Corporate lobbying could imperil sweeping data privacy bill
Industry lobbying could imperil a comprehensive privacy bill that would fundamentally shift the way companies collect user data online.
Since its introduction in June, the American Data Privacy and Protection Act has been one of the most lobbied bills in Congress, drawing attention from more than 180 corporate clients, including Amazon, Disney and Target, according to data from research group OpenSecrets.
The bipartisan bill, which represents a breakthrough for lawmakers after years of negotiations, would restrict the kind of data companies can collect from online users and the ways they can use that data.
Its provisions would impact companies in every consumer-centric industry — including retailers, e-commerce giants, telecoms, credit card companies and tech firms — that compile massive amounts of user data and rely on targeted ads to attract customers.
“The gist of the bill is to have companies not collect any more data than they need to provide you with the service that you’re engaging with,” said Sara Collins, senior policy counsel at Public Knowledge, an interest group that backs the bill.
Corporate interests have already successfully softened some sections of the bill, which advanced through the House Energy and Commerce Committee by an overwhelming 53-2 vote last month. But other policy battles threaten to completely upend the privacy effort.
Business lobbyists argue that the bill must override state privacy laws so that companies can comply with a national standard rather than a patchwork of regulations. But California lawmakers say they won’t support the measure if it undermines their state’s privacy rules.
California state officials, including Gov. Gavin Newsom (D), sent letters urging the committee against preempting the state’s law. And the only two members to vote against advancing the bill out of committee last month were California Reps. Anna Eshoo (D) and Doris Matsui (D).
“I recognize that this law would be an improvement for much of the country, but I can’t say the same for my constituents and all Californians,” Eshoo said during the markup.
Daniel Solove, a professor at the George Washington University Law School, said in many ways the bill as written is stronger than California’s current data law. He said the concern is that the bill would preempt state laws in a way that locks regulation in, preventing it from advancing within the next decade or so.
“It’s more about the future, it’s about what is going to happen to law over time, because Congress passes laws generally and never does anything with them. So it’s like planting a plant and never watering it,” he said.
While California lawmakers say the bill doesn’t do enough to protect the state’s own laws, business groups say that it fails to create a national standard.
“As of now, the bill’s exceptions to preemption swallow the rule, having the net effect that state laws regulating the same subject matter will remain in effect even if this bill is enacted,” David French, a lobbyist at the National Retail Federation, wrote in a recent letter to lawmakers.
Another key sticking point for some companies is the private right of action included in the bill, which would allow individuals to sue companies for violating their data privacy rights under the new law.
Gary Shapiro, president and CEO of the Consumer Technology Association, wrote to the bill’s sponsors in June asking them “not to burden industry and federal courts with a new private right of action.”
Doing so, Shapiro said, would lead to a “rush of lawsuits that will slow the pace of innovation and embolden trial lawyers seeking to take advantage of a litigious environment under the guise of helping consumers.”
But for Democrats, it’s a critical component of the bill. And for some, including Senate Commerce Committee Chairwoman Maria Cantwell (D-Wash.), it doesn’t go far enough.
The amended version of the bill that advanced out of the House Energy and Commerce Committee last month shortened the delay of enforcement of the private right of action to two years, from the initial four.
Even with the amendments, Cantwell has remained steadfast in her opposition to the bill put forward by Senate Commerce Committee ranking member Sen. Roger Wicker (R-Miss) and House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) and ranking member Rep. Cathy McMorris Rodgers (R-Wash.).
Meanwhile, Wicker appears opposed to moving forward any privacy legislation other than the bipartisan bill advancing in the House. Last week, he voted against advancing a bipartisan kids’ data privacy bill, which includes some of the same provisions around minors’ data as his own bill, out of the Senate Commerce Committee because he said the panel should be focused on the comprehensive proposal.
“The agreement itself is quite an accomplishment, but there seems to be a pretty long distance to go. It’s rare to see a bill this big and complicated on policy grounds being passed the first year it’s actually introduced,” said Nick Xenakis, special counsel at Covington & Burling and a former top Democratic aide on the Senate Judiciary Committee.
A wide range of companies, including Toyota, Airbnb, Intuit, American Express, Home Depot, eBay, T-Mobile and Verizon, reported lobbying on the bill in the second quarter of 2022.
In June, Fox Corp. and the Walt Disney Co. hired former Rep. Greg Walden (R-Ore.), who previously chaired the House Energy and Commerce Committee, to lobby on the privacy bill, according to reports filed with Congress.
Business lobbyists have secured some key wins throughout the process.
For example, one provision allowing users to opt out of ad targeting was weakened when lawmakers inserted an authentication process that privacy advocates say would give companies a way to avoid honoring user preferences.
In an apparent gift to telecom giants, the latest version of the bill would take away the Federal Communications Commission’s (FCC) ability to enforce privacy rules for carriers that process billions of text messages and calls. Under current law, enforcement would be handed to the Federal Trade Commission, which has far fewer powers than the FCC.
“The FCC has been handling privacy enforcement for the telecom industry for years and has a long history of doing that, and it seems rather silly to get rid of an effective regulator for consumers,” Collins, of Public Knowledge, said.