WASHINGTON — Senate Commerce Committee Chair Maria Cantwell said the panel plans to mark up much-delayed federal data privacy legislation before the August congressional recess — and gave the bill a puncher’s chance even though its House companion has faced setbacks.
“We are going to have a markup when we come back in July,” Cantwell, D-Wash., said in interview late last week.
Asked about the last-minute cancellation of a markup for the House version late last month, Cantwell responded, “I don’t know if it’s failed in the House, because I think Rep. Rodgers has a lot of support over there,” referring to House Energy and Commerce Committee Chair Cathy McMorris Rodgers, R-Wash., the bill’s sponsor.
Industry sources and House Democrats, including Commerce ranking member Frank Pallone Jr., D-N.J., blamed Speaker Mike Johnson, R-La., House Majority Leader Steve Scalise, R-La., and others in Republican leadership for the cancellation.
Cantwell said she couldn’t address specific concerns that Johnson and Scalise might have, but added, “I’ve seen polling that says Republicans think more about privacy than Democrats.” The Senate Commerce Committee plans to address “a lot of the issues that people have … in the next two weeks before we go to the markup.”
The latest version emerged in April after Rodgers and Cantwell announced they had reached agreement on the broad outlines of a bill.
Lawmakers in the House and the Senate have made tweaks to address concerns raised by industry groups and consumer advocates. But the version that was scheduled for a markup before the House Energy and Commerce Committee faced opposition from opposite fronts.
Industry groups criticized provisions allowing people to sue tech companies for privacy violations while failing to fully preempt state laws. Civil society and consumer advocate groups opposed the removal of prohibitions against collecting data on users that results in discrimination on the basis of race, sex, religion and other categories.
State attorneys general led by California Attorney General Rob Bonta have pressed lawmakers not to pass a law that would overrule state privacy standards, arguing that a federal standard should be a floor not a ceiling.
Small-business exemption
Small businesses would be exempted from the proposed legislation. Many, particularly those in the tech industry, say that could hurt rather than help them.
The exemption in proposed federal legislation aims to help small businesses avoid the undue burdens of compliance. But the federal bill’s “specific method of achieving that goal — carving out small businesses from the definition of ‘covered entity’ — could potentially deny them the benefits of preemption and inadvertently expose them to costly state-by-state compliance and unreasonably high litigation risks from differing liability regimes,” Morgan Reed, president of ACT, the App Association, told the Senate Commerce Committee at a hearing last week.
“By excluding small businesses from the definition of covered entity, [the law] would create uncertainties as to whether small businesses would be covered by the bill’s preemption provision — or if, instead, they would remain regulated by existing and future state privacy laws,” Reed testified.
Lawmakers are continuing to balance the needs of the industry and the need to protect people’s privacy, said Sen. John Hickenlooper, D-Colo., chair of the Senate Commerce Subcommittee on Consumer Protection, Product Safety, and Data Security.
“We need to respect their issues,” Hickenlooper said in a brief interview, referring to industry demands. “But we also have got to put together something that creates a legitimate protection for people … basically the fundamental right to privacy of your own information.”
The industry must be willing to accept some restrictions on data collection and how data is used if it wants a national standard and freedom from private lawsuits, Hickenlooper said. Yet the industry is “creating a conundrum, creating a no-win situation,” by pushing for state preemption without acceding to greater protections for consumers, he said.
Industry groups also have pushed back against provisions on data minimization, which specify that companies must only collect consumer information that is essential for a transaction and no more.
In the absence of a federal privacy law, 18 states have enacted privacy laws and additional legislatures are considering them as tech companies push Congress for a uniform federal policy.
There’s also the issue of companies rapidly deploying new generative artificial intelligence systems that are trained on vast quantities of publicly available information. Cantwell said at last week’s hearing, titled Americans’ Privacy in the Age of AI, that such development could result in a “race to the bottom” in the absence of federal law.
“Researchers project that if current trends continue, companies training large language models may run out of new publicly available high-quality data to train AI systems as early as 2026,” Cantwell said. “So without a strong privacy law, when the public data runs out, nothing is stopping [companies] from using our private data.” Nothing is stopping them from using private data now, other than the public data may be free and easier to acquire.
Breaking the stalemate over federal privacy legislation would likely require members of Congress “to look to their brothers and sisters in state legislatures and say, ‘for the betterment of our country we need a bill that covers everyone,’” Reed said in an interview.
Though it wouldn’t be easy, convincing states to accept one national privacy standard is a way to break the inertia, Reed said.