On June 14, the House E&C Subcommittee on Consumer Protection and Commerce held a hearing to consider issues and concerns raised by the “three corners” privacy “discussion draft” released to the public June 3. As we blogged last week, the American Data Privacy and Protection Act (ADPPA) is an historic bipartisan compromise among three key committee leaders in the House and Senate (Sen. Wicker and Reps. Pallone and McMorris Rodgers). So far, it lacks the backing of the fourth, Senator Cantwell.
The hearing came together quickly, reflecting the limited time and challenges in this election year to pass a bill of this significance. The 3+ hour event showcased myriad issues and concerns that the witnesses and other stakeholders have raised with respect to the draft. Still, Subcommittee leaders pledged to keep working on the bill and expressed optimism that they might be able to pass comprehensive federal privacy legislation this year. As of this writing, we understand that there will be subcommittee markup next Thursday and a full-committee markup sometime after the July 4th recess.
The witnesses (eight of them!) included a mix of experts from the public interest and business communities:
- Caitriona Fitzgerald, Electronic Privacy Information Center (Testimony)
- David Brody, Lawyers’ Committee for Civil Rights Under Law (Testimony)
- Bertram Lee, Future of Privacy Forum (Testimony)
- Jolina Cuaresma, Common Sense Media (Testimony)
- John Miller, Information Technology Industry Council (Testimony)
- Graham Dufault, ACT | The App Association (Testimony)
- Doug Kantor, National Association of Convenience Stores (Testimony)
- Maureen Ohlhausen, appearing for the 21st Century Privacy Coalition (Testimony)
Big Picture Takeaways
- Virtually all subcommittee members attended (including full E&C Committee leaders Pallone and McMorris Rodgers) as well as some “guests” (Reps. Eshoo and Walberg, who serve on E&C, but not the subcommittee). Most applauded the bipartisan effort and expressed support for it to varying degrees. While the Democrats tended to focus their questions on the strength of the bill’s protections, many Republicans focused on whether and how the bill might impair legitimate business activities, particularly with respect to small companies.
- Despite recent criticism by the business community and (reportedly) strenuous lobbying against the bill, the Republican leaders (McMorris Rodgers and Subcommittee Ranking Member Bilirakis) showed no signs of backing away from the bill and stated that they would work hard to address concerns in the coming weeks.
- Witnesses from the advocacy community were generally more positive about the bill than those from the business community, although all applauded the goals and particular aspects of the bill. No witness opposed the bill outright, but all suggested changes, some quite significant.
Key Suggestions from the Witnesses
- Fitzgerald expressed strong support for the bill’s data minimization provisions, a feature that “sets the bill apart” from other laws. She also supported substantive protections for sensitive data that go beyond notice and choice. While citing the “big opportunity” here, she recommended changes, including adding a broad duty of loyalty (a feature long supported by Senators Cantwell and Schatz); strengthening algorithmic transparency; expanding the FTC’s rulemaking authority; authorizing enforcement not just by state AGs but also by other state agencies; and including statutory damages in the private right of action (PRA).
- Brody praised the civil rights protections in the bill, noting the gaps in current law and the value of requiring impact assessments and addressing online advertising and the platforms. Like Fitzgerald, he also applauded the data minimization standards, stating that data abuses and breaches disproportionately harm people of color. His suggestions to improve the bill focused mostly on the PRA, and included eliminating the 4-year delay; authorizing statutory and punitive damages; eliminating the limits imposed on demand letters and the right to cure; and extending the PRA to the data minimization requirement.
- Lee was very supportive of the bill, saying it compares favorably to global privacy frameworks like the GDPR, and singling out the provisions governing civil rights, privacy by design, corporate accountability, the PRA, youth privacy, and large data holder responsibilities. However, he recommended more funding for the FTC, broader FTC rulemaking to ensure that the law keeps pace with technological changes, and greater harmonization with existing federal laws and the GDPR. Like Miller and Dufault (below), Lee questioned whether imposing direct legal requirements on service providers and third parties, instead of adopting the GDPR’s controller/processor model, would be workable.
- Cuaresma focused on protecting minors, praising the ban on targeted ads, the creation of a Youth Division at the FTC, and including protections for teens. However, she suggested extending protections to all minors (not just those under 17); giving the FTC more resources; moving to a “constructive” (not “actual”) knowledge standard in the ADPPA and COPPA; and shortening the PRA waiting period. In response to a question from Rep. Lesko, Cuaresma seemed to agree that any consent involving minors should be given by a parent.
- Miller was concerned about the breadth of the sensitive data provision and its effect on marketing and routine business functions. He noted that the bill includes consumers’ online activities as a sensitive data category, effectively turning the opt-out for targeted ads into an opt-in, and potentially impeding everyday functions like search and cybersecurity analyses. He also recommended including a broad carve-out for “first party” activities, consistent with state laws; adopting the GDPR approach to service providers and third parties (to more clearly delineate roles); and rethinking the PRA and preemption provision which, he said, are likely to lead to confusion and excessive litigation.
- Dufault stressed the need to create legal certainty for small businesses. Like Miller, he was critical of the preemption and PRA provisions, and suggested limiting the PRA by preserving fewer laws, confining it to “substantial” privacy harms, broadening the right to cure, and adding a scienter requirement. He also expressed concerns about the breadth and definitions of some of the categories of sensitive data. Of note, he strongly supported the bill’s inclusion of the safe harbor program for small businesses, which could help alleviate burdens on these entities.
- Kantor focused on creating a level playing field for all businesses while minimizing burdens on small entities. As such, he supported the bill’s direct coverage of service providers and third parties (in lieu of allowing certain entities to control others via contract), objected to carve-outs for particular sectors, and suggested changes to the bill’s small business exception. Like other business witnesses, he said that the preemption and PRA provisions would create significant burdens for businesses and that other provisions would impair legitimate marketing activities. For example, he said the bill’s attempt to preserve loyalty programs was confusingly drafted and that the requirements related to sensitive data would interfere with advertising that consumers want and expect.
- Ohlhausen focused primarily on how the bill shifts oversight of telecom entities from the FCC to the FTC. While she strongly supported the shift, she expressed concern that the bill left voice services with the FCC while imposing onerous new requirements on broadband and video (rather than just shifting existing requirements to the FTC). Ohlhausen also recommended that the bill include a broad carve-out for “first party” data uses so as not to restrict routine, expected activities, and said that the multiple exceptions to preemption would undermine the goal of creating a national privacy standard.
Other items of interest
- Lesko asked Lee and Ohlhausen whether the algorithmic assessment should address discrimination based on political viewpoint. Neither was supportive – Lee because of potential First Amendment concerns, and Ohlhausen because it is outside the FTC’s expertise.
- Pence asked Fitzgerald whether the US should shift to a system that simply compensates people for their data. Fitzgerald said that would disadvantage less wealthy populations.
- Armstrong said the preemption provision was confusing and suggested that future amendments to state privacy laws not preempted would make it more so.
- Fletcher discussed the significance of protecting health and geolocation information in light of the impending Supreme Court decision on abortion rights.
- Castor and Trahan emphasized the importance of protecting kids, citing their own efforts to expand protections for minors over the past two years.
- In response to questioning, Dufault and Kantor expressed strong support for retaining the “actual knowledge” standard for determining who is a minor, stating that “constructive knowledge” is confusing and unworkable.
Where does this leave us?
- Although no one “bashed” the bill at the hearing, the witnesses and members all raised numerous issues and concerns, with differing perspectives on how to resolve them. Subcommittee leaders aren’t giving up, but they have their work cut out for them and very little time to do it. Next step, Subcommittee markup!