After a number of start-and-stop efforts, and an essential halt to the issue brought about by the Covid-19 pandemic and various other ensuing political issues, American lawmakers may once again be ready to seriously take up the idea of a federal privacy law.
The “American Data Privacy and Protection Act,” co-authored by a group of Republicans and Democrats from the Senate and House, has reportedly been circulating privately in draft form for at least several weeks. A report in Politico about the bill was quickly followed by publication of a discussion draft for public view.
Some of the key takeaways include pre-emption of most state laws, limited private right of action, required annual assessments of algorithms and restrictions on targeted advertising. The draft bill has a number of hurdles to clear, however, not the least of which is entrenched resistance from other members of Congress that are regularly involved in federal privacy issues.
US looks to establish first federal privacy law after nearly a half-decade of debate
Serious discussion of a federal privacy law has been going on since 2018, when members of both sides of the aisle in Congress committed to developing a bipartisan bill in the wake of California’s adoption of its own privacy regulations. Roughly a year of missed deadlines followed before several competing bills were introduced; then the Covid-19 pandemic hit in early 2020, and seemed to sideline the issue for an extended period of time.
This new federal privacy law proposal would apply its full slate of regulation to companies that have earned annual revenues of $41 million over the prior three years, that collect or process the data of over 100,000 people in a year (minus payment processing and certain exceptions for customer requests), or make more than half their revenue from transferring covered data.
Certain exemptions are made for small- and medium-sized businesses that do not meet these thresholds but “collect, process or transfer” covered data. There are also some special rules for “Large Data Holders,” entities with annual revenues of $250 million and that transfer the data of five million people (or the sensitive data of just 100,000).
On the subject of covered data, the “sensitive” category includes much of the personal information that is expected to receive special handling: Social Security and passport numbers, biometrics, health information, financial information, geolocation and so on. It also includes demographic categories that generally receive special treatment from privacy regulations: race and ethnicity, religious belief, sexual orientation and union membership. Explicit pictures of individuals are also covered by this category, including “undergarment-clad private areas,” as well as information about what individuals are watching on television or streaming media services.
Rights established under the proposed federal privacy law
The bill’s first order of business is to establish data minimization requirements of “reasonably necessary, proportionate, and limited” collection of personal information. The Federal Trade Commission (FTC), which would ultimately be the enforcement body for federal privacy law, would be tasked with developing further guidance on this. There is also a “privacy by design” mandate, also for further development by the FTC, which requires special protections for users under the age of 17.
The bill also offers a right to data export (also subject to further guidance), right to withdraw or opt out of data transfer to third parties, and special restrictions on targeted advertising. Individuals must be offered the ability to opt out of targeted advertising before it occurs, and it is prohibited entirely when covered entities have reason to believe the subject is 17 or younger. Any covered data of users between the ages of 13 and 17 also cannot be transferred at all without express permission.
Third-party data collection and processing outfits will still be able to do business under the new federal privacy law, but with significant new restrictions. They must place an FTC-designed message on their sites and apps making clear they are a data collector, and if they collect information from more than 5,000 individuals annually they must register with the FTC and provide a public website that makes rights clear to data subjects. The FTC will also retain a public and searchable database of this type of business.
All covered entities will be required to appoint at least one privacy and data security officer, and “large” data holders are required to have a reporting structure that links these individuals directly to the top of the food chain. Companies in the “large” category will also be required to conduct biennial privacy impact assessments.
Can the federal privacy law proposal pass?
Though it has bipartisan support, that does not mean that everyone on either side of the aisle is ready to pass it.
Notable resistance from Democrats includes Senator Brian Schatz of Hawaii, who has already written a letter to Congress opposing the new federal privacy law, and Washington Senator and Commerce Chair Maria Cantwell, who has expressed reservations about enforcement loopholes and lack of consumer privacy protection in the draft.
There is also general Republican resistance to any bill that includes a private right of action, even one as limited as is described in this draft. This has been a firm line in the past for the U.S. Chamber of Commerce, which has the ears of many Republican members of Congress.