Latest Federal Data Privacy Bill Has Bipartisan Support | Digital Guardian

The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

Latest Federal Data Privacy Bill Has Bipartisan Support

by Chris Brook on Monday June 6, 2022

Contact Us
Free Demo
Chat

There’s been countless data privacy acts introduced over the years but the American Data Privacy and Protection Act, introduced Friday, is the first with bipartisan promise.

The proverb "If at first you don't succeed, try, try again" has been kicking around since the 1800s but it's also an apt summation of Congress’ attempts over the years to pass comprehensive federal data privacy legislation.

A bill introduced last week that has bipartisan support - a first for these type of bills - is giving hope for those seeking a national standard for what companies can and can't do with Americans' data.

A discussion draft of the data privacy bill, simply titled the American Data Privacy and Protection Act - touted as ADPPA in some circles - was introduced by U.S. Representatives Frank Pallone, Jr. (D-NJ), Cathy McMorris Rodgers (R-Wash.) and U.S. Senator Roger Wicker (R-Miss) on Friday.

As part of the legislation’s requirements, companies would have to limit the data they collect on consumers. While the details still need to be ironed out, under the act, organizations would only be able to collect data that's “reasonably necessary, proportionate, and limited” in relation to the products or services they offer.

Like other data privacy bills of late, it would also empower individuals by giving Americans the ability to access their own data, request that it be deleted or corrected, and to export that data.

Save for two states, California and Illinois, the bill would also preempt data privacy state laws already on the books, something that's proven to be a sticking point for both parties to agree on.

"State laws covered by the provisions of the Act are preempted, subject to a list of specified state laws to be preserved," reads the act's draft summary.

The list is lengthy but includes consumer protection laws, civil rights laws, and data breach notification laws to name a few. It also includes the Illinois Biometric and Genetic Information Privacy Acts and part of the California Consumer Privacy Act (Civil Code Section 1798.150) that says California residents whose non-encrypted or non-redacted personal information is breached can sue organizations for damages.

Like California’s landmark data privacy law, if it’s passed, the American Data Privacy and Protection Act would also grant a private right of action, giving people the power to sue companies for violations, something tech companies have long fought against.

If there’s any consolation here for them, it's that if passed, it won’t happen for a while.

In its current iteration, the bill will require four years to pass after the act takes effect for consumers (or groups of consumers) to bring a civil action seeking compensatory damages. Individuals will still need to notify the Federal Trade Commission - violations of the Act will be treated as violations of a rule defining an unfair or deceptive act or practice under the FTC Act -and their attorney general to do so.

Speaking of the FTC, the bill would task the agency - the chief federal agency on privacy policy and enforcement - with creating a new bureau, similar to the Bureaus of Consumer Protection and Competition, to enforce the act and hold companies in compliance. The FTC would also have to carry out a study and devise a mechanism for consumers to opt out of targeted ads across websites and out of data collection practices carried out by brokers.

It’s of course too early to know what the actual outcome of the bill and the effort behind it will be but the fact that there’s a bipartisan push behind it could mean it may see movement sooner than later.

Still, there will be hurdles. The private right of action will continue to be a thorn in the side of tech companies and some politicians, Sen. Brian Schatz (D-Hawaii) and Sen. Maria Cantwell (D-Wash.) in particular, seem less keen on the bill. That's in addition to the fact that it's an election year, something stereotypically can pose a challenge to laws getting passed.

While we're not exactly closer to seeing a comprehensive data privacy bill get passed, it certainly feels like more of a possibility than it did last week at this time.

Tags: Data Privacy

Recommended Resources


  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • How to simplify the classification process
  • Why classification is important to your firm's security
  • How automation can expedite data classification

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.