The measure, a copy of which was reviewed by The Washington Post, would set a national baseline for how a broad swath of companies can collect, use and transfer data on the internet. Dubbed the American Privacy Rights Act, it also would give users the right to opt out of certain data practices, including targeted advertising. And it would require companies to gather only as much information as they need to offer specific products to consumers, while giving people the ability to access and delete their data and transport it between digital services.
Significantly, the deal would resolve two issues that have bogged down negotiations for years: whether a federal law should override related state laws and whether consumers should be permitted to sue companies that violate the rules.
The bill would achieve a Republican goal by preempting over a dozen “comprehensive” state privacy laws that have sprung up amid congressional inaction — including a watershed California measure — while allowing state rules on more-targeted issues like health or financial data to stand. Meanwhile, it would allow an enforcement method championed by Democrats: civil lawsuits that would let individuals seek financial damages if companies fail to fulfill data deletion requests or to obtain express consent before collecting sensitive data.
“We have to have a bright line here where we’re catching bad actors and policing the information age,” Cantwell told The Post in an interview Sunday.
The Post and other news outlets reported Friday on the expected deal, but details of the proposal did not become public until Sunday. Spokespeople for McMorris Rodgers did not offer immediate comment. In an interview Sunday with the Spokesman-Review of Spokane, Wash., McMorris Rodgers called it “a historic piece of legislation” that would “establish privacy protections that are stronger than any state law on the books.”
Even with the support of Cantwell and McMorris Rodgers, whose committees bear primary responsibility for privacy legislation, the measure faces uncertain prospects. It is currently a “discussion draft,” meaning the two committee chairs are likely to solicit input from other lawmakers and outside groups before formally introducing it.
And the window for passing any legislation — much less a complex online privacy bill — is fast closing before the November elections. With McMorris Rodgers set to step down from Congress in January, the need for action becomes even more urgent. But, Cantwell, said: “A deadline is a good thing.”
Over the past half-decade, Congress has held dozens of hearings on data privacy as political scrutiny of technology companies’ alleged privacy abuses intensified, with lawmakers unveiling a flurry of proposals aimed at tackling those concerns. But no sweeping privacy legislation has been adopted by either chamber of Congress, and few measures have even gained significant traction.
During the previous Congress, House lawmakers including McMorris Rodgers advanced a sprawling privacy bill aimed at breaking the impasse. But key leaders — including Cantwell and former House Speaker Nancy Pelosi (D-Calif.) — spoke out against it.
At the time, Cantwell said the House measure would impose a multiyear delay on when consumers can bring their own lawsuits, criticizing that provision as one of the bill’s “major enforcement holes.” She also expressed concern that companies could weaken the law by forcing users into arbitration, a process that can require parties to resolve privacy disputes without going to court.
After the House bill stalled, privacy talks ramped back up in December, Cantwell said, when McMorris Rodgers approached her about reviving negotiations directly between the two of them.
The new legislation mirrors the House proposal in several ways: It would force companies to minimize and disclose their collection practices and let users correct or delete their own data. It also would bar companies from using the data they collect to discriminate against protected classes. And it would require them to appoint executive officers responsible for ensuring compliance with the law.
But the compromise measure also contains key differences: For example, it would not impose a delay on when individuals can file lawsuits and it would bar most arbitration agreements from interfering with the intent of the legislation — changes sought by Cantwell, who called it “night and day” compared to the House version.
A senior aide on the Senate Commerce Committee, who spoke on the condition of anonymity to preview the legislation, said Cantwell and McMorris Rodgers made it a priority to hash out those issues, along with Republican concerns about the ability of small businesses to comply with the measure’s provisions.
To that end, the proposal would exempt companies with less than $40 million in annual gross revenue from its requirements and would place heightened obligations — including a requirement to conduct regular privacy reviews — on “larger data holders” with more than $250 million in annual gross revenue.
The measure would not accomplish some other priorities. For example, it would not prohibit companies from targeting minors with ads, as President Biden called for during his State of the Union addresses. Nor would it create a “youth privacy and marketing division” at the Federal Trade Commission, as the previous House legislation proposed.
While the proposal is meant to offer “comprehensive” privacy protections, the senior Commerce Committee aide said it is seen as “complementary” to other bills on child safety and privacy that are expected to be taken up in the Senate. That includes a measure by Sen. Edward J. Markey (D-Mass.) that would expand federal children’s privacy laws and another led by Sens. Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.) that would create new child safety obligations for digital platforms.
The measure would “terminate” the FTC’s efforts to craft new regulations on privacy, though the agency — along with state attorneys general — would be responsible for enforcing the measure. It also would largely strip the Federal Communications Commission of any privacy oversight in the telecommunications sector, bringing those matters under the purview of the FTC — a wrinkle that has in the past troubled consumer advocates.
The privacy compromise is part of a recent surge of activity on new internet policies. In February, Blumenthal and Blackburn announced that they had secured enough support for online child safety legislation to clear the Senate, teeing up a potential vote this year. In March, the House passed legislation to force TikTok to be sold by its Chinese parent or be banned in the United States, kicking the issue over to the Senate. A week later, the House passed a more narrow privacy bill aimed at stopping data brokers from selling U.S. user information to “foreign adversaries.”
“Going to be a very busy few months,” Cantwell said.
She said lawmakers will look to attach the child privacy and safety bills to an upcoming must-pass legislative package, and that her committee plans to take up the House data broker bill. As for the broader privacy bill, Cantwell said she plans to reach out to other lawmakers “in earnest” Monday.
It was not immediately clear whether Rep. Frank Pallone Jr. (D-N.J.) and Sen. Ted Cruz (R-Texas), the minority leaders in Cantwell and McMorris Rodgers’s committees, would back the push. Nor was it clear whether state leaders whose laws would be preempted by the measure would rally against it — something that muddled talks over privacy on Capitol Hill in the past.
“I do think people think a comprehensive policy is better as long as it can reach a strong, beefy standard,” Cantwell said, “which I think this does.”