Pressure increases for US lawmakers on federal data privacy policy

In a landmark move, a US federal data privacy bill was reported out of the House Energy & Commerce Committee last week – the first time a consumer privacy bill has ever made it out of committee. It is timely - the landscape in the US surrounding tech companies’ collection and use of consumer data has never been more active. In recent years, voters have grown increasingly aware of, and concerned about, the idea of their data as a commodity, sold and used to further corporate objectives – evoking complex questions around ownership and user privacy in the digital world. And most recently, the Supreme Court’s decision to reverse Roe v. Wade has, for many, added a sense of urgency to data privacy regulatory efforts – increasing the pressure on Congress to rein in the power certain companies hold over consumers by collecting their data.

Since Europe passed the General Data Protection Regulation (GDPR) in 2018, the US has seen 72 state bills proposed across 35 states regarding the use, collection, and handling practices of consumer data, with five states successfully passing laws. Notably, the bulk of these bills was proposed in 2021, up from only 2 in 2018. At the federal level, Congress introduced 51 bills in 2021 alone focusing on consumer, health, financial, and children’s privacy rights. While industry may not yet view the prospect of a sweeping federal data privacy bill as near-term or realistic -- given ongoing gridlock and, up until very recently, general legislative unfamiliarity with the nuances of tech services --it is clear that Congress has staffed up on technical expertise and quietly taken action.

Last month, a group of bipartisan lawmakers in the House introduced the American Data Privacy Protection Act (ADPPA), beginning the most significant push for US federal data privacy legislation yet. Most notably, the proposal reflects bipartisan terms, such as overriding certain state privacy laws - a Republican-supported measure -- and granting consumers a right to bring lawsuits against business entities that violate privacy laws – a measure favoured by Democrats.

The most recent version of the ADPPA unveiled on Tuesday, July 19, includes several updates strengthening privacy protections. For example, the new draft includes a measure to accelerate the timeline, from four years to two, for consumer lawsuits against companies for privacy violations – a change aimed directly at appeasing Sen. Maria Cantwell (D-WA), the chairwoman of the Senate Commerce Committee who had initially expressed concerns about industry loopholes in the bill text, and whose opposition remains a major obstacle for the bill’s future in the Senate.

The momentum behind ADPPA may be driven in part by renewed pressure on policymakers to act on data privacy following the reversal of Roe v. Wade, which ended the federal right to abortion in the United States and allowed state laws criminalizing the procedure to take effect. This decision raises the stakes significantly – for instance, under Texas's new law, which goes into effect 30 days after the Supreme Court’s decision, providing or aiding an abortion will become a felony carrying a two- to 20-year prison term.

While the most obvious operational impact of all of this for the tech industry appears limited, at first glance, to women’s health tech services and data, the move by some states to criminalize abortion puts all companies who possess potentially incriminating user data - such as location data, internet search, or messaging history – in the unsolicited and precarious position of holding the evidence that may deliver a conviction if requested by prosecutors building a case. Further, as states consider additional legislation to prevent their residents from traveling to other states where abortion is legal, such data will likely play an increasingly central role in efforts to secure convictions.

So far, we have seen limited response from industry to the Roe decision and the possibility that their vast inventories of consumer data might be leveraged in the enforcement of state laws. Google announced it would delete location data for users who visited abortion clinics (though declined to say whether detailed geodata – like GPS coordinates and routing information – would also be purged). And while digital rights advocates such as the Electronic Frontier Foundation (EFF) recommend that companies attempt to retain as little data as possible – a concept known as data minimisation already codified in Europe via GDPR – the path forward is legally and operationally murky for industry, putting the onus on lawmakers to provide guidance.

While the Supreme Court’s reversal of Roe v. Wade is highly partisan, the decision has heightened public awareness over how tech companies collect and use consumer data. It also comes at a time when both parties are moving to fetter Big Tech’s previously unregulated growth. In addition to the ADPPA, other tech bills have received bipartisan support and serious consideration by congressional leadership this year. One notable effort has been by Sens. Amy Klobuchar (D-MN) and Chuck Grassley (R-IA), who introduced the American Innovation and Choice Online Act which would ban companies from favouring their own services or products on their platforms.

While opinions may differ on whether these bills, which have clear bipartisan support, will be able to advance further this year given other Congressional priorities and the looming midterms, there is clear momentum for tech, and particularly data privacy, legislation in the US. It is one of the few issues that command broadly bipartisan support in a polarized Washington and may well serve as the basis of feasible legislative achievement in the near term.