Federal Privacy Legislation – An Imminent Reality or Much Ado About Nothing?
Insights
8.04.22
There’s been a lot of buzz in privacy circles in recent weeks over proposed bipartisan federal privacy legislation that has advanced from policy committee and now awaits further action on the floor of the House of Representatives (read our prior summary of this federal bill here). While these recent events may represent the closest we have ever been to comprehensive federal consumer privacy legislation, a high-powered dispute over how this proposed law would interact with a bevy of state privacy laws threatens to torpedo the entire effort. Moreover, it appears that the legislation has little chance of advancing through the Senate this session, leading some commentators to conclude that the current effort is really more about drawing lines in the sand regarding any future legislative efforts. What do you need to know about the state of affairs when it comes to a possible federal privacy statute?
The American Data Privacy and Protection Act
Consumer privacy legislation has been a hot topic in recent years, particularly at the state level. Five states – California, Connecticut, Colorado, Utah, and Virginia – have enacted state comprehensive consumer privacy protection laws in recent years.
However, the United States currently lacks comprehensive privacy protection at the federal level – something that has raised concerns for several reasons. First, key stakeholders have expressed concern about the increasing complexity for businesses in trying to comply with a “patchwork” of different state rules. Second, many commentators have argued that the lack of federal privacy legislation places the U.S. at a competitive disadvantage in comparison to Europe and other regions that either have adopted or are moving forward with comprehensive privacy regulation.
Enter the American Data Privacy and Protection Act (H.R. 8152), or ADPPA, which represents the first real bipartisan effort to advance federal privacy regulation in recent memory. Among other things, the ADPPA would do the following:
- impose a number of obligations on covered entities, including requirements to abide by data minimization principles and special protections for certain types of data, such as geolocation information, biometric information, and nonconsensual intimate images;
- require covered entities to disclose the data they collect, what they use it for, and how long they retain it;
- give consumers various rights over covered data, including the right to access, correct, and delete their data;
- prohibit most covered entities from using data in a way that discriminates on the basis of protected characteristics and would require large data holders to conduct algorithm impact assessments;
- require covered entities to adopt data security practices and procedures that are reasonable in light of their size and activities; and
- specifically define covered data to exclude employee data.
The “P” Words – Preemption and Private Right of Action
Most of the debate and controversy over the ADPPA in recent weeks has focused on two issues: (1) whether it would preempt state privacy laws, and (2) whether it would be enforceable by consumers via a private right of action.
First, the ADPPA would generally preempt any state laws that are “covered by the provisions” of the law or its regulations. For those unfamiliar, preemption is a legal doctrine that allows the federal government to limit the ability of states to pass laws on certain topics if it introduces a law in the same area. The ADPPA would, however, expressly preserve 16 categories of state laws, including laws of general applicability and data breach notification laws. So, for example, it would preempt laws like the California Privacy Rights Act (CPRA) but would not preempt the Illinois Biometric Information Privacy Act (BIPA).
Second, the ADPPA would create a delayed private right of action (two years after enactment) limited to compensatory damages, injunctive relief, and attorneys’ fees. Individuals would have to notify the Federal Trade Commission and their respective state attorney general before bringing suit, who would have 60 days to decide “whether they will independently seeks to intervene in such action.” In addition, small and medium-sized businesses would have an opportunity to “cure” an alleged violation prior to any private right of action.
Fight Over State Preemption and the Wrath of California
As one might expect, the notion of federal legislation potentially preempting the CPRA did not go over well with California lawmakers – including the California Congressional delegation – and other stakeholders.
California Governor Gavin Newsom recently sent a letter to the Chair of the House Committee on Energy & Commerce, urging the committee to remove the language preempting the CPRA. Similarly, California State Assembly Speaker Anthony Rendon reached out to House Speaker Nancy Pelosi raising the same objections. And California Attorney General Rob Bonta (along with nine other State Attorneys General) appealed to Congressional leadership asking for similar changes to the ADPPA to preserve California’s law.
The California Privacy Protection Agency even got in on the action itself, convening a special meeting on July 28 to vote to oppose the ADPPA or similar federal privacy legislation that would preempt the CPRA.
What Comes Next?
Despite the high-profile dust-up over the state preemption issue, the ADPPA advanced out of the House Committee on Energy & Commerce and now sits on the House floor. This represents the farthest that any federal privacy legislation had made it through the process. For that reason, there has been significant buzz that enactment of the ADPPA is “imminent” or likely to occur in the near future.
However, passage of the ADPPA anytime soon is far from certain. Primarily, if language remains in the bill that preempts the CPRA, passage on the House floor would be improbable based on the size of the California Congressional delegation. Moreover, even if by some chance the ADPPA were to pass the House, passage in the Senate currently seems unlikely. Senate Commerce Committee Chair Maria Cantwell has publicly stated that she does not believe the ADPPA goes far enough, which signals a difficult road may lie ahead should the bill somehow pass the House.
While there had previously been indications that stakeholders were trying to push through comprehensive privacy legislation before the November 2022 midterm elections (and speculated changes in House or Senate control), the latest word from insiders is that the federal proposal is likely dead for the year.
So, what’s all the continued buzz about? Stakeholders and lawmakers may be simply drawing lines in the sand for future legislative efforts. If the ADPPA does not advance this year, it nonetheless will likely represent the “starting point” for any future draft of legislation. Therefore, key stakeholders are likely trying to make sure that key issues – most significantly the preemption of state privacy laws – are addressed to their liking to establish the precedent for future legislative efforts.
Conclusion
Fisher Phillips will continue to monitor developments on state and federal privacy legislation. Make sure you are subscribed to Fisher Phillips’ Insight System to get the most up-to-date information. For further information, contact your Fisher Phillips attorney, the authors of this Insight, or any attorney on our Consumer Privacy Team.
Related People
-
- Benjamin M. Ebbink
- Partner
-
- Usama Kahf, CIPP/US
- Partner