Technology

Tech privacy bill pits GOP chair against House leaders

Rep. Cathy McMorris Rodgers (R-Wash.) is seen during a House Energy and Commerce subcommittee hearing to examine bias at National Public Radio on May 8, 2024.

A bipartisan data privacy bill is splitting House Republicans and pitting the chair of the powerful House Energy and Commerce Committee against House GOP leadership.

House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.) and Senate Commerce Committee Chair Maria Cantwell (D-Wash.) are spearheading the American Privacy Rights Act, a long-awaited bill that would create federal comprehensive data privacy regulations.

The legislation would be a major career accomplishment for McMorris Rodgers, who is retiring from Congress at the end of the year. But top GOP leaders have made their opposition to the bill in its current form known to GOP members, raising doubts about it ever coming for a vote.

“There have been a lot of concerns expressed about different parts of the bill for months now,” House Majority Leader Steve Scalise (R-La.) told The Hill.

The Energy and Commerce Committee was scheduled to consider the American Privacy Rights Act at a Thursday markup that was abruptly cancelled after the publication of this article.

While both McMorris Rodgers and House leaders indicated Wednesday the markup could proceed, visible signs of conflict were apparent leading up to the cancelled hearing.

McMorris Rodgers and Speaker Mike Johnson (R-La.) were spotted in what appeared to be a tense conversation off the House floor Wednesday.

“I’m committed to working with leadership and hoping to continue to take steps to move it forward,” McMorris Rodgers had earlier told The Hill. 

“It is urgent for Congress to act on behalf of our children and on behalf of our nation to protect people online,” she added.

Johnson said that while the objective of the bill is important, the details have given people concerns. 

“I told her I’m committed to working with her to try to find a solution to those concerns, and it’s going to take a little bit more work,” Johnson said. “If they do the markup, that’s not the end of it. We’ll address the marked up version and go back to back to further discussion and bring in the interest groups and the people who have concerns about it and see if we can alleviate this concern.”

Scalise added that he hopes the issues with the bill are resolved in committee.

The American Privacy Rights Act would establish data privacy rules, seeking to create one federal law rather than the patchwork emerging of state rules and to bring the U.S. in line with other countries that have pushed ahead with data privacy regulation. The bill would give people more control over their data, including adding requirements that would let users opt out of targeted advertising and data transfers.

A key bipartisan balance the bill sought was between allowing for preemption of state laws, which Republicans had been pushing for, while allowing consumers to seek financial damages through court, which Democrats had sought. 

But that ability to take legal action — known as a private right of action — is a main point of opposition for leadership.

“The private right of action is a big concern — the fact that you can unleash trial lawyers on every small business in America,” Scalise said. “We saw the abuses under the patent troll issue we had for years, small businesses getting attacked by trial lawyers over things that they never did wrong, and yet they had to spend thousands of dollars each to make it go away.”

Rep. Gary Palmer (R-Ala.), an Energy and Commerce Committee member and lower-ranking member of leadership as chair of the Republican Policy Committee, also said fear of excessive lawsuits is driving GOP opposition to the bill.

“It’s one of those things where maybe there’s a lot of unintended consequences that could result,” said Palmer, who added that he was still assessing the bill. “But the intent is right in trying to protect people, particularly children, in their privacy.”

The version of the bill the committee will debate Thursday has been updated since it advanced out of a subcommittee meeting last month. Some of those changes have sparked other criticism of the legislation, in addition to concerns raised by Republican leadership. 

Dozens of civil society organizations, including the American Civil Liberties Union, NAACP and the Human Rights Campaign, sent a letter to the committee chairs Tuesday urging them to postpone the markup and reverse an update that removed “key civil rights protections and algorithmic auditing provisions.” The groups underscored the need for the protections, given the lack of artificial intelligence (AI) regulations.

“The deletion of these provisions is an immensely significant and unacceptable change to the bill and its scope. They should not have been removed. Even worse, they were removed without prior stakeholder consultation and without studying the impact to the bill’s ability to address data-driven discrimination in housing, employment, credit, education, health care, insurance, and other economic opportunities,” the groups wrote. 

“Failing to include sufficient safeguards means Congress will leave all people in America unprotected from harmful AI technology.”

The Center for Democracy and Technology, which has funding from large tech companies, was among signatories of the letter. The CDT also raised concerns about the current text of the bill including an exclusion for “on-device data” from the bill’s regulations. 

Eric Null, co-director of the CDT’s Privacy & Data Project, said the exemption is “far too broad” and “seems to be a giant loophole in the bill.” 

Business and advertising groups are also pushing back on the legislation, adding to the many hurdles McMorris Rodgers and Cantwell face to get a privacy bill passed before the end of the session in a contentious election year.

The bill has support, however, from the Heritage Foundation, a highly influential conservative think tank. Kara Frederick, director of Heritage’s Tech Policy Center, said in a statement last week that unrestricted collection of data “is at the root of nearly every challenge we face as conservatives” and “has given rise to a host of threats that undermine our fundamental rights and values.”

The legislation on track for debate Thursday kept in place provisions on state preemption, which may trigger backlash from members of the California delegation, who have raised concerns about federal laws preempting the regulations put in place by the state. The updated version of the text, though, does include an exemption regarding laws about minors.

The bill would put in place an exemption that any state law that “provides greater protection to children or teens” will not be prohibited, setting a floor rather than a ceiling for state-level protections for minors.

Kids’ online safety has emerged as a rare point of bipartisan agreement in Congress. During Thursday’s meeting, the committee will also mark up the Kids Online Safety Act, a bill that would regulate how tech platforms operate for minors online.

A Senate version of the Kids Online Safety Act has more than 60 co-sponsors but has yet to get a vote in the Senate.

Updated at 10:59 a.m. ET. Mychael Schnell contributed.