Is there hope for privacy legislation in this Congress?

I have worked to project optimism about passage of comprehensive federal privacy legislation in the United States. In fact, when it appeared in 2019 that U.S. Senate negotiators were at an impasse, I copped to being “ridiculously optimistic” for saying I saw a path to legislation.

I was projecting scenarios of the possible. I was aware of continuing discussions—legislators continuing to invest staff time, talking with each other and with stakeholders to explore solutions. I could see pathways to agreement, and a subsequent report with Brookings colleagues in 2020 on bridging differences among key federal privacy bills was a detailed roadmap for getting there. Four years later, it’s hard to sustain anything like that optimism.

Two years ago, around this time of year, as the privacy world gathered in Washington, D.C. for the annual Global Summit of the International Association of Privacy Professionals (IAPP), there was little sign of progress. Senate negotiators were at an impasse and, if any privacy legislation was going to happen, it seemed it would have to come from the House, despite its members having engaged less in developing legislation. Despite the lack of outward signs of life, when I was asked if I thought legislation was possible, I would say it still had a beating pulse.

Soon afterward, without warning, a scenario for compromise on privacy legislation began to unfold. In the Senate, Senators Richard Blumenthal (D-CT) and Marsha Blackburn (R-TN) reached a private agreement on a bill that included key civil rights language from a House Republican staff draft. They neither filed their bill nor released it publicly, but it showed bipartisan compromise was possible and helped spur what emerged as the “four corners” negotiations among Democratic chairs and ranking Republicans of the Commerce Committees in both houses—Sens. Maria Cantwell (D-WA) and Roger Wicker (R-MS), and Reps. Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA).

These negotiations led to the “three corners” American Data Privacy and Protection Act (ADPPA) agreed to among Pallone, McMorris Rodgers, and Wicker and introduced in the House on June 21, 2022. For a time, the bill appeared to be on a fast track to passage in the House. The ADPPA was ordered to be reported out of the House Energy and Commerce Committee’s Subcommittee on Consumer Protection and Commerce by vote on June 23, 2022. The following month, the full Committee reported out a substitute bill by a 53-2 vote.

The ADPPA never made it to the House floor, though. Then-Speaker of the House Nancy Pelosi (D-CA) declined to bring it up, acting at the behest of California’s privacy regulatory agency and the state’s top officials including Governor Gavin Newsom. Although the ADPPA’s preemption provision left aspects of state privacy laws in place and specifically authorized the California agency to enforce the federal law, agency leaders argued it would lack enforcement authority under state law. And so, the bill died with the last Congress.

The current Congress presented a different political landscape for privacy legislation. With the changeover in control of the House, Reps. McMorris Rodgers and Pallone switched roles, as did Reps. Jan Schakowsky (D-IL) and Gus Bilirakis (R-FL), subcommittee leaders who co-sponsored the ADPPA. As this realigned Congress got under way, McMorris Rodgers publicly expressed her desire to resume bipartisan work based on the ADPPA and held several hearings to inform new committee members about privacy. Last fall, she reiterated her intention. But she has yet to introduce one—whether a new version of the ADPPA or otherwise.

Congress moves on to other issues

On the Senate side, Sen. Wicker left the Commerce, Science and Transportation Committee after patient work on privacy for more than three years, with Sen. Ted Cruz (R-TX) assuming his role as ranking Republican. Committee Chair Cantwell, who proposed several versions of her Consumer Online Privacy Rights Act starting in 2019, has voiced continuing interest but she too has neither introduced a bill nor (so far as I know) previewed one anywhere. Not previously involved in the privacy debate, Cruz has not picked up where Wicker left off.

Instead, congressional attention has turned to artificial intelligence (AI) and data protection for children. After the explosion of public attention last year on OpenAI’s Chat-GPT and other generative AI models and existential questions about AI, Senate Majority Leader Chuck Schumer announced a bipartisan task force to consider AI legislation with a series of “Insight Forums.” And, with unusual bipartisanship, the House this year announced formation of its own task force with co-chairs from each party who are knowledgeable on AI. On the data protection front, Sens. Blumenthal and Blackburn introduced a new version of their Kids Online Safety Act (KOSA) to regulate how platforms interact with children and teens and Ed Markey (D-MA) reintroduced his expansion of the Children’s Online Privacy Act of 1996 (COPPA 2.0). Both bills were reported out the Senate Commerce Committee in July 2023 and, on February 15, 2024, KOSA achieved more than 60 co-sponsors, including Majority Leader Schumer, opening a door to possible passage in the Senate.

Amid the attention on these issues, there was wide recognition that comprehensive privacy protection would go far to provide baselines of protection against risks to individuals from AI and broaden protections against abuses of personal information that affect children and teens. In a previous TechTank post last year entitled “How privacy legislation can help address AI,” I identified some 17 House members, three senators, and several hearing witnesses who had pointed to comprehensive privacy legislation as way to address not only AI, but also TikTok’s data collection and international competitiveness. These included Chair McMorris Rodgers; subcommittee leaders Bilirakis and Schakowsky; Rep. Jay Obernolte (R-CA), the Republican co-chair of the House AI task force; and Open AI’s Sam Altman.

More recently, Sen. Cantwell said at the markup of KOSA that she hoped the bill “isn’t the last of privacy issues that we will consider” and hoped to come back to those in September and later, at a hearing on AI, called out a need to do “whatever we can to make sure that we are protecting Americans’ privacy.” The eighth and ninth Senate AI Insight Forums in December 2023 focused on privacy and AI, and most of the commentary advocated for comprehensive privacy protection. In a speech on AI in February, Sen. John Hickenlooper (D-CO), a member of the Commerce Committee, said, “part of the solution has to be a comprehensive privacy law that will minimize the amount of unnecessary personal data collected and sold by private companies.”

The net result is that, for all these expressions of desire to pass privacy legislation, no vehicle for comprehensive privacy legislation is in sight at this late stage of the 118th Congress.

Then, lo and behold, legislation rockets out of the House in reaction to the data collected by a single app, TikTok. National security-related concerns that TikTok’s parent ByteDance could act at the direction of China’s government are legitimate, but the data that these entities collect is enabled by current U.S. law. Bills passed in the House to deny U.S. platforms to ByteDance and potentially other entities identified by the President as “controlled by foreign adversaries” and to prohibit data brokers from selling personal information to such entities (the latter unanimously) would address some of the risk. China can nevertheless avail itself of vast troves of U.S. data through false fronts, intermediaries outside the U.S., and hacking (as it did with Office of Personal Management data breach discovered in 2014). Comprehensive privacy legislation, like the ADPPA, that places boundaries around collection, use, and sharing of personal information, including placing the transfer of data to a third party like the Chinese government outside permissible purposes, would diminish this virtually unlimited attack surface. The White House executive order restricting data brokers from selling sensitive personal data to “countries of concern” would reduce this attack surface more broadly, but it is just one more piece of patchwork.

In the meantime, since the last Congress, the number of states introducing variations of privacy has nearly tripled to 14. In 2019, while the entry into force of California’s original privacy law was on the horizon, I predicted it could become an obstacle to a preemptive federal law unless that law provided broader protection. After California voters expanded their law in 2020, Caitlin Chin-Rothmann and I wrote that this increased protection “raises pressure to preserve state privacy laws.” While enactment of additional laws may increase demand for a consistent federal framework by making more of a patchwork, it also increases the risk that other state congressional delegations will apply former Speaker Tip O’Neill’s maxim that “all politics are local” and put their state’s interests ahead of national ones. Do I sound frustrated? I am. It has become hard to sustain optimism. There is little sign of energy being invested by legislators, staffers, companies, and advocates in this Congress to advance privacy legislation. Instead, there appears to be a combination of frustration and resignation—perplexity as to why comprehensive privacy can’t be accomplished and little expectation that it can be. Unlike two years ago, any pulse is faint.

Can surprises happen again?

It will take extraordinary measures to resuscitate privacy legislation in this Congress. Maybe some jolt will revive energy. After all, the TikTok legislation materialized despite negligible progress toward a solution to concerns about TikTok over the previous two years and passed the House by a 352-65 vote even though a significant portion of the House Republican Caucus is hostile to bipartisan legislation.

I do see at least one conceivable scenario to passage of broad privacy protection: If the Senate takes up protections for children and teens teed up by the support for KOSA and COPPA 2.0, the House could include more comprehensive privacy protections into those bills, providing privacy protections to all Americans. AI legislation has further to go, but an AI bill from the Senate could be a vehicle for a similar scenario. These may be long shots, but you must look for what is possible.