Endgame On: The narrowing path ahead for privacy legislation

Photo caption: Senate Commerce, Science and Transportation Committee ranking member U.S. Senator Roger Wicker (R-MS) asks a question of Gigi Sohn, President Joe Biden's nominee to serve on the Federal Communications Commission, during her confirmation hearing before the Senate Commerce, Science and Transportation Committee, next to Senator Maria Cantwell (D-WA).

After almost four years of effort and in a highly polarized political environment, any bipartisan agreement is a huge deal. That’s why the June 3, 2022 release of a bipartisan “discussion draft” from party leaders on both sides of the Congressional committees that oversee consumer protection and technology issues has galvanized the national privacy debate.

It is an even bigger deal when the agreement is moving toward committee votes and markups with the potential for passage this year. To date, the promising draft includes civil rights protections proposed by key civil rights organizations limiting the use of personal information; significant limits on data collection, use, and sharing of personal information that will affect existing data practices; a private right to sue for injuries caused by privacy violations; as well as significant preemption that still preserves much state privacy law developed over more than a century.

The bipartisan, bicameral proposal, called the American Data Privacy and Protection Act (ADPPA), is offered by three of the four committee leaders: Reps. Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA), respectively Chair and Ranking Member of the House Energy & Commerce Committee, and Sen. Roger Wicker (R-MS), Ranking Member of the Senate Commerce, Science & Transportation Committee. The proposal was received favorably at a June 14 hearing in the Subcommittee on Consumer Protection and Commerce of the House Energy & Commerce Committee, with members on both sides giving serious and collegial attention, and industry and civil society witnesses expressing concrete interest. A subcommittee markup is scheduled for Thursday, June 23.

This agreement is the product of what began as “four corners” negotiations among all four committee leaders. But the absence of the Senate chair, Sen. Maria Cantwell (D-WA), is glaring. Sen. Cantwell, who has had intermittent negotiations with Sen. Wicker since 2019, issued a statement criticizing the ADPPA discussion draft and introduced version, and previously put the brakes on another bipartisan privacy bill between two leaders of a subcommittee. She may also bring further revisions to her own 2019 Consumer Online Privacy Rights Act (COPRA); whether this will narrow or widen the policy gap is still up in the air.

This article is not a comprehensive look at the three corners proposal, nor a comparison to Sen. Cantwell’s recent draft of a revised COPRA (with another draft rumored to be in the works). Rather, it focuses on a few highlights, key issues, and key provisions to identify ways to close gaps or fix problems as legislators move toward markups, new bills, and potential broader compromises. As the article was going to publication, a new bill (H.R. 8152) and a substitute amendment that make changes to the discussion draft were filed in preparation for the markup. The article reflects a rapid, but incomplete, review of those changes.

We’re in the endgame now

Two years ago, colleagues at the Brookings Institution and I issued a detailed report on earlier Sens. Cantwell and Wicker bills that charted a path toward compromise across a range of issues and provided model bill language. A number of the compromises evident in the “three corners” drafts as well as Sen. Cantwell’s track this roadmap. In particular, they reflect the grand bargain on the preemption of state laws and private rights of action, trading off the preemptive national standard that industry has sought in exchange for the private enforcement that civil society wants. In 2019, I characterized these as “endgame issues”—familiar issues that call for fundamentally political compromises once the substantive terms of a privacy bill are known. The fact that lawmakers have reached bipartisan agreement on these two issues, and that there is broad agreement on substantive terms, indicates that the endgame for privacy legislation in the 117th Congress has arrived.

The gaps between the bipartisan draft and a previous, widely circulated draft of Sen. Cantwell’s bill are not large, and, in important respects, the bills are identical. Both would make crucial changes to existing information-sharing ecosystems in which companies themselves decide what to collect and share without limits, and would enlarge individual rights to protect personal information.

The House Energy & Commerce subcommittee markup on June 23 is taking place with an eye toward full committee action before or after the July 4 congressional recess. That’s a timetable that could get the bill to a House floor vote before election season takes over. However, without broad agreement among the various interests that raise specific issues with the bipartisan proposal (especially those of Sen. Cantwell), the ADPPA is not yet on a glide path toward passage.

The three corners bill and COPRA both face two realities.

One is probable: without Cantwell, a House-passed bill has a slim chance in the Senate. The other is certain: a partisan bill cannot pass. These realities have moved members of Congress as well as stakeholders across industry and civil society toward compromises rather than risk a blank slate in another Congress.

These same realities might also move Senator Cantwell. Between privacy legislation and her role as a co-chair of the 107-member conference committee on the massive U.S. Innovation and Competition Act to fund semiconductor manufacturing and wireless communications and improve competitiveness, she has an opportunity to exercise national leadership in the mold of Sen. Warren Magnuson (1944-81), her Washington State and Commerce Committee predecessor whose impact on consumer protection is still felt more than 40 years later. Success in the passage of comprehensive federal privacy legislation could have a similar legacy.

Finding a path forward

There appears to be a path forward to full agreement on comprehensive privacy legislation in what remains of this Congress, and in the remaining sections, I outline key issues in getting there.

Boundaries on collection, use, and transfer of personal information.

Our 2020 report pointed to objective boundaries for the collection, use, and sharing of information as the “paramount issue” for comprehensive privacy legislation, and found the original Wicker and Cantwell bills fell short there because they tied boundaries to purposes specified in companies’ privacy policies. This perpetuated a “losing game” of check-box notices and disclosures that let the companies set their own rules for data collection, use, and sharing. Both the ADPPA and the revised COPRA now get this right.

Both bills would put in place the most essential information privacy protection, objective boundaries that will provide individuals a basis to trust that their personal information will be used and shared in ways consistent with their interests and expectations, regardless of what boxes they check. This would appropriately shift the burden of protecting privacy from individuals to the organizations that collect, process, and share personal information and change current information-sharing ecosystems that operate without limits. Under the heading “data minimization,” the bills limit information processing to what is “reasonable, proportionate, and limited” as provided by law, all while permitting identical sets of generally accepted uses of personal information—such as order fulfillment, security, and system maintenance—and enabling individuals to opt out of targeted advertising (as California and other state laws already require). They reserve affirmative consent mainly for categories of personal information defined as sensitive, for which specific, standalone disclosures would be required.

The ADPPA as filed tightens these boundaries further, prohibiting any collection, processing, or transfer that is not for a permitted purpose and putting the burden on the covered entity to demonstrate that the processing is both for a permitted purpose and reasonable, necessary, and proportionate to that purpose.

Unfortunately, each bill has a provision that weakens this protection. COPRA exempts small and medium entities from this fundamental protection (even though SMEs would remain subject to other obligations that are less important to substantive privacy protection but more administratively burdensome). More egregiously, the ADPPA omits the data minimization provision from the list of provisions enforceable by its private right of action, meaning that individuals could not sue for unexpected and undisclosed data uses that constitute some of the most notorious and intrusive privacy failures.

I suggest adding language to the list of categorically permitted uses (COPRA Section 206(a), ADPPA Section 209(a)) to provide what our 2020 report called “some play in the joints” for edge cases and innovation. This could allow for additional uses that “are consistent with the reasonable expectations of individuals and the context of the relationship between covered entity and individual.” To prevent this latitude from opening a loophole, covered entities should have the burden to show both this consistency and that there is no change in the volume or nature of the personal information collected for the initial products and services.

Duty of loyalty

Many of the differences between ADPPA and COPRA center around the concept of a “duty of loyalty,” a notion that has been percolating for a while as an element of privacy legislation from a number of privacy thinkers—myself included. It has emerged as a significant sticking point in negotiations, affecting both substantive provisions and the scope of private rights of action.

Both bills put the “data minimization” provision discussed above in a Title I headed “Duty of Loyalty,” but differ in how they express this duty. In its Title I, ADPPA adds: (1) a provision on “restricted and prohibited data practices” that in effect adds another layer for sensitive data, requiring granular consents and severely restricting the transfer of social security numbers; and (2) a provision on “privacy by design” that would require companies to put in place reasonable data practices taking into account “privacy risks.” While this proposal could be clearer about the nature of these risks, it is a step toward more considered data use.

The duty of loyalty provision in the draft COPRA revision would prohibit “deceptive data practices” and “harmful data practices,” which are defined terms. The first definition simply refers to unfair and deceptive practices and acts under the FTC Act, which adds no substance and seems more concretely addressed by the ADPPA provision prohibiting pretextual consent. The second tracks harms recognized in traditional invasion of privacy torts—financial, physical, or reputational harm or intrusions that are offensive to a reasonable person. This draws on duties framed in Sen. Brian Schatz’s Data Care Act, which was originally introduced in 2018 and drew 17 co-sponsors in 2021 (all Democrats plus Bernie Sanders). The Colorado privacy law also has provisions along similar lines.

In this vein, I wrote in a 2018 Brookings paper that what was missing in earlier comprehensive privacy proposals (including the one I led for the Obama administration) was “a simple golden rule for privacy: that companies should put the interests of the people whom data is about ahead of their own.” Privacy experts Woody Hartzog and Neil Richards have explored loyalty and how it can be implemented in information privacy laws, culminating in a final article this year in the Washington University Law Review.

In the end, though, it is not clear how much the loyalty provisions add to the substance of the bills. The harms COPRA specifies are likely to be caused by violations of other provisions—excessive data collection, discrimination, and security breaches. Thus, a violation of either the explicit duty of care in COPRA or the duty implied in the ADPPA’s privacy by design provision is unlikely to be additive. The protections that more directly affect how information is collected, processed, and transferred are what give real force to the legislation. Indeed, in a recent post on the federal bills, Hartzog and Richards observe that “the current federal proposals either focus on a narrow aspect of loyalty, such as data minimization, or they unnecessarily saddle loyalty rules with harm requirements.” While they see data minimization as a key element of loyalty, “[d]ata loyalty rules should also cover manipulation, breaches of confidentiality, wrongful discrimination, and reckless and extractive engagement models.”

Both proposals cover these additional elements. Data security and limits on transfers deal with confidentiality. Discrimination is explicitly addressed. They constrain extractive practices by enabling individuals to opt out of targeted advertising and restricting tracking tools like browser signatures and beacons. The ADPPA definition of “affirmative express consent” prohibits obtaining consent in ways that are misleading or manipulative (sometimes labeled as “dark patterns”), which addresses a key aspect of manipulation. The ADPPA’s privacy by design provision goes further than COPRA in the direction of what Hartzog and Richards call the “core mandate” of a duty of loyalty: “a prohibition on designing technologies and processing data that conflicts with the trusting parties’ best interests[.]”

The filed version of the ADPPA takes an important step toward recognizing COPRA’s concept of privacy harms. The ADPPA privacy by design provision adds “substantial privacy risks” to the required assessment, design, and implementation measures. It also adds a definition of “substantial privacy risks” that includes “reasonably foreseeable material physical injury, highly offensive intrusion into the reasonable privacy expectations of an individual under the circumstances, or discrimination on the basis of race, color, religion, national origin, sex, or disability.” This tracks the recognized privacy harms targeted in COPRA but adds discrimination. The effect would be to create a duty of care through the privacy-by-design provision’s obligation to put in place “reasonable” practices. This is a less explicit duty than COPRA’s—but substantially equivalent. It is the substance of the protections that matter most.

Private right of action

Another key sticking point between the circulating and forthcoming proposals is the extent to which consumers should have a private right of action. This centers primarily on the impact on private cases of clauses in consumer contracts—which the Supreme Court has held are enforceable—that require arbitration of claims and often waive class action rights. Both ADPPA and COPRA would allow private claims but within constraints that differ somewhat, limiting the damages recoverable and interposing differing notice requirements prior to beginning any suit.

Sen. Cantwell’s comments on the ADPPA have criticized the delay of the private right of action until four years after the law takes effect. Four years is a long time to wait, but some appreciable period for the law to be implemented makes sense, especially where compliance with several significant customer-facing obligations will be affected by FTC regulations or guidance. The two most significant and widely applicable privacy laws, the European Union’s General Data Protection Regulation and the California Consumer Privacy Act, allowed two years for companies to get ready before they went into effect, and our 2020 model recommended graduated dates, with some provisions effective immediately, and others allowing 180 days, one year, and up to two years. The private right of action was in the two-year group to leave time to complete FTC interpretation. Measured against these benchmarks, four years looks less distant.

More troubling in the ADPPA are the detailed requirements for notices and demand letters that are necessary predicates for bringing a case. Before bringing any action, a prospective plaintiff must give notice of the claim to the FTC and the state attorney general and allow them 60 days to bring a case, and any demand on a company before then will be deemed “in bad faith” and “unlawful.” In addition, the bill specifies language that must be included in a demand letter, without which a plaintiff and any class that plaintiff represents “shall forfeit their rights under this section.” It is one thing to interpose speed bumps on the way to the courthouse to deter “gotcha” lawsuits (as the right of action in our 2020 report proposed), and quite another to impose “gotcha” traps that risk sanctions and complete loss of rights.

The arbitration issue could be “the endgame of the endgame.” Even more than preemption or the private right of action as such, it involves what are at bottom political choices in the context of privacy legislation that may open or shut the door to passage. The contours of the issue are well-defined: in general, consumer interests oppose mandatory arbitration clauses as contracts of adhesion that deprive consumers of choice and dilute their remedies when they waive class arbitration; many businesses have adopted them to avoid litigation; and the Supreme Court has upheld them.

The original COPRA had a complete ban on mandatory arbitration agreements for any claims under the privacy law. Sen. Cantwell has pushed since then to retain this provision, but the circulated draft revision reduces its scope by limiting the ban to claims involving “substantial privacy harm,” which are similar in kind to the harms defined for “harmful data practices” but more concrete and descriptive. ADPPA in turn contains some compromise in this direction: a ban on mandatory arbitration for claims by claimants under 18.

Whether there is further middle ground on this issue remains to be seen. The positive response to the ADPPA by civil society suggests that, while limits on mandatory arbitration might be desirable on the merits, they may not be worth the price if insisting on them means blocking a privacy bill or losing class actions on privacy claims. Legislators face similar choices.

Covered entities

The ADPPA includes recurring references to taking into account the size and complexity of the covered entity, as well as the scale and nature of its data use, in FTC guidance on data minimization, privacy by design, regulations on individual control requirements, and data security. These are accompanied by a “small data exception” that defines small and medium entities and carves them out of certain obligations to ease regulatory burdens on SMEs (which, with the bills including non-profits within their scope, will include small and medium non-profits) and by added requirements for “large data holders.” This scaling resembles the tiering of obligations we suggested as a feature of our 2020 Brookings report and model legislative text. The COPRA draft has similar large data holder requirements, as well as a small data exception.

However, both bills have baffling choices of provisions to include or exclude in small data exceptions that would reduce privacy protections while not adequately relieving regulatory burdens where needed.

The ADPPA carves SMEs out of the data portability requirements in its individual control section (Section 203), but not out of the other requirements for access, correction, and deletion. This is a significant omission, because access, correction, deletion, and portability are the most burdensome and complex obligations to implement, owing to the amount of back-end engineering required and the ongoing costs of complying with requests (as I can attest, having still been in law practice when GDPR and CCPA were being implemented).

COPRA includes all these obligations in its small data exception, but it carves out data minimization (Section 102). Like ADPPA’s exclusion of data minimization from its private right of action, this carve-out undermines the crucial baseline protection of the legislation. It also exempts SMEs from data security (Section 205), another fundamental and necessary protection, even though this provision by its terms must be appropriate to “the size and complexity of the covered entity.” But it does not carve out a requirement for covered entities to appoint a data protection officer, which may be onerous for some SMEs.

Both bills define “covered entities” to broadly include any entities subject to the Federal Trade Commission Act. They also have provisions covering “service providers” that process data in the performance of services at the direction of another entity. These provisions are aimed at confining the service providers’ processing and transfer of data to the performance of their functions within the scope of the obligations of the entity on whose behalf the services are provided. However, the definitions of “covered entity” and “service providers,” as well as the provision on service providers, could impose covered entity obligations on service providers in circumstances where lack of control over data is an obstacle to compliance.

The EU’s GDPR and state laws in Colorado and Virginia address this issue by distinguishing between “controllers” and “processors.” Under that scheme, it is possible to be both, and to be a “co-controller,” depending on the functions performed and the control over the processing of data under particular circumstances. Federal bills have not adopted this definitional approach, but the ADPPA adds language to its service provider provision to clarify the delineation of obligations between a service provider and the covered entity being served, including requiring contracts between these parties.

Bringing common carriers under the FTC Act for privacy purposes also makes sense to create consistent rules for businesses and individuals, as discussed in our report. But subsections (e) and (g) of Section 222 of the Communications Act—the provision on the privacy of telecommunications data—deal with the transfer of data for directory purposes. These have competitive consequences, and thus should be carved out from the transfer of privacy jurisdiction to the FTC.

Finishing the job

The level of agreement to this point reflects serious legislative work in the four years since several committees hauled in Mark Zuckerberg over the Cambridge Analytica stories.

After dozens of hearings on privacy since, various exploratory bills, and much input from stakeholders, lobbyists, and commentators, lawmakers have noticeably deepened their understanding of the interests and issues involved in privacy legislation. Hearings, like the most recent one in the House, have displayed increasingly thoughtful questioning with a minimum of political point-scoring.

Negotiators and their staffs have invested much time and effort to get the policy debate to this point, and the shrinking differences between bills reflect this. Sen. Wicker will leave the Commerce Committee by the end of this Congress and so could have to write off his office’s investment. Senate Commerce Chair Cantwell could have diminished leverage in the next Congress if Republicans take control.

With the discussions being so close, Members of Congress should not miss this opportunity to get the job done—before election priorities close the window.