For decades, lawmakers have pushed for a comprehensive federal law protecting user data — but it has never survived the chaos of a deeply divided Congress. But on Tuesday, the Energy and Commerce Committee held its first hearing to discuss a new proposal lawmakers believe could actually cross the finish line.
Called the American Data Privacy and Protection Act, the proposal marks a major step forward in congressional data privacy negotiations. For years now, any measure that would set a national standard for user data protections has fallen short of final approval due to partisan disagreements. From Republicans withholding their support for bills allowing states — like California — to roll out their own rules to Democrats demanding a private right of action, discussions failed time and time again.
But lawmakers on both sides of the aisle made clear on Tuesday that they’re the closest they’ve ever been to passing a comprehensive privacy bill. “This is the closest we’ve come to establishing a national standard — a standard that many have said for a long time is urgently needed,” Rep. Cathy McMorris Rodgers (R-WA) said during Tuesday’s hearing.
The measure allows for Americans to access, correct, and request deletion of any personal data companies have collected on them. It also calls on the Federal Trade Commission to define what forms of data are necessary for companies to collect — a first step in minimizing the amount of data firms are allowed to collect. Civil liberties and child protection are also emphasized in the measure, which would ban companies from serving targeted ads to children under 16 and require them to conduct annual civil rights assessments on their algorithms.
“This proposal is the first serious, bipartisan, bicameral, comprehensive national privacy bill that directly confronts the sticking points which derailed earlier efforts,” Rep. Frank Pallone (D-NJ), chair of the full committee, said in a statement Tuesday. “This legislation represents a fundamental shift in how data is collected, used, and transferred.”
Business groups have opposed many of the measure’s compromises, including a private right of action that would allow for civil lawsuits in response to data privacy violations. When the draft was first circulated last week, the Chamber of Commerce called the measure “unworkable” and that it “should be rejected” in a draft letter, according to CNBC. The draft’s language only allows for users to sue companies up to four years after a violation. If, during that time, the FTC or a state attorney general decides to take up a case, the individual could no longer pursue their own lawsuit.
Still, the proposal includes some wins for businesses. Most notably, the measure would preempt state privacy laws with a few exceptions, like the California Consumer Privacy Act and Illinois’ Biometric Information Privacy Act. Tech leaders, like Apple CEO Tim Cook, have long advocated for a national privacy law. Last week, Cook sent a letter to lawmakers asking them to enact privacy rules “as soon as possible.”
Despite the American Data Privacy and Protection Act’s broad bipartisan support, not all lawmakers are happy with it. Sen. Maria Cantwell (D-WA), chair of the Senate Commerce Committee and an important figure in moving privacy rules to the floor, has been circulating her own draft proposal that includes a stronger private right of action, according to The Hill.