National data privacy law for the US clears first hurdle

America took a step closer to getting a federal privacy law: a bill proposing just the thing is headed to the House of Representatives to debate after clearing an early hurdle. 

The House Energy and Commerce Committee on Wednesday approved the American Data Privacy and Protection Act (ADPPA), which would limit how companies could collect personal information and what they could do with said data. 

The bill [PDF] imposes a baseline "duty of loyalty" on businesses dealing with customer data, saying that they can't collect data "beyond what is reasonably necessary, proportionate, and limited to provide specific products and services requested by individuals." The bill says it's up to the FTC to determine what that means. 

The ADPPA also requires businesses to transparently ask and receive explicit consent for each piece of data collected. Businesses can only use the data for stated purposes consumers agree to, and requirements are stricter for "large data holders" like Facebook and Google. 

The bill achieved a mostly bipartisan consensus, with the Energy and Commerce Committee voting 53-2 to advance the bill to the full House for consideration; a similar bill is currently working through the Senate.

The only two holdouts in the Committee vote were Representatives Anna Eshoo and Nanette Diaz Barragán, both Democrats from California - which has stronger data protection laws than those contained in the ADPPA. Eshoo expressed concern that, while the bill would advance privacy protections for Americans in most of the country, "I can't say the same for my constituents and all Californians," Eshoo said. 

According to The Hill, Eshoo proposed an amendment to the bill that would make it a baseline standard that would allow individual states to impose additional restrictions. The amendment failed to pass during Wednesday's markup session that preceded the vote. 

Could the ADPPA pass?

According to the Congressional Research Service, which issued a review of ADPPA in late June, Congress regularly proposes federal data privacy bills that fail. What makes ADPPA different from previous privacy bills is compromises it strikes regarding preempting state privacy laws and creating a right to private action, such as suing companies violating laws, instead of requiring the government to enforce them. 

ADPPA in its current form would preempt state laws, but preserves 16 categories of state protections "including consumer protection laws of general applicability and data breach notification laws," the CRS said. It also allows private action, but only after four years have passed. 

• America edges closer to a federal data privacy law, not that anyone can agree on it
• San Francisco cops want real-time access to private security cameras for surveillance
• Brave roasts DuckDuckGo over Bing privacy exception
• SCOTUS judges 'doxxed' after overturning Roe v Wade

The Senate version of the bill may be in trouble before discussions have even begun, however, with Senate Commerce Committee Chair Maria Cantwell saying ADPPA had "major enforcement holes."

Privacy advocates have also expressed dissatisfaction with the ADPPA. The Electronic Frontier Foundation said it was disappointed by the draft that passed Committee, and noted three initial objections: The bill's overriding of state privacy laws, changes the EFF said would make it hard to enforce an existing federal privacy law that applies to telecommunications companies and an abundance of exceptions written into the bill's right to private action.

Compromises might be necessary, though: Representative Cathy McMorris Rodgers (R-WA), the Republican leader of the Energy and Commerce Committee, said in a statement that 80 percent of Americans reportedly support the priorities in the ADPPA. 

"As I said before, this is the best chance we have ever had to achieve a strong national standard that protects Americans, no matter where they are or if they travel across state lines," Rodgers said. ®