The bipartisan data privacy bill has divided House Republicans, pitting the chairman of the powerful House Energy and Commerce Committee against House GOP leadership.
House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) and Senate Commerce Committee Chair Maria Cantwell (D-WA) are leading the effort to create the American Privacy Rights Act, a long-awaited bill that would establish comprehensive federal data privacy regulation.
The bill would be a career highlight for Sen. McMorris Rodgers, who is leaving Congress at the end of the year, but top Republican officials have signaled to fellow Republicans that they oppose the current version of the bill, casting doubt on whether it will ever get a vote.
“A lot of concerns have been expressed over the last few months about different parts of the bill,” House Majority Leader Steve Scalise, R-Louisiana, told The Hill.
Despite leadership opposition, the Energy and Commerce Committee is scheduled to consider amendments to the American Privacy Rights Act on Thursday.
Rep. McMorris Rodgers and House Speaker Mike Johnson (R-Louisiana) were spotted having a tense conversation outside the House chamber on Wednesday.
“I am committed to working with leadership and continuing to take steps to move forward,” McMorris Rodgers previously told The Hill.
“It is urgent that Congress act on behalf of our children and our nation to protect people online,” she added.
Johnson said the bill’s aims are important, but its details are causing people concern.
“I told her I would work with her to find a solution to those concerns, but it’s going to take some more work,” Johnson said. “Once they mark it up, that’s not the end of it. We’re going to address the marked-up version and have some more discussions, and engage interest groups and people who have concerns to see if we can mitigate those concerns.”
Scalise added that he hopes issues with the bill can be resolved in committee.
The US Privacy Rights Act seeks to establish the rules for data privacy, creating a single federal law rather than a smattering of state-by-state rules, and bring the US in line with other countries that have pushed for data privacy regulation. The bill gives people more control over their data, including adding requirements to allow users to opt out of targeted advertising and data transfers.
The key bipartisan balance the bill sought was to allow state law preemption, as Republicans had insisted, while allowing consumers to seek monetary damages through the courts, as Democrats had sought.
However, the ability to take legal action (known as a civil right of action) is a major argument against leadership.
“Civil right of action is a big concern because it throws a litigation lawyer at every small business in America,” Scalise said. “We’ve seen the abuse from the patent troll issue for years. Small businesses have been attacked by litigation lawyers for things they’ve done no wrong, and they’ve had to spend thousands of dollars each to put an end to it.”
Rep. Gary Palmer (R-Ala.), a member of the Energy and Commerce Committee and the ranking member of leadership as chairman of the Republican Policy Committee, also said concerns about excessive litigation are a driving force behind Republican opposition to the bill.
“This is one of those things that could possibly have a lot of unintended consequences,” Palmer said, adding that the bill was still being evaluated, “but it’s well-intentioned in trying to protect people’s privacy, especially children.”
The bill the committee will debate Thursday has been updated since it was passed at a subcommittee meeting last month. In addition to concerns raised by Republican leadership, some of those changes have prompted other criticisms of the bill.
Dozens of civil society groups, including the American Civil Liberties Union, the National Association for the Advancement of Colored People and the Human Rights Campaign, wrote to the committee chairs on Tuesday urging them to delay the markup and reverse updates that removed “key civil rights protections and algorithmic audit provisions.” The groups highlighted the need for protections given the lack of artificial intelligence (AI) regulation.
“The removal of these provisions is an extremely significant and unacceptable change to the bill and its scope. They should not have been removed. Worse yet, these provisions were removed without any prior consultation with stakeholders or consideration of their impact on the bill’s ability to address data-based discrimination in housing, employment, credit, education, health care, insurance and other economic opportunities,” the groups wrote.
“By failing to provide sufficient safeguards, Congress will be leaving all Americans unprotected from harmful AI technologies.”
The Center for Democracy and Technology, which receives funding from major tech companies, was among the signatories to the letter. The CDT also expressed concerns about the current language in the bill, including the exclusion of “on-device data” from the bill’s provisions.
Eric Null, co-director of the CDT’s Privacy & Data Project, called the exemption “overbroad” and said it “seems like a major loophole in the bill.”
Business and advertising groups also oppose the bill, adding to the many obstacles McMorris Rodgers and Cantwell face in passing privacy legislation before the end of the session in a hotly contested election year.
But the bill has the backing of the highly influential conservative think tank, the Heritage Foundation. Kara Frederick, director of the Heritage Foundation’s Technology Policy Center, said in a statement last week that unlimited data collection “is at the root of nearly every challenge we face as conservatives” and “creates many threats that undermine our fundamental rights and values.”
The bill, set to be debated Thursday, retains the state preemption provision, which could draw backlash from members of California’s delegation who have expressed concerns about federal law superseding state-enacted regulations, though the revised text includes an exception for the law regarding minors.
The bill would create an exception that would not prohibit any state laws that “provide additional protections for children and teens” and would set a floor, not a ceiling, for state-level protections for minors.
Children’s online safety has emerged as a rare issue of bipartisan agreement in Congress. During Thursday’s meeting, the committee is also set to consider the Child Online Safety Act, a bill that would regulate the operation of online tech platforms targeted at minors.
The Senate version of the Child Online Safety Act has more than 60 co-sponsors but has yet to be voted on in the Senate.
Michael Schnell contributed.
