The draft bipartisan data privacy bill is largely built on the framework of Cantwell’s bill with key differences.
Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell (D-WA) is not on board with the discussion draft titled “American Data Privacy and Protection Act” (ADPPA) even though House Energy and Commerce Committee Chair Frank Pallone Jr (D-NJ), Ranking Member Cathy McMorris Rodgers (R-WA), and Senate Commerce, Science, and Transportation Committee Ranking Member Rocker Wicker (R-MS) used the structure of her “Consumer Online Privacy Rights Act“ (COPRA) (S.3195), she did not join them.
Without Cantwell’s support, Pallone, Rodgers, and Wicker will find it very difficult to pass data privacy legislation given that she controls the agenda for the committee of jurisdiction in the Senate. This is not to say that chairs cannot be bypassed, but it is a rare occurrence. Therefore, Cantwell will hold some sway over what a final data privacy bill will do. As mentioned yesterday, she has made public remarks signaling her acceptance of federal preemption of state privacy laws, a matter made easier for her in light of Washington state’s successive failures to enact a state-wide bill in recent years. Additionally, her comments suggest she opposes the four year wait in ADPPA for a private right of action and will insist that people be permitted to sue sooner after enactment, perhaps 18-24 months sooner.
A more significant sticking point is her insistence that U.S. residents be allowed to sue in the event there is “significant harm,” a concept from COPRA, her data privacy bill. Judging from ADPPA, this concept seems out of play and something that Pallone and other Democratic stakeholders were willing to give way on in the name of reaching agreement on a bill. Another flashpoint is Cantwell’s insistence that the duty of loyalty in ADPPA be more robust and along the lines of the duty of loyalty in COPRA. The “duty of loyalty” in ADPPA is a wan version of what Cantwell and three of her Democratic colleagues proposed. Moreover, given that Cantwell and the Democrats just pushed a bill through committee to restore Section 13(b) of the FTC Act, she will almost certainly press to have this included in any data privacy bill.
Before this piece turns to the substance of COPRA vs. ADPPA, it is useful to recall the history of the former. In late 2019, Cantwell was the ranking member of the committee she now chairs, and she and Wicker released contemporaneous data privacy bills that bore notable similarities but also notable differences. Neither bill saw the light of a markup, and her role and Wicker’s roles switched with the flipping of the Senate in the 2020 election. There were bipartisan talks behind the scenes and positive, hopeful remarks made at committee hearings on the subject. However, a compromise bill did not appear to be close, and Cantwell, Wicker, and others issued a number of bills. Wicker revised and released his “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” (S.2499) (see here for more detail and analysis.) As mentioned, later in 2021, Cantwell did the same with COPRA (see here for analysis and detail on the first iteration that is almost the same as the revised bill.)