Still, consumer rights advocates say, the proposed compromise legislation is the biggest breakthrough to date for efforts to pass a federal privacy law. Those efforts have been bogged down amid partisan disagreements. For years, Democrats and Republicans have remained at odds over what extent a federal privacy law should override state measures, such as the landmark California Consumer Privacy Act, and whether it should give consumers the right to bring their own lawsuits against violators.
Republicans support federal preemption of state privacy laws, fearing a patchwork of standards will make compliance difficult for businesses, while Democrats have sought a broad private right of action to give consumers legal tools if government enforcement fails. The legislation unveiled Friday seeks to strike a compromise, including a limit on when and how users can sue Internet companies and measures that would supersede most state digital privacy laws. Politico first reported news of the deal.
The bill would require companies to minimize their data collection practices to only what is necessary for the function of their business. It would also prevent organizations from charging users to access data privacy measures, except for narrow circumstances such as consumer loyalty programs or collecting financial data to complete a transaction.
The Federal Trade Commission would be required to maintain a public registry of data brokers and create a mechanism for users to opt out of targeted advertisements and other data sharing practices. Under the legislation, users would have the right to access, correct and delete their digital data, and companies would be responsible for informing third parties to make changes to the data of users who so choose. Corporate executives would be required to certify annually that their organizations are in compliance with the law.
To enforce the new requirements, the FTC would create a new bureau to protect consumer data privacy, and federal regulators and state attorneys general would be empowered to sue groups thought to be in violation of the law for punitive damages.
Individuals could also sue companies but only after a four-year waiting period from when the legislation is enacted. They are required to notify state and federal officials before pursuing a lawsuit, and they could not pursue the legal action if a government prosecutor takes up their case. The bill would also supersede most state data privacy laws, except for specific statutes on civil rights, student and employee privacy, criminal codes, and financial and health records.
“This draft shows that there is a bipartisan path forward on long-overdue legislation to protect consumer privacy,” said Alexandra Reeve Givens, president and chief executive of the Center for Democracy and Technology, a nonprofit research group that receives funding from companies such as Apple and Google. “Americans want and desperately need legislation to protect their personal data and promote trust in the online world. While it’s not perfect, the draft is a hopeful first step.”
Internet trade association TechNet said the proposal “shows the engines are revving on this issue in a way they haven’t in a long time.” While the legislation “still needs further improvements, it’s an indication that leaders from both parties are committed to action and willing to compromise on key issues like a private right of action and preemption,” Carl Holshouser, senior vice president of the group, said in a statement. “Additional negotiation is needed but we’re more hopeful than we have been in years that a bipartisan privacy bill can make its way to the president’s desk this Congress.”
But major obstacles remain to get a deal signed into law. The draft bill is facing head winds from some prominent Democrats. Sen. Brian Schatz (D-Hawaii), a lead negotiator in past privacy talks on Capitol Hill, warned panel leaders in a letter Wednesday that their latest effort to pass a law was “falling short” in protecting consumers. Schatz urged lawmakers to “refuse to settle for a privacy framework that will only result in more policies to read, more cookies to consent to, and no real change for consumers.”
Schatz urged panel leaders to advance a proposal that imposes a duty of care on companies to protect the personal data of users and said that if they cannot, they “absolutely should not preempt states from adopting consumer-first online privacy reforms.” While dozens of Democrats support creating a duty of care standard for online data, it is widely opposed by Republicans.
In response, Cantwell said in a statement to The Washington Post on Wednesday, “Senator Schatz is right” and “any robust and comprehensive privacy law must protect consumers’ personal data with a clear requirement that companies are accountable for the use of that data and must act in consumers’ best interests.”
Lawmakers also face a dwindling time frame to get a deal done before the midterm elections. Wicker, who has led discussions for Senate Republicans for years, is widely expected to take over as the Republican lead on the Senate Armed Services Committee, which could set back privacy talks on the Senate Commerce Committee as new leadership steps in. Sen. Ted Cruz (R-Tex.), a combative technology industry critic who has focused more on targeting allegations of “bias” by social media companies than on issues like data privacy, is in line to take over for Wicker by seniority.
Staffers on the House Energy and Commerce Committee released a bipartisan discussion draft for data privacy legislation in late 2019, but this is the first time a proposal backed by panel leaders has drawn bicameral support. Little progress had been made since 2019, even as a cascade of data privacy scandals have consumed industry giants like Facebook and Google and infuriated lawmakers on both sides of the aisle on Capitol Hill.