A recent proposal for bipartisan, bicameral federal legislation is a watershed in a long running national privacy debate. Bipartisan agreement is rare enough with today’s polarized politics but now, for the first time, there is the prospect of comprehensive privacy protection that actually could be enacted into law.
It has been a lengthy journey to this threshold — more than 20 years since the first proposals for such legislation. Ten years ago when I was leading work to put the Obama administration’s Consumer Privacy Bill of Rights into law, I was looking for partners in Congress to collaborate on a bill, but found no takers.
Now, leaders on both sides of the congressional committees that oversee consumer protection and technology issues are moving toward committee votes and markups of privacy bills with a view to passage this year. Having these four key leaders pushing ahead brings the passage of national privacy legislation much closer than ever before.
It would be even closer still if the four leaders of these committee were in complete accord. The bipartisan American Data Privacy and Protection Act, made public as a “discussion draft” on June 3, is proposed by three of the four leaders: Reps. Frank Pallone (D-N.J.) and Cathy McMorris Rodgers (R-Wash.), respectively Chair and Ranking Member of the House Energy & Commerce Committee, and Sen. Roger Wicker (R-Miss.), Ranking Member of the Senate Science, Commerce & Transportation Committee. But, while their discussions continue with the Senate chair, Sen. Maria Cantwell (D-Wash.), she could bring up a further revision of her own 2019 Consumer Online Privacy Rights Act.
Despite this divergence, the bipartisan draft and a widely circulated draft of Sen. Cantwell’s bill are identical in many respects. Both drafts would make crucial changes to existing information-sharing ecosystems in which companies themselves decide what to collect and share without limits and enlarge individual rights to protect personal information.
In particular, both drafts include the most essential information privacy protection: boundaries on collection, use, and transfer of personal information. These would limit information processing to what is “reasonably, proportionate, and limited” as provided by law, while allowing a set of generally accepted uses of personal information like order fulfillment, security, and system maintenance, and enabling individuals to opt out of targeted advertising (as California and other state laws allow). This is a significant break from reliance on meaningless consent check-offs that have become ubiquitous, reserving consent mainly for categories of personal information defined as sensitive, for which specific, standalone disclosures would be required.
The bipartisan draft also prohibits obtaining consent in ways that are misleading or manipulative and adds to these limits a provision for “privacy by design” that would require companies to put in place reasonable data practices taking into account “privacy risks.” While this proposal could be clearer about the nature of these risks, it is an important step toward more considered data use.
Both drafts also agree on groundbreaking extension of civil rights protections to address discrimination in the processing of personal information. They also would require closer examination and increased transparency for algorithms in processing of personal information that would help avoid hidden harms. These measures advance beyond current state laws as well as the European’ Union’s influential data protection regulation. And for Republicans and Democrats to agree on a provision that significantly accomplishes what civil rights advocates seek from a privacy law marks exceptional progress.
Members of Congress have come a long way since Congress focused on privacy legislation in the wake of the Cambridge Analytica stories and Mark Zuckerberg hearings in 2018. The sausage-making ground slowly. There were fits and starts of bipartisan work among different combinations of working groups and committee leaders until, earlier this year, Sens. Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.) reached their own bipartisan agreement that provided a template on key issues for the full committee leaders.
Now the leaders can finish the job.
Two years ago, colleagues at The Brookings Institution and I issued a detailed analysis of earlier Cantwell and Wicker bills. We wrote then that those bills were “promisingly similar in many aspects, with general stakeholder agreement on several significant issues” but “polar all-or-nothing positions on the two issues where Wicker and Cantwell are the furthest apart.” Our report charted a path toward compromise on these issues and numerous others.
Now legislators have made many of these compromises and have an opportunity for historic achievement.
Today, as when we wrote our report, “both sides of the policy debate have something to gain from the balance struck — and both have something to lose from continued inaction and stalemate.” Given how close legislators and stakeholders are and the opportunity cost of failure, it would be senseless to miss the opportunity to provide everyone in America the important information privacy protections on which legislators already agree.
Cameron F. Kerry is Ann R. & Andrew H. Tisch Distinguished Visiting Fellow et The Brookings Institution in Washington D.C., and a former General Counsel and Acting Secretary of the U.S. Department of Commerce.