Federal Privacy Legislation Introduced, but Future Unclear
In the wake of calls for Congress to regulate consumer privacy and prevent a “patchwork” of state legislation, six bills have been introduced that would set forth broad federal obligations regarding the collection, storage, and disclosure of consumer data.1 Despite bipartisan support for comprehensive privacy legislation, none of the federal consumer privacy bills listed below has progressed since introduction. And more bills may be added to the mix. Sen. Marsha Blackburn (R-TN) reintroduced the BROWSER Act (H.R. 2520 from the 115th Congress), and the Senate Committee on Commerce, Science and Transportation mentioned they are working on proposed legislation of their own, though details and timing are still unknown.
Disagreement over federal preemption of state law may be one factor delaying advancement of any bill. House Speaker Nancy Pelosi (D-CA) recently drew a line in the sand on this issue during a Recode Decode Podcast on April 12, saying “the Republicans would want preemption
of state law. Well, that’s just not going to happen. We in California are not going to say, ‘You pass a law that weakens what we did in California.’ That won’t happen.” Sen. Feinstein (D-CA) also made it clear that she would not support a federal bill that weakens California’s Consumer Privacy Act. Sen. Klobuchar (D-MN) said there were “a lot of tears shed about the patchwork of bills across the country” in a Senate Judiciary hearing, yet there is no federal preemption in her co-sponsored bill with Sen. Kennedy (R-LA). Sen. Blumenthal (D-CT) noted that draft proposals sent to the Judiciary Committee often undercut existing state protections by using preemption. On the other hand, Sen. Blackburn and Sen. Tillis (R-NC) voiced support for preemptive privacy legislation.
Federal consumer privacy bills introduced to date in the 116th Congress:
| Bill Information |
Title | Description |
| S.1214 Introduced Apr. 11 Sen. Markey (D-MA) |
Privacy Bill of Rights | Would grant consumers rights similar to those under CCPA and require businesses to obtain “opt-in approval” prior to the collection or sale of data, as well as any material changes in practices; contains a private right of action in addition to FTC and state AG enforcement. |
| H.R. 2013 Introduced Apr. 1 Rep. DelBene (D-WA) |
Information Transparency & Personal Data Control Act | A revised bill from the 115th Congress. Changes made to some terms and requirements to include options for cross-platform portability, thresholds for audit requirements, and FTC enforcement. The bill also proposes to require the FTC to hire 50 new full-time employees and provides $35M in funding for data privacy and security. |
| S. 806 Introduced Mar. 14 Sen. Kennedy (R-LA) |
Own Your Own Data Act |
Would prohibit the collection of data or information generated on the internet. A short bill that would require social media companies to create a button for users to obtain or export a copy of their data. Data would be provided to the user with any analysis performed by the company on the data. Would also require annual clean, plain language licensing agreements with the user. |
| S.583 Introduced Feb. 27 Sen. Cortez Masto (D-NV) |
Digital Accountability and Transparency to Advance (DATA) Privacy Act | Would require companies to obtain opt-in consent from individuals to collect their genetic information and to disclose such sensitive data outside of their relationship with the consumer. |
| S.189 Introduced Jan. 17 Sen. Klobuchar (D-MN) Sen. Kennedy (R-LA) |
Social Media Privacy and Consumer Rights Act |
Would protect data privacy of consumers on social media and online platforms. Would require online platforms to provide consumers with greater transparency and control over their data. It would also require notification of an unauthorized disclosure of personal information within 72 hours. This notification requirement would cover disclosure of a broad array of personal information, including email address and location information, and not just sensitive data. In the event of a breach, the consumer would have rights to object to processing by the platform and demand deletion of data. The law would also require online platforms to have a privacy program in place. |
| S.142 Introduced Jan. 16 Sen. Rubio (R-FL) |
American Data Dissemination Act (ADD Act) | Uses the Privacy Act of 1974 as a framework and would require the FTC to submit recommendations for privacy requirements that Congress can impose on covered providers. It would provide consumers with rights to access, correction, and deletion rights as defined by the FTC. Its sole purpose seems to be pre-emption of state privacy laws and is scant on details. |
1 There are three more narrowly constructed, consumer-related bills:
- Blunt (R-MO) and Sen. Schatz (D-HI) introduced S. 847, Commercial Racial Recognition Privacy Act of 2019, on March 14. It would prohibit certain entities from using facial recognition technology to identify or track an end user without obtaining the affirmative consent of the end user. It would also require third party testing of technologies prior to implementation and meeting data security, minimization, and retention standards as determined by the FTC and NIST.
- Richard Durbin (D-IL) introduced S. 783, Clean Slate for Kids Online Act of 2019, on March 13. It would allow for deletion of PI collected by internet operators of activity prior to age 13.
- Edward Markey (D-MA) and Sen. Josh Hawley (R-MO) introduced S.748 on March 12. It would amend the Children’s Online Privacy Protection Act of 1998 (COPPA) to strengthen protections relating to the online collection, use, and disclosure of personal information of children and minors.