House Republicans Begin In-Person Meetings on Privacy Bill

Monday was the deadline for public comments on the Republican working group’s privacy bill effort (see 2502240055). The Computer & Communications Industry Association (CCIA), Center for Democracy & Technology (CDT), Association of National Advertisers (ANA), Electronic Frontier Foundation (EFF), USTelecom and the Software & Information Industry Association were among groups commenting Monday.

Chairman Brett Guthrie, R-Ky., is focused on getting the process right for crafting a comprehensive privacy bill, the staffer said. While Republicans would like Democratic buy-in, this is primarily a Republican effort now, the staffer said.

Guthrie has made clear the effort will begin as a “clean slate,” without using the committee’s bipartisan American Privacy Rights Act as a starting point. In-person meetings will help build out legislative principles and a framework and then a draft bill, the staffer said.

The committee is further along in advancing online safety legislation, the staffer added. House Commerce on Tuesday will mark up the Take It Down Act, a deepfake porn bill that passed the Senate unanimously and has the support of President Donald Trump, First Lady Melania Trump and House Republican leaders (see 2503260068). Other kids’ safety bills, like the Kids Online Safety Act, are in consideration for future markups.

CDT in its comments urged Republicans to build on the committee’s past bipartisan work, including key definitions in APRA for personal and sensitive information. Any federal privacy law should grant enforcement authority to federal agencies, state agencies and state attorneys general, with an emphasis on the FTC as a federal enforcer, it said. “State agencies and attorneys general have already begun enforcing their own privacy laws, and can supplement the FTC’s role given their expertise in the issues that most impact their constituents.”

CDT argued in favor of a private right of action for consumers to sue and fill enforcement gaps. The organization also supported letting Congress allow states to continue passing privacy laws in specific areas, which was envisioned in the non-preemptive APRA.

EFF argued for a private right of action, a “tailored” ban on targeted advertising, continued regulation at the state level, opt-in consent for data collection and sharing, data minimization requirements and prohibitions on deceptive platform design. Eliminating the “incentive to collect and sell as much of our behavioral information as possible would reduce the temptation for bad actors to violate the privacy of American consumers,” said EFF.

Industry groups argued against allowing a private right of action or implementing heavy restrictions on targeted advertising. Granting enforcement authority solely to federal regulators “gives the best chance of uniform interpretation, application, and enforcement of the statute,” said CCIA. The association said “high-quality state legislation should also serve as a model for federal privacy law,” citing Virginia’s Consumer Data Protection Act as a “useful guide.” Virginia’s law provides data correction and deletion rights, opt-out rights for data collection in specific cases of heightened risk of harm and the ability to opt out of targeted ads based on third-party data, said the association. CCIA called for a federal privacy law that broadly preempts comprehensive privacy laws at the state level.

ANA urged Congress to limit enforcement to federal and state regulators without the inclusion of a private right of action. The association noted it has long argued for a federal preemptive privacy law. However, it said any federal framework could use consensus state law definitions for targeted advertising and allow consumers to opt out of such advertising. Many state privacy laws exclude several practices from the scope of targeted advertising, “including first-party advertising, contextual advertising, advertisements directed in response to individual requests, and processing for measuring or reporting advertising performance, reach, or frequency,” said ANA. “States widely agree that these exclusions help to preserve routine and responsible practices unrelated to personalized advertising, and such an approach should be incorporated in any federal framework.”

USTelecom said a federal preemptive privacy law is “better for businesses and consumers than the current fragmented approach.” The FTC should be the sole federal enforcer of the new law, said USTelecom.

SIIA emphasized the need for a “preemptive federal privacy law to promote consistency for consumers, uniformity and efficiency for U.S. companies, and clarity for both American citizens and businesses.”