For the last few years over at ACT | The App Association HQ, we’ve had a recurring bit about every year being the “year of privacy.” After earnestly saying it in 2019 and having our hopes dashed (partially at least), we kept repeating it to ourselves, half in jest, half in sincere hope that sending positive vibes into the universe would help will something into existence. That’s not to say that we don’t take the issue incredibly seriously; we do – passing a comprehensive federal privacy bill has been a central priority of ours for years (we testified on the issue twice last year before the relevant committees). But as the years ticked by with little substantive progress, we must admit, our “year of privacy” joke has become a bit of a coping mechanism.
Thankfully, recent events dictate that we might get to retire that joke sooner than anticipated. Earlier this month, a bipartisan, bicameral group of lawmakers comprising three of the top four leaders in the committees of jurisdiction (more on that later) unveiled what might be the strongest effort at federal privacy legislation yet. Dubbed the American Data Privacy and Protection Act (H.R. 8152), the bill represents and incorporates years of rigorously negotiated positions into a package well worth considering. We were invited again to testify in the legislative hearing considering the draft version of this bill on June 14 (delaying this blog post). Here’s a quick summary of what we discussed:
Preemption and Private Right of Action
In general, we think the negotiators have done a fine job threading the needle on the two biggest stumbling blocks of privacy bills to date: preemption and the private right of action. While we don’t think they’ve nailed it (see next section), tangible concessions from both sides make this bill a workable starting point.
On preemption, we are happy to see that all comprehensive state privacy laws would be preempted by the bill (save for the section creating a private right of action for data breaches in the California Consumer Privacy Act/California Privacy Rights Act). While we are encouraged by much of the work in states to advance privacy legislation (and indeed this likely played as big a role in getting us this bill as anything), a preemptive federal law is crucial to many of our members’ continued viability. Emerging state privacy laws, even those that seem facially similar, currently contain too many definitional, structural, and threshold differences to be workable over the long term for small businesses with limited compliance departments (and that’s not even to mention the continuing ambiguities in the states undertaking years-long rulemaking processes to flesh out their privacy laws). Although the preemption section is a great start, we pointed out some opportunities to strengthen it. The bill currently preempts any state “law, regulation, rule, standard, requirement, or other provision” that is already “covered by the provisions of this Act, or a rule, regulation, or requirement promulgated under this Act.” While this language appears strong at first blush, we counseled the Subcommittee to instead use a “related to” construct rather than “covered by,” which federal courts have interpreted more narrowly and which could undermine the intended preemptive effect of the Act. Second, we noted that several of the exceptions to preemption listed in the bill were likely broader than intended, unnecessary, and could ultimately subvert the purpose of setting a national set of rules across state borders by introducing the potential for legal challenge as states test the limits of the exceptions.
While larger players can likely ride out any temporarily contradictory legal regimes while such disputes are litigated, smaller businesses located in the state or states originating the dispute will struggle to do the same.
On the private right of action, we are happy to see that the bill includes a number of substantive guardrails to prevent a torrent of frivolous lawsuits, the likes of which could single-handedly put some of our smaller members out of business. While the private right of action under the bill (sunrising after four years) is broad, applying to “any person or class of persons who suffers an injury that could be addressed by the relief permitted” in the bill (compensatory damages, injunctive or declaratory relief, or reasonable attorneys’ fees), several conditions must apply. First, the cases must be brought in federal court and only after allowing the relevant state attorney general and Federal Trade Commission (FTC) a chance to take action first. Then, in cases involving injunctive relief or, importantly for our members, small businesses defined under Section 209(c) of the bill, the litigants must give the business 45 days to cure the alleged violation. Notice of an intent to sue must include a demand letter identifying the alleged violation of the Act with specificity so that a small business understands what a litigant believes it’s doing wrong.
Despite the reasonable guardrails already in H.R. 8152, we think that the private right of action could be tightened up further. One way to further ensure that private claims are of a high caliber would be to empower the FTC to make a “yes or no” determination on the suitability of private claims after 45 days, rather than just permitting it a chance to take independent action on that claim. Ideally, as its enforcement expertise with the statute grows, the FTC will be well positioned to opine on the merits of claims and could help generate a sort of agency jurisprudence that incentivizes legitimate claims while dissuading nakedly exploitative fishing explorations.
Small Business Treatment
We also appreciate the draft’s recognition of the difference between large and small data holders and the ways larger players can structurally affect privacy protections in the marketplace compared to smaller players. For example, algorithmic impact assessments are reserved for large data holders, which makes sense given the focus of the assessment on mitigating systemic biases that could be exacerbated through use of algorithms. Likewise, the bill appropriately scopes the privacy impact assessment and privacy protection officer requirements.
We also welcome the provisions that allow qualifying small businesses to create FTC-approved compliance guidelines that meet or exceed requirements under the bill but are primarily enforceable through an independent body created through the guidelines. Many small businesses have become well-acquainted with the type of consumer rights and data minimization standards detailed in the bill and thus may be better served by a self-regulatory regime focused on maintaining those emergent standards, while allowing the FTC to fully focus its limited enforcement manpower towards the most privacy degrading firms in the market.
We do suggest one tweak to clarify the right to cure granted in the legislation. As written, Section 401(c)(2) may inadvertently limit the right to cure alleged violations for small businesses (as defined in Section 209(c)). While Section 401(c)(1) grants small businesses a right to cure all types of alleged violations, Section 401(c)(2) seemingly contradicts that by saying the effect of a cure shall only apply to dismissing an action for injunctive relief. A simple amendment to 403(c)(2) to mimic the language from the previous section would restore what appears to be the original intent of the negotiators to create greater protections for smaller businesses.
Remaining Issues
Although the Senate Commerce Committee’s lead Republican, Sen. Wicker (R-MS), has publicly supported the draft of H.R. 8152, it is worth noting that the bill is yet to attain the co-sponsorship of the Committee’s chairwoman, Sen. Cantwell (D-WA). Chairwoman Cantwell’s support or opposition is obviously one of the most important factors in whether a bipartisan bill can grind its way through the traditional committee processes in both chambers. We hope Chairwoman Cantwell’s priorities can merge with H.R. 8152 in a way that results in a bicameral, bipartisan bill that establishes a single set of strong privacy and data security requirements.
Finally, the Supreme Court’s decision reached in Dobbs v. Jackson Women’s Health Organization adds an additional layer of urgency and complexity to negotiations going forward. With the court seemingly abandoning the notion of a constitutional right to privacy for now, lawmakers in the majority are already looking for ways to improve the privacy of women’s sensitive health information, particularly information related to fertility and reproductive health. While a separate bill or bills may also be on the table, negotiators may look to tighten the health-related sections of H.R. 8152, including the broad exception to preemption for state laws that “address health information, medical information, medical records, HIV status, or HIV testing.” Obviously, a federal privacy law cannot restore a constitutional right to privacy, but data minimization requirements, closing the coverage gap on non-HIPAA healthcare data, and restrictions on third-party sharing all take on new significance in light of recent events. A strong law would send a clearer signal than ever that the legislative branch does view privacy rights as an issue of national importance.
Bottom Line
This bill is a solid starting point for continued negotiations on a comprehensive federal privacy bill. It represents years of tough negotiations, real concessions from both sides of the aisle, and most importantly, would massively improve the baseline level of consumer protection from privacy harms in this country. We are relieved that Congress is finally moving real substance on this issue and will continue to serve as a constructive resource in this debate so we can get a bill across the finish line.