(Updates with reactions from industry groups.)
A House Democrat is introducing the first comprehensive federal privacy bill of the year after recent state efforts to protect consumer data underscored the need for a broad federal standard.
Legislation unveiled Wednesday by Rep. Suzan DelBene (Wash.) would allow consumers to access and correct their data and opt-in to sharing sensitive personal information, including financial data, biometric information, geolocation data, citizenship and immigration status, and information from children under 13.
DelBene’s Information Transparency and Personal Data Control Act marks Congress’ initial foray into privacy legislation this session, less than two weeks after Virginia joined California in the state-level push to advance broad consumer privacy laws.
At least 15 state legislatures have active privacy bills under consideration, according to data from the International Association of Privacy Professionals. The Senate in DelBene’s home state of Washington advanced a privacy measure last week, the chamber’s third attempt to pass a privacy bill.
“I understand why states are moving forward in the absence of the federal government moving, but I think it is much better to have a federal law versus a patchwork of laws from a consumer standpoint, but also from the standpoint of a small business,” DelBene said in an interview.
DelBene, whose state is home to tech giants Microsoft Corp. and Amazon.com Inc., understands the challenges businesses face with conflicting state laws. She was a former tech executive at Microsoft and the chief executive officer of an information technology startup.
Opportunity for Compromise
The House bill, which updates a version DelBene offered last Congress, would require companies to disclose if personal consumer information is shared. The bill would preempt most, but not all, existing state privacy laws, something Republicans have pushed for in a federal bill.
“I think there is a big opportunity to have it be bipartisan,” she said, although she didn’t name any specific Republican members she’s working with.
The bill has 15 Democratic cosponsors in the House. It has backing of tech policy think tank the Information Technology and Innovation Foundation, as well as BSA|The Software Alliance, whose members include IBM Corp., Oracle Corp. and Microsoft.
Other House efforts are expected this year from Rep. Jan Schakowsky (D-Ill.), chair of the House Energy and Commerce Consumer Protection and Commerce Subcommittee. Schakowsky said she plans to introduce a privacy bill “that holds companies to account for bad behavior, rather than one that rubber stamps the worst industry practices, that validates the lowest common denominator.”
Rep. Gus Bilirakis (R-Fla.), ranking member of the subcommittee, said his goal is to work with Schakowsky to take the best of the state laws and “enact a law that protects all Americans.”
The Senate has yet to introduce any privacy legislation this year. Partisan bills were introduced last Congress by Sen. Maria Cantwell (D-Wash.), who now leads the Senate Commerce, Science and Transportation Committee, and Sen. Roger Wicker (R-Miss.), now the panel’s ranking member. Both bills would allow consumers to access and correct their data, as would DelBene’s effort. Wicker’s measure allowed for broad preemption of state laws, but Cantwell’s only allowed for preemption of directly conflicting state laws.
Wicker said he hopes the state privacy action “brings members back to the table in the Senate to discuss a path forward for a federal data privacy law.”
Increased FTC Enforcement
DelBene’s measure does not include a private right of action, which would allow consumers to sue companies over privacy violations.
Such provisions have been lightning rods for Republicans, who say that legal fees from privacy lawsuits would put start-ups out of business. Cantwell’s effort last Congress included a private right of action.
DelBene’s updated bill instead would beef up the enforcement at the Federal Trade Commission and in state attorneys general offices. The bill would direct FTC to hire 500 new employees, and would authorize $350 million in appropriations to the FTC for privacy and data security enforcement. The bill would also give FTC narrow rulemaking authority. It would require large companies to undergo third-party privacy audits every two years that would be reviewed by the FTC.
Tech policy and industry groups were largely supportive of the bill, applauding the the extra resources for the FTC.
“This would put the agency where it belongs, at the lead of the global regulatory effort to chart privacy policies and enforce data protection laws,” Omer Tene, vice president of the International Association of Privacy Professionals, said in statement.
NetChoice, whose membership includes Facebook Inc., Twitter Inc. and Alphabet Inc.‘s Google, supported the bill’s efforts to preempt the patchwork of state privacy laws and exclude a private right of action. However, Chris Marchese, NetChoice’s counsel, said, “the bill also adopts some European ideas that have been tried and failed, such as an opt-in regime for personalized services.”
DelBene said she made her legislation more narrowly focused than Europe’s General Data Protection Regulation (GDPR). “I purposely wanted to focus just on the consumer data privacy side just so we could get that through and be foundational,” she said.
“I’m hopeful we can make it happen this Congress,” she said. If not, she added, more states will enact laws and could make a federal law even more challenging to pass.
To contact the reporter on this story: Rebecca Kern in Washington at firstname.lastname@example.org