Cantwell, McMorris Rodgers strike bipartisan deal on landmark data privacy bill
WASHINGTON – Since the dawn of the internet age, tech companies have developed increasingly sophisticated ways to collect and use vast swaths of Americans’ personal data, while Congress has repeatedly failed to regulate the practice. Now, two Washington state lawmakers have a bipartisan plan to break that impasse and set a national standard for data privacy.
Sen. Maria Cantwell, a Democrat who chairs the Senate Commerce Committee, and Rep. Cathy McMorris Rodgers, a Spokane Republican who leads the House Energy and Commerce Committee, have appeared at odds on data privacy since introducing competing legislation in recent years. But in interviews on Sunday, the two women said they have a compromise bill that can get to President Joe Biden’s desk before McMorris Rodgers leaves Congress at the end of the year.
“This is a historic piece of legislation that we’ve been working on for several years,” McMorris Rodgers said. “Online privacy protections shouldn’t differ across state lines. What we see is a patchwork of state laws developing, and this draft that Sen. Cantwell and I have agreed to will establish privacy protections that are stronger than any state law on the books.”
The draft legislation, obtained exclusively by The Spokesman-Review, would limit the data that companies can collect, retain and use to only what they need to provide their products and services. That would represent a major change from the current consent-based system that forces users to scroll through long privacy agreements and barrages them with pop-ups asking for their permission to be tracked online.
The American Privacy Rights Act, or APRA, would let Americans opt out of targeted advertising and view, correct, export or delete their data and stop its sale or transfer. It would create a national registry of the data brokers that buy and sell personal information, and would require those companies to let people opt out of having their data collected and sold.
McMorris Rodgers and Cantwell plan to release the legislation on Sunday.
“The information age has continued to evolve,” Cantwell said. “And so it’s important that we get a federal law that makes privacy a consumer right, and that’s what this does. It basically is putting a policeman on the beat that doesn’t quite exist right now.”
Tech giants like Google parent company Alphabet and Facebook parent company Meta have built business empires based on collecting data on their users and using it to sell targeted advertising. A spate of news stories in recent years has shown how that information can be used to violate Americans’ privacy and undermine the nation’s security.
In November, researchers at Duke University published a study that found data brokers sell the personal data of U.S. military personnel for as little as 12 cents per record. The New York Times reported in March that automakers share data on drivers, collected by their cars, with insurance companies that use the information to raise premiums. A fertility tracking app shared users’ health information with other companies, including Google and China-based marketing firms, according to a 2023 settlement with the Federal Trade Commission.
APRA aims to standardize how data is regulated across the country, replacing the laws that state legislatures have enacted during years of inaction in Congress. Despite McMorris Rodgers’ claim that the new, nationwide privacy standard will be “stronger than any state,” preempting state laws is likely to provoke opposition, especially from California, which enacted a pioneering data privacy law in 2018.
Cantwell said the bill incorporates parts of state laws, including California’s and Illinois laws protecting genetic and biometric data, to set a national standard that builds on the progress made by those states.
“I think we have threaded a very important needle here,” she said. “We are preserving those standards that California and Illinois and Washington have.”
APRA doesn’t preempt certain state laws, including those related to civil rights, consumer protection, contracting and more than a dozen other categories. Unlike some other data privacy bills, it doesn’t include explicit carve-outs for any state, but it effectively incorporates a provision of the California law that lets individuals sue when they are harmed in a data breach.
After the House Energy and Commerce Committee in 2022 approved a bipartisan data privacy bill championed by McMorris Rodgers and her Democratic counterpart on the panel, Rep. Frank Pallone of New Jersey, then-Speaker Nancy Pelosi refused to bring it to the floor for a vote because it was opposed by Gov. Gavin Newsom, her fellow California Democrat.
McMorris Rodgers is a close ally of current House Speaker Mike Johnson, R-La., and said she is “having conversations with both House and Senate leadership right now.” Cantwell said she hasn’t asked Senate Majority Leader Chuck Schumer for a commitment to bring the bill to the floor for a vote, but she said the New York Democrat knows about the legislation and she’s optimistic that it can pass by year’s end.
“If people like the idea, you can get things done quickly,” Cantwell said.
Neither Pallone nor Sen. Ted Cruz of Texas, Cantwell’s GOP counterpart on the Senate Commerce Committee, were directly involved in negotiating the deal, which caught data privacy experts by surprise when Punchbowl News reported on Friday that McMorris Rodgers and Cantwell had written legislation. While the bill couldn’t pass the Senate without bipartisan support, Cruz wouldn’t necessarily need to back it.
“I’ve had many conversations with both Mr. Pallone and Sen. Cruz on this topic, and we all recognize that people want and need privacy rights,” McMorris Rodgers said. “This is a discussion draft that Sen. Cantwell and I have hammered out, but we’re still open to constructive feedback.”
One thing the California law does not include, with the exception of data-breach cases, is an ability for individuals to sue a company for violating the law, a key demand Cantwell brought to the negotiations. Under APRA, the Federal Trade Commission, state attorneys general and private citizens would all have the right to sue.
That so-called “private right of action” was a sticking point between the Washington lawmakers. McMorris Rodgers was concerned that letting individuals sue without first seeking help from a state attorney general or the FTC could make way for a flood of litigation that would burden companies and stifle innovation. The bill’s provisions don’t apply to small businesses with less than $40 million in annual revenue, as long as they don’t sell data.
Cantwell objected to a two-year delay in the House bill before the private right of action would kick in. Under APRA, that right and every other provision would go into effect six months after the bill is enacted.
Another area of disagreement was restricting how companies use mandatory arbitration provisions to force their customers and users into closed-door deals, which Cantwell initially wanted to ban altogether. The senator ultimately agreed to limit that prohibition, which applies only in cases involving a minor or for “substantial harm,” which means at least $10,000 in alleged damages, physical or mental injury that requires medical treatment, “highly offensive intrusion” into a reasonable person’s expectations of privacy, or discrimination based on race, religion or other protected statuses.
In the current session of Congress, members of both parties have introduced narrower bills aimed at addressing the impact of technology on kids, regulating artificial intelligence and forcing the China-based parent company of TikTok to sell the wildly popular social media app.
Both Cantwell and McMorris Rodgers said they see their bill as a complement to those bills, not a replacement, and they are committed to working to pass other legislation.
Shannon Smith, the lead Democratic aide on the Senate Commerce Committee, said in an interview Saturday that data privacy “underpins” all of the concerns those other bills seek to address.
“If you can restrict the amount of data that’s out there, then you can restrict the amount of data that’s used to train AI,” Smith said. “That doesn’t mean you don’t still need legislation around AI or you don’t need some other enhanced protections for kids, but this does the back-end work that will make those statutes a lot easier to enact and implement.”
Cantwell credited Smith, a Pasco native, and the rest of the staff on both committees for hammering out the compromise bill in a relatively short time. Cantwell had worked with Sen. Roger Wicker of Mississippi, then her GOP counterpart on the committee, on data privacy negotiations in 2022 along with Pallone and McMorris Rodgers.
Those “four corners” talks slowed down after Cruz replaced Wicker as the top Republican on the panel, Cantwell said. The negotiations restarted in earnest in December, she said, when McMorris Rodgers came to her and said, “Let’s try two corners.”
Cantwell said that the negotiations were aided by a strong relationship between her and McMorris Rodgers that had been forged by working through some “really thorny problems,” including wildfires and the Spokane Tribe’s 2020 settlement with the federal government for damage done by the Grand Coulee Dam.
McMorris Rodgers agreed that representing the same state helped their bipartisan data privacy bill become a reality.
“It’s been an exercise in building trust,” McMorris Rodgers said. “We come from a state that has a large tech presence, a state that has led in technology, and I think all of that has played a part in bringing us together at this moment. And it really is a significant moment for us to lead, both for Washington state and for the nation.”