Federal privacy law faces new hurdles ahead of markup
Lawmakers have a difficult needle to thread when they convene Thursday to mark up a landmark federal privacy proposal, legislation that represented a breakthrough when it was announced but that now faces new barriers to becoming law.
Since the bipartisan leaders of two key House and Senate committees unveiled the American Privacy Rights Act in April, the bill has undergone further revisions — and gathered opposition from industry groups and civil rights advocates.
The House Energy and Commerce Committee will mark up the bill Thursday in hopes of moving it to the floor. GOP leadership is reportedly skeptical of the measure, but the APRA represents the most promising proposal in recent years for Congress to finally pass a federal privacy standard — something the United States is nearly alone among developed nations in lacking.
Industry groups have for years clamored for federal privacy laws that would preempt the patchwork of state privacy laws in favor of a single, uniform standard. The APRA is designed to create such a federal consumer privacy framework, but some industry organizations now complain that it doesn’t go far enough to preempt state privacy laws and that it would open the door to too many lawsuits.
The latest revision to the bill has also removed protections against data-driven discrimination and bias in artificial intelligence, worrying civil society groups.
The tweaks regarding preemption and civil rights will require that both privacy hawks and pro-business groups make concessions, and that raises serious questions about whether lawmakers will be able to navigate between Capitol Hill’s warring privacy factions or whether the effort to finally pass a privacy bill will crash out on the rocky shoals of the congressional privacy divide.
“One of the challenges with ever reaching compromise and consensus around a privacy bill is, as we tend to shift one aspect of the bill, it may inadvertently or perhaps intentionally alienate some group,” said Brandon Pugh, policy director of the cybersecurity and emerging threats team at the R Street Institute think tank. “If we generally want a comprehensive privacy law, how much are we willing to move and potentially compromise in areas where we may be a little more hesitant to do unilaterally?”
The idea of stronger regulation to protect privacy has significant support from U.S. adults, with 72% saying they favored it in an October poll. But that’s done little to inspire congressional action, with a stream of federal privacy proposals dying on Capitol Hill in recent years.
The APRA represents the most promising federal privacy bill yet, but getting the law across the finish line will turn on the nitty-gritty of its language.
“We’ve heard loud and clear from our constituents, parents, businesses big and small, and advocacy groups across the political spectrum about how critical it is that we empower Americans with the right to privacy,” said a spokesperson for the bill’s sponsor, House Energy and Commerce Committee Chair Cathy McMorris Rodgers, R-Wash. “We are fully committed to doing the hard work necessary to get it done.”
One change to the latest version of the privacy bill expands the situations in which the federal privacy law would preempt state versions, but not to the degree favored by the U.S. Chamber of Commerce and other groups that have sought full preemption.
“We still think the bill is unworkable because of the fact that it has weak preemption,” said Jordan Crenshaw, senior vice president of the chamber’s Technology Engagement Center. “Second, the private lawsuit section is ripe for abuse, and we don’t think that any fixes have been made that address our concerns on that.”
Crenshaw said he was particularly concerned about the potential harm of lawsuits against small businesses, but a group that represents small businesses, NFIB, praised the bill’s protections for them.
“While many larger businesses may have teams of legal and compliance staff, the smallest business owners handle all compliance work themselves,” Andrea McGee, the NFIB’s principal of federal government relations, wrote in public comments. “If small businesses had not been excluded these small business owners would have struggled to comply with this legislation and potentially found themselves in court defending themselves against enforcement actions.”
Some civil rights and civil liberties groups, meanwhile, have called on the panel to delay its markup until it restores the original bill’s civil rights protections. Eric Null, co-director of the privacy and data project at the Center for Democracy and Technology, said the latest draft did include some positive changes, such as how the bill approaches advertising.
“Had the civil rights protection stayed, we would be having a very different conversation,” Nu/ll said. “Unfortunately, the conversation we’re having is whether this bill should still move.”
Passing the bill is a major priority for McMorris Rodgers, who is retiring at the end of the year. The legislation covers a lot of ground, including language to rein in data brokers.
Amendments on some or all of the sticking points are likely. It would be unlikely that McMorris Rodgers would put the bill on the markup agenda if she thought it would not win the panel’s approval. What happens next is up in the air, although the fact that the lawmakers have gotten a privacy bill this far after years of inaction suggests that its backers have at least the potential to overcome the latest hurdles.
