Wicker-House Commerce Privacy Draft Faces Cantwell, Hill Calendar Hurdles

The Wicker-House Commerce draft would require companies to minimize their collection and transfer of covered data beyond what’s “reasonably necessary, proportionate and limited to” what’s needed to provide a “specific product or service requested” or a “communication” by the company to a user that’s “reasonably anticipated within the context of the relationship.” The proposal would bar most collection and dissemination of social security numbers, giving an individual’s “precise geolocation information to a third party” without consent, biometric information, passwords, “nonconsensual intimate images,” genetic information, a user’s internet browsing history and physical activity information from mobile and wearable devices. It bars companies from collecting or disseminating data that discriminates on the basis of race, religion, national origin, gender, sexual orientation or disability.

The proposal would require companies to create “reasonable“ privacy procedures and tasks the FTC with issuing “guidance as to what constitutes” a reasonable policy. It would bar companies from denying, charging a different amount for or otherwise condition providing a service or product based on a user’s agreement to waive any of the measure’s privacy rights. The draft would require companies to provide users with privacy policies outlining their data collection and dissemination practices “in a readily available and understandable manner” and specify how long the company will retain the data. Companies would be required to disclose whether any of the collected data is made available to China, Iran, North Korea or Russia. The measure would require companies to provide “reasonable” security of collected data, including assessing and correcting vulnerabilities.

The draft would give individuals the right to access, alter or transfer collected data that pertains to them and would bar companies from collecting or disseminating that data without a user’s affirmative consent. It would ban targeted advertising to children under age 17 and dissemination of data about children without their consent. The measure would set up a youth privacy and marketing division within the FTC that would have staffers expert in children’s development, digital advertising and data protection issues. Third-party collecting entities would be required to conspicuously disclose their status on their website or mobile app. Third-party collecting entities that process data on more than 5,000 individuals would be required to register with the FTC. The proposal requires the FTC to create an online database of those entities.

The measure includes a limited private right of action that would allow individual and class-action lawsuits for violations of some parts of the proposal beginning four years after its enactment. Those considering lawsuits would need to first notify the FTC and their state’s attorney general, triggering a 60-day waiting period for those agencies to consider preemptively taking civil action against the company. Any demands for compensation sent before that 60-day window ends would be considered to be made in “bad faith.” The draft would establish an FTC privacy enforcement bureau comparable to its existing Consumer Protection Bureau.

The language mandates CEOs and privacy officers at large data holder companies annually certify their compliance with the law and tasks the FTC with providing oversight. The proposal would preempt most state-level privacy laws but exempt generally applicable consumer protection, revenge porn, cyberstalking, cyberbullying and data breach statutes. It would also preclude FCC regulation of ISPs, cable and satellite carriers for collecting and disseminating data covered under the proposal.

“This bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone,” Wicker, Pallone and Rodgers said. The measure “strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress, including the development of a uniform, national data privacy framework, the creation of a robust set of consumers’ data privacy rights, and appropriate enforcement mechanisms.”

“In the coming weeks, we will be working with our colleagues on both sides of the aisle to build support and finalize this standard to give Americans more control over their personal data,” the House and Senate Commerce leaders said. “We welcome and encourage all of our colleagues to join us in this effort to enable meaningful privacy protections for Americans and provide businesses with operational certainty.” The lawmakers emphasized they sought and incorporated feedback from House Consumer Protection Subcommittee Chair Jan Schakowsky, D-Ill., ranking member Gus Bilirakis, R-Fla., and Senate Commerce members.

Cantwell Concerns

Cantwell’s absence as a backer of the Wicker-House Commerce proposal loomed large Friday as a barrier to its path forward. Senate Commerce staff weren’t able to review the draft until last week and Cantwell had concerns with how it dealt with enforcement, including the decision to delay the start of private rights of action until four years after the measure’s enactment, lobbyists told us. Wicker and Cantwell agreed after restarting meetings on privacy legislation last month on allowing federal preemption but hadn’t reached a resolution on private rights of action (see 2205250066).

"For American consumers to have meaningful privacy protection, we need a strong federal law that is not riddled with enforcement loopholes," Cantwell said in a statement. "Consumers deserve the ability to protect their rights on day one, not four years later. Americans also deserve a law that imposes a duty of loyalty on the companies that collect and monetize personal data so that the companies cannot abuse that data.”

Cantwell is circulating a revised draft of her Consumer Online Privacy Rights Act that would allow private rights of action without any delay nor clearance with the FTC and a state attorney general, lobbyists said. It would allow private right of action against a company for “substantial privacy harm” claims of more than $1,000 to go to court even if the company’s terms of service says disputes will be subject to binding arbitration, lobbyists said. Wicker insisted against barring binding arbitration, which was a major reason Cantwell didn’t sign on to his draft, lobbyists said.

Sen. Brian Schatz, D-Hawaii, also criticized work on the proposal before its Friday release. He wrote the proposal’s backers Wednesday urging them to “refuse to settle for a privacy framework that will only result in more policies to read, more cookies to consent to, and no real change for consumers.” The proposal also should “not preempt states from adopting consumer-first online privacy reforms,” he said.

Aides to Wicker and the House Commerce leaders are still actively trying to court Cantwell, lobbyists said. Cantwell recently indicated she would like to do a markup this month on bipartisan privacy legislation and measures aimed at addressing children’s privacy issues. Senate Majority Leader Chuck Schumer, D-N.Y., also pressed Cantwell last week to swiftly reach a deal on privacy legislation.

Reaction

It’s “refreshing to see bicameral and bipartisan support on this bill,” which “has come a long way” toward reaching a compromise on matters like private right of action, said R Street Institute Cybersecurity Policy Counsel Brandon Pugh in an interview. “It may not be perfect in everybody’s eyes” and “we could keeping waiting out for the bill, but who knows if that will ever come.” The proposal shows lawmakers are “much closer that we’ve been in the past” to a final deal, he said.

Congress is in a “tricky time situation” because active legislative work is unlikely to progress once the August recess begins because of the midterm election campaign, Pugh said. As with “most bills, it comes down to” whether getting a deal on a privacy measure is a “priority for leadership.” There may be pressure to move quickly on the Wicker-House Commerce proposal because Wicker will relinquish his role as top Senate Commerce Republican at the end of this Congress and instead seek the top slot on the Armed Services Committee (see 2203070068), lobbyists said. Sen. Ted Cruz of Texas, Wicker’s likely replacement as lead Commerce Republican, has been less active on privacy matters.

The Electronic Privacy Information Center and Free Press also voiced optimism about the direction of the Wicker-House Commerce draft. "It is very encouraging to see a bipartisan proposal that recognizes that we are facing a data privacy crisis in this country and requires changes to Big Tech’s harmful business practices,” said EPIC Deputy Director Caitriona Fitzgerald. “EPIC urges Congress to act quickly on a strong, comprehensive privacy law with robust enforcement

“We’ve only scratched the surface in our review of the full draft,” but “based on that preliminary look we’re very pleased with the structure and coverage of the bill,” said FP co-CEO Jessica Gonzalez. “Far too often, advocates find ourselves handing out an ‘A’ for effort in circumstances like these, without any hope of passing good new laws. This bipartisan deal between key committee leaders on both sides of the Hill makes it much more likely that we will move beyond praising good efforts to achieving an actual legislative victory on this crucial topic.”

The draft shows that there is a "bipartisan path forward on long-overdue legislation to protect consumers’ privacy,” said Center for Democracy and Technology President Alexandra Reeve Givens. “While it’s not perfect, the draft is a hopeful first step.” The groups recognizes “there will be negotiations that require difficult trade-offs, but now is the time for that work to happen,” she said.

The Computer & Communications Industry Association gave a tepid response that didn’t point to specific elements of the Wicker-House Commerce draft. “Internet traffic crosses state and international boundaries and internet users need basic protections to travel with them,” said CCIA President Matt Schruers. “Strong baseline privacy protections are key to consumer trust and we appreciate members of Congress working toward this goal.”

The 21st Century Privacy Coalition “appreciates the discussion draft’s efforts to achieve a comprehensive national privacy effort” and looks “forward to reviewing the bill in detail and providing feedback. However, we are concerned about the bill’s failure to include certain communications services in the comprehensive framework.”