge in the House or Senate.
Lamont also highlighted a key timeline difference between the ADPPA, which was first floated in June 2022, and the APRA. Though it is a presidential election year, the APRA has emerged several months ahead of its predecessor within the calendar year, providing more time for hearings, feedback and political compromise prior to elections in the fall.
"The Energy and Commerce Committee has a proven track record of getting hard things done," Rep. Pallone said Sunday. "I'm optimistic that we'll be able to build on that record as Chair Rodgers and I work together to get comprehensive privacy legislation across the finish line."
Meanwhile, states continue to fill the void. On 6 April, the Maryland Legislature approved a comprehensive privacy bill that now awaits the governor's signature.