Communications and Technology

Is a Federal Consumer Data Privacy Bill Around the Corner? What Your State Needs to Know

When crafting data privacy legislation, Members of Congress should embrace free market solutions that protect consumers online without impeding interstate commerce for thousands of small- and medium-sized businesses across the country.

Will 2024 be the year that Congress enacts a consumer data privacy standard? Over the weekend, two key Members of Congress inched the United States closer to the elusive goal of a uniform, federal data privacy law after nearly two years of stalled negotiations on Capitol Hill.

On Sunday, April 7, House Energy & Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Commerce Committee Chair Maria Cantwell (D-WA) announced their plans for a new bipartisan data privacy framework: The American Privacy Rights Act (APRA). This new framework revives a failed 2022 Congressional data privacy effort called the American Data Privacy and Protection Act (ADPPA). Despite bipartisan momentum last Congress, even clearing committee markup on an overwhelming 53-2 vote, the proposal stalled amid objections from California Democrats—including then-Speaker of the House Nancy Pelosi—and was never brought up for a vote on the House Floor.

Although the introduction of the APRA represents a significant step forward, many procedural hurdles remain, and final passage is far from guaranteed in this early stage. As deliberations on this new privacy effort develop, ALEC will continue to monitor the situation and provide periodic updates explaining what a federal data privacy law means for you and your state.

How will APRA affect data privacy bills in the states?

To date, at least 14 states have enacted their own “comprehensive” consumer data privacy laws: California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia. Earlier this month, the Maryland General Assembly approved SB 541, the Maryland Online Data Privacy Act of 2024, and sent the measure to Governor Wes Moore for his signature. Several more states, including Massachusetts and Maine, are likely to advance new data privacy bills of their own in the near future.

Importantly, the APRA contains provisions that “expressly preempt [data privacy] laws of a State or political subdivision thereof” and establish one uniform, national data privacy standard that lifts undue burdens on interstate commerce.

ALEC members adopted a model resolution expressing that a single federal standard for comprehensive data privacy is preferable to a 50-state patchwork, protects consumers, and supports American businesses.

Potential sticking points on enforcement

As written, the APRA grants the Federal Trade Commission (FTC) primary enforcement authority, classifying a data privacy violation as an unfair or deceptive practice under the FTC Act. State attorneys general, who are well-positioned to identify and address consumer privacy violations, may also seek relief.

However, according to a section-by-section breakdown provided by the sponsors, the bill currently provides for a private right of action, allowing individuals to file private lawsuits against entities that violate the law, and preserves provisions of some existing data privacy laws in California and Illinois.

Similar to some artificial intelligence legislation moving through states like California and Connecticut, the APRA also installs a regime of algorithmic impact risk assessments when algorithms are used to make “consequential decisions” in certain industry sectors, including credit, education, employment, health care, housing, and insurance. The APRA requires entities to allow individuals to “opt out” of a company’s use of algorithms for such decisions.

In a recent statement, Senate Commerce Committee Ranking Member Ted Cruz raised concerns with how some of these provisions might be abused, saying, “I cannot support any data privacy bill that empowers trial lawyers, strengthens Big Tech by imposing crushing new regulatory costs on upstart competitors or gives unprecedented power to the FTC to become referees of internet speech and DEI compliance.”

When crafting data privacy legislation, Members of Congress should embrace free market solutions that protect consumers online without impeding interstate commerce for thousands of small- and medium-sized businesses across the country.

What is the expected timeline?

The APRA was released as a discussion draft, and early reporting indicates the bill is expected to go through regular order, including hearings and markup at the committees of jurisdiction. With legislative days quickly evaporating from the House calendar before the 2024 campaign season begins in earnest, and with several competing tech priorities like a national TikTok ban on deck, the sponsors still have their work cut out for them.

For continued reading on this subject, and to learn more about the benefits of ALEC’s harms-based approach to consumer data protection, please see our publication: A Framework for Privacy Legislation.