After years of negotiations, members of the U.S. Senate and House of Representatives have released bipartisan comprehensive privacy legislation—the American Data Privacy and Protection Act. Democrats and Republicans have put forward separate proposals in the past that have more in common than different. The two main points of disagreement that have historically stalled a comprehensive proposal are whether there should be a private right of action for privacy violations and to what extent federal laws should preempt state laws. Even though this new draft takes novel approaches to both of those issues, division continues. The chances of Congress passing privacy legislation this session or the next will turn on whether a broader consensus can be found in these two areas, especially after outside stakeholders and the business community now have an opportunity to fully engage.
Aside from the private right of action and preemption, there is general agreement on how personal information should be collected, used, and shared. For example, the main Democratic proposal, the Consumer Online Privacy Rights Act (S. 3195) introduced by Senator Maria Cantwell (D-WA), creates consumer rights to delete or correct data and port personal information. Likewise, Republicans, led by Senators Roger Wicker (R-MS) and Marsha Blackburn (R-TN), have introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (S. 2499), which would do largely the same. The American Data Privacy and Protection Act unsurprisingly follows along these lines as well. The most notable differences between the parties’ positions have been that the Democratic proposal has a private right of action, while the Republic version has no private right and would completely preempt state law. The challenge continues to be finding a middle ground between these two approaches. In particular, whether there is a way to address concerns about repeated lawsuits and opportunities to preserve at least some ability for states to enact and enforce their own regulations.
The American Data Privacy and Protection Act takes new tacks to both the private right of action and preemption. Under the draft bill, for people to bring a civil claim, they first have to notify the Federal Trade Commission and their respective State’s Attorney General. The Commission and the State Attorney General then have sixty days to decide about whether they are going to bring their own cases. While they decide, and if they do, claimants cannot make demands for monetary payments. These new causes of action would not be allowed until four years after the bill is enacted.
On preemption, the bill provides that federal law would preempt state law, but it lists sixteen areas of law that would not be covered. Those areas include “laws that govern the privacy rights or other protections of employees, employee information, students, or student information” and “laws that address health information, medical information, medical records, HIV status, or HIV testing.” It also makes explicit that it does not preempt specific California and Illinois privacy laws.
At the moment, it appears that only Senator Wicker (as Ranking Member of the Senate Committee on Commerce, Science and Transportation), Representative Frank Pallone (D-NJ) (Chair of the House Committee on Energy and Commerce), and Representative Cathy McMorris Rodgers (R-WA) (Ranking Member of that same House Committee) have reached an agreement. Senator Cantwell’s reluctance to join the others is understood to be based on concerns about the enforcement mechanisms. At the same time, industry has already expressed opposition to any compromise on a private right of action. On May 31, the Chamber of Commerce’s Executive Vice President issued a statement where he said that: “A national data protection law including a private right of action would encourage an influx of abusive class action lawsuits, create further confusion regarding enforcement of blanket privacy rights, harm small businesses, and hinder data-driven innovation.” The Chamber also sent a letter to Cantwell, Wicker, Pallone, and McMorris Rodgers expanding on its position and emphasizing that it “will strongly oppose legislation that fails to provide meaningful preemption or any proposal that creates a blanket private right of action.” The Chamber’s concerns may very well resonate strongly within the Republican caucus.
On preemption, Senator Brian Schatz (D-HI) has sent his own letter to Cantwell, Wicker, Pallone, and McMorris Rodgers urging them to “to refuse to settle for a privacy framework that will only result in more policies to read, more cookies to consent to, and no real change for consumers.” Underlying his concern is his belief that: “Congress should include a duty of loyalty in any privacy legislation and, if it does not, it absolutely should not preempt states from adopting consumer-first online privacy reforms.” Senator Schatz has introduced his own legislation along these lines, the Data Care Act (S. 919), and he will continue to be a strong voice particularly with the eighteen Democrats who have cosponsored his bill.
The time for legislative action this Congress, however, is dwindling. Nonetheless, when Congress does decide to act, it can do so quickly. An additional motivation for federal action could be states like California continuing to move forward with implementation of their own privacy legislation and more states possibly following their lead. It is expected that both the Senate Committee on Commerce, Science, and Transportation as well as the House Committee on Energy and Commerce will each mark up some form of privacy legislation in the coming weeks. Regardless, even if the full Congress does not ultimately act this session, this bipartisan agreement sets the stage for continued discussion next year, particularly since members like Representative McMorris Rodgers will likely become Chair of the House Energy and Commerce Committee. Simply put, even if this Congress ends without passage of any bill, this compromise is a major step forward and it makes eventual passage of comprehensive privacy legislation that much more likely.