Articles C2 Fall 2022

Are we on the path to a National Data Privacy Law?

For years, US lawmakers have avoided making tough calls about what data privacy protections we should give consumers and how they should be enforced. That finally may be changing.

Last week, the US House Energy and Commerce Committee greenlit a watershed privacy bill that strikes compromises on a series of major issues that have long vexed congressional negotiators. It marks the first time a federal consumer privacy bill has made it out of a US congressional committee, a historic feat. The move represents significant progress toward codifying consumer data protections federally in the US — something lawmakers have attempted for years to no avail.

The American Data Privacy and Protection Act (ADPPA), H.R. 8152, seeks to establish national standards for how tech companies and other businesses use consumers’ personal identifiable information (PII).  The ADPPA would override many state privacy laws, which would reduce complexities for businesses. This is called “preemption”.

Perhaps the most distinctive feature of the committee-approved version of the ADPPA is that it focuses on what’s known as data minimization. Generally, companies would only be allowed to collect and make use of consumer data if it’s necessary for one of 17 permitted purposes spelled out in the bill—things like authenticating users, preventing fraud, and completing transactions. Everything else is simply prohibited. Contrast this with the type of online privacy regime most people are familiar with, which is all based on consent: an endless stream of annoying privacy pop-ups that we almost always click “yes” on because it’s easier than going to the trouble of turning off cookies. That’s pretty much how the EU’s privacy law, the GDPR, has played out.

I like the data minimization approach proposed in the ADPPA. Research conducted by Acxiom last year shows 83% of consumers want a clear link between the data they share with organizations and the value they will receive from this exchange. Data trust cannot simply be claimed or assumed – it must be earned, and it requires brands to involve customers in a dialogue about what they are doing with their data and why. Collecting too much data can also be a liability for companies.

Even with bipartisan support and the potential to provide vast new protections for Americans, it’s not all clear skies ahead. Even if the bill passes in the House, there are hurdles to the bill’s success in the Senate. Also, some representing business and industry interests, like the trade group Association of National Advertisers, have already issued statements. Some are also unhappy with ADPPA’s preemption of state data privacy statutes, such as California’s Consumer Privacy Rights Act. The ADPPA also apparently rolls back other protections, including rights to privacy that states have seen fit to enshrine in their state constitutions. Based on the text of the current bill, endangered state privacy rules include those for biometric information (apart from face recognition), genetic data, broadband privacy, and data brokers—or “third-party collecting entities” as the ADPPA refers to them.

I recommend tracking the progress of ADPPA’s journey through Congress. Before a House floor vote, there will be interest groups positioning their amendments/changes to the bill. I just hope that it’s not diminished further since, if passed, the ADPPA will impact the country’s privacy landscape for years to come. But regardless of whether ADPPA passes during this legislative session, the bipartisan support behind it — combined with a wave of new state data privacy laws set to go into effect next year — indicates that the tides are shifting at a more fundamental, cultural level with respect to privacy in the US.

The CyberRes Voltage Data Privacy and Protection portfolio is well-positioned to support the technology needs of privacy programs that may need to comply with the ADDPA. You can also check out this new Privacy Hub from CyberRes to learn how data and identity can power privacy.