IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Questions Remain as Lawmakers Craft National Privacy Law

Legislators, advocacy groups and industry experts have spoken at length about the draft national data privacy legislation, raising questions about its chances of success and what it could mean for states' privacy rules.

Earlier this month, a bipartisan group of legislators in the House and Senate proposed the American Data Privacy and Protection Act that would allow users to opt out of targeted advertisements and sue companies that misuse their data.

To get a better sense of things, we spoke with industry experts to understand the bill and where it currently stands.

However, before getting into it, one of the first things to note about the bill is that it’s actually a draft. Legislators are in the early stages of working with stakeholders on proposed language, meaning it’s far from being finalized.

With that understanding, let’s dive in.


According to the draft legislation, the proposal would cover the following areas: consumer awareness, transparency, individual data ownership and control, right to consent and object, data protection for children and minors, third-party collecting entities, civil rights and algorithms, data security, protection of covered data, general exceptions, and unified opt-out mechanisms.

It would also enforce specific requirements. For example, covered entities must provide individuals with privacy policies detailing their data collection, processing, transfer and security activities. These policies must also share how individuals can exercise their rights and how long an entity intends to retain covered data.


Under the bill, individuals would have the right to access, correct and delete covered data that pertains to them.

It also outlines rules for data protection for children and minors. In this case, targeted advertising is prohibited to any individual under 17. It would also prevent the transfer of covered data for individuals between the ages of 13 and 17 to third parties without express affirmative consent.

Outside of that, the bill also addresses civil rights and algorithm concerns. For example, covered entities cannot collect, process or transfer protected data in a manner that discriminates based on race, color, religion, national origin, gender, sexual orientation or disability.

As for algorithms themselves, large data holders would be required to assess their algorithms annually and submit annual algorithmic impact assessments to the FTC.


During a Consumer Protection and Commerce Subcommittee hearing, legislators and industry experts further discussed these concepts along with ways to improve the bill.

“For far too many years, Congress has tried and failed to advance comprehensive federal privacy protections,” said Rep. Frank Pallone, D-NJ, during the hearing. “This proposal is the first serious bipartisan, bicameral, comprehensive national privacy bill that directly confronts the sticking points which derailed earlier efforts.”

The bill also presents a fundamental shift in how data is collected, used and transferred, Pallone said. “It rejects the coercive notice-and-consent system that has failed to protect America's data privacy and security. At its core, the draft legislation requires relevant uses of personal data to be reasonably necessary, proportionate and limited to the services consumers request.”

As the hearing progressed, Reps. Cathy McMorris Rodgers, Jan Schakowsky, Gus Bilirakis, Anna Eshoo, and several witnesses shared their thoughts, questions and concerns regarding the draft.

For example, John Miller, senior vice president of policy and general counsel for the Information Technology Industry Council, pointed out three specific concerns.

First, Miller explained, “the definition of sensitive covered data is overly broad in numerous respects. Perhaps the most problematic subsection appears to subject all online activity relating to individuals to opt-in consent, rendering many critical Internet functions difficult — if not impossible — to perform in areas ranging from routine browsing to preventing cyber attacks.”

Second, he said, the draft does not carefully distinguish the types of entities that use data or their obligations. Nor does it differentiate the responsibilities of covered entities, data controllers, service providers or data processors.

Thirdly, he said, “we have concerns that as presently drafted, the definition of targeted advertising would prevent the ad-supported Internet business model from continuing. Any federal privacy law should protect the privacy of Americans but also seek to preserve data innovation in the business models that have helped power the growth of the Internet economy.”

Another concern voiced during the hearing was inconsistencies surrounding existing and future state privacy laws.

“This draft stops an unworkable patchwork of state laws, ensures protections don’t change across state lines and provides certainty to Americans and businesses,” McMorris Rodgers said during the hearing.

Essentially, if the draft is adopted and passed, all currently enacted state privacy laws would become null and void except for a few portions of specific bills.

Five states currently have privacy legislation in place. Those states include California, Colorado, Connecticut, Virginia and Utah.

“There is definitely some discussion to be had,” Elizabeth Schweyen, senior manager of global privacy and compliance at California-based software company Druva, said. “I guess my one concern with it being passed is that they have to get buy-in from those states that have already passed privacy regulations, which go beyond this federal regulation.”

Another concern pertains to private rights of action. The legislation provides strong enforcement measures that would allow the FTC and state attorneys general to act against any data holders violating provisions in the act, but it also allows limited private rights of action, meaning individual citizens could litigate perceived violations in limited circumstances.

This could create an environment for frivolous lawsuits, critics warn.

"It does seem that the private right of action will present obstacles for consumers to approach organizations that they feel have abused their data in some ways," Schweyen said, "But there’s also some concern that it could lead to individuals abusing this power and maliciously seeking out lawsuits against organizations where it’s just going to create an influx of lawsuits within the system.”

Despite these concerns, legislators and advocacy groups seem to agree the draft is a step in the right direction.

“Let’s keep building on these principles and make progress on this draft so people can trust how their data is collected and used, so America wins the future in technological innovations that raise our standard of living and improve people’s lives across the globe,” McMorris Rodgers said.

From an advocacy group perspective, Alexandra Reeve Givens, the CEO and president of the Center for Democracy and Technology, said, “This draft shows that there is a bipartisan path forward on long-overdue legislation to protect consumers’ privacy. Americans want and desperately need legislation to protect their personal data and promote trust in the online world. While it’s not perfect, the draft is a hopeful first step. We urge Congress to move forward with the legislative process and pass legislation by the end of this year.”
Katya Diaz is a staff writer for Government Technology. She has a bachelor’s degree in journalism and a master’s degree in global strategic communications from Florida International University.