A federal data privacy bill has remained elusive for years, but now a pair of Washington lawmakers are taking their shot at getting legislation over the finish line. Rep. Cathy McMorris Rodgers (R-Wash.) and Senator Maria Cantwell (D-Wash.) have yet to formally introduce their bill, the American Privacy Rights Act, but have released a discussion draft. A formal introduction is expected later this month. The proposal would limit what data companies can collect and use and create consumer data rights, including the right to sue companies for privacy violations.
Significantly, the legislation would preempt existing state laws and establish a national standard, though state attorneys general would be responsible for enforcement along with the Federal Trade Commission. A patchwork of state regulations has emerged in recent years, some of which have been pushed by the business community. However, the tech industry’s preference has remained a national standard to ease the compliance challenge of meeting the different state-level rules. Notably, the law would end the FTC’s data privacy rulemaking, which the agency has pursued in the absence of legislation to create some new federal rules.
McMorris Rodgers and Cantwell’s sponsorship of the legislation is significant because they lead the committees of jurisdiction in the House and Senate, respectively. The best chance in recent years, back in 2022, faltered partly due to Cantwell’s opposition. That legislation, the American Data Privacy and Protection Act, cleared the House Energy and Commerce Committee, which McMorris Rodgers now chairs, in a 53-2 vote. However, the bill never received a vote on the House floor as then-House Speaker Nancy Pelosi (D-Calif.) was concerned it would weaken California’s data privacy regulations. These worries about preemption could be an issue again for lawmakers, particularly Democrats, whose home states have more stringent rules.
While Cantwell’s buy-in is a step toward passage, the bill does not appear to be on a fast track to becoming law. According to Punchbowl News, the ranking members in both the House and Senate, Rep. Frank Pallone (D-N.J.) and Senator Ted Cruz (R-Texas), were not closely involved in the drafting process. Pallone stated that he was encouraged by the proposal but is seeking several changes. Cruz has taken a more negative stance, saying that while he is still reviewing the bill, he will not back a proposal that allows consumers to sue for privacy violations or empowers the FTC, which are common complaints among Republicans. Cruz’s resistance threatens to sink the legislation before even having a real opportunity to get off the ground.
The bill is expected to go through regular order, meaning committee hearings and markups in both chambers. This process will be lengthy and likely stretch past the August recess, which could mean its best chance of passage is at the end of the year after the elections. If this timing does happen, the bill will likely have to be noncontroversial enough to be attached to a must-pass measure, such as appropriations legislation or the annual National Defense Authorization Act.
McMorris Rodgers will likely push hard to get this proposal over the line as she is retiring at the end of the session and seeking as many legislative victories as possible before leaving. She was also a lead sponsor on the bill restricting data brokers’ ability to sell to foreign adversary countries and entities based in those countries, which passed the House in a 414-0 vote. That proposal may have a better chance at being signed into law, but its fate in the Senate is uncertain and is viewed as being more closely linked to the bill that could result in a TikTok ban than this federal data privacy bill.
Even amidst this renewed federal push for data privacy legislation, states continue to act. Most recently, the Maryland Legislature passed two data privacy bills: one restricting how companies can collect and use personal data and one creating more stringent regulations for users under 18, based on California’s Age-Appropriate Design Code Act. Maryland Governor Wes Moore still needs to sign the proposals to become law and has not publicly indicated his stance. The legislation has garnered significant opposition from the tech industry, and legal challenges are possible if Moore does approve the bills.
Other state lawmakers will likely closely monitor this effort in Maryland as it is the first data privacy bill modeled after the ADPPA. If this stricter standard does become law and survives any court challenges, it could provide a template for other state lawmakers looking to impose tougher rules. Of course, it will not matter if McMorris Rodgers and Cantwell’s bill becomes the law of the land, but that is a risky bet.