American Privacy Rights Act passes E&C subcommittee

On Thursday, the House Energy and Commerce subcommittee on innovation unanimously advanced the updated discussion draft of the American Privacy Rights Act out of committee. Some Democrats and Republicans took issue with provisions of the new privacy proposal, such as its failure to include all of the safeguards in the Children's Online Privacy Protection Act 2.0 (COPPA 2.0). Other concerns raised included the definition of small businesses, the definition of targeted advertising, and a provision that could limit the authority of state attorneys general to bring cases under the law.

Chair of the full Energy and Commerce Committee Cathy McMorris Rodgers, R-Washington, who is the author of the bill, repeatedly stated to her colleagues that the new draft remains open to revision before the full committee markup.  

May 22

The House Energy and Commerce subcommittee on innovation will mark up a new draft of the American Privacy Rights Act (APRA) on Thursday. The committee submitted the changed draft late Tuesday night, leaving stakeholders scrambling to spot the differences. 

Energy and Commerce Chair Cathy McMorris Rodgers, R-Washington, introduced the discussion draft in April. APRA would create a national data privacy standard, which would likely make it easier for corporations to comply with privacy laws that currently vary from state to state. The privacy proposal stands on a foundation of data minimization, which would require companies to collect only necessary data on consumers, in place of the status quo of notice-and-consent privacy policies.

Changes have been made to the discussion draft based on stakeholder feedback. 

The new draft adds a section on privacy by design and adds language from COPPA 2.0. Contrary to some statements made since the reveal of the new discussion draft, APRA still includes a private right of action, a representative of the Energy and Commerce Committee told Fierce Healthcare. 

The following is a list of the high-level changes to the legislation: 

  • Includes a new section on privacy by design which requires policies to mitigate privacy risk and add internal safeguards. 

  • Adds language from the Children’s Online Privacy Protection Act 2.0 to the discussion draft, which formerly was a standalone bill. Ranking E&C Democrat Frank Pallone called for kids' online privacy protection language to be added to the discussion draft of APRA during the legislative hearing on the bill in April. 

  • Clarifies that entities will not be subject to double enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and APRA. A lawyer said new language in the discussion draft clarifies that entities that violate federal privacy laws will be subject to penalties under either HIPAA or APRA, but not both.

  • Adds more research exclusions to the privacy legislation.

  • Broadens the definition of targeted advertising and targeted advertising to minors.

  • Changes the language around private right of action (PRA) from "enforcement by individuals" to "enforcement by persons," which a lawyer said expands the PRA. The App Association said in a statement that the revision does not fix concerns it had about the broad PRA and would promote a "sue and settle business model." 

  • Narrows the definition of a covered algorithm to one that makes consequential decisions, which would likely mean that AI used for administrative tasks would be excluded while clinical decision support would be covered by the privacy law.

The App Association is also concerned that the privacy proposal does not adequately protect small businesses and startups because it does not offer federal preemption for small businesses. 

"Contrary to what we believe are the sponsors’ aims on privacy, large businesses or those companies that sell user data would benefit from preemption as they would only have to comply with this new federal law. Small businesses that do not sell user data would find themselves at the mercy of 19 different state privacy bills—ironically, the best path for small businesses that currently refuse to sell users’ data would be to change course in order to benefit from the bill’s preemption language," the App Association wrote in a statement.