Skip to Main Content
Our Commitment to Diversity

New Legislation Would Establish the First US National Comprehensive Privacy Law

Date: 14 May 2024
US Policy and Regulatory Alert

On 7 April, US House Committee on Energy and Commerce (Energy and Commerce Committee) Chairwoman Cathy McMorris Rodgers (R-WA) and US Senate Committee on Commerce, Science, and Transportation (Commerce Committee) Chairwoman Maria Cantwell (D-WA) released a discussion draft entitled the American Privacy Rights Act of 2024 (APRA). If enacted, the APRA would establish the first national comprehensive consumer data privacy rights law in the United States and could have a sweeping impact. In brief, it would preempt current and future state comprehensive data privacy laws, set standards for the minimization of the collection and use of data, and provide for enforcement by the Federal Trade Commission, state attorneys general, and private rights of action.

The US Congress has tried unsuccessfully for many years to pass comprehensive consumer data privacy legislation. However, the APRA represents a major step forward, and we and others believe it offers the best chance yet of getting such legislation enacted. Why? 

First, the legislation is bipartisan and bicameral. Further, Chair Rodgers, who will retire from the House at the end of this year, has made it her so-called “legacy bill,” which means she has made it her top priority and the one piece of legislation for which she most wants to be remembered. Chair Cantwell also appears excited about the legislation and its chances of passage. In addition, she is up for re-election this year, and passage of the legislation would be applauded by most voters in her state. Other key House and Senate members who have tried to move comprehensive privacy bills in the past have also praised the bill. Additionally, President Joe Biden has urged Congress to pass comprehensive privacy legislation. On 24 April, The Washington Post endorsed the APRA, saying, “Lawmakers shouldn’t waste their best chance yet to make Americans’ online lives safer and more secure.”

The legislation is still in the form of a discussion draft, but we expect Chairs Rodgers and Cantwell to formally introduce it after both have held hearings on it in their respective committees. The purpose of the hearings is to provide both committee members and witnesses an opportunity to comment on the draft and propose changes to it. The Energy and Commerce Committee held its hearing on 17 April, and the Commerce Committee held a privacy hearing on 8 May. 

The House hearing focused on the APRA, but also covered a number of other privacy-related bills, including the Children and Teens’ Online Privacy Protection (COPPA 2.0) Act, the Kids Online Safety Act (KOSA), the Algorithmic Accountability Act, the Data Elimination and Limiting Extensive Tracking and Exchange (DELETE) Act, and the Banning Surveillance Advertising Act. We expect many of the provisions in these bills to be added to the APRA when it is marked up by the Committee. 

However, in the case of the COPPA 2.0 and KOSA bills, Chair Rodgers has indicated she would like to move them separately from the APRA. This is, in part, because the Commerce Committee has already favorably reported these bills from Committee, and the bills have enough votes to pass the full Senate and probably the House as part of other “must-pass” legislation. Up until this point, Chair Rodgers and Ranking Member Frank Pallone (D-NJ) have held the line against passing privacy bills that only protect children and teens’ data and insisted that Congress pass comprehensive privacy legislation that protects the data of consumers of all ages. This may be an effort to ensure that at least the children and teens privacy legislation passes in the event the comprehensive legislation does not make it over the finish line. 

Following the hearings and formal introduction of the APRA, the Energy and Commerce and Commerce Committees are expected to mark up the legislation and favorably report it to the full House and Senate for consideration. We expect this to happen in late May or early June. 

While the discussion draft has generally been well-received, there has been some criticism. Some members of Congress and outside groups have voiced their opposition to the APRA, primarily because of the compromise struck by Chairs Rodgers and Cantwell on two of its key provisions—those on the preemption of state privacy laws and private rights of action.

On 16 April, the California Privacy Protection Agency sent a letter to the Energy and Commerce Committee “outlining the ways in which the [APRA] discussion draft seeks to weaken privacy protections for Californians.” Specifically, the letter claims “landmark legislation, including the ‘California Consumer Privacy Act’ (CCPA) and the ‘California Delete Act,’ could be in jeopardy.”  However, it is worth noting that in 2022 when the Committee favorably reported the American Data Privacy Protection Act (ADPPA) on a 53-2 vote, most of the California members voted for it, and the ADPPA contained a preemption provision similar to the one in the APRA. Then Speaker Nancy Pelosi (D-CA) blocked floor consideration of the bill at the urging of California’s governor and attorney general, but she is no longer Speaker. California has been the most vocal state on the preemption issue, but it will be worth watching to see what the governors from the other states that have passed privacy laws do.

Senator Ted Cruz (R-TX), the Ranking Republican on the Commerce Committee, has also raised concerns with the APRA. According to The Verge, Cruz said he will be “carefully reviewing [APRA] to ensure it doesn’t have the same flaws as the failed [ADPPA].” He continued that he “cannot support any data privacy bill that empowers trial lawyers, strengthens Big Tech by imposing crushing new regulatory costs on upstart competitors or gives unprecedented power to the [Federal Trade Commission] to become referees of internet speech and [diversity, equity, and inclusion] compliance.” As the Ranking Member of the Committee, his views carry considerable weight. On the other hand, many of his Republican colleagues on the Committee previously led efforts to develop comparable comprehensive data privacy bills, including Senator Jerry Moran (R-KS), who issued a statement saying he is pleased the two leaders are “tackling this critical issue” and expects the “Committee to respond with hearings and produce a bill that protects consumers and fosters an environment which promotes innovators and job creators.” Thus, we expect some Committee Republicans to support the legislation and provide Chair Cantwell with more than enough votes to favorably report it from the Committee.   

Once the House and Senate Committees have favorably reported the legislation, the next step will be full House and Senate floor consideration. It could move on its own as a “stand-alone” bill, or it could be combined with other “must-do” legislation. Getting floor time could be challenging, but it is possible.

Not only are Chairs Rodgers and Cantwell motivated to see the legislation enacted, but after many years of debate, other lawmakers would like to see it finally enacted as well. 

For questions on this alert, please contact the members of our Policy and Regulatory team listed above. For data privacy and security compliance issues your business may experience, please contact our Data Protection, Privacy, and Security lawyers, and Cybersecurity and Privacy lawyers. 

Pamela J. Garvie
Pamela J. Garvie
Washington DC
Bruce J. Heiman
Bruce J. Heiman
Washington DC
Scott J. Gelbman
Scott J. Gelbman
Washington DC
Abby Dinegar
Abby Dinegar
Washington DC
Whitney E. McCollum
Whitney E. McCollum
Seattle
San Francisco

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.

Return to top of page

Email Disclaimer

We welcome your email, but please understand that if you are not already a client of K&L Gates LLP, we cannot represent you until we confirm that doing so would not create a conflict of interest and is otherwise consistent with the policies of our firm. Accordingly, please do not include any confidential information until we verify that the firm is in a position to represent you and our engagement is confirmed in a letter. Prior to that time, there is no assurance that information you send us will be maintained as confidential. Thank you for your consideration.

Accept Cancel