On June 14, the U.S. House Committee on Energy and Commerce’s Subcommittee on Consumer Protection and Commerce held a legislative hearing on the American Data Privacy and Protection Act (ADPPA) titled, “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security.” The hearing made clear that the ADPPA is a culmination of a bipartisan effort to compromise on federal privacy legislation, with Members from both parties praising the draft bill and encouraging its passage. Members and witnesses alike repeatedly emphasized the importance of enacting a federal privacy law in the current legislative session, suggesting the draft bill has momentum and may successfully make it out of Committee.
Notwithstanding the overall support for the bill, witnesses disagreed on the appropriate scope of preemption and the private right of action, signaling that these two issues could potentially block ADPPA’s passage. And notably, the ADPPA still lacks support from Senator Maria Cantwell (D-WA), chair of the Senate Commerce Committee.
As we noted in our initial summary of ADPPA, its potential passage could be a landmark moment for privacy law in the United States. In its current version, the proposal would preempt most comprehensive state laws and create a limited private right of action for consumers. It also goes beyond the state laws currently in effect in a number of ways, including through its provisions on a duty of loyalty and algorithms. This hearing, however, indicates that we may have some modifications before we have a final version of the proposal.
We will continue to keep you posted of updates on this front through the WilmerHale Privacy and Cybersecurity Blog.
Overview of the Hearing
The panel included representatives from industry and privacy advocacy organizations:
- Bertram Lee, Future of Privacy Forum
- John Miller, Information Technology Industry Council
- Caitriona Fitzgerald, Electronic Privacy Information Center
- Doug Kantor, National Association of Convenience Stores
- Jolina Cuaresma, Common Sense Media
- Maureen K. Ohlhausen, 21st Century Privacy Coalition
- Graham Dufault, ACT, The App Association
- David Brody, Lawyers’ Committee for Civil Rights Under Law
Chair Janice Schakowsky (D-IL) opened the hearing emphasizing how ADPPA would begin protecting consumers from day one, while providing more certainty to businesses on compliance. Other Committee Members also described ADPPA as achieving a delicate balance between consumer protection and innovation. Many of the witnesses emphasized how ADPPA is more comprehensive than some state comprehensive privacy laws, due to the data minimization requirement, the private right of action, new data protections for minors, corporate accountability mechanisms, and civil rights protections. Lawmakers from both sides of the aisle emphasized their hope that ADPPA not be unduly burdensome for small and medium businesses. Some Members and industry witnesses also advocated for a federal standard that could supersede a patchwork of state laws that make compliance difficult.
- Preemption. Concerns with the current preemption provision were mostly raised by industry witnesses. These witnesses highlighted how courts do not like preempting state laws, especially when many exceptions are outlined. To ensure that courts do not treat the current preemption provision narrowly, industry has urged for a limit on the number of carve-outs. Currently, the draft preempts state laws “covered by” ADPPA’s provisions or regulations, but multiple groups have suggested that the wording be broadened so as to preempt state laws “related to” ADPPA. There is also concern regarding the static nature of some of ADPPA’s carve-outs, and how these exceptions might evolve with any future expansion of the outlined state laws.
- Private Right of Action. Witnesses from privacy advocacy groups expressed support for the inclusion of the private right of action provision, with some advocating for expanding the right. One witness highlighted how ADPPA’s procedural hurdles could curtail access to the courts, even for consumers requesting refunds from businesses. Many Senate Democrats are especially concerned about what they view as a narrow private right of action. Meanwhile, the industry witnesses all expressed concern about what they viewed as the large scope of the right. In particular, the witnesses pointed to the availability of attorney’s fees and compensatory damages as a recipe for motivating lawsuits, the potential negative impact of the private right of action on small businesses and on pricing and loyalty programs, and the need to maintain ADPPA’s current procedural safeguards. And at least one witness asked whether the private right of action was necessary at all to ensure enforcement considering the authority given to the Federal Trade Commission and state attorneys general.
- Children’s Privacy. Protecting the privacy rights of minors is a strong area of bipartisan agreement, with many applauding the ADPPA’s treatment of children’s data (those under seventeen) as sensitive covered data, and its prohibitions of targeted advertising to children when there is actual knowledge the individual is under the age of seventeen. One witness suggested increasing the current age limit to cover those under eighteen years of age. Witnesses also disagreed about whether the law should require actual or constructive knowledge of age.
- Data Minimization. Privacy advocates view ADPPA’s inclusion of a data minimization requirement as one of the most privacy-protective features of the bill, setting it apart from the notice and consent regimes that have been more common until now. At least one industry witness also appreciated the compromise achieved on this requirement, as it allows for some flexibility.
- Protection for Small Business. Both Republican and Democratic lawmakers expressed concern with how a federal privacy law might impact innovation and small businesses, a concern reiterated by many of the industry witnesses present. While ADPPA currently reserves certain requirements for large data holders, the hearing suggested this might be an area of continued discussion, with industry witnesses raising the importance of ensuring that small businesses are not held liable for the activities of larger companies.
- Civil Rights and Algorithms. Members and witnesses repeatedly noted that data privacy rights are civil rights and should be treated accordingly. The witnesses from advocacy groups praised ADPPA’s civil rights protections and its requirement that large data holders conduct algorithmic impact assessments.
- Controller / Processor Distinction. At least one witness advocated for a clearer delineation between covered entities (or data controllers) and service providers (or data processors), a distinction that appears in the EU’s General Data Protection Regulation and in other laws. The witness urged the Committee to define each type of entity, and to clearly distinguish the roles and responsibilities of each.