Last Wednesday, June 1, it was reported that members of the U.S. Senate and House were circulating a bipartisan draft bill that breaks a stalemate in federal data privacy negotiations. The draft bill, released on Friday by House and Senate leaders, may suggest that members of the U.S. Congress have finally found common ground on comprehensive federal privacy legislation.
Congress has tried and failed for decades to pass a comprehensive privacy law at the federal level. The current situation has been described as a “patchwork” of state and sector-specific privacy laws which disparately protect Americans’ data privacy. If it becomes law, the ADPPA would provide a uniform standard for what data companies can gather from individuals and how they can use it.
The sixty-four-page discussion draft of a comprehensive data privacy bill, called the “American Data Privacy and Protection Act” (ADPPA), suggests that lawmakers are finally close to making it happen. In prepared remarks, the authors of the new privacy bill said the draft bill represented a “critical milestone”. The development would also bring the U.S. closer to par with Europe, as well as breathing fresh life into ongoing work towards the new Trans-Atlantic Data Privacy Framework which will allow data flows between the two economic areas.
Bipartisan support for the ADPPA makes the draft bill the biggest breakthrough to date for efforts to pass a federal privacy law. Previous efforts to pass a federal privacy law have repeatedly broken down as a result of disagreements between the two parties. A white paper published by the IAPP, which examined the 18 bipartisan federal privacy bills introduced in the 117th Congress, found that none of the federal privacy bills that contain either a private right of action or a state law pre-emption provision have received bipartisan support. For the first time, the bill reaches compromise positions on the two most contentious issues in the federal privacy law debate.
Reaching bipartisan agreement on pre-emption, which will affect state legislatures’ ability to address issues in their own way, has been the biggest task for legislators. Republicans have mostly supported the pre-emption of all state laws, fearing a patchwork of standards will make compliance difficult and costly for businesses. Meanwhile, Democrats and privacy advocates have resisted the move, for fear that it will limit the ability of states to pass their own privacy legislation and leave consumers unprotected. The ADPPA has reached a compromise by allowing the federal privacy law to pre-empt state privacy laws, with some notable exceptions including California’s California Consumer Privacy Act (CCPA) and Illinois’ Biometric Information Privacy Act (BIPA). The statement has been received poorly by privacy advocates who had hoped that a federal law would be a floor, not a ceiling.
Discussions on a private right of action are clearer, and mostly concern thresholds, which companies can be sued, and ensuring that lawsuits are for actual damages. Democrats have historically supported a private right of action to give consumers legal tools to protect their rights when government enforcement fails – either as a result of limited resources or regulatory capture. Republicans, on the other hand, have opposed this broad private right of action, citing concerns about the significant resources which would be required to defend every perceived violation and fears that this could open the door to frivolous lawsuits from professional plaintiffs seeking monetary damages. The new draft bill reaches a compromise by including certain limited rights for individuals to sue for monetary damages if a company violates their privacy. The compromise would be a blow for the tech industry, which has fought such provisions in states.
The draft bill is not modelled on existing laws or on the GDPR; however, certain concepts and definitions within the bill are familiar. The bill will apply to “covered entities” and “covered data”, but excludes de-identified data, employee data, and publicly available information. The bill also contains an exemption for small businesses. There are provisions that would require covered entities gathering data to minimise what they collect, implement privacy by design policies and procedures, and publish privacy policies explaining their data processing activities. Distinctively, these privacy policies would need to state whether or not covered data is transferred to, processed in, or made available to the People’s Republic of China, Russia, Iran, or North Korea. The bill also includes a list of eight practices that covered entities should not engage in, including the transfer of aggregated internet search or browser history. Impact assessments would be required for a number of processing activities under the ADPPA, including with respect to any algorithm of a large data holder that uses personal information.
The draft bill also includes details on the enforcement of the ADPPA, which would be done by the Federal Trade Commission (FTC) and State Attorneys General. Under the bill, the FTC will be authorised to issue guidance and promulgate rules. The bill is also noteworthy for its broad definition of sensitive data, which includes “information identifying an individual’s online activities over time or across third party websites or online services” (effectively, cookie data). It also increases online data privacy protections for young people under age 19, and would ban targeted advertising to kids under age 17.
So, here’s the bad news: whilst the tech industry has largely been supportive of passing some form of federal privacy legislation, there is growing concern that the draft bill is a convenient distraction from key anti-trust and consumer protection bills which are closer to becoming law than any privacy legislation. These bills include the American Innovation and Choice Online Act (AICO) and the Open Markets Act (OMA), which aim to rein in Big Tech’s extraordinary market dominance and have both received bipartisan support. President of the Digital Progress Institute Joel Thayer has warned the U.S. not to “put the privacy cart before the anti-trust horse.”
Finally, there remain several roadblocks ahead before this legislation can become law. The bill has still not garnered the support of Senate Commerce Committee Chair Maria Cantwell, D-Wash., one of the most important legislators working on federal privacy. She has objected to the idea that the private right of action would only begin four years after the ADPPA’s effective date, and has signalled that she has her own competing proposal: a revised version of her Consumer Privacy Rights Act. Without her endorsement, the bill does not yet have bipartisan support in the Senate. In addition, there is little time left in the Congressional calendar, and it is unclear whether Congress could get a deal done before the midterm elections. The U.S. Chamber has also previously warned that it will oppose any privacy legislation that creates a blanket Private Right of Action.
Despite this, the discussion draft should be seen as an important development in the advancement of federal privacy legislation. If it doesn’t pass, it will frame discussions moving forward.
The House Energy & Commerce Committee is scheduled to hold a full hearing on the ADPPA next Tuesday, June 14, which will be the first opportunity for the bill to be debated publicly.