U.S. Congress made bipartisan progress on comprehensive federal privacy legislation last year, advancing the proposed American Data Privacy and Protection Act to the cusp of a U.S. House floor vote. The prioritization was no fluke and the 118th Congress is compelled to prove as much with eyes toward finalizing a national standard again this year.
A step forward for 2023 federal privacy law prospects came with the latest Congressional hearing dedicated to privacy hosted by the House Committee on Energy and Commerce's new Subcommittee on Innovation, Data and Commerce.
The hearing sought to clarify the many stakes for consumers and industry tied to the ongoing lack of comprehensive legislation. Lawmakers also used their time to prop up the proposed ADPPA as the preferred framework to address current regulatory shortcomings.
"We were almost there," Subcommittee on Innovation, Data and Commerce Ranking Member Jan Schakowsky, D-Ill., said. "We heard the cry of the vast majority of Americans who are really tired of feeling helpless online. … I think it's time for us to roll up our sleeves and in a bipartisan way. The U.S. is far behind and we need to catch up."
The ADPPA passed out of the Energy and Commerce Committee 53-2 last year. It will require reintroduction and a restart to its legislative path in the House, but talk during the subcommittee hearing all but confirmed there will be no substitute or competing framework considered at this time. Discussion and witness questioning frequently called back to the proposed ADPPA's provisions, aiming to show sufficient coverage or seeking feedback for improvement.
The Energy and Commerce Committee's 2022 work was best characterized by clear bipartisanship and that won't change despite an agenda shift in the now Republican-controlled House. Energy and Commerce Committee Chair Cathy McMorris Rodgers, R-Wash., alluded to "new consideration" with the Republican control, but said letting alleged Big Tech data issues and consumer harms continue "isn't acceptable."
"Big Tech and data brokers' days of operating in the dark should be over. People should trust their data is being protected," Rodgers added. "We're at an inflection point to ensure our personal information is responsibly collected."
Watching the states and preemption
Talking points throughout the hearing were mostly consumer-focused, but Subcommittee on Innovation, Data and Commerce Chair Gus Bilirakis, R-Fla., was among those to raise the industry benefits to a national standard. Chief among those benefits was escaping the burden of a growing state privacy law patchwork that's developed in recent years.
"(Small and medium-sized businesses) should not live in fear of spending their time and resources on legal compliance to survive the digital economy," Bilirakis said. "Unfortunately, the opposite is occurring and the growing state patchwork is unsustainable for the American economy. And California is still adding more layers to its regulation."
Federal preemption remains a point of contention in ADPPA talks.
Bilirakis made clear it is the only path to legal certainty for SMEs while questioning Anonym founder and Chief Product Officer Graham Mudd, who explained how "larger tech companies have armies of engineers that can adjust their technologies state by state or jurisdiction by jurisdiction."
Kelley Drye & Warren Of Counsel Jessica Rich, the former director of U.S. Federal Trade Commission's Bureau of Consumer Protection from 2013-2017, also confirmed the necessity of "some level" of preemption in a federal framework to achieve "as much consistency as possible."
"Many consumer advocacy groups reading all of these (state-level) bills and laws carefully see the ADPPA is stronger for the most part," Rich said. "One provision here and there (for states) are stronger. But this committee carved out certain things, including California's private right of action. As I've said, whatever it takes."
Several states rejected proposed preemption last year, but none more pointedly than California. The disapproval ultimately led to the ADPPA not being heard on the floor due to deference paid to the California Consumer Privacy Act by a majority of the House's California delegation.
New Republican leadership could bring better odds of the ADPPA making it to the floor in 2023, but California will again try to stand in the way. California Attorney General Rob Bonta, California Privacy Protection Agency Executive Director Ashkan Soltani and Gov. Gavin Newsom, D-Calif., sent a joint letter to Congress reinforcing their prior case against preemption while seeking to "protect critical data privacy protections in state law and preserve California’s authority to establish and enforce those protections."
Data brokers in focus
The subcommittee sought to be informational in the first 2023 hearing strictly focused on federal privacy legislation. Members' words followed the previously published hearing memo outlining all the key themes at play, including the intent to regulate the growing data broker industry.
The memo alluded to general consumer privacy issues being "exacerbated" by data brokerage, which was characterized as "a multibillion-dollar economy selling consumers’ data with virtually no restrictions or oversight."
Energy and Commerce Committee Ranking Member Frank Pallone, D-N.J., used his line of questioning to gauge Anonym's Mudd on the depth of data brokers' collection practices. Pallone also sought impressions from Center for Democracy and Technology President and CEO Alexandra Reeve Givens on the general lack of consumer awareness to data brokerage.
"Part of the problem is that they operate in an opaque layer of the digital ecosystem and don't have to interact directly with consumers, meaning they don't need to earn consumer trust," Givens said, adding the ADPPA carries "really important" provisions on broker disclosure and user opt-out obligations.
Pallone called the data broker industry a "shadow world," while Rodgers noted how federal legislation is essential to "ensuring that we aren't just dollar signs" to brokers moving forward.
This IAPP table aims to present a high-level breakdown of the American Data Privacy and Protection Act, a federal comprehensive data privacy bill.
This white paper provides insights on how privacy professionals responded to the Sephora enforcement action, and how they are updating their practices to account for the expansion of “sale.”
If you want to comment on this post, you need to login.