Who says bipartisanship isn’t possible in an election year? Not us. In a previous column, we wrote, “A federal data privacy framework could … become a reality within the next two years.”
And not House Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash.) and Senate Commerce Chair Maria Cantwell (D-Wash.). After years of stalemate at the federal level on data privacy, over the weekend the two lawmakers introduced the American Privacy Rights Act (APRA) of 2024. In a press release issued upon the bill’s introduction, the two lawmakers stressed the importance of the bipartisan bill, noting it “make[s] privacy a consumer right, and give[s] consumers the ability to enforce that right.”
How did we get here, what would the APRA do, and what is the likelihood that both chambers of Congress will approve the legislation this year?
We attempt to answer those questions this week.
The History Of The Data Privacy Debate In Congress
Republicans and Democrats have been divided over data privacy for the last 20 years.
GOP lawmakers, who are typically strident defenders of states’ rights, have argued in this instance for a national system. Industry advocates have sided with Republicans, because they believe compliance across 50 different state frameworks is incredibly difficult, if not impossible. Democrats, meanwhile, have been reluctant to embrace a national standard since they think it could weaken robust state regimes — including California’s, which many Democrats regard as the gold standard for data privacy law. Consumer groups and privacy advocates have sided with them.
This division – and disagreement over whether any data privacy framework should include a private right of action – explains why no federal data privacy legislation has passed either chamber of Congress.
As The Hill explained, to fill the resulting void, “global regulators push[ed] ahead and state laws tr[ied] to fill the gaps, creating a patchwork of regulations for tech companies to follow.”
The current landscape is, indeed, a patchwork.
According to Bloomberg Law, 15 states — California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire — currently have comprehensive data privacy laws on the books. These 15 “laws generally apply across industries, with exceptions for certain data categories and entity types, and grant rights to individuals pertaining to the collection, use, and disclosure of their personal data by businesses,” Bloomberg notes. Other states also have introduced more narrow privacy bills that address matters like health data or that govern activities of specific entities like data brokers or internet service providers.
Despite their differences, lawmakers from both parties have kept their fingers on the pulse of data privacy and have sought opportunities to move legislation. (We saw this concern rear itself in the recent House vote to ban TikTok.) In short: there are growing bipartisan anxieties about data privacy and national security issues. The APRA comes at an opportune time.
What Issues Does The American Privacy Rights Act Tackle?
As Bloomberg Law notes, the proliferation of state laws is a problem since it poses “compliance and liability risks for companies that have multistate operations.”
To alleviate this concern, the APRA introduces a comprehensive national standard for data privacy, potentially reducing the patchwork of state-level privacy laws. (AXIOS was bolder in assessing the implications of the APRA for states. The Washington, D.C.-based news outlet said the APRA would “override state laws while preserving sector-specific state laws that protect financial, health, employee and educational data.”)
The APRA seeks to establish a uniform and preemptive privacy standard. As noted above, and as The Hill explains, preemption has been a key sticking point in previous data privacy efforts. To mitigate those concerns, The Hill notes, APRA “aims to be stronger than the California state laws.” Specifically, its new standard would grant individuals rights to access, correct, delete, and port their data. The APRA also provides rights against automated decision-making and profiling, and it creates a private right of action, limits companies’ use of consumer data, and gives Americans enforceable data privacy rights.
The legislation addresses many key issues that have, up until now, kept Republicans and Democrats from reaching a compromise. These matters include:
- Consent and Transparency: Requires clear consent for data collection and processing, with special provisions for sensitive data. Entities must disclose their data practices in transparent privacy policies.
- Data Protection Assessments: Mandates risk assessments for practices that pose significant risk to consumer privacy.
- Enforcement: Outlines enforcement mechanisms by the Federal Trade Commission (FTC), states attorneys general, and through private rights of action for individuals. It also establishes a new bureau with the FTC for enforcement.
- Guidance and Compliance: Directs the FTC to publish guidance on compliance and allows for the approval of entity-specific compliance guidelines.
- Privacy-Enhancing Technologies: Introduces a pilot program to encourage the use of privacy-enhancing technologies.
- Exceptions and Limitations: Includes exemptions for the disclosure of information by the FTC under specific circumstances, such as providing information to Congress, enforcing consent orders, issuing compliance guidance, conducting rulemaking for exemptions based on risk assessment, and performing studies to inform further legislative or regulatory action.
Bottom line: for businesses, the APRA would impose new obligations on how personal data is handled, requiring changes to data practices and policies. It also would encourage the adoption of privacy-enhancing technologies. For consumers, the bill would strengthen privacy rights, providing greater control over personal information and a recourse for privacy violations. As AXIOS explained, consumers would be able to sue and seek monetary damages when companies violate their privacy rights.
Does The American Privacy Rights Act Stand A Chance In The 118th Congress?
Chair McMorris Rodgers has said the APRA is the “best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information.”
While last week’s bill introduction was a very important breakthrough, it is almost assured that this legislation will not become law before the November 2024 election, due both to substantive and political realities.
Substantively, many Democrats, particularly those from California, will oppose the preemptive nature of this legislation, which they will argue would reduce the data privacy protections their constituents are currently afforded under the California Privacy Rights Act and the California Consumer Privacy Act, to say nothing of future data privacy statutes state legislatures could enact in the future.
On the other hand, some Republicans will vehemently oppose the private right of action afforded under the bill. The discussion draft did not closely involve key congressional leaders, including Senate Commerce, Science, and Transportation Committee Ranking Member Ted Cruz (R-Texas) and House Energy and Commerce Committee Ranking Member Frank Pallone (D-N.J.). Despite calling the APRA “a very strong discussion draft,” Rep. Pallone has suggested the APRA will need to be amended in order to gain his support.
As for Sen. Cruz, Politico reported that, on Monday, the senator said he has reservations about the bill. Specifically, the Texas lawmaker said he would not support provisions that would allow people to sue for privacy violations or give more power to the FTC. That provision is, of course, a key part of the legislation.
From a political perspective, Rep. McMorris Rodgers is retiring at the end of this term and, as a lame duck, does not have many political chits left to cash in with her colleagues to convince them to support the legislation. And, of course, technology companies are likely to come out against several provisions in the legislation and to pressure lawmakers in whose states and districts they operate to oppose the bill.
And, as a reminder, we have been here before.
In a flurry of activity in the leadup to the 2022 elections, the previous Congress made significant strides (relatively) on data privacy. The House Energy and Commerce Committee even approved legislation, the American Data Privacy and Protection Act (ADPPA), on a bipartisan vote. Like the APRA, that bill would have created a comprehensive national privacy standard aimed at protecting consumer data and prohibiting discrimination based on that data.
A wide range of lawmakers and ideological groups supported the ADPPA, including the centrist New Democrat Coalition, which called it “a big step forward in our effort to ensure all Americans have strong data privacy and security protections.” R Street Institute Policy Director Brandon Pugh said the ADPPA was not a perfect bill, but that “it remains the best chance to make federal privacy legislation a reality.”
The last Congress ran out of time, however, and the ADPPA never made it to a full House vote, much less to President Joe Biden’s desk.
Still, bipartisanship may not be dead. The APRA is just the sort of landmark legislation that lame-duck sessions of Congress have enacted in years past. So stay tuned after the elections.