Special Alert: House subcommittee hears testimony on privacy bill
Buckley Special Alert
The House Subcommittee on Consumer Protection and Commerce held a June 14 hearing, “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security,” to listen to testimony from consumer advocates and industry representatives on the recently proposed American Data Privacy and Protection Act (ADPPA).
The bipartisan initiative faces new headwinds following June 22 remarks by Senate Commerce Chair Maria Cantwell (D-WA), who cited “major enforcement holes” in the legislation on preemption issues — but expressed hope that the sponsors could offer revisions.
The bill also provides general exceptions and the right to cure, and outlines enforcement provisions for the FTC, state attorneys general, and, beginning four years after the law goes into effect, rights for individuals (or a class) to bring a lawsuit in federal court to obtain compensatory and injunctive or declaratory relief, and reasonable attorneys’ fees and costs. The ADPPA takes a “jigsaw” approach that broadly claims preemption of state privacy laws, but preserves certain areas of state law (e.g., civil rights, data breach notification, and general consumer protection laws) and certain state-specific laws.
A House Energy & Commerce Committee memorandum stressed the need for federal regulation, explaining that the current patchwork approach to data privacy often results in companies self-monitoring their data practices, and consumers not having control over the use of their data. The memo also discussed the FTC’s reliance on its UDAP authority under Section 5 of the FTC Act, which is limited in scope as well as in the amount of relief the agency may obtain.
Subcommittee Chair Jan Schakowsky (D-IL) noted that while the road to this point has been “long” and “sometimes grueling,” the draft proposal (which reflects feedback gathered from six roundtables held with a range of stakeholders) provides “transformational privacy protections for all Americans,” as well as “regulatory certainty for the business community while taking care to promote innovation and protect small businesses.”
Committee Chairman Frank Pallone Jr. (D-NJ) stressed that comprehensive federal privacy legislation “is necessary to limit the excesses of Big Tech and ensure Americans can safely navigate the digital world.” He added that Big Tech should face additional requirements and obligations and that data brokers that profit from buying and selling consumer data should be identified.
Ranking subcommittee member Gus Bilirakis (R-FL) opened the hearing by referring to the bill as “historic,” but noting that it is currently a discussion draft and that the committee “should spend our time today learning how we can make it better.” He said the draft “establishes a delicate balance for putting control [of] data back into the hands of everyday Americans, while providing businesses with fair rules of the road and preserving their ability to innovate.”
The subcommittee heard from witnesses who generally agreed that federal privacy legislation is “long overdue” and “urgently needed,” but highlighted several areas of concern:
- The need for Congress to substantially increase FTC staff and funding.
- The importance of clearly delineating the roles and responsibilities of data controllers and processors.
- Defining targeted advertising consistent with recent state privacy laws, “which struck the right balance to enable Internet companies to reasonably advertise to users on their own sites, while protecting their privacy interests.”
- The proposed private right of action, which one witness said “remains too broad and misses the mark” because, among other things, “the combination of unclear definitions with the availability of attorneys’ fees seems like a recipe for a flood of lawsuits.”
- Preemption, with one witness observing that courts are reluctant to preempt state laws, especially “where there are a lot of exceptions to a preemption provision,” and another commenting that the draft seems to cover some laws but not others.
- Compliance concerns related to the ADPPA’s restrictions on how companies interact with users under the age of 17, with the suggestion that the act should simply cover anyone under the age of 18 rather than make companies determine who is under 17 versus who is under 13.