Lawmakers Reach Landmark Agreement On Bipartisan, Bicameral Comprehensive Privacy Legislation – Privacy Protection

Key Points

  • On Sunday, April 7, Senate Commerce Committee Chair Maria
    Cantwell (D-WA) and House Energy and Commerce (E&C) Committee
    Chair Cathy McMorris Rodgers (R-WA) struck a deal on a
    comprehensive federal bill, the American Privacy Rights Act (APRA), marking
    the first such proposal to gain bipartisan, bicameral support with
    the backing of Chair Cantwell.

  • The introduction of the APRA marks significant progress in
    negotiations, building off of progress made last Congress with the
    introduction of the American Data and Privacy Protection Act
    (ADPPA; H.R. 8152). Specifically, the latest
    discussion draft reflects agreement by the two committee chairs on
    two key issues: (1) the timeline for a private right of action for
    enforcement, which was previously opposed by some Republicans, and
    (2) preemption of existing state privacy laws, which faced
    opposition from some Democrats, particularly those from
    California.

  • While the draft proposes terminating the Federal Trade
    Commission (FTC)’s 2022 Advance Notice of Proposed Rulemaking (ANPRM)
    on commercial surveillance and data security, the FTC is expected
    to proceed on the rulemaking and the Biden Administration is
    expected to continue exploring executive action absent additional
    Congressional momentum on privacy.

  • Chair Cantwell and Chair McMorris Rodgers are expected to
    quickly move to formally introduce the bill, and the House E&C
    Innovation Subcommittee has noticed a legislative hearing on April 17 to consider
    the draft, along with several other privacy and children’s
    online safety measures. While Chair McMorris Rodgers will be
    retiring this Congress and has outlined her continued focus on
    advancing bipartisan privacy legislation, it’s unclear whether
    the measure will gain traction this Congress, particularly given
    the upcoming 2024 elections and expected opposition from Senate
    Commerce Committee Ranking Member Ted Cruz (R-TX).

Introduction

On Sunday, April 7, Senate Commerce Committee Chair Maria
Cantwell (D-WA) and House Energy and Commerce (E&C) Committee
Chair Cathy McMorris Rodgers (R-WA) released a discussion draft of a comprehensive
national data privacy and security bill—dubbed the American
Privacy Rights Act (APRA)—marking the first bipartisan,
bicameral privacy proposal to gain the support of Chair
Cantwell.

The bill is the product of years of negotiation, beginning in
the 116th Congress in 2019 with the formal introduction
of competing proposals in the Senate by Chair Cantwell and
then-Commerce Committee Ranking Member Roger Wicker (R-MS), and
followed by the release of a bipartisan discussion draft in the
House by the E&C Committee. Notably, this draft did not contain
legislative language on controversial provisions such as preemption
of state laws and a private right of action for enforcement,
instead leaving the areas in brackets for stakeholder input.
Bipartisan discussions tapered off with little progress,
culminating in House Republicans unveiling their own draft in
2021—the Control Our Data Act.

The 117th Congress subsequently featured the introduction of the
American Data and Privacy Protection Act (ADPPA; H.R. 8152)—the first proposal to gain
bipartisan, bicameral support after years of disagreement on the
correct approach to preemption, private right of action and
arbitration. While the ADPPA marked significant progress made in
negotiations, it notably lacked the support of Chair Cantwell as a
result of her preference for prohibiting the use of mandatory
pre-dispute arbitration agreements by covered entities, in addition
to her objection to the four-year delay in effect of the private
right of action. Chair Cantwell’s opposition ultimately
prevented the legislation from moving forward in the legislative
process, even after the bill cleared the House E&C
Committee.

Because Chair Cantwell did not support last Congress’
bipartisan proposal and had previously begun circulating a revised
version of her privacy bill first unveiled in 2019—the
Consumer Online Privacy Rights Act (S. 3195)—her collaboration with Chair
McMorris Rodgers on the new agreement this Congress is particularly
noteworthy. E&C Ranking Member Frank Pallone (D-NJ) has also
issued a positive statement on the framework, while noting there
are key areas he thinks the bill could be strengthened,
particularly with respect to children’s privacy.

However, Senate Commerce Ranking Member Ted Cruz (R-TX) has signaled opposition to the bill’s private
right of action and delegation of enforcement authority to the
Federal Trade Commission (FTC), voicing concern about the resulting
impact on competition, internet speech and diversity, equity and
inclusion (DEI) compliance.

Key Provisions

As previously noted, the American Privacy Rights Act (APRA) strikes a
compromise with regard to the longstanding sticking points of
federal preemption and a private right of action, in addition to
the issue of pre-dispute arbitration.

While the bill would generally preempt state privacy laws, the
language does provide for some exceptions via an enumerated list of
state laws, including consumer protection laws, civil rights laws,
provisions of laws that address the privacy of employees or
students and provisions of laws that address data breach
notification. The draft provides that California residents may
recover statutory damages consistent with the California Privacy
Rights Act for an action related to a data breach, as well as those
consistent with Illinois’s Biometric Information Privacy Act
and Genetic Information Privacy Act for an action involving a
violation of the affirmative express consent provisions for
biometric and genetic information where the conduct occurred
substantially and primarily in Illinois.

Similar to the ADPPA, the discussion draft’s preemption
language would also carve out state trespass, contract or tort law,
although the new draft differs from the ADPPA in that it does not
carve out laws addressing facial recognition technologies. While
the bill recognizes compliance with other federal statutes such as
the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act
(FCRA) for purposes of the Act’s privacy and data security
requirements, other provisions such as executive certification
would still be applicable.

The legislation would allow for enforcement by the Federal Trade
Commission (FTC) and state attorneys general, also providing for a
private right of action. Last Congress’ ADPPA allowed
individuals to, four years after the date of enactment, generally
bring a civil action in federal court seeking compensatory damages,
injunctive relief, declaratory relief and reasonable attorney’s
fees and litigation costs. However, under the new draft, this
provision would kick in 180 days after the date of enactment. The
discussion draft also shortens the ADPPA’s 45-day cure period
to 30 days.

Like the ADPPA, the discussion draft prohibits covered entities
from enforcing mandatory pre-dispute arbitration agreements or
joint action waivers with respect to minors. The new draft also
brings claims alleging a violation that resulted in a substantial
privacy harm within the scope of the prohibition, and removes
language precluding pre-dispute joint action waivers for
arbitration or administrative proceedings regardless of age. The
bill would cover any entity that collects, processes or transfers
covered data and is subject to the jurisdiction of the FTC,
including nonprofits and telecommunications common carriers.

“Covered data” is defined as information identifying,
linked or reasonably linkable to an individual or device linkable
to an individual, carving out de-identified data, employee data or
publicly available information. The latest discussion draft also
carves out information in a library, archive or museum collection
subject to specific limitations. “Sensitive covered data”
is defined to include the following:

  • Government-issued identifiers not required to be displayed in
    public such as social security and passport numbers; past, present
    and future health, diagnosis, disability or treatment information;
    financial account, debit card and credit card numbers along with
    any access code, password or credentials.

  • Biometric information.

  • Genetic information.

  • Precise geolocation information.

  • Private communications such as voicemail, email, text or
    information identifying parties to communications.

  • Any account or device log-in credentials.

  • Information revealing race, ethnicity, national origin,
    religion, union membership status, sexual orientation or sexual
    behavior that violates an individual’s reasonable expectations
    on disclosure.

  • Information revealing online activities over time and across
    third-party online services.

  • Calendar, address book, phone, text, photos, audio and video
    recordings maintained for private use on a device.

  • Photos or videos of naked or undergarment-clad private
    areas.

  • Information revealing individuals’ access to or viewing of
    TV, cable or streaming media services.

Rather than solely relying on a “notice and consent”
regime, and in an effort to avoid placing the burden for privacy on
the consumer, the bill utilizes “duty of loyalty”
provisions, barring covered entities from collecting, processing or
transferring covered data beyond what is reasonably necessary,
proportionate and limited to provide specific products and
services.

The measure establishes several user rights, including rights to
access, correction, deletion and portability, as well as the right
to opt out of targeted advertising and data transfers. Further, the
bill would prohibit the transfer of sensitive covered data to third
parties without the consumer’s affirmative express consent.

While the discussion draft imposes additional requirements and
responsibilities on “large data holders” similar to those
in the ADPPA, the new draft includes a more prescriptive
definition. Such data holders are defined to include
covered entities with gross revenues above $250 million that
collected, processed, retained or transferred (1) covered data of
over five million individuals or devices, 15 million portable or
connected devices reasonably linkable to an individual, and 35
million connected devices reasonably linkable to an individual; or
(2) the sensitive covered data of 200,000 individuals or devices,
300,000 portable or connected devices reasonably linkable to an
individual and 700,000 connected devices reasonably linkable to an
individual in the most recent calendar year. These entities must
provide short-form notices of their covered data practices (such
requirements will be established in FTC guidance now due within 180
days of enactment), in addition to assessing their algorithms
annually and submitting annual algorithmic impact assessments to
the FTC. Such entities would also be subject to additional
corporate accountability requirements, including annually
certifying that they maintain reasonable internal controls and
reporting structures for compliance with the Act.

With regard to data security, the legislation requires covered
entities to implement and maintain data security practices and
procedures that protect and secure covered data against
unauthorized use and acquisition. In determining whether such
protections are reasonable, factors such as the entity’s size,
complexity and activities related to covered data would be taken
into consideration.

Like the ADPPA, the discussion draft provides a carve-out for
certain small and medium-sized covered entities, under an adjusted
threshold. Under the new draft, the term “small business”
encompasses an entity that, for the prior three years, (1) earned
gross annual revenues of $40 million or less (adjusted from $41
million in the initial ADPPA), (2) did not collect or process the
covered data of 200,000 individuals in a year, except for
processing payments, and (3) did not derive
any revenue from transferring covered
data (adjusted from allowing such businesses to derive less than
half their revenue from transferring covered data in the initial
ADPPA). These entities would be exempt from the Act’s data
portability requirements and most of the data security
requirements. They may also choose to delete, rather than correct,
an individual’s covered data upon receiving such a verified
request.

The legislation would treat violations of the Act as violations
of a rule defining an unfair or deceptive act or practice under the
FTC Act, allowing the agency to obtain civil penalties for initial
and subsequent violations. Within one year of enactment, the bill
directs the FTC to establish a new bureau to carry out its
authority under the Act that is comparable to the current Bureaus
of Consumer Protection and Competition.

The discussion draft notably removes provisions establishing
data protections for children and minors, including the requirement
that the FTC create a Youth Privacy and Marketing Division, which,
under the ADPPA, was directed to submit annual reports to Congress
and hire staff that includes children’s privacy experts.

The draft retains the ADPPA’s language requiring large data
holders to, under certain circumstances, conduct impact assessments
of “covered algorithms”—defined to encompass
computational processes that use machine learning, natural language
processing, artificial intelligence (AI) techniques or other
similar computational processing techniques, making a decision with
respect to covered data.

Outlook

Chair Cantwell and Chair McMorris Rodgers are expected to
quickly move to formally introduce the bill, and the House E&C
Innovation Subcommittee has noticed a legislative hearing on April 17 to consider
the draft, along with several other privacy and children’s
online safety measures. While Chair McMorris Rodgers will be
retiring this Congress and has outlined her continued focus on
advancing bipartisan privacy legislation, it’s unclear whether
the measure will gain traction this Congress, particularly given
the forthcoming 2024 elections.

Of note, the draft would expressly terminate the FTC’s 2022
Advance Notice of Proposed Rulemaking (ANPRM) on commercial
surveillance and data security.
However, the agency has expressed interest in proceeding on the
rulemaking in the absence of Congressional action on privacy. Thus,
should the legislation fail to advance this Congress, we would
still expect developments on the rulemaking from the Commission, as
well as the exploration of further executive action by the Biden
Administration.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
