After promising momentum last Congress, some had written off 2024 as a year for federal action on data privacy—especially a comprehensive data privacy and security framework. However, the new American Privacy Rights Act (APRA) discussion draft released by Rep. Cathy McMorris Rodgers (R-Wash.) and Sen. Maria Cantwell (D-Wash.) re-energized that momentum. The latest action came on April 17, when the House Committee on Energy and Commerce’s Subcommittee on Innovation, Data, and Commerce held an all-privacy hearing titled “Legislative Solutions to Protect Kids Online and Ensure Americans’ Data Privacy Rights.”

Topics included the absence of a comprehensive federal data privacy and security law in the United States and the implications of that, provisions of the APRA discussion draft, and the debate over child-specific privacy laws. Six experts shared their views: Ava Smithing from the Young People’s Alliance, Kara Frederick from The Heritage Foundation, Katherine Kuehn from the National Technology Security Coalition, Samir Jain from the Center for Democracy and Technology, David Brody from the Digital Justice Initiative, and Maureen Ohlhausen from the 21st Century Privacy Coalition. All witnesses agreed that APRA is the best chance to pass a comprehensive federal law. Members were very vocal in supporting APRA, even if some wished to see changes to the discussion draft. Relatedly, Vice Chair Tim Walberg introduced R Street’s statement for the record, which explored preemption and data security.

While a lot was (or was not) covered, four aspects are worth flagging.

Children’s Privacy

Rep. Frank Pallone (D-N.J.) asked if a comprehensive federal data privacy law that protects all Americans would better protect children than child-specific legislation while also stating his wish to see additional children’s measures in APRA, such as those present in the American Data Privacy and Protection Act (ADPPA) from the 117th Congress. Jain responded that creating legislation that protects both adults and children makes sense because it would ensure children do not receive less privacy protection than adults. R Street has also said that a comprehensive bill would benefit all Americans, especially because many privacy issues are applicable regardless of age.

Pallone pointed out that COPPA 2.0 is based on a “notice and consent” regime to protect children’s privacy, whereas APRA is not. Several witnesses commented that notice and consent is ineffective in protecting children’s privacy. Pallone also highlighted COPPA 2.0’s data minimization provision. Jain explained that COPPA 2.0 provisions cover data collection, whereas APRA governs data collection, transfer, and processing.  

McMorris Rodgers voiced concerns over companies’ use of algorithms, which could become addictive to children. Stating that APRA is “foundational” to protecting children online, she also asserted that KOSA and COPPA 2.0 are important to provide robust privacy protections for children.

Data Minimization

Highlighted by many members, key features of APRA are its data minimization standards and 15 categories of permitted purposes for data collection, which includes a broader exemption for criminal activity than the ADPPA. Rep. Debbie Dingell (D-Mich.) drew attention to the privacy and security risks faced by individuals whose data is over-collected without a specific purpose and can then be exploited for malicious purposes.

Witnesses touched on the data minimization structure, which included some saying APRA adequately covers data minimization and some saying it could use refining. (One example was the permissible purpose of collecting and processing data to prevent fraud.) However, all witnesses agreed that data minimization is one of the most significant provisions in APRA to help protect Americans’ privacy. While R Street has explored the benefits of a data minimization structure, we have also stressed the need to do it right to avoid inadvertently limiting current and future legitimate uses and needs.

Data Brokers

In his opening statement, Pallone mentioned that the ADPPA would have “reign[ed] in the shadowy world of data brokers.” However, he noted a change to APRA that omitted the ADPPA’s provision that consumers could access a centralized mechanism to request that all data brokers delete their information and prohibit future collection. Both this committee and the White House have addressed the sale of data to countries of concern—notably, through data brokers.

Rep. Lori Trahan (D-Mass.) discussed her bill, the Data Elimination and Limiting Extensive Tracking and Exchange Act (DELETE), which would also allow Americans to request that data brokers delete their data and prohibit future collection. It is very similar to the Delete Act, a California law passed in 2023.

Law Enforcement Access to Data

One concern during the 2023 congressional hearings on privacy was that certain provisions in the ADPPA might impede law enforcement’s ability to conduct investigations. However, no concerns were voiced in this hearing—likely because APRA removed and revised some of the language that law enforcement deemed problematic. R Street has explored the delicate balance between law enforcement’s level of access to personal data and the potential trade-offs between privacy and security.

Overall, there was a strong bipartisan consensus among subcommittee members and witnesses on the urgency of enacting comprehensive federal data privacy and security legislation. Encouragingly, both sides of the aisle made a firm commitment to work together to advance a comprehensive federal privacy and security law.

string(2) "50"

Data Privacy and Data Security

R Street’s Cybersecurity and Emerging Threats team works on data security and data privacy at the federal and state levels. Our team has long supported a federal comprehensive data privacy and security law.