A bipartisan bill for digital privacy was introduced after years of disagreement

Towards a Privacy Framework for Consumers based on a Proposal for a New Data Privacy Reduction Act (APRA)

Congress may be closer than ever to passing a comprehensive data privacy framework after key House and Senate committee leaders released a new proposal on Sunday.

APRA includes language from California’s landmark privacy law allowing people to sue companies when they are harmed by a data breach. It gives the Federal Trade Commission, state attorneys general, and private citizens authority to take action against companies when they violate the law.

According to McMorris Rodgers, the legislation gives Americans the right to control who can sell their information. Big Tech is prohibited from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act.”

Congress has tried to protect user data for a long time. Lawmakers have remained divided, though, on whether that legislation should prevent states from issuing tougher rules, and whether to allow a “private right of action” that would enable people to sue companies in response to privacy violations.

McMorris Rodgers told the Spokesman Review that the draft language was stronger than any active laws as an attempt to soothe the concerns of Democrats who have fought attempts to protect state-level protections. APRA does allow states to pass their own privacy laws related to civil rights and consumer protections, among other exceptions.

The earlier bill that required people to notify their states attorney general and Federal Trade Commission before trying to recover their money for privacy rights violations was objected to by Cantwell, an E&C aide said on the call. The new discussion draft doesn’t have the same requirement and includes a strong private right of action, meaning individual consumers can sue companies covered by the legislation if they believe their rights were violated.

“I think we have threaded a very important needle here,” Cantwell told the Spokesman Review. Those standards are the ones that California and Illinois and Washington have.

The bill needs to be introduced into both chambers and advanced by each committee to have a chance of being passed into law. While aides for the committees told a group of reporters on a background call Sunday that there was not yet a target date for introduction, Rodgers said in the statement she expects the bill to move “through regular order” on her committee this month.

It also gives companies the chance to change their behavior. People who want to sue for injunctive relief or damages need to first give notice of the alleged violation, and the company would have 30 days to cure the issue. But the bill does not require notice before filing a claim for “substantial privacy harm,” which could include alleged financial loss of at least $10,000, or certain physical or mental harm.

Pallone released a statement on the proposal Sunday, calling it “a very strong discussion draft,” but said there are still “some key areas where I think we can strengthen the bill, especially children’s privacy.” As Chair Rodgers and I work together to get comprehensive privacy legislation across the finish line, I am optimistic that we will be able to build on the record.

Cruz said in a statement that he will “be carefully reviewing this bill to ensure it doesn’t have the same flaws as the failed American Data Privacy and Protection Act (ADPPA).” However, he indicated some areas where he may take issue with the new proposal. “In particular, I cannot support any data privacy bill that empowers trial lawyers, strengthens Big Tech by imposing crushing new regulatory costs on upstart competitors or gives unprecedented power to the FTC to become referees of internet speech and DEI compliance,” Cruz said.

The draft proposal comes as the House has moved forward with legislation to ban or force a sale of TikTok over security concerns and a separate bill to ban data brokers from selling US consumer data to foreign adversaries. The draft bill is separate from the one about TikTok, but there are no plans to move them in tandem, according to a Commerce aide.