A bipartisan bill was introduced Friday by two Republicans and a Democrat in an attempt to break the impasse in Congress over drafting a federal privacy law. However, time is running out before Congress adjourns for the month of August.
The American Data Privacy and Protection Act would establish a national framework to protect consumer data privacy and security, as well as grant consumers rights over how their personal data is handled by businesses, require businesses to collect the least amount of personal data possible, and provide enhanced protections for children and minors.
"This bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone," said the bill's three sponsors, Sen. Roger Wicker (R-Miss. ), Rep. Frank Pallone (D-N.J.), and Rep. Cathy Rodgers (D-Washington) (R-Wash).
The bill also tries to close the gap on two particularly thorny issues that have stymied previous data privacy bills in committee: state preemption and private right of action.
By creating exemptions, the bill attempts to thread the needle on these two issues. With the exception of the California Privacy Rights Act (CPRA) and two Illinois laws that set data privacy rules for biometric and genetic information, the law would preempt all state data privacy laws.
In terms of private right of action, the bill allows consumers who believe their legal rights have been violated to sue companies in federal court. But there is a catch: the private right of action will not kick in until four years after the law is passed.
The International Association of Privacy Professionals (IAPP) maintains a federal data privacy bill tracker that lists 17 other data privacy bills currently being considered by Congress. There are no provisions for both preemption and a private right of action in any of them.
"Congress, industry, civil society and the White House have all taken steps toward the creation of a U.S. federal privacy law," according to the IAPP. "What this law will look like—and when and if it will happen—are still very much in question, but day-by-day it’s looking more likely that a federal law is in the United States’ future."
Meanwhile, four states have joined California in enacting data privacy legislation: Colorado, Connecticut, Utah, and Virginia. On January 1, the California Consumer Privacy Act will be renamed the CPRA, and the other four state laws will follow suit in 2023. California is the only state with its own data privacy agency, the California Privacy Protection Agency (CPPA). At its regular meeting on Wednesday, the CPPA will discuss rulemaking for the CPRA.
By fLEXI tEAM