On June 3, the House Committee on Energy and Commerce posted a press release, legislative language, and a section-by-section analysis for a federal online privacy bill, the American Data Privacy and Protection Act (ADPPA), with both bipartisan and bicameral support. It’s always a good bet that broad privacy legislation will fail to pass, and any law is difficult to pass in this Congress. With that said, the new bill language is significant for at least two reasons.
First, the key congressional players have strong reasons to seek to finish the bill this year. Sen. Roger Wicker, R-Miss., ranking member of the Senate Committee on Commerce, Science, and Transportation, has worked hard on privacy for several years and won’t be on the committee next year, and Commerce Chair Maria Cantwell, D-Wash., who appears to be close to the published bill on many provisions, will no longer be chair if the Republicans win the midterms. In addition, if the Republicans win, then Sen. Ted Cruz, R-Texas, will likely chair the committee next year and would not pursue a privacy bill. On the House side, the key players thus see this year as the best chance to pass a bill with meaningful privacy protections.
Second, this bill is significant even if it does not pass this year. For big pieces of legislation, once there is bicameral, bipartisan agreement on bill text, final passage may happen in the next Congress or two, and the final bill tends to look a lot like the first full draft. For privacy, this happened, for instance, in passage of the Gramm-Leach-Bliley Act in 1999 and the HIPAA amendments in the 2009 HITECH bill.
In addition to the merits of the proposed privacy protections, there are important other reasons for the U.S. to enact federal legislation. Over 145 countries have now passed privacy legislation with at least the scope of the new proposal, including recent laws in Brazil and even China. In the global context, the U.S. risks becoming a privacy pariah unless it creates baseline legislation. More specifically, as I have detailed in Senate testimony, “enactment of comprehensive commercial privacy legislation would greatly improve the overall atmosphere in Europe” for ensuring lawful flows of personal data between the EU and U.S. In March, President Biden and the European Commission announced an “agreement in principle” for a Trans-Atlantic Data Privacy Framework. Privacy advocate Max Schrems has already announced that he plans to challenge the framework in EU courts. A new U.S. privacy law would strengthen the hand of U.S. allies in Europe during the political and judicial scrutiny that the new framework will undergo.
This post describes the history of earlier attempts at federal privacy legislation and the long-standing, difficult issues of federal preemption of state law and private rights of action. (Other helpful analyses already exist here and here about important provisions of the bill—including its limits on data collection, use, and sharing; new civil rights provisions; and algorithmic transparency and accountability.)
Previous Attempts at Federal Online Privacy Legislation
The late 1990s saw significant privacy legislation and regulation, such as HIPAA for medical privacy, Gramm-Leach-Bliley for financial services, and the Children’s Online Privacy Protection Act. By 2000, Senators John Kerry and John McCain introduced a bipartisan bill for comprehensive online privacy protections, with many provisions similar to the bill announced on June 3. Federal legislation seemed distinctly possible. With the attacks of 9/11, however, the public debates shifted from “need to know” to “need to share”—security concerns trumped privacy.
Along with other causes, new momentum for federal online privacy legislation emerged as California passed the California Consumer Privacy Act in 2018, followed by the stricter California Privacy Rights Act in 2020. Other online privacy laws passed in Connecticut, Colorado, Utah, and Virginia. Important parts of industry switched to favoring federal privacy legislation, but only if the new federal law preempted the burgeoning number of state online privacy laws.
Thus, for a variety of reasons, the passage of state privacy laws increased the possibility of a bipartisan federal bill. There have always been tendencies within both political parties favoring privacy legislation, with many Democrats supporting regulation to protect individuals’ privacy rights, and Republicans sometimes using the language of property to argue that individuals own their data and that these ownership interests should be protected. More recently, there has also been skepticism of large tech companies from within both parties. In addition, members of Congress have their own families and personal privacy concerns, and they know from personal experience how supposedly private matters can become public, including in 30-second attack ads.
As documented by Cameron Kerry, who led many privacy initiatives during the Obama administration, both Republicans and Democrats have been working on federal online privacy legislation since 2019 (after passage of California’s first law). Already then, there was important convergence between legislation supported by Senate Commerce Chair Cantwell and Ranking Member Wicker, and they have continued to negotiate on and off since. Now, Wicker has published the bill with the chair and ranking member of the House Energy and Commerce Committee, with limited issues apparently between that draft and text that Cantwell has developed.
Many observers have flagged federal preemption of state laws as the most difficult and complex issue in the legislation. Many businesses are now ready to support a set of federal online privacy requirements, but only if that means one set of federal requirements rather than multiple and increasingly numerous state rules. At the same time, as shown in previous federal privacy legislation, privacy advocates and many Democrats have long supported federal protections as a floor but not a ceiling. Under HIPAA, for instance, many states set requirements beyond the federal minimum, for HIV, mental health, and other topics.
As a policy matter, one possible resolution has always been a trade-off: Businesses (and many Republicans) get federal preemption if privacy advocates (and many Democrats) get somewhat stricter privacy rules. That trade-off arguably exists in the proposed bill. The new bill preempts the recent state laws targeting online privacy, including the two California laws (with a small exception for security breach claims under the California law). On the side of stricter privacy rules, the bill includes both individual and class actions as a remedy for privacy violations, despite long-held concerns in the business community about such suits.
Apart from the policy compromise, preemption could easily be an enormous mess as a matter of legislative drafting. U.S. privacy law is incredibly complex. For example, state tort law around privacy invasions dates back well over a century, and most observers agree that it should continue to apply even if a federal privacy law is enacted. In addition, innumerable contracts exist under state law, such as business associate and other contracts where one company relies on a written contract to ensure the other company follows good security and privacy practices. Surely a new federal privacy law should operate with precision, without disrupting innumerable settled expectations based on many types of state law.
In 2020, Pollyanna Sanderson and I published a proposal for how to draft a preemption provision. The proposal was based on the work of the late Robert Ellis Smith, who last updated his “Compilation of State and Federal Privacy Laws” in 2018. Smith’s book painstakingly collected state privacy laws, organized into 21 chapters. His compilation is a neutral resource for what types of privacy laws states have already enacted.
The new federal bill appears to track this approach, listing 16 categories of state law, many of them drawn from the compilation’s chapter headings. States can continue to have stricter laws, for instance, for health care, student records, identity theft, biometrics, wiretaps, and other topics. State contract and tort law is explicitly protected.
Keen-eyed observers should scrutinize the 16 categories. Although the approach shows attention to important details, there may be other sorts of state laws that deserve to continue to apply. One concern is that the bill seems to freeze categories of state laws into place, even though new privacy threats are guaranteed to emerge along with new technologies. Some provision for new technology, perhaps after fact-finding by the Federal Trade Commission, might be included in the bill.
But although the bill’s details deserve public scrutiny, and some changes may well be warranted, there is no published proposal that does a better job at implementing a policy compromise on preemption, while honoring the complex and important existing protections afforded by state laws.
Private Rights of Action
Section 403 of the proposed bill contains a private right of action—“any person or class who suffers an injury” under the bill can sue in federal court. The awards are defined as “(A) an amount equal to the sum of any compensatory damages; (B) injunctive or declaratory relief; and (C) reasonable attorney’s fees and litigation costs.” There are no statutory or punitive damages. Before a suit can be filed, plaintiffs must give notice to the potential defendant about the alleged privacy violation. Defendants will then have time (currently in brackets as 90 days) to “cure” the violation and thereby avoid any injunctive relief. Along with this explicit authorization to sue, Section 404(c) contains detailed language to preserve common law or statutory causes of action for civil relief. There is also a provision limiting some pre-dispute arbitration provisions, but the Cantwell draft reportedly contains a broader ban on such provisions.
If the bill progresses as its supporters hope, much ink will be spilled about the details of the private right of action. One topic of disagreement will be about the delay in enforcement, with no suits for the first four years after the law goes into effect. Those who favor such suits have argued that the entire law will have little effect unless such suits can proceed. The U.S. Chamber of Commerce disagrees. In the aftermath of state online privacy laws, the Chamber has supported federal privacy legislation. It recently warned, however, that it will oppose any privacy bill that creates a blanket private right of action. Fighting will likely be fierce about the details of any private right of action.
The June 3 bill contains numerous substantive privacy protections that in my view are long overdue. The bill breaks with important orthodoxies—many Democrats have long opposed preemption, and many Republicans have long opposed private rights of action. Almost everyone will find something objectionable in the proposal. Perhaps, in classic legislative fashion, that is a sign of a good overall compromise.