(Updates throughout with additional reporting.)
Bloomberg Government subscribers get the stories like this first. Act now and gain unlimited access to everything you need to know. Learn more.
House lawmakers, seeking to pass a landmark bipartisan privacy law, punted on a pair of sticking points: whether individuals should be able to sue technology companies directly, and whether federal law should supersede state privacy laws.
The Energy and Commerce Committee’s consumer protection panel unanimously advanced the bill to the full committee Thursday, leaving the two provisions in the legislation for future discussions.
The private right of action and preemption issues have been “the most difficult” and lawmakers are still working on changes, Energy and Commerce Chair Frank Pallone (D-N.J.) said, adding he hopes to reach consensus soon.
Rep. Kelly Armstrong (R-N.D.) offered amendments he said would ensure preemption can withstand legal challenges and improve the private right of action mechanism so that it doesn’t maximize litigation. He then withdrew the language, with the understanding negotiations would continue. “We need to move forward,” he said.
Modifications to the American Data Privacy and Protection Act (H.R. 8152), since its unveiling last month and testimony from outside witnesses last week, have raised hopes among many consumer rights and industry groups that Congress could enact long-stalled federal privacy protections.
The bill, formally introduced Tuesday by the leaders of the full panel and subcommittee — Pallone, Cathy McMorris Rodgers (R-Wash.), Jan Schakowsky (D-Ill.), and Gus Bilirakis (R-Fla.) — has the backing of Senate Commerce, Science, and Transportation ranking member Roger Wicker (R-Miss.).
`Seize This Moment’
“Let us seize this moment to return control of their data back to the American people,” Schakowsky said as the subcommittee took up the bill.
Key Democrats in the Senate aren’t satisfied, however. Commerce Chair Maria Cantwell (D-Wash.) has her own proposal (S. 3195) and believes the House bill lacks adequate enforcement provisions, spokeswoman for Commerce Committee Democrats Tricia Enright said.
Senate Finance Chair Ron Wyden‘s (D-Ore.) concerns haven’t been addressed in the new House version either, spokesman for Finance Committee Democrats Keith Chu said.
Wyden, in a June 17 letter to Wicker, Pallone, and McMorris Rodgers, said he wanted stronger language limiting how much customer information companies can collect and use. The modified bill toughened the restriction, limiting companies to gathering only the minimum amount of data needed to provide the service consumers want. It also decreased the number of times consumers are prompted to give consent, which advocates say can be confusing and distracting. Consent would now primarily be needed for transfers of sensitive covered data to third parties.
Those changes weren’t enough for Wyden, who also said a ban in the House bill on “dark-patterns” that influence consumers to make decisions against their interest is inadequate. Wyden took further issue with exempting “de-identified” data from certain protections because he said he does not believe the claim that a person’s identity can be safely detached from data before its sold.
Wyden is reviewing Cantwell’s proposal, Chu said.
Changes to the data minimization language did garner praise from groups such as the Lawyers’ Committee for Civil Rights Under Law, Electronic Privacy Information Center, and Center for Democracy & Technology though they said more work needs to be done.
“While there are many lingering issues that need to be addressed, particularly how to craft a private right of action that will allow for individuals to effectively enforce their rights under the bill, the overall structure and substantive provisions of the bill are moving in the right direction,” Center for Democracy & Technology President and CEO Alexandra Reeve Givens said.
Groups also praised stronger civil rights protections, including language requiring companies and the Federal Trade Commission to make their notices and mechanisms for exercising rights accessible to people with disabilities who face barriers to many online services.
The bill also bolstered language in the draft to prohibit companies from targeting ads at, and transferring the data of, individuals younger than 17 if they have “actual knowledge” of the person’s age. Kids’ privacy advocates say that’s a loophole that allows companies to claim ignorance. They stressed companies shouldn’t collect additional data to determine a customer’s age, and instead use the information they have for legal compliance, not just marketing.
New language in the bill requires companies to determine an individual’s age based on the data they already are collecting in the normal course of business. David Monahan, Fairplay campaign director, said the kids’ advocacy group was still reviewing the provision and others.
To contact the reporter on this story: Maria Curi in Washington at firstname.lastname@example.org