Privacy G(ains): Takeaways from the House Privacy Bill’s Markup
On June 23, the American Data Privacy and Protection Act (ADPPA) passed—through an amendment in the nature of a substitute (AINS)—to move from its subcommittee to the main House Energy and Commerce Committee for further consideration.
This moment, however routine for Hill procedure, was significant for the privacy legislation debate as a whole, as a bipartisan privacy bill jumped up the steps after years of stagnation on privacy legislation. Last week’s markup indicated that a critical ingredient for legislation—political will—continues to persevere, even with the changes called for by stakeholders on and off the Hill.
The markup touched on areas for the bill’s improvement and highlighted positive developments over the course of its three versions. This trajectory includes everything from preemption, which is an established part of the debate, to more niche questions like customer loyalty programs, which members called for preserving in a privacy law. They also highlighted how a law could create barriers for medical research and development and, of course, the intricacies of the bill’s enforcement regime. But despite the diversity of broached topics and commitments from members to push for changes to the bill, the sponsors’ remarks expressed the continued intention of improving it. Other subcommittee members added that it is important not to lose sight of the bigger picture: passing the first U.S. federal privacy law.
This isn’t to say that good will and pure intentions are enough to get a bill across the finish line, but it is an indicator that stakeholders understand, well, what’s at stake. And the list couldn’t be longer: consumer privacy, streamlining regulation for businesses and defense against foreign adversaries who continue to swipe U.S. datasets by the tome.
To build on this good will, the following would help advance the bipartisan bill:
- Clearing the weeds on a duty of loyalty.
A duty of loyalty, or the concept that creates a fiduciary relationship between two entities, has gained traction as thought leaders have explored its applicability to a privacy law. But clarity is needed over the details of what a duty of loyalty would entail. Currently, the section’s language focuses more on data minimization provisions. While these contribute to other aspects of data privacy, the bill should clarify whether it supports a duty of loyalty in privacy according to its academic definition: “Data collectors bound by this duty of loyalty would be obligated to act in the best interests of people exposing their data and online experiences, up to the extent of their exposure.” Doing so will help clear the weeds on what negotiations still need to work through, especially regarding the responsibilities of covered entities to their consumers.
For example, the newest draft of the bill added a section especially on loyalty duties to restrict certain data practices for sensitive data. While this is not exactly what a duty of loyalty outlines, it is closer than past bill language. Sponsors should continue to move in this direction for the sake of the bill’s trajectory.
- Refining a limited private right of action.
Mentioning a private right of action (PRA) can instantly make people uneasy. Some see it as an open door to frivolous lawsuits, while others see it as a critical pillar to ensuring consumer protection and enforcement. Right now, a PRA is still pretty contentious. That said, there are a variety of options, including 11 outlined by R Street, to sculpt an effective and limited mechanism.
Because of this, an ideal limited PRA is about compromise based on a give-and-take dynamic. Consider one of the proposed facets of the right: a four-year waiting period for the PRA to go into effect (known as a sunrise clause). On the one hand, skeptics argue that such a clause devalues a PRA. On the other hand, a waiting period could soothe industry concerns about an overly broad right and may help garner more support for the bill. Debating the different contours is far more constructive than considering the less nuanced options of a fully fledged PRA versus none at all. So it is key to take advantage of the different options and build consensus.
- Balancing language to calibrate specificity with applicability.
The bill’s latest version turns up the dial on language clarity—following feedback from the privacy community. But some provisions now border on the arcane, and as a result, the new language may not always cover relevant processes. For example, the term “security incident” is defined in the latest draft to mean “network security” along with “intrusion, medical alerts, fire alarms, and access control security.” But this may be slightly too far in the other direction, since network security is only one part of the broader cybersecurity field. An improved scope could use a term like “information security” to better encompass security provisions.
There is a tricky balance here: making sure that the bill is broad enough in scope to achieve its goals, but is also specific enough for companies to understand what they have to implement. The answer is not clear yet, but finding the right scope is critical to garnering support, both on and off Capitol Hill.
Whether or not this bill is the one to make it across the finish line, it is important to note the persistent good will on behalf of stakeholders thus far. However, it is even more important that good will continues among all decision makers, especially as they work to improve the bill’s provisions and language. Without it, members will not be able to get through the questions that stand between them and the first U.S. federal privacy law.