Despite historic milestone, US privacy legislation may need tweaks to become law

21 July 2022 21:58 by Mike Swift, Amy Miller

In a scenario that seemed far-fetched just three months ago, a comprehensive US national privacy bill is speeding through Congress, and changing rapidly, with a vote expected in the House as early as next week.

But it could stop short. Two key hurdles loom: an unhappy delegation from California, whose 53 representatives dwarf the total of any other state and include House Speaker Nancy Pelosi, who will control when the measure comes to a vote — and influential Democratic Senator Maria Cantwell from the state of Washington.

The most contentious issue is the legislation’s extensive preemption of state privacy laws, including California’s first-in-the-nation, sole-purpose privacy regulator: the California Privacy Protection Agency.

A “compromise” drafted by backers of the American Data Privacy and Protection Act and adopted by the House commerce committee yesterday appears to be one in name only, and confirms enforcement powers that the California agency likely already had under the proposal.

Representative Anna Eshoo, a California Democrat, was unconvinced, and introduced an amendment that would allow states to continue drafting privacy laws. It was overwhelmingly rejected.

The bill emerged from the Commerce Committee with the backing of every Republican, due largely to stronger privacy protections for children and teens on social media platforms.

There’s also a sense among committee members that it’s “now or never,” given the uncertainty of who will control Congress after the November elections. The bill isn’t perfect, several members noted, but that shouldn’t stop them from moving forward.

“The time is now to establish one strong national standard to protect consumer data privacy and security and give Americans more control over their personal data,” a senior aide to Representative Gus Bilirakis of Florida, a Republican sponsor who has touted the augmented protections for children, told MLex today.

CPPA ‘compromise’

The original version of the bill introduced June 21 said state enforcement could be performed by state attorneys general or another “State Privacy Authority,” defining that term as including any “state consumer protection authority with expertise in data protection.” The version approved Wednesday simply added the words “including the California Privacy Protection Agency.”

The CPPA, which is currently developing complex enforcement regulations for the California Privacy Rights Act due to take effect Jan. 1, would clearly qualify as having “expertise in data protection.” So simply making explicit that the definition includes the agency would appear to have little significance.

The US Federal Trade Commission would be the preeminent enforcer, with the ADPPA mandating that the FTC significantly expand and reorganize itself by establishing a new Privacy Bureau, which “shall be of similar structure, size, organization, and authority as the existing bureaus within the Commission related to consumer protection and competition.”

States could enforce the federal law — provided they first inform the FTC of an enforcement action. Another key enforcement change in the newest version of the ADPPA is that the private right of action would become effective two years after the law takes effect, instead of four years under the original version.

While private right of action and state preemption were seen as the two most thorny issues for drafters of the privacy legislation to conquer, there was little discussion about a private right of action during Wednesday’s debate, a signal of a settled compromise.

Representative Frank Pallone, the committee chair, argued Wednesday that the preemption issue shouldn’t be a deal-breaker because the proposed federal law is stronger than any state law, including California’s. But he signaled there could be further compromise on preemption.

“You’re asking us to look at it; the California agency would like us to look at it and we’ll work with both you and California to try to clarify that, because we certainly don’t want any unintended consequences,” Pallone, a New Jersey Democrat, told a North Carolina Republican who was concerned about regulatory overlap between state and federal agencies.

Kids

Adding stricter privacy protections for children helped win the support of Republicans on the committee, who have repeatedly expressed concerns about TikTok in particular, and news reports that the app has been sharing data with the Chinese government.

“Big tech companies like TikTok who have abused the privacy rights of children for far too long must now abide by a new tough legal standard that helps prevent abuse for the sake of their profits, or worse for the sake of foreign interests such as China,” Bilirakis, the Commerce Committee’s top ranking Republican, said Wednesday.

It includes requirements under a newly minted definition of the “covered high-impact social media company” — a concept added to Wednesday’s text that would apply only to a handful of the largest platforms with at least $3 billion in annual revenue and 300 million regular users. That is a short list, including companies such as Meta Platforms, Snap, Twitter and TikTok.

The bill includes a constructive knowledge standard for these so-called high-impact social media companies, as well as a willful disregard standard for any large data holder.

The bill bans targeted advertising for children under 17. It also would create a new “Youth Privacy and Marketing Division” within the FTC’s new Privacy Bureau, which would make recommendations to Congress about ways to strengthen online safety for children.

Loopholes

Eshoo also signaled concern about a “major loophole” that would allow enforcement to access private data “that must be addressed.”

The bill includes a carveout for data collection needed to comply with state laws, which could include laws criminalizing abortion, Eshoo said.

That data could be used to prosecute women who seek an abortion after the US Supreme Court’s decision in Dobbs, she said, adding that “a sinister prosecutor in a state that criminalizes abortion could use against women their intimate data from search histories or from reproductive health apps.”

The American Civil Liberties Union echoed those concerns in a letter to Congress this week, calling the carve out “deeply problematic and misguided.”

Companies could “leverage” that blanket exception to use data in ways that the ADPPA doesn’t allow and that would be “often outright harmful to the data subject’s interests,” the ACLU argued. It would let controversial companies like Clearview AI compile a faceprint database from any source, whether “publicly available” or not, and profit from the sale of that information, the ACLU said.

Privacy groups also raised concerns about the bill’s exemption for de-identified data, calling the provision “ripe for abusive interpretations.” Companies could “evade obligations under the law by classifying information as ‘de-identified’ while retaining the ability to re-identify such data in the future,” the ACLU said.

Senator Maria Cantwell, Pallone’s Senate counterpart as chair of that body’s Commerce Committee, also voiced concerns last month about “major enforcement holes” in the original version of the ADPPA.

“People who want to get a bill know that you can’t preempt states with a weak federal standard, so hopefully they’ll come back to the table,” Cantwell said in a media interview in late June. Where she stands on the newest version of the bill passed out of committee this week is unknown.

There are signs, though, that the sweeteners added since June may be enough for privacy advocates to overcome the bitter pill of state preemption.

While the newest draft “did not make substantial changes to ADPPA’s preemption provisions, the text of the new bill offers a more compelling argument that ADPPA’s protections may be worth the substantial cost of preemption,” Justin Brookman, director of tech policy for privacy advocate Consumer Reports, wrote Pallone this week.
