U.S. Representatives Frank Pallone Jr. (D-N.J.) and Cathy McMorris Rodgers (R-Wash.), and Senator Roger Wicker (R-Miss.), recently unveiled a draft of the American Data Privacy and Protection Act. This draft legislation provides a national standard on what data companies can gather from individuals and establishes parameters for data usage.
The draft legislation represents a historic compromise between Democrats and Republicans on two main issues that have killed previous data privacy legislation efforts: whether a federal privacy law can preempt state laws and whether individuals should have the right to sue companies that illegally share or misuse data.
In a statement on the legislation, Frank Pallone Jr. and Cathy McMorris Rodgers, chairman and ranking member of the U.S. House of Representatives Energy and Commerce Committee, and Roger Wicker, ranking member of the U.S. Senate Commerce Committee, said that “this bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone.”
Currently, data privacy in the United States is governed by a patchwork of state laws and regulations. The state of California leads the nation in stringency of privacy protections with the 2018 California Consumer Privacy Act (CCPA). The CCPA gives consumers more control over the personal information that businesses collect about them, including the right to delete shared personal information and the right to opt out of the sale of personal information.
The American Data Privacy and Protection Act includes an agreement that the federal privacy legislation would preempt state laws by default, with notable exceptions for California and Illinois state laws. The legislation also includes a provision that would allow limited rights for individuals to sue for monetary damages if a company violates their privacy. This practice is called a “private right of action” and has been a point of disagreement for the tech industry, which has fought against the private right of action in numerous state bills.
If passed, the legislation would require that groups gathering data minimize what they collect. According to a summary of the bill provided by the authors, “covered entities are prohibited from collecting, processing, or transferring covered data beyond what is reasonably necessary, proportionate, and limited to provide specific products and services.” According to the draft legislation, authority would be granted to the Federal Trade Commission (FTC) to determine what sort of data collection is “reasonably necessary, proportionate, and limited to provide specific products and services.”
The legislation would also require groups gathering data to acquire “express affirmative consent” from individuals before their data is sold to a third party. In addition, the proposed bill increases online privacy protections for children under the age of 17, including prohibiting targeted advertising to children under 17.
Notably, U.S. Senate Commerce Chair Maria Cantwell (D-Wash.) has not signed on to this proposed legislation. In her statement, Sen. Cantwell said, “For American consumers to have meaningful privacy protection, we need a strong federal law that is not riddled with enforcement loopholes.” Senator Cantwell will be a key player in ensuring that this legislation has bipartisan support in the U.S. Senate.
Other groups opposing this legislation include the U.S. Chamber of Commerce, which does not support the private right of action, citing the many legal pitfalls this provision would generate, including the creation of class action lawsuits. IBM and other tech groups also oppose this legislation.
Time is running short in the Congressional schedule to achieve passage of a national privacy bill. U.S. Senate Majority Leader Chuck Schumer has urged the speedy passage of a bipartisan agreement on privacy legislation before the midterm elections in November.