Dive Brief:
- General counsel working through data privacy rules taking effect in California, Colorado and other states could be facing a new task as lawmakers in Congress step up efforts on a sweeping federal law that would mostly preempt state efforts.
- The House Energy and Commerce Committee this week approved the country’s first major data privacy law, teeing up consideration in the House, where it stands a good chance of passing. Efforts in the Senate are more uncertain, but given the broad bipartisan support for the House bill, which passed out of committee 53-2, approval in both chambers is not out of the question.
- “We’re more hopeful than we have been in years that a bipartisan privacy bill can make its way to the president’s desk this Congress,” Carl Holshouser, senior vice president of TechNet, said.
Dive Insight:
The American Data Privacy and Protection Act (H.R. 8152) is largely built around the idea that organizations can continue to track what people do on their websites and mobile apps but only for minimal purposes, a policy the bill calls data minimization. That’s defined as data that’s just enough to accomplish permitted activities and no more.
The bill identifies more than a dozen such activities, including authentication, security protection and fraud prevention, and transactions.
Organizations can still share data with third parties, with user consent, but only for first-party marketing or advertising.
That means, if a person shops for shoes on a store’s website, the store could still use that information to show shoe ads while the person is on another website.
“What it wouldn’t be able to do,” Wired says in its coverage of the bill, “is match your shopping history with everything else you do on the web and on your phone to show you ads for stuff you’ve never told them you wanted. Nor could Facebook and Google continue to spy on you by placing trackers on nearly every website or free app you use, in order to build a profile of you for advertisers.”
What’s more, organizations can’t do any tracking whatsoever of minors.
Consensus approach
There appears to be broad, bipartisan agreement on the main approach of the bill. Much of the battle to come is over how it will intersect with laws already in place in California and the handful of other states that have been proactive about privacy.
The two no-votes in the House Energy and Commerce Committee were both by California representatives who want federal protections to provide a nationwide minimum standard while allowing states to maintain their own laws.
Attorneys general in the handful of states that have already enacted laws also want the federal bill to provide a floor and not preempt state efforts.
The bill doesn’t do that, although in a partial compromise, it carves out more than a dozen areas of state law that would be exempt from federal preemption, and, in the case of California, hands enforcement authority to the state’s new privacy protection agency.
The other main sticking point is the bill’s allowance for a private right of action, which would expose organizations to individual lawsuits over privacy violations, although subject to limits.
Before people can sue, for example, they have to let either their state attorney general or the Federal Trade Commission (FTC) know, and if they want to sue a small or mid-sized business, they have to give the business a chance to correct the violation first.
In another compromise with California in mind, the bill delays the private right of action for four years and also allows the state to maintain its private right of action against data breaches.