Proposed Data Privacy Bill Stands a Shot at Becoming First Comprehensive Federal Privacy Law
A discussion draft of a comprehensive data privacy bill was released last Friday by a bipartisan group of legislators in the House and Senate. Consumer rights advocates say the proposed compromise legislation is the biggest step to date toward granting individuals meaningful privacy protections.
The draft bill, currently known as the American Data Privacy and Protection Act (the “Data Privacy Act”), would allow users to opt out of target advertisements and to sue Internet companies that improperly sell their data. It is sponsored by US Reps Frank Pallone, Jr (D-NJ) and Cathy McMorris Rodgers (R-WA), who are Chairman and Ranking Member of the House Committee on Energy and Commerce, and US Senator Roger Wicker (R-MS), Ranking Member of the Senate Committee on Commerce, Science and Transportation. However, insiders say the legislation faces an uphill battle without the support of Sen. Maria Cantwell (D-WA), who is chair of the Senate Commerce Committee. Cantwell is believed to support more liberal priorities for online user rights.
BLOOSTONLAW TELECOM UPDATE 4 June 8, 2022
“This bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone,” Pallone, Rodgers, and Wicker said. “In the coming weeks, we will be working with our colleagues on both sides of the aisle to build support and finalize this standard to give Americans more control over their personal data. We welcome and encourage all of our colleagues to join us in this effort to enable meaningful privacy protections for Americans and provide businesses with operational certainty. This landmark agreement represents the sum of years of good faith efforts by us, other Members, and numerous stakeholders as we work together to provide American consumers with comprehensive data privacy protections.”
As summarized by a House Energy and Commerce Committee press release, the Data Privacy Act would:
- Establish a strong national framework to protect consumer data privacy and security;
- Grant broad protections for Americans against the discriminatory use of their data;
- Require covered entities to minimize on the front end, individuals’ data they need to collect, process, and transfer so that the use of consumer data is limited to what is reasonably necessary, proportionate, and limited for specific products and services;
- Require covered entities to comply with loyalty duties with respect to specific practices while ensuring consumers don’t have to pay for privacy;
- Require covered entities to allow consumers to turn off targeted advertisements;
- Provide enhanced data protections for children and minors, including what they might agree to with or without parental approval;
- Establish regulatory parity across the internet ecosystem; and
- Promote innovation and preserve the opportunity for start-ups and small businesses to grow and compete.
The legislation would give individual users new rights to access, correct and delete their digital data, and companies would be responsible for informing third parties to make changes to the data of users that have submitted a verified request. The Federal Trade Commission (FTC) would be required to maintain a public registry of data brokers and create a mechanism of users to opt out of targeted advertisements and other data sharing practices. Individuals would be permitted to sue companies, but only after a four-year waiting period after the legislation is enacted. They would also need to notify state and federal officials before proceeding, and they could not pursue their legal action of a government prosecutor takes up their case.
Proposed exceptions in the current draft (at Section 209) would generally allow collection, processing or transfer of covered data for narrowly-tailored purposes such as completing transactions, when data is collected to perform system maintenance, diagnostics or when addressing security incidents, among other things. The draft bill also provides exemptions for small entities that earned gross annual revenues of $41 million or less for the prior three years, that did not collect or process the covered data of 100,000 individuals in a year (except for processing payments and promptly deleting covered data for requested products/services) and that did not derive more than half their revenue from transferring covered data. These smaller entities may choose to delete, rather than correct, and individual’s covered data.
The Center for Democracy & Technology (CDT), a nonprofit research group that receives funding from tech companies such as Apple and Google, issued the following statement upon the release of the proposal:
“This draft shows that there is a bipartisan path forward on long-overdue legislation to protect consumers’ privacy. Americans want and desperately need legislation to protect their personal data and promote trust in the online world. While it’s not perfect, the draft is a hopeful first step. We urge Congress to move forward with the legislative process and pass legislation by the end of this year.”