
House Republicans unveil data privacy law that would override state protections

House Republicans on Wednesday introduced a federal comprehensive data privacy bill that would preempt at least 20 state laws, alarming privacy advocates who urged lawmakers to vote against it because they believe the protections it offers are too weak.

The bill, known as the SECURE Data Act, is backed by top Republicans on the House Energy and Commerce and Financial Services committees and is the result of 14 months of work by a Republican-only Privacy Working Group tasked with drafting it.

Congress has tried for years to get comprehensive data privacy legislation enacted with no success. The new bill tears up a tougher proposal that was introduced in the last Congress with bipartisan support but faced opposition from House Republican leaders.

Republican supporters of the new bill said in a press release that it has a robust data minimization clause since it limits the collection of personal data to what is “adequate, relevant, and reasonably necessary” for the purposes disclosed to consumers. 

They hailed the bill for requiring that sensitive data only be processed with a consumer’s consent and for giving consumers the right to know their data is being collected and used, to delete their data and to access a portable copy of it.

Key Republicans also praised the bill for requiring the Federal Trade Commission (FTC) to set up a data broker registry that would include a search function so that consumers can look up data brokers and see their privacy policies.

The proposed legislation “establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping,” Committee Chairman Brett Guthrie (R-KY) said in a statement. “We look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy.”

Privacy advocates balk

Privacy advocates said the bill’s limited protections are rendered toothless by overly broad language, narrowly defined categories and several caveats.

The bill’s definition of sensitive data does not include important elements, according to Eric Null, director of the Privacy and Data Project at the Center for Democracy and Technology. 

The only health data counted as sensitive involves diagnoses, meaning data collected by period tracking apps and other health tech is exempt. The proposed legislation also does not protect the contents of consumers’ communications or financial data held by non-financial institutions, Null said in an interview.

The data minimization provision is weak, Null added, because the “adequate, relevant and reasonably necessary” language is broad and therefore easy for companies to work around.

Nineteen states now have similar minimization language in place and “nothing has changed as far as the privacy practices of online companies,” Null added.

The bill’s lack of a private right of action — which allows consumers to sue companies that violate its provisions — and the fact that it will preempt several strong state privacy laws make it even more important that lawmakers oppose it, he said.

Null also took issue with the provision requiring the FTC to create a data broker registry, saying it is not worthwhile because consumers will still have to approach hundreds of data brokers individually if they want to request that their data not be collected or that it be deleted. 

The comprehensive data privacy legislation introduced in the last Congress, the American Privacy Rights Act, had a much stronger requirement for the FTC to create a “Do Not Collect” registry so that consumers could sign up and block all data brokers from collecting and selling their data all at once, he said.

Significant exemptions

The bill includes a series of exemptions for categories of data it won’t apply to.

These include exemptions for data collected when users have requested a service, when data is collected as part of a contract and when a company is developing and improving products and services. The last of these exemptions will allow data collection for AI training, Null said.

He called the exemptions a “big enough loophole to make the law completely toothless.”

“Companies may very well argue that essentially all of their data practices are designed to provide products and services requested by consumers, or are provided under a contract — privacy policies can be considered contracts as well as B2B enterprise contracts — meaning all of that data would in theory be exempt from the other weak protections in the bill,” Null said.

Cobun Zweifel-Keegan, a managing director at the IAPP, noted in a LinkedIn post that the bill adds some elements to the state law from Kentucky that it draws heavily from. 

“It has some big additions from the state framework, including treating teen data as sensitive (opt-in consent), a section on cross-border data transfers, and a code of conduct section,” the post said.

But Zweifel-Keegan also noted that the bill makes no mention of automated decision making technology and only recommends a study on whether to have rules for universal opt-out mechanisms instead of requiring them.

“This bill is a ‘privacy’ bill in name only and could cause real harm,” Cody Venzke, a senior staff attorney at the ACLU, said in a statement. “It places the onus on regular people to wade through reams of privacy policies and ask tech companies to stop abusing our data, and it leaves us without real recourse — even blocking us from going to court — if our requests go unanswered.”

The committee also released a second bill focused on financial data on Tuesday. That bill, the GUARD Financial Data Act, includes many of the same protections as the SECURE Data Act and applies them to financial institutions.

Suzanne Smalley is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.