House Commerce Committee Advances Privacy Bill 53-2

California has the best privacy protections in the country with inalienable data privacy rights, which might be threatened if Congress passes the American Data Privacy and Protection Act (HR-8152), Rep. Anna Eshoo, D-Calif., said during Wednesday’s markup. Congress historically allows states to enact stronger laws, she noted, saying the Health Insurance Portability and Accountability Act doesn’t override state law. The federal privacy bill could make it harder for California’s privacy agency to enforce its own law, Eshoo said, noting attorneys general in California, Illinois, Washington, New Jersey, Connecticut, Maine, Massachusetts, Nevada, New Mexico and New York share those concerns. Rep. Doris Matsui, D-Calif., said she can’t support the bill because it would hamstring state enforcement.

Eshoo filed an amendment to preserve California’s right to impose stronger privacy protections, which failed 8-48. Chairman Frank Pallone, D-N.J., told reporters after the hearing he opposed the amendment because it would have gutted the bill, but it doesn’t mean he won’t continue working with California members. Eshoo and Rep. Nanette Barragan, D-Calif., voted against final passage.

The committee has been addressing outstanding concerns, so members should be “open-minded” about whether the bill could improve things in California, said Rep. Jerry McNerney, D-Calif.: “I think it actually makes things stronger, so at this point I’m going to be in favor.” Pelosi doesn’t “want to weaken California’s protections,” he said. “If she’s not on board, it’s not going to move forward.” He believes the committee took the strongest elements of California’s law and the committee’s draft and put them together into a “strong” bill. “If we don’t pass it now, I don’t think we’re going to have a chance to pass this for a good, long time again,” he said during Wednesday’s markup. Rep. Scott Peters, D-Calif., supported the bill, saying California helped Congress get to this point, but a national standard would be better than having a patchwork of state laws.

Rep. Tony Cardenas, D-Calif., asked the committee counsel if the bill would allow California’s privacy authorities and its state AG to enforce the bill and whether California could obtain monetary penalties and injunctive relief. The counsel said yes. There’s “no such thing” as “perfect” legislation, said Cardenas.

Sen. Maria Cantwell, D-Wash., who opposes the measure, told us she hasn’t spoken directly with Pelosi but heard “that she wasn’t going to let California be gutted, but I don’t know.” Pelosi’s office didn’t comment.

Pallone highlighted provisions in the bill during markup and thanked ranking member Cathy McMorris Rodgers, R-Wash., House Consumer Protection Subcommittee Chair Jan Schakowsky, D-Ill., and House Consumer Protection Subcommittee ranking member Gus Bilirakis, R-Ill., for their bipartisan collaboration on the bill. Senate Commerce Committee ranking member Roger Wicker, R-Miss., who crafted the bill with House counterparts, told us Wednesday that the U.S. needs a “nationwide, strong data privacy bill that is uniform. There’s got to be a way to work this out.”

Pallone said the bill would set a strong national standard with a data-minimization framework to help ensure companies are limited in what they collect and share. His highlights included: a new youth privacy and marketing division at the FTC, data protection for women in abusive relationships and preventative measures against “shady” data brokers that allow the abuse to happen. He noted the bill’s protected classes covering people of color against housing, employment and other forms of discrimination.

The bill prevents Big Tech from tracking, predicting and manipulating user behavior for profit without consent, said Rodgers. It stops Big Tech from reading email data and tracking online activity, she said. It allows users to turn off targeted advertising, location data and internet search history, she said. And it blocks companies from sharing sensitive data with foreign adversaries like China and Russia, requiring affirmative consent to transfer data to those countries, she said. It designates all data related to children under 17 as “sensitive,” establishing consequences for tracking that data, she said. This is the first time a comprehensive bipartisan privacy bill has been voted out of committee, noted Schakowsky.

An amendment from Rep. Debbie Lesko, R-Ariz., that would exempt the National Center for Missing & Exploited Children as a covered entity, passed by voice vote. Several other amendments passed by voice vote, including a measure from Rep. Lori Trahan, D-Mass., to exempt data companies providing data for specific research purposes. McNerney’s amendment granting the FTC data security rulemaking authority passed by voice vote. A measure from Rep. Buddy Carter, R-Ga., to exempt companies with less than 15 employees from having to hire a privacy officer, passed.

“Congress has a real opportunity to pass meaningful federal privacy legislation with uniform ‘rules of the road’ that will protect individuals while enabling innovation,” said Computer & Communications Industry Association President Matt Schruers. “But legislators must avoid the possibility of a patchwork quilt of state regulations and regulators that would tie up innovators with inconsistent and unnecessary compliance obligations.” CCIA has expressed reservations about the bill’s private right of action provision. USTelecom Senior Vice President-Government Affairs Brandon Heiner welcomed Wednesday’s vote: “While there is more to be done, we look forward to continuing to work with Congress to ensure any privacy law provides all of America’s broadband customers the protection they deserve.”

The privacy legislation that cleared House Commerce Wednesday is stronger than California’s privacy law in “nearly every way,” Future of Privacy Forum Legislative Research & Analysis Director Stacy Gray said Thursday.

The Software & Information Industry Association said that through the approval process the bill has moved away from compromise positions and needs more input from stakeholders before it’s ready for the floor. Gray said the bill’s civil rights provisions are “substantially stronger” than any state law, and it also resolves some of California’s procedural concerns, “including the possibility that it could nullify the state agency’s current enforcement and rulemaking powers.”

SIIA President Jeff Joseph said the bill in its current form could “undermine consumer protection and lead to increased costs or reduced quality services for consumers and open the door to a greater, unworkable patchwork of U.S. privacy laws.” Industry, academic and advocacy groups need more time to provide feedback on the legislation, said Joseph.