Congress is moving closer to creating a federal digital data privacy standard for consumers. In July, the House Energy and Commerce Committee passed the American Data Privacy and Protection Act (ADPPA) in a 53-2 vote, a resounding show of support for a digital privacy law.
Some lawmakers and data privacy stakeholders are at odds, however, over whether one federal statute is enough to protect the data privacy of all Americans. ADPPA (H.R. 8152) would focus on data minimization, or limiting the amount of data companies can collect to what is necessary to provide a specific service.
Among its other aims, the bill will also prohibit companies from transferring consumer data without the individual’s consent and will require that consumers opt in to targeted advertising. Government agencies, however, would be exempt from ADPPA requirements.
“We have finally come up with a landmark compromise, the key word being compromise,” said Rep. Jan Schakowsky (D-Ill.), chair of the Energy and Commerce subcommittee on consumer protection and commerce. “It’s been a lot of work bringing these stakeholders together. I know almost everyone can probably find something that they wished were different in the bill. On the other hand, I do think we have a Band-Aid for the American people who are just fed up with the lack of privacy online.”
One key issue of contention was what to do with California’s existing privacy laws, which were some of the first and strongest in the nation. ADPPA has provisions to preempt state laws, but drafters weighed whether to exempt the California Consumer Privacy Act and the California Privacy Rights Act from that section.
Supporters of the bill argue that preempting state laws is required to get bipartisan support for the bill. “It’s no secret that preemption of state laws has long been a key sticking point when you’re trying to deal with compromise,” said Rep. Frank Pallone (D-N.J.), a co-sponsor of the bill.
“There are areas, not too many in my opinion, where the California law is stronger, and we have made an exception. But basically this amendment would reject all the efforts to come to a compromise by replacing carefully crafted preemption provisions, mindful of some of the states, with a provision that will not set a true federal standard.”
House Speaker Nancy Pelosi (D-Calif.) raised concerns over preempting current and future privacy laws enacted in her home state, which hosts the country’s largest tech companies. “California’s landmark privacy laws and the new kids age-appropriate design bill, both of which received unanimous and bipartisan support in both chambers, must continue to protect Californians — and states must be allowed to address rapid changes in technology,” Pelosi said in a September statement.
Without Pelosi’s support, the bill is unlikely to move to the House floor.
The Electronic Frontier Foundation (EFF), a nonprofit digital rights group, also voiced concerns over the preemption provisions. “EFF opposes rolling back state privacy protections to meet a lower federal standard,” the organization said in a statement. “ADPPA’s preemption doesn’t only steamroll state data privacy statutes, such as California’s [consumer privacy rights legislation]. It also apparently rolls back protections in a number of other areas. … Based on the text of the current bill, endangered state privacy rules include those for biometric information (apart from face recognition), genetic data, broadband privacy, and data brokers — or ‘third-party collecting entities’ as the ADPPA refers to them.”
EFF advocated for a baseline federal privacy protection law that states could build on if necessary. “While it’s exciting that Congress is considering consumer privacy legislation after literal decades of spinning its wheels, the ADPPA, as written, stops states from innovating on these issues,” the group stated. “The ADPPA should not trade away states’ ability to react in the future to current and unforeseen problems.”
Meanwhile, the minority leader of the House Energy and Commerce Committee, Rep. Cathy McMorris Rodgers (R-Wash.), said the preemption provisions should stay, specifically targeting Pelosi’s objections. “California — the home of Big Tech and the societal ills it has brought —should not be dictating privacy and data security rules for the rest of the country,” McMorris Rodgers said in a statement. “I have been clear for years now that federal preemption is essential in order to protect all Americans no matter where they live. Creating one national standard is necessary to achieving this goal.”
For more background, see the January 2020 issue of Congressional Digest on “Holding Tech Companies Accountable.”