US Bipartisan Privacy Proposal Has Cybersecurity MandatesLawmakers Impatient With Hands-Off Approach to Industry Cybersecurity Practices
A discussion draft of a federal privacy bill carrying key bipartisan endorsements could also mark the return of a regulatory approach to cybersecurity that has been avoided by U.S. lawmakers for a decade.
The last major congressional attempt to impose a regulatory regime for private sector cybersecurity failed in the Senate in 2012 amid pushback from industry. Since then, the Washington consensus has eschewed national mandates in favor of voluntary partnerships. That consensus is wearing thin amid an uptick in cyberattacks with real-world consequences including a ransomware-sparked dayslong shortage of gasoline last year in America's Southeast.
The American Data Privacy and Protection Act is principally a bipartisan and bicameral attempt to move forward with long-stalled privacy legislation by offering a compromise on hot-button issues that have slowed momentum. Backlash in Congress and elsewhere is mounting against what critics dub the internet-fueled rise of "surveillance capitalism."
The draft has the backing of House Energy and Commerce Committee Chair Frank Pallone, D-N.J., ranking committee Republican Cathy McMorris Rodgers of Washington and Senate Commerce Committee ranking Republican Roger Wicker of Mississippi. The bill would guarantee consumers new rights, such as consent prior to having sensitive data collected or shared.
It would preempt state privacy laws, with exceptions for state statutes limiting facial recognition and the many privacy laws governing matters such as employee information, tax records and the confidentiality of library records. Illinois' Biometric Information Privacy Act would be preserved, but the bill would mostly gut a California privacy law approved by state voters in 2020.
The proposal also calls on the private sector to maintain "reasonable" cybersecurity practices. Among the specific requirements is the ability to assess vulnerabilities, including a plan for receiving and responding to unsolicited reports from researchers.
The Federal Trade Commission would be charged with enacting new implementations for regulations and with enforcement under its existing authority to sue companies for unfair and deceptive trade practices. State attorneys general could likewise take violators to civil court.
After waiting four years from the proposal's passage into law, individuals and class action representatives could sue for damages, with some limitations. Lawsuits seeking injunctive relief or against small businesses could be subject to dismissal if the company resolves the underlying violation within 45 days.
Low Prospects for Success
Whether the proposal's assembly of heavy-hitting backers can convert it into law is an open question.
Notably lacking from the roster of supporters is Senate Commerce Chair Maria Cantwell, D-Wash., who immediately released a statement critical of the bill.
"For American consumers to have meaningful privacy protection, we need a strong federal law that is not riddled with enforcement loopholes," she said.
"Consumers deserve the ability to protect their rights on Day 1, not four years later. Americans also deserve a law that imposes a duty of loyalty on the companies that collect and monetize personal data so that the companies cannot abuse that data," Cantwell says.
Without her backing and the support of other committee Democrats, the proposal would be unlikely to become law. The draft bill may not even have the full support of Democrats within the House Energy and Commerce Committee, given its treatment of California privacy law.
"Federal privacy legislation cannot undermine California's groundbreaking privacy laws," Rep. Anna Eshoo, D-Calif., said during a Tuesday subcommittee hearing.
Industry lobby the U.S. Chamber of Commerce has signaled opposition to any bill authorizing private right of action, which gives private citizens the ability to enforce their rights under a statute. Tech industry association NetChoice criticized the bill for not preempting enough state laws, adding that the proposal "leaves a fractured and complex national privacy environment."
The summer can be a productive time for federal legislation, and some members may urge their colleagues onward given an anticipated change in Senate Commerce Committee leadership in which Texas Sen. Ted Cruz could assume the role of most senior Republican.
In a joint statement, Pallone, McMorris, Rodgers and Wicker vowed they will work "on both sides of the aisle to build support and finalize this standard to give Americans more control over their personal data."