We might really do it this time.
That was the takeaway that House lawmakers were eager to impart at a hearing in the Energy and Commerce subcommittee on innovation, data, and commerce (IDC). Comprehensive data privacy legislation is on the table yet again — but this time, it’s different.
Lawmakers also touched on children’s online safety proposals like the Kids Online Safety Act, which recently got a House companion to the popular Senate bill, and COPPA 2.0, which would update and raise the age for protections for a long-standing online privacy bill for children.
But privacy reform was the focus of much of the hearing, as a discussion draft for the American Privacy Rights Act (APRA) revived the issue after years of inaction. This latest draft is being championed by Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA).
Comprehensive privacy protection has been a shared bipartisan goal for years but has failed to become law due to disagreements on the finer points: Should they preempt state legislation that’s provided some baseline protections in the absence of federal ones? Should individual consumers have a private right of action to sue for violations of their data rights?
This is the closest that Congress has gotten to advancing comprehensive privacy legislation in some time. But legislators have been in a similar position before and then seen their hopes wither.
Most recently, in 2022, Rodgers worked with then-Commerce Committee Ranking Member Roger Wicker (R-MS) and then-E&C Chair Frank Pallone (D-NJ) to introduce the American Data Privacy and Protection Act (ADPPA), which passed with strong bipartisan support out of the House Energy and Commerce Committee. But opposition from Cantwell ultimately stymied that initial momentum, eventually refocusing attention to legislation addressing TikTok’s ties to China and the online safety of children — two problems that many advocates say could be partly addressed through comprehensive privacy protections for all internet users.
“I’m fired up. We’ve got to get this done.”
Even with memories of a failed privacy push still in mind, committee leaders expressed optimism at Wednesday’s hearing that strong nationwide privacy protections could finally become a reality. “With the American Privacy Rights Act, we are at a unique moment in history where we finally have the opportunity to imagine the internet as a force for prosperity and good,” Rodgers said at the start of the hearing. “I’m fired up,” IDC subcommittee Chair Gus Bilirakis (R-FL) said after Rodgers’ remarks. “We’ve got to get this done.”
Pallone, now ranking member of the full committee, echoed that feeling. But he then proceeded to note areas he saw as lacking in the proposal. While he said he’s “pleased” the new proposal adopts many of the same protections as the earlier one he sponsored, he said he hopes to add more specific protections for children, like prohibitions on targeting ads to kids and requiring “privacy by design.” Pallone also wants to create a division of youth privacy at the Federal Trade Commission to ensure it gets the funding necessary to enforce.
Still, Pallone said he’s “optimistic that we’ll be able to get comprehensive privacy legislation across the finish line” and said he’s committed to working with his colleagues to do so.
On the Senate side, Commerce Committee Ranking Member Ted Cruz (R-TX) has already indicated potential areas of opposition to the proposal, saying in a statement after its release that he “cannot support any data privacy bill that empowers trial lawyers, strengthens Big Tech by imposing crushing new regulatory costs on upstart competitors or gives unprecedented power to the FTC to become referees of internet speech and DEI compliance.” The proposal would let individuals sue for alleged violations of their rights but also give companies a chance to correct mistakes.
With Cantwell holding the gavel on that committee, the proposal could still get a chance to move forward once introduced.
At one point, Bilirakis asked each of the five expert witnesses at the hearing if this was the best chance Congress had to pass comprehensive data privacy. He got a unanimous “yes.”
“I think there’s this recognition that things are getting worse, and that they can still get worse.”
In an interview after the hearing, IDC subcommittee Ranking Member Jan Schakowsky (D-IL) said she’s “very optimistic as of today.” She says that, this time, lawmakers are even more aware of the consequences of not passing privacy protections into law. “I think there’s this recognition that things are getting worse, and that they can still get worse,” Schakowsky said. “So if we don’t act, more states are now doing their independent privacy bills. That’s not a good thing. Countries around the world, I mean, we are outliers here not having some kind of protection for consumers. So I think there’s an urgency that’s felt to get this done.”
Schakowsky acknowledges that there are areas of the draft even she’d like to see changed, noting she preferred how the ADPPA handled preemption of laws including the Illinois biometric data protection law. But she said that “overall, the need to get this done is more compelling than the disagreements,” and ultimately, “There is just a real consensus that we just have to work it out.”
Schakowsky is not too concerned about opposition from California lawmakers, who historically have been adamant about maintaining the enforceability of the state’s own data privacy law, noting that only two members voted against the ADPPA in a committee vote.
And as far as tech lobbying goes, Schakowsky says it will only go so far this time around. “People are so fed up with Big Tech, having their way with us in every possible way. I think we’ve kind of crossed that,” she said. “I just think they’re not going to be on strong ground. I’m sure they’re going to be looking at each detail and see how they could do it. But I think people have had it with them and the role that they have in our lives.”