National data-privacy legislation quickly gaining support on Capitol Hill and in Silicon Valley had its day in a House hearing Tuesday, paving the way for a possible vote this summer and the first significant tech regulation in more than two decades.
“This is the best chance for a national privacy law,” Rep. Cathy McMorris Rodgers, R-Wash., said at the start of the hearing.
Sharp battle lines have been drawn on the bipartisan American Data Privacy and Protection Act, reflecting a high-stakes showdown over how vast reservoirs of personal data are collected and used by some of the world’s largest companies.
On one side is Apple Inc. AAPL, +0.55%, which has preached strict privacy guidelines as part of its walled-garden ecosystem; the equation is far more nuanced for Alphabet Inc.’s Google GOOGL, +0.36% GOOG, +0.37% and Facebook parent company Meta Platforms Inc. META, -0.33%, both of which are heavily dependent on targeted advertising.
Apple Chief Executive Tim Cook strongly threw his support behind the bill. In a letter to Congress last week, Cook urged U.S. lawmakers to advance national privacy protections as a “fundamental human right.”
A witness list of privacy experts were slated to testify before the House Committee on Energy & Commerce, chaired by the bill’s co-author, Rep. Frank Pallone, D-N.J.
One of the first witnesses, Caitriona Fitzgerald, deputy director at the Electronic Privacy Information Center, cited more than 20 years of unsuccessful attempts to craft a comprehensive federal privacy law. “The system is broken: Technology companies have too much power, and consumers too little,” she said. The prospective bill is an essential building block, she added.
Some technology organizations and privacy advocates, however, see plenty of flaws in the bill, which they argue does not go far enough to mirror stronger state laws and the ability of consumers to take legal action via a private right of action provision.
The Software & Information Industry Association, TechNet and the Computer & Communications Industry Association sent a letter to Congress on Monday with concerns over the American Data Privacy and Protection Act.
“This is a rather weak, watered-down version of [California Privacy Rights Act] and [Europe’s General Data Protection Regulation],” Vuk Janosevic, CEO of data-privacy company Blindnet, told MarketWatch. Still, he remains “cautiously supportive” of it.
The bill’s shortcomings, Janosevic claims, start with its lax threshold for companies that qualify: A minimum of $250 million in annual revenue under the U.S. legislation, compared with $25 million in California. Compounding matters, the absence of an opt-in requirement in the bill “basically says to tech companies that you can do anything you want with your privacy policy and put the onus on consumers to opt-out,” Janosevic said.
A final weakness is the legislation’s reference to vague “best practices” that leave gray areas, while GDPR and CPRA offer tech companies clear guidance on data protection, immunization and governance, according to Janosevic.