Legislators Release Draft Data Privacy Law

WASHINGTON, April 8, 2024 – The chairs of the House and Senate Commerce committees unveiled on Sunday a draft of federal data privacy legislation, which would give consumers broad control over how companies use their personal data and limit which kinds of data companies can hoover up.

Consumers would be able to opt out of targeted advertising and be able to access and delete the data tech companies have collected on them. Those companies would also be limited in the kinds of data they’re allowed to collect depending on the services they offer.

“A federal data privacy law must do two things: it must make privacy a consumer right, and it must give consumers the ability to enforce that right,” said Senate Commerce Committee Chair Maria Cantwell, D-Washington, in a statement. “Working in partnership with Representative McMorris Rodgers, our bill does just that.”

That’s a reference to the proposal, called the American Privacy Rights Act, providing stronger consumer enforcement provisions than House data privacy legislation introduced last year. That bill would have barred consumers from suing companies who misuse their data until four years after its passing, but Sunday’s proposal imposes no such limit.

Universal data privacy regulation has existed in the E.U. since 2016, but federal regulators in the U.S. have been unable to agree on a similar measure, leading to states implementing their own privacy laws.

The proposed bill would, like the House bill, preempt most state data privacy laws aside from targeted, sector-specific rules. That provision caused Democrats from California, which has a comprehensive data privacy framework, to vote against the bill during committee markup. 

The draft has yet to be formally introduced, and could change based on further discussions.

“This is a very strong discussion draft,” said House Commerce Committee Ranking Member Frank Palone, D-New Jersey, said in a statement. “There are some key areas where I think we can strengthen the bill, especially children’s privacy.”

The proposal would also preempt most of the Communications Act and Federal Communications Commission privacy rules – except for some parts of section 222 and the commission’s recently updated data breach notification policies – and transfer privacy enforcement responsibilities of the Federal Communications Commission to the Federal Trade Commission. The FCC data breach rule is currently being challenged in court by telecom and broadband industry groups.

Consumer advocates had criticized last year’s House bill on the grounds that it would have thrown out FCC and Communications Act privacy rules entirely. They argued taking expert regulators off the job would weaken enforcement. 

The bill would apply to telecommunications carriers under Title II of the Communications Act, meaning that it would extend to broadband providers should the FCC adopt its proposed net neutrality rules later this month.

The agency instituted data privacy rules for ISPs in 2016, when broadband was classified as a Title II service, but Congress nullified them the next year.