Is the U.S. Finally About to Enact a Federal Data Privacy Law?
It feels like a million years ago, but before the current spike in gasoline prices — and before inflation hit levels the nation hasn’t seen since the 1970s — Americans were worried about gasoline supply for reasons unrelated to inflation or a Russian invasion of Ukraine. If you can recall, back in May 2021 a cyber gang called DarkSide paralyzed Colonial Pipeline servers, which meant the largest system for refined oil products in the country was forced to shut down.
Gas prices at that point hit a now-quaint-seeming $3.04 a gallon, but Americans were up in arms. Politicians were outraged and pledged to finally consider major cybersecurity and data privacy legislation. They did not, of course, due to longstanding ideological differences between the two parties.
But now there might be a breakthrough — at least on data privacy. Last week, a small bipartisan group of House and Senate lawmakers released draft legislation they hope to enact in the waning days of the current Congress. (“Waning” because there are fewer than 40 legislative working days remaining before the 2022 midterm elections.)
What are the chances this legislation will make it to President Joe Biden’s desk by the end of 2022? Let’s take a look. But, first, let’s revisit the ideological sticking points that have made it seemingly impossible for Congress to enact data privacy legislation up until this point.
Why Can’t Republicans and Democrats Get Along on Data Privacy?
Data privacy law is unquestionably complex. But, at the risk of oversimplification, there have historically been two key areas of friction between the parties: federal preemption and a private right of action. Republicans have insisted any federal data privacy bill preempt state laws to provide for a singular, uniform, national data privacy framework. What use, they argue, is a federal data privacy standard if a couple dozen states enact their own, disparate statutes with which companies must comply? Democrats have pushed for language that would allow states to enact laws that go beyond the framework established by Congress. In their view, states can generally move more quickly than Congress, and Washington shouldn’t be an obstacle to heightened consumer data privacy standards as technology and the market evolve.
Democrats also have insisted any federal data privacy bill include a broad private right of action — meaning individuals could sue organizations for mishandling their private data. Republicans strongly oppose this idea. In 2019, for example, then-Senate Commerce, Science, and Transportation Chair Roger Wicker (R-Miss.) said, “We do not need a whole raft of new lawsuits … If we want the law enforced, we can get the law enforced, without a bunch of damage suits.”
Business groups also have outlined their opposition to a private right of action. Last week, before introduction of the bipartisan draft bill, the U.S. Chamber of Commerce (USCC) warned “a national data protection law including a private right of action would encourage an influx of abusive class action lawsuits, create further confusion regarding enforcement of blanket privacy rights, harm small businesses, and hinder data-driven innovation.” The USCC noted “more than 130 countries have enacted general privacy protections, and five state legislatures have passed comprehensive data protection bills” without a private right of action for privacy.
What Would the Bipartisan Draft Data Privacy Bill Do?
On June 3, congressional negotiators, including Sen. Wicker, reached agreement on federal preemption and a private right of action. House Energy and Commerce Committee Chair Frank Pallone (D-N.J.) and ranking member Cathy McMorris Rodgers (R-Wash.) joined Sen. Wicker in announcing the compromise.
The American Data Privacy and Protection Act (ADPPA) would preempt most state laws, with some limited exceptions, and includes a limited private right of action with relatively narrowly defined remedies for individuals who seek damages through litigation for privacy violations. The bill also includes a focus on protecting children. Children’s privacy became a major bipartisan concern after whistleblower Frances Haugen, a former employee of Meta Platforms Inc.’s Facebook, testified before Congress in 2021 that social media was harming underage users.
Specifically, to address private rights of action, the legislation would allow people to sue technology companies directly four years after the bill’s enactment to allow businesses to get up to speed with the new requirements, and to give consumers time to understand the law. On preemption, the bill calls for a national federal privacy framework except in certain circumstances, including consumer protections around unfair or deceptive practices or laws that address notification requirements in the event of a data breach, whereby more stringent state laws can apply.
The legislation also would:
Establish a strong national framework to protect consumer data privacy and security;
Grant broad protections for Americans against the discriminatory use of their data;
Require covered entities to minimize, on the front end, the individuals’ data they need to collect, process, and transfer, so that the use of consumer data is limited to what is reasonably necessary, proportionate, and limited for specific products and services;
Require covered entities to comply with loyalty duties with respect to specific practices while ensuring consumers don’t have to pay for privacy;
Require covered entities to allow consumers to turn off targeted advertisements;
Establish regulatory parity across the internet ecosystem;
Promote innovation and preserve the opportunity for start-ups and small businesses to grow and compete;
Bar companies from targeting advertising at children 17 and younger, and from transferring the data of kids aged 13 to 17 to third parties without their express affirmative consent; and
Establish a Youth Privacy and Marketing Division at the Federal Trade Commission to enforce its provisions.
The Missing Piece of the Puzzle: Sen. Maria Cantwell
While last week’s movement was meaningful, the bipartisan group is missing one key person: Senate Commerce Committee Chair Maria Cantwell (D-Wash.). Chair Cantwell often has criticized efforts to preempt state laws, stating that in many cases, state laws provide more protections against privacy violations than any federal bill could do.
Unless Chair Cantwell relents, it’s hard to see how even this newly reached bipartisan compromise bill can advance in the Senate, where 60 votes will be required to pass the bill. Moreover, even if there were 60 votes for this new data privacy bill (and there are not, at least not yet), as noted above there are precious few legislative days remaining in either chamber of Congress before the midterm elections.
Chair Cantwell also has her own draft bill, which she notes has been lauded for allowing consumers the opportunity to sue. Chair Cantwell’s press release outlining her legislation quoted University of Washington Law School Professor Ryan Calo who said, “This legislation represents a sea change, particularly in the way federal law thinks about privacy harm. As the bill makes abundantly clear, violating the privacy rights and expectations of consumers is harmful in and of itself, a harm that must be redressed by regulators and courts.”
In a statement the day the ADPPA was introduced, Chair Cantwell criticized the bill’s four-year waiting period for a private right of action and overall said the legislation was “riddled with enforcement loopholes.”
How Likely Is It Data Privacy Legislation Will Be Enacted This Year?
Technology companies and consumer groups alike are eager for a uniform data protection regime in the country, as people fret over how their data is used. The ADPPA’s introduction reinvigorates the prospects for a federal privacy law. It is a step forward in addressing some of the key issues that have plagued talks around federal data privacy and addresses the desire for more stringent regulations of the privacy practices of big tech, which has grown in influence and financial power since the pandemic began.
But states are still where the real action is happening. The Senate Republican Policy Committee recently stated that at least 15 states are preparing to consider, or have already supported, data privacy legislation in 2022. In other words: the ADPPA’s introduction is best interpreted as raising the probability of a federal data privacy bill becoming law at some point in the next 12-18 months, but not imminently.