House and Senate committee leaders on Sunday evening unveiled a discussion draft of their latest effort to create a national data privacy law via the American Privacy Rights Act of 2024, which notably features provisions that would allow people to opt out of the use of their data for creating algorithms that could impact a host of major life decisions.
The discussion draft of the bill released by Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell, D-Wash., and House Energy and Committee Commerce Committee Chair Cathy McMorris Rodgers, R-Wash., aims to set clear, national data privacy rights and protections for Americans.
Those proposed data privacy rights would limit the ability of big tech companies like Meta and TikTok to use Americans’ data without their permission – including through the use of algorithms that often fuel artificial intelligence applications.
The American Privacy Rights Act of 2024 is similar to legislation introduced during the 117th Congress but failed to make it out of the House.
On the algorithm front, the new draft legislation would allow individuals to opt out of a company’s use of algorithms to make decisions about housing, employment, healthcare, credit opportunities, education, insurance, or access to places of public accommodation – all hot-button issues for Congress when it comes to trying to prevent bias in AI-driven tools.
The draft legislation would require annual reviews of algorithms to ensure they do not put individuals at risk of harm, including discrimination. The Federal Trade Commission (FTC) would be tasked with issuing guidance to comply with this section, the lawmakers said.
“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said Chairs Rodgers and Cantwell.
“It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress,” the lawmakers said. “Americans deserve the right to control their data and we’re hopeful that our colleagues in the House and Senate will join us in getting this legislation signed into law.”
The draft legislation also would preempt existing state data privacy laws by “setting one national privacy standard, stronger than any state,” the lawmakers said.
They emphasized that the American Privacy Rights Act would put people in control of their own personal data by:
- Giving Americans control over where their personal information goes, including the ability to prevent the transfer or selling of their data. The bill also would allow individuals to opt out of data processing if a company changes its privacy policy;
- Requiring affirmative express consent before sensitive data can be transferred to a third party;
- Requiring companies to let people access, correct, delete, and export their data; and
- Allowing individuals to opt out of targeted advertising.
“This landmark legislation gives Americans the right to control where their information goes and who can sell it. It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent,” said Rep. Rodgers. “I’m grateful to my colleague, Senator Cantwell, for working with me in a bipartisan manner on this important legislation and look forward to moving the bill through regular order on Energy and Commerce this month.”
The proposed legislation would establish robust enforcement mechanisms to hold violators accountable, including a private right of action for individuals, by authorizing the FTC and individual states to enforce against violations.
“A federal data privacy law must do two things: it must make privacy a consumer right, and it must give consumers the ability to enforce that right,” said Sen. Cantwell. “This bipartisan agreement is the protections Americans deserve in the Information Age.”
The lawmakers noted that the proposed bill will establish strong data security obligations by mandating security standards that will prevent data from being hacked or stolen – which limits the chances for identity theft – and by making executives take responsibility for ensuring that companies take all actions necessary to protect customer data.
Notably, the proposed legislation states that small businesses that make less than $40 million in annual revenue and retain data from less than 200,000 individuals would be exempt from this law.
The American Privacy Rights Act was first introduced in June 2022 on a bipartisan, bicameral basis. It passed the House Energy and Commerce Committee on a vote of 53-2 but stalled in the House after that.
The discussion draft released on Sunday comes just seven months before the 2024 elections – making for a tight timing window to consider the bill during the busy election season. Moreover, Rep. Rodgers is set to leave Congress in January 2025.
As they begin to grapple with AI-related legislation, some lawmakers have made a case that passing a comprehensive data privacy law at the Federal level will be the key to putting successful guardrails around AI.
“AI has so many different applications – from auto filling text messages or Excel spreadsheets all the way to generating unique images and speeches – but at the base of these applications is that need to collect properly permissioned information to train and grow these AI models,” House Energy and Commerce Innovation, Data, and Commerce Subcommittee Chairman Gus Bilirakis, R-Fla., said during a hearing on Capitol Hill last year.
He continued, “Without a data privacy and security standard that dictates the rules for how companies can collect, process, store, or transfer information, bad actors may have unfettered access to use and exploit our most sensitive information.”
