Federal Legislation Aimed at Protecting Consumer Data Moves Forward

NATIONAL REPORT — In a 53-2 bipartisan vote, the House Energy and Commerce Committee advanced a comprehensive data-privacy bill that would limit how consumers' online data is collected, processed and transferred.

H.R. 8152, or the American Data Privacy and Protection Act (ADPPA), is intended to set a national standard for how businesses, particularly technology companies, collect and use Americans' data. The bill is sponsored by Chairman Frank Pallone (D-N.J.) and Ranking Member Cathy McMorris Rodgers (R-Wash.), along with Consumer Protection and Commerce Subcommittee Chairwoman Jan Schakowsky (D-Ill.) and Ranking Member Gus Bilirakis (R-Fla.).

In response to the vote, the Main Street Privacy Coalition, of which NACS is a founding member, sent a letter to the committee leaders thanking them for including changes made to the bill that ensure that customer loyalty programs are protected, as well as a bipartisan amendment to ensure service providers appropriately protect consumer privacy under the bill.

However, the coalition noted that there are other issues of concern that have not been addressed and said that the current ADPPA is not yet in a workable form for Main Street.

"Main Street businesses — many of whom have struggled to remain open to serve consumers during the COVID-19 pandemic and are now facing historic pressures from the confluence of inflation, supply chain constraints, and labor shortages — will bear the full burden of complying with the regulatory obligations under the ADPPA that the committee is considering and are not exempt from its provisions," the coalition wrote in the letter.

Last month, NACS General Counsel Doug Kantor testified on behalf of Main Street Privacy Coalition during a House Committee on Energy and Commerce hearing on strengthening data privacy and security.

"Having data privacy and security laws that create clear protections for Americans while allowing our members' businesses to serve their customers in the ways they have come to rely upon is a key goal. Achieving that goal, however, has been elusive," said Kantor in his testimony before the committee.

According to Kantor, privacy law needs to work for Main Street, noting that one of the challenges that has been central to this effort is the overwhelming focus on the data practices of technology companies. The "Main Street" Kantor refers to includes businesses such as convenience stores, gas stations, grocery stores, hotels, and home builders, among many others.

"Simply to ensure that business occurs as intended on a daily basis requires large volumes of data to be used and exchanged by a multiplicity of different actors," he said. "The ways in which this happens are incredibly diverse across the economy and therefore quite complex. That diversity and complexity is one of the reasons that writing legislation to cover privacy is so challenging."

Kantor's full testimony can be read here.

The National Retail Federation (NRF) Senior Vice President for Government Relations David French commended the adopted provisions of ADPPA, noting they "are important steps forward," but said the "legislation fails to provide the strong and effective uniform national standard for data privacy law that is so badly needed."

In a letter to sponsors, NRF said that the bill needs to do more to ensure that it will truly preempt state privacy laws — which are currently on the books in California, Virginia, Colorado, Connecticut, and Utah — with more expected regardless of congressional action. Without effective preemption, the nation could eventually see 50 state privacy laws, the association argued, adding that the bill also lacks an adequate "notice and cure" provision that would give organizations time to correct alleged violations before enforcement actions may be brought.

"Consumers need to know their privacy is protected no matter who is handling their personal information or where they are located. Failure to effectively preempt the growing number of inconsistent state laws will keep that critical goal from being achieved. In addition, the bill would let bounty-hunting trial lawyers file frivolous lawsuits over dubious claims rather than leaving enforcement to government officials like state attorneys general and the Federal Trade Commission," French said.

"And refusal to give organizations sufficient time to correct violations once they're put on notice puts the primary focus of enforcement on litigation and penalties rather than ensuring privacy protection and compliance, which is the foundation of consumer protection," he continued. "Getting preemption and enforcement right is the touchstone of an effective federal privacy law. While this measure has robust provisions in both respects, it needs much more work, and the House needs to take a very close look at these provisions before moving toward a final vote."

NRF is based in Washington, D.C.