House Energy & Commerce Committee Chairman Frank Pallone (D-NJ), along with Rep. Cathy McMorris Rodgers (R-WA), the ranking Republican on the Committee, and Senator Roger Wicker (R-MS), the ranking Republican on the Senate Commerce Committee, released a discussion draft of the American Data Privacy and Protection Act, a comprehensive national data privacy and data security legislative framework. The draft legislation is the first comprehensive privacy proposal to gain bipartisan, bicameral support.
The summary and section-by-section analysis are below and the draft bill is available here. The bill would be enforced by the Federal Trade Commission (through a new privacy bureau) and state Attorneys General. The draft takes a middle ground on some of the major sticking points:
- Preemption – the bill generally preempts state privacy laws but specifically excludes the California Consumer Privacy Act as amended by Proposition 24 and Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act.
- Private Right of Action – the bill creates a private right of action for enumerated offenses but it may only be brought sixty (60) days after notice to the Federal Trade Commission and state attorney general. The private right of action would not begin, however, until four years after enactment.
The American Data Privacy and Protection Act would:
- Establish a strong national framework to protect consumer data privacy and security;
- Grant broad protections for Americans against the discriminatory use of their data;
- Require covered entities to minimize, on the front end, the individuals’ data they need to collect, process, and transfer, so that the use of consumer data is limited to what is reasonably necessary, proportionate, and limited for specific products and services;
- Require covered entities to comply with loyalty duties with respect to specific practices while ensuring consumers don’t have to pay for privacy;
- Require covered entities to allow consumers to turn off targeted advertisements;
- Provide enhanced data protections for children and minors, including what they might agree to with or without parental approval;
- Establish regulatory parity across the internet ecosystem; and
- Promote innovation and preserve the opportunity for start-ups and small businesses to grow and compete.