A bipartisan bill attempting to end the gridlock in Congress over crafting a federal data privacy law was introduced Friday by a pair of Republicans and a Democrat. But time is running short before Congress takes a break for August.
The American Data Privacy and Protection Act would create a national framework to protect consumer data privacy and security; grant rights to consumers regarding the handling of their personal data by companies; require companies to minimize the amount of personal data they collect; and enhance protections for children and minors.
“This bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone,” said the bill’s three sponsors in a press release: Sen. Roger Wicker (R-Miss.), Rep. Frank Pallone (D-N.J.), and Rep. Cathy McMorris Rodgers (R-Wash.).
The bill attempts to bridge the gap on two particularly thorny issues that have kept previous data privacy bills bogged down in committee: preemption of state laws and private right of action.
The bill aims to thread the needle on these two issues by creating exemptions. The law would preempt all state data privacy laws except the California Privacy Rights Act (CPRA) and two Illinois laws that set privacy rules for biometric and genetic information.
On private right of action, the bill provides consumers who believe their rights under the law were violated with the option of suing companies in federal court. But the catch is the private right of action would not take effect until four years after the law is enacted.
A federal data privacy bill tracker maintained by the International Association of Privacy Professionals (IAPP) lists 17 other data privacy bills currently being considered by Congress. None of them contain provisions for both preemption and a private right of action.
“Congress, industry, civil society, and the White House have all taken steps toward the creation of a U.S. federal privacy law,” the IAPP said. “What this law will look like—and when and if it will happen—are still very much in question, but day by day it’s looking more likely that a federal law is in the United States’ future.”
In the meantime, four states—Colorado, Connecticut, Utah, and Virginia—have joined California in passing comprehensive data privacy laws. The California Consumer Privacy Act will be updated as the CPRA on Jan. 1, while the other four state laws will also take effect in 2023. California is the only state with its own data privacy agency, the California Privacy Protection Agency (CPPA). The CPPA is set to discuss rulemaking for the CPRA at its regular meeting Wednesday.