As markup nears, knives come out for comprehensive data privacy legislation
With the American Privacy Rights Act (APRA) weeks away from a markup, critics of the bill’s language are ratcheting up pressure on congressional leaders to change the landmark federal comprehensive data privacy legislation.
On Monday, a coalition of business associations and big tech advocacy groups sent House Energy and Commerce Chair Cathy McMorris Rodgers (D-WA) a letter attacking the bill for failing to provide “a uniform national privacy standard.”
The letter’s authors, who refer to themselves as members of the United for Privacy Coalition, wrote that “full preemption of state law is an essential component of any meaningful federal privacy legislative effort.”
“Without full preemption of state laws, APRA will add to the privacy patchwork, create confusion for consumers, and hinder economic growth,” the letter said.
The coalition, which counts TechNet, NetChoice, the Business Roundtable and the Information Technology Industry Council among its 22 members, represents Fortune 500 companies, including most major big tech firms such as Apple and Google.
While APRA would override the 18 comprehensive state data privacy laws which have now been enacted nationwide, it does not currently preempt two aggressive “sectoral” state laws on the books, Illinois’s Biometric Information Privacy Act and Washington’s My Health My Data Act.
APRA also would override most of California’s aggressive state data privacy law, but currently includes a carve-out for the data breach portion of it.
Critics within the tech industry say the fact that APRA includes a private right of action with statutory damages for data breach violations in California will be a boon for plaintiffs’ lawyers while hurting business and innovation.
The coalition’s letter does not name those state bills, but privacy experts said that in addition to federal sectoral privacy laws such as the Health Insurance Portability and Accountability Act, the Illinois and Washington laws are the only legislation not preempted by the proposed sweeping new federal standard.
By wiping out the 18 varying state data privacy laws on the books, APRA goes a long way toward streamlining data privacy law, said Joe Jones, the director of research and insights at the International Association of Privacy Professionals.
Jones called APRA a “comprehensive approach to privacy” and noted that specific sectors like healthcare and finance have adapted to federal privacy regulations unique to their portfolios.
“Banks have just genuine consumer protection laws, but they also are very heavily regulated industries, so for them it's still going to be more straightforward [under APRA] because at the moment they're needing to comply with 18 state comprehensive laws plus the sector rules if they operate in all those states,” Jones said in an interview.
Last month, fifteen state attorneys general demanded Congress prevent APRA from preempting the wave of state comprehensive data privacy laws.
Previous federal comprehensive data privacy legislation, known as the American Data Privacy and Protection Act, is thought to have died without a floor vote in part because then-House Speaker Nancy Pelosi (D-CA) opposed the bill’s language overriding California’s trailblazing comprehensive data privacy law.
Data broker language too weak?
On Friday, a coalition of data broker deletion services — companies which help consumers remove data collected about them from the web — sent a letter to McMorris Rodgers decrying APRA’s data broker provisions as too weak, saying the bill’s blocking of third parties from assisting individuals in deleting their information will undercut Americans’ privacy.
“Does anyone think an elderly parent with dementia or a child can figure out how to initiate these requests on the proposed APRA data broker registry site?” the letter said. “Or a recent domestic violence survivor would prioritize or even know to visit an FTC [Federal Trade Commission] website?”
The letter’s authors, which include deletion services like DeleteMe and BlackCloak, also raised concerns about loopholes in how APRA defines data brokers and the lack of fines for non-registration by brokers. They specifically criticized how APRA allows businesses which make less than half of their annual revenue from data brokerage services to remain exempt from the law.
A broader coalition of California privacy advocates plans to send a separate letter condemning APRA’s data broker language, but that letter was not available by press time.
Editor's note: This article was updated at 4:25 p.m. EST with clarification about which portions of California's state privacy law would be preempted by federal legislation.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.