A new legislative “discussion draft” that aims to create a stronger data privacy and security landscape for U.S. consumers would put the Federal Trade Commission (FTC) in charge of the proposed new rules and would preempt most existing state laws on data privacy and security.
The draft legislation was unveiled on June 3 by Rep. Frank Pallone, D-N.J., chairman of the House Energy and Commerce Committee, the panel’s ranking member Cathy McMorris Rodgers, R-Wash., and Sen. Roger Wicker, ranking member of the Senate Commerce, Science, and Transportation Committee.
Legislation to create stronger Federal rules for the private sector on data privacy and security has been a perennial talking point for Congress for a decade or more, but one that has never made it even close to the finish line. The last serious push for stronger standards dates back to 2019, and the three members of Congress that released the draft cautioned that action on the latest iteration is far from soon, or certain.
“This bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone,” the members of Congress said.
“In the coming weeks, we will be working with our colleagues on both sides of the aisle to build support and finalize this standard to give Americans more control over their personal data,” they said. The discussion draft, they said, “represents the sum of years of good faith efforts by us, other Members, and numerous stakeholders as we work together to provide American consumers with comprehensive data privacy protections.”
“This bill strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress, including the development of a uniform, national data privacy framework, the creation of a robust set of consumers’ data privacy rights, and appropriate enforcement mechanisms,” the members of Congress said. “We believe strongly that this standard represents the best opportunity to pass a federal data privacy law in decades,” they added.
The discussion draft names the FTC as the prime Federal regulatory for the proposed new rules, and the agency would create a new bureau for that purpose.
Significantly for states that have already adopted data privacy and protection rules, the new Federal rules would preempt the existing state rules.
“State laws covered by the provisions of the Act are preempted, subject to a list of specified state laws to be preserved,” according to an explanation of the discussion draft provided by the House Energy and Commerce Committee.
State laws that would not be preempted include: “generally applicable consumer protection laws; civil rights laws; employee and student privacy protections; data breach notification laws; contract and tort law; criminal laws regarding fraud, theft, identity theft, unauthorized access to electronic devices, and unauthorized use of personal information; laws on cyberstalking, cyberbullying, nonconsensual pornography, and sexual harassment,” among several others.
The discussion draft includes the following provisions that could end up in eventual American Data Privacy and Protection Act:
- Covered businesses would have a “baseline duty” to not “unnecessarily” collect or use covered consumer data regardless of consent or transparency requirements “beyond what is reasonably necessary, proportionate, and limited to provide specific products and services requested by individuals”;
- Consumers would get protection against discriminatory use of their data;
- Consumers would not have to “pay for privacy”;
- Consumers would be allowed to turn off targeted advertisements; and
- Businesses would have to provide enhanced data protections for children and minors.