Last week, Representatives Cathy McMorris Rodgers (R-WA) and Frank Pallone (D-NJ) and Senator Roger Wicker (R-MS) introduced a discussion draft of a federal data privacy law, the American Data Privacy and Protection Act (ADPPA). This week, ADPPA has been formally introduced as H.R. 8152 by four members of the House Energy and Commerce Committee and is set to be marked up by the Consumer Protection and Commerce Subcommittee. This marks a major step towards a federal data privacy bill, and lawmakers should move forward deliberately to improve the legislation through a normal and open process.
NTU has advocated for Congress to take action in response to a growing number of states passing data privacy laws, which threatens to create an unworkable patchwork, especially for smaller online businesses. Since the internet does not stop at state lines, it makes sense to have a federal standard. Importantly, this standard should not be overly burdensome or follow the misguided European approach to data privacy.
While the introduction of bipartisan legislation is encouraging, there is room for improvement and clarification in the ADPPA. First, the ADPPA does preempt state law, but it includes numerous exemptions, including specific state laws. For example, the list of exclusions to the preemption includes Section 1798.150 of the California Civil Code and Illinois’ Biometric and Genetic Information Privacy Acts.
One argument in favor of a federal standard that preempts state laws is that it would reduce compliance costs. If exceptions to that standard are too ambiguous or numerous, it could undermine that goal. The preemption of state laws has been a sticking point in negotiations in the past, and there appears to be room for improvement. At the very least, clarification is needed as to why certain laws are preempted.
A private right of action has been another point of contention with data privacy legislation. Much like the state preemption, it appears the somewhat limited private right of action in this legislation is a compromise between the two parties. However, even attempting a more narrow private right of action could still leave the door open for frivolous lawsuits.
Sec. 403 provides for enforcement by individuals or class action beginning four years after the law takes effect and allows for the awarding of injunctive relief and compensatory damages. A private right of action risks frivolous lawsuits and has been a focal point of debate with data privacy in the past. ADPPA attempts to narrow the private right of action by requiring person(s) to notify the Federal Trade Commission (FTC) and attorney general of the state and creates up to a 60 day waiting period for a response. Another limitation is the right to cure. If a covered entity addresses the alleged problem within 45 days, the injunctive relief could be dismissed.
While these limitations are better than a broader private right of action, it still is cause for concern. Ideally, the private right of action would be eliminated. Even with some guardrails in place, there is still potential for meritless lawsuits. Senator Maria Cantwell (D-WA), Chair of the Senate Commerce Committee, notably did not sign on to the discussion draft version of ADPPA in part because she wants a stronger and more immediate private right of action. Sponsors of ADPPA were wise not to follow this approach, but there is still room for improvement and change to enforcement. As the legislation moves through the markup process and hopefully receives several more hearings, lawmakers should eliminate the private right of action.
The FTC is the primary federal enforcement agency in ADPPA, which makes sense given the focus of the agency. However, lawmakers should be wary of how much authority they grant to the agency. ADPPA allows the FTC to create rules about data portability and algorithms. Both of these issues have been frequently discussed in technology and antitrust legislation, but the overlap of algorithms and privacy legislation is less clear. With the current FTC eager to overhaul competition policy, lawmakers should be cautious about empowering the agency further on these topics.
It was encouraging to see the Subcommittee on Consumer Protection and Commerce of the Committee on Energy and Commerce hold a hearing on data privacy and discuss the implications of ADPPA. Several of the witnesses raised areas of concern, as well as some of the positive features of the legislation. In Congress, and especially in tech policy where bills have flown through the Committee process with little time for debate or changes, it was a positive step to see a more thoughtful approach taken with this important topic. Congress should continue to gather input from academics, stakeholders, privacy advocates, outside groups, and others and not rush to pass something without completing its due diligence.
Overall, the drafters of the discussion draft and H.R. 8152 deserve credit for putting together a thoughtful piece of legislation on a contentious topic. While the bill is obviously a product of compromise, meaning both parties are likely not fully satisfied with the current draft, it is encouraging to see lawmakers take up this issue. ADPPA is a decent starting point and hopefully the bill will improve. When it comes to creating a federal standard, slow is smooth and smooth is fast. Understandably, lawmakers want to address this issue quickly, but getting the legislation right should supersede getting it done quickly.