Revamped privacy bill sails through House subcommittee

Even as the legislation advanced through a key subcommittee, members from both parties raised concerns with the measure, indicating that it faces an uncertain road toward passage and may still be significantly altered. 
WASHINGTON, DC - MARCH 23: Representative Cathy McMorris Rodgers (R-WA), chair of the House Energy and Commerce Committee speaks during the hearing with TikTok CEO Shou Zi Chew before the House Energy and Commerce Committee in the Rayburn House Office Building on Capitol Hill on March 23, 2023 in Washington, DC. (Photo by Chip Somodevilla/Getty Images)

A revamped draft of a proposal to overhaul federal privacy rules was unanimously approved by a House Energy and Commerce subcommittee Thursday, an important step forward in breaking a long-standing congressional logjam to pass comprehensive privacy legislation. 

Lawmakers on both sides of the aisle have expressed a desire for years to pass a measure instituting a federal privacy standard — something the United States is a global outlier in lacking — and the measure that advanced Thursday, the American Privacy Rights Act, represents the leading proposal for doing so. 

But even as the Innovation, Data and Commerce subcommittee advanced the legislation, its members — from both parties — raised numerous concerns with the measure, indicating that it faces an uncertain road toward passage and may still be significantly altered. 

The APRA would establish baseline data privacy protections around a wide swath of Americans’ personal data. It would also impose new restrictions on how U.S. businesses can collect, retain, and use that data when it is sold to advertisers or collected for purposes that aren’t reasonably necessary to provide a product or service. It would also create new reporting requirements and consumer opt-out mechanisms for information collected and sold by data brokers.


Rep. Cathy McMorris Rodgers, R-Wash., who chairs the full Energy and Commerce Committee and is the APRA’s chief sponsor in the House, introduced a reworked version of the bill just 36 hours before Thursday’s markup that brought a number of changes.

“I believe we have a moment here to change the status quo and reset what the online ecosystem looks like,” Rodgers said during Thursday’s markup.

The most notable alteration was the addition of major provisions from a bill that would update the Children and Teen’s Online Privacy Protection Act, part of a bill introduced by Sens. Ed Markey, D-Mass., and Bill Cassidy, R-La., last year. That bill, known as COPPA 2.0, would implement a range of new restrictions on how companies collect and use data on minors and teenagers. It would also create a Youth Marketing and Privacy division at the Federal Trade Commission, prohibit the collection of personal information from users between the ages of 13 and 16 and establish a digital marketing bill of rights for teenagers.

Brandon Pugh and Steven Ward of the right-leaning R-Street Institute argued that merging this bill with the APRA may be an attempt by Rodgers to expand overall support for the package in the House and Senate, where support for data privacy protections for children and teens enjoys broad bipartisan backing.

However, Rep. Tim Walberg, R-Mich., chief sponsor of the House version of COPPA 2.0, indicated during Thursday’s markup that the reworked draft bill for APRA has “the skin, but not the meat and the bones” of the bill he introduced and worried that its inclusion in APRA could harm efforts to pass a more robust, standalone version in the Senate.


Walberg said that while he appreciates the effort to include provisions from the bill, “more of COPPA 2.0 needs to be included or advanced separately to better increase privacy protections for young people.”

Other changes to the APRA include looser restrictions on transferring privacy data for public or peer-reviewed research projects, a broader “Delete My Data” mechanism that would require data brokers to delete all covered data when requested by a user, and a change in lead agencies — from the FTC to the National Telecommunications and Information Administration and independent auditors — for assessing the data privacy impact of algorithms.

Rep. Gus Bilirakis, R-Fla., chair of the Innovation, Data and Commerce subcommittee, said that more changes and alterations to the package are likely to come as the House and Senate continue to work through the legislative process, but he urged his colleagues to move quickly to pass the measure before November’s elections undermine appetite on Capitol Hill for passing bipartisan legislation.

“This is certainly not the last opportunity to deliberate and refine this draft further, but time is of the essence,” Bilirakis said. 

Efforts to pass privacy legislation in the past have faltered in a legislative quagmire of partisan disagreement, and it’s far from certain they will be resolved expeditiously. 


Rep. Jan Schakowsky, D-Ill., the ranking Democrat on the subcommittee, praised many of the changes included Thursday’s markup but lamented the exclusion of stronger restrictions around the collection of biometric and genetic data, such as fingerprints and photos used in facial recognition systems.

Rep. Robin Kelly, D-Ill., echoed similar concerns around biometric data collection and algorithmic bias and suggested that further changes would be required to secure her approval in a full committee vote.

Rodgers indicated her support for incorporating some version of those protections in future versions of the legislation.

“I am committed to working together on addressing the concerns around the collection of biometric data as well as continuing efforts to make this bill as strong as possible,” Rodgers said.

Rep. Larry Bucshon, R-Ind., called for the bill to expand data transfer allowances for industry-led research efforts, clearer definitions around what constitutes a data broker and exemptions for data that remains on devices like automobiles that aren’t accessed by the manufacturer or sold to other entities.


While the bill’s backers hailed Thursday’s vote as an important milestone in passing a comprehensive data privacy bill, the legislation will need to be approved by the full House Energy and Commerce Committee, as well as the House and Senate, before it could potentially be signed into law by President Joe Biden.

Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals, told CyberScoop that “this will not be the end of the conversation” and said he expects further alterations in the future as Republican and Democratic leaders seek to build support for the measure.

“Almost every member of the subcommittee promised to work to add amendments of some kind to the final bill now that it has reached the full committee,” Zweifel-Keegan said. “Protections for kids, in particular, are likely to go through significant future changes.”

Latest Podcasts