On March 1st, the Innovation, Data, and Commerce Subcommittee of the House Committee on Energy and Commerce held a hearing titled “Promoting U.S. Innovation & Individual Liberty through a National Standard for Data Privacy.” The main subject of the hearing was the American Data Privacy Protection Act (ADPPA) – a comprehensive privacy proposal that made history last year by being the first bill of its kind to make it out of committee. Though the bill did not get a vote in the full House of Representatives or get formally introduced in the Senate, this hearing indicates that Congress once again has an appetite for federal privacy legislation and for the ADPPA specifically.
This hearing on ADPPA also comes at a time when at least twenty states are considering some form of a comprehensive privacy bill. If passed, these laws would create additional compliance requirements for US businesses and build on top of the requirements of the five states that already have such laws in place. This backdrop gets to the heart of one of the major sticking points with ADPPA – to what extent will the federal law preempt competing state privacy laws?
This was one of the key issues that prevented ADPPA from getting additional traction last year, with California Democrats in particular raising concerns that the law would take away from the protections that California residents have under the California Consumer Privacy Act. The California Privacy Protection Agency (CPPA) has already sent Congress a letter stating that it opposes federal preemption, indicating that this will once again be a potential holding point. The subcommittee and witnesses testifying at the hearing also extensively discussed preemption. While some believe that some level of preemption is necessary for uniformity, others argued that preemption would undermine certain Americans’ current privacy rights and should not be necessary to get the bill passed.
The other potential sticking point for ADPPA is how the law would be enforced. Discussion and questions posed to witnesses at the hearing considered who – whether it’s the FTC, state attorney generals, or the federal attorney general – should be responsible for enforcing the privacy protections provided by the ADPPA. In the opinion of at least one witness, ADPPA successfully balances the need for preemption, while still allowing for enforcement by the FTC and state privacy authorities, including allowing CPPA to enforce ADPPA.
The issue of a private right of action in particular has also historically been a source of disagreement for Democrats and Republicans, with the former also preferring the inclusion of a private right of action and the latter opposing such a provision. Some are hopeful that the ADPPA offers a compromise here as well: The latest version of the bill included a private right of action provision that would go into effect two years after the law’s effective date and included a right to cure. Both members of Congress and the witnesses testifying at the hearing agreed that a right to cure was essential to easing fears of mounting litigation that might ensue from a private right of action.
Ultimately, Wednesday’s hearing seemed to reaffirm that there is a general consensus among Congress and consumer advocacy groups that ADPPA can be a viable path forward. In fact, it seems clear from this hearing that, at least in the House, the exclusive current push will involve ADPPA, rather than any substantial modifications or a look at other kinds of legislative approaches to privacy. While certain points of contention still exist, there is certainly agreement that there is a dire need for a comprehensive federal standard regulating how companies can collect, process, and share Americans’ data. Energy and Commerce Committee Chair Cathy McMorris Rodgers emphasized the urgency of reform, stating “Big Tech and data brokers' days of operating in the dark should be over. People should trust their data is being protected.” Witness testimony – even from consumer privacy advocates – also unanimously voiced their call for action.
We will keep you updated on other notable updates about ADPPA and federal privacy legislation. To stay updated on all of our writings, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.