Ignore the New Privacy Bill at Your Peril

Proposed federal privacy legislation has teeth—and a real shot at passing.

For years, the business community has been calling for a comprehensive federal privacy law, frustrated with operating under a patchwork of sometimes-conflicting state laws. Now Congress is considering one that’s extremely wide-ranging and that observers say has a legitimate chance of passage.

The American Privacy Rights Act (APRA)—unveiled over the weekend by Senate Commerce Committee chair Maria Cantwell (D-Washington) and House Commerce Committee chair Cathy McMorris Rodgers (R-Washington)—would cover every company with annual revenue topping $40 million, along with nonprofits, a realm previously untouched by the privacy regime.

The measure would restrict how companies can collect, use, and transfer data and would give consumers the right to opt out of targeted advertising and the transfer of data to others. Companies would be severely limited in the amount of information they could collect and use, and would be barred from transferring sensitive data to a third party without express consent.

The bill has a fighting chance, in part because it resolves two critical issues that ultimately derailed privacy legislation Congress considered two years ago, said Daniel Barber, co-founder and CEO of privacy platform DataGrail. “First, they agreed this bill would preempt any state law, and secondly, they finally agreed to allow for private right of action,” he said, referring to a provision allowing consumers to bring lawsuits alleging violations of the law and seeking relief.

He said it also bodes well for the bill that it is starting out with bipartisan backing from influential congressional leaders. Cantwell has been in the Senate for more than two decades, and Rodgers has been in the House for nearly two.

But there’s still much to sort out, privacy experts say. Many industry lobbyists will fight for removal of the private-right-of-action language, for instance, and state law preemption is sure to be hotly debated as well. Political leaders in California, which has the nation’s strictest privacy law, are already expressing displeasure with that provision.

As written, the APRA contains many exceptions to state law preemption, including for statutes that relate to the privacy of employees or students, wiretapping, and electronic surveillance.

Alysa Hutnik, chief privacy and data security architect at privacy software firm Ketch, said it’s notable that the initial version of the bill does not preempt the decades-old California Invasion of Privacy Act, or CIPA, which plaintiffs attorneys have weaponized in recent years to bring a flood of privacy-related lawsuits.

“We have a comprehensive federal privacy framework, but those lawsuits happening now have no end in sight. … There are still privacy-related lawsuits companies are facing today that won’t be eradicated,” she said.

She said the draft also lacks clarity on the ground rules for targeted advertising. One part of the bill says consumers have the right to opt out of their personal information being used for targeted advertising. On the other hand, another provision prohibits the transfer of sensitive covered data to third parties without affirmative express consent—which sounds like an opt-in standard.

“Why hide the ball? If they meant to turn targeted advertising into an opt-in framework, they need to be clear about that because it’s GDPR,” Hutnik said, referring to the General Data Protection Regulation, the sweeping European privacy law that requires explicit opt-in consent for processing personal data.

The discussion draft also heavily emphasizes data minimization and transparency—allowing consumers to request, at any time, the type of data a company and its third-party service providers have on them. This puts the onus on companies to have precise knowledge and control over their data practices.

“There’s the overall theme of ‘don’t collect information unless you really need it,’ but many companies need that data for really legitimate reasons,” Hutnik said. “So they have to defend that the data they’ve collected is legitimate. But also, as part of this transparency obligation, they need to provide the data in a portable form, in a format that consumers can read, and provide a lot more data points that we haven’t yet seen.”

For companies, Hutnik said, “a lot of this stuff requires major infrastructure investment, and you need to plan for revenue-impacting changes. That’s what’s most important to think about: What will this change about business models?”

The bill would also require companies to appoint either a chief privacy officer or a chief data security officer, and large data holders—those generating at least $250 million in annual revenue and processing the data of at least five million people—would have to appoint both.

“There are a lot of operational standards and expectations here” for companies, agreed Trevor Hughes, president of the International Association of Privacy Professionals.

Hughes said he thinks APRA has a greater chance of passage than did the American Data Privacy and Protection Act of 2022 (ADPPA), which many thought would make it past the finish line. It failed when House Speaker Nancy Pelosi (D-California) refused to bring it to a floor vote.

Pelosi stepped down as House speaker in November 2022, days after voters handed the GOP control of the House. With Pelosi out, Hughes said, California “doesn’t have the same control over what makes it to the House floor.”

Cantwell also opposed the previous bill, saying it was too weak and riddled with enforcement holes. “She stood in the way of the ADPPA, and now here she is as a sponsor,” Hughes said, calling that flip one of the indicators pointing toward passage. “Ignore this bill at your peril. We know it’s an election year, and Congress isn’t getting much through. But the environmental indicators on this bill are notable.

“On top of that, Congress is tackling a number of big policy issues: AI [artificial intelligence], child privacy, and data transfers to China. In many of those discussions on those initiatives, it has been understood or recognized that privacy legislation is a foundational prerequisite. It doesn’t make much sense to move forward with AI policy until there is some foundational privacy legislation in place.”

Even so, lawmakers are sure to push for numerous amendments, said Michael Bahar, a partner at Eversheds Sutherland who co-leads the firm’s global cybersecurity and data privacy practice: “This isn’t even an introduced bill yet. That means there is going to be a lot of change,” with the private-right-of-action language likely to be one of the biggest points of contention, he said.

“The fact that this includes it might mean that it won’t pass in its current form. Companies are already spending a lot to defend or settle CIPA actions,” he added. “That’s probably the most important takeaway—once you have a PRA, the costs of perceived non-compliance go up.”

Also worrisome to the business community is that the bill confers enforcement rights on both the Federal Trade Commission (FTC) and state attorneys general, causing even more headaches for companies around compliance risk. “If it’s true that there is such a multitiered approach to enforcement, I don’t expect most companies are going to be for that, and certain members of Congress won’t be for that as well,” Bahar said.

He added: “Companies want clarity and uniformity. They want to know how best to comply, but they don’t want necessarily 50 state attorney general enforcement actions, the FTC coming after them as well as private plaintiffs.”

The fact that state attorneys general and FTC enforcement actions can be concurrent “is likely going to be the area that legislators struggle with the most, if they have a hope of having this pass into law,” said Bahar, a former general counsel for the House Intelligence Committee. “I recognize genuine efforts to legislate instead of just posturing. But there’s still more work to be done, and I think they know that, too.”

From: Corporate Counsel