The U.S. House is considering the first bipartisan and bicameral bill to protect consumer data collection and privacy across nearly all sectors, including automakers and car dealers.

A discussion draft on the American Data Privacy and Protection Act (ADPPA) was released earlier this month by U.S. Senator Roger Wicker (R-MS), and U.S. Reps. Frank Pallone (D-N.J.), and Cathy McMorris Rodgers (R-WA). The House Consumer Protection and Commerce Subcommittee held a legislative hearing on the act last week. It would take effect 180 days after the date of enactment.

“After failed efforts over many decades, the ‘American Data Privacy and Protection Act’ (the Act) is the first bipartisan, bicameral national comprehensive privacy and data security proposal with support from leaders on the House Energy and Commerce Committee and the Senate Commerce, Science, and Transportation Committee,” wrote Pallone in a June 10 memorandum.

“The consequence of the current approach to data privacy is that most companies monitor themselves and may generally collect, use, share, or sell data without having to notify the individuals to whom that data pertains. Once that data is in the hands of third parties it may be further sold, combined, and used. The lack of a federal standard is more pronounced in the increasingly digital world.”

The Senate Committee on Commerce, Science, and Transportation said in a June 15 news release that the legislation is “the best opportunity to pass federal privacy framework in decades.”

“This bill would protect consumer data privacy and security and prevent companies from over-collecting and misusing American citizens’ data, all while protecting kids, empowering consumers, and providing strong enforcement mechanisms.”

“Covered data” is defined in the bill as “information identifying, linked, or reasonably linkable to an individual or device linkable to an individual. This includes derived data and unique identifiers, but does not include de-identified data, employee data, or publicly available information.”

The legislation would apply to automakers and car dealers because of its applicability to all entities under Federal Trade Commission (FTC) jurisdiction as well as nonprofits and telecommunications common carriers.

As vehicles become more and more akin to smartphones on wheels, the legislation would be vastly important to owners since all “government-issued identifiers” that aren’t required to be displayed in public would be considered “sensitive” and protected by law. These include Social Security, driver’s license, and passport numbers as well as biometric and genetic information, past or present precise geolocation information, private communications, online activities over time and across third-party online services, information related to children under 17; calendar, address book, and phone information; texts, photos, audio, and video recordings, and more.

The bill would prohibit sensitive data from being collected, processed, or transferred to a third party “without the express affirmative consent of the individual to whom it pertains” and individuals must be given “clear, conspicuous, and easy to use means” for withdrawing their consent. Individuals would also have the right to access, correct, delete, and transfer covered data that pertains to them.

During the June 14 legislative hearing, subcommittee Chair Jan Schakowsky, D-Ill., called the legislation “pivotal” for consumer data privacy.

“Americans have been demanding that we act. They have often felt helpless online, but now we are going to be able, I hope, to pass a bill that on the very first day we will be able to protect them from the ‘take it or leave it’ kind of terms so that they’re able to get what they want,” she said, in reference to the bill’s opt-in approach to data collection. “They can access all of their data that they can correct, delete and transfer their data. That we will provide certainty for the data for the business community and that we will have space for innovation and protection for small businesses.”

While the legislation may not specifically apply to repairers, it drives home the importance of shops making sure they do all they can to protect their customers’ personally identifiable information (PII) during repairs, which should include knowing what the third parties they work with collect and use. The Collision Industry Conference (CIC) Data Access, Privacy & Security Committee plans to cover the topic in a presentation titled “Data Control in the Collision Repair Industry” at the July 21 meeting in Pittsburgh. An expert panel will discuss what shops need to know about using customers’ VINs when it comes to privacy and permissions as well as the negative impact third-party reporting of estimate damage can have on shops and consumers.

According to the bill, “a baseline duty” would be imposed on all covered entities “not to unnecessarily collect or use covered data in the first instance, regardless of any consent or transparency requirements.”

“Specifically, covered entities are prohibited from collecting, processing, or transferring covered data beyond what is reasonably necessary, proportionate, and limited to provide specific products and services requested by individuals, communicate with individuals in a manner they reasonably anticipate given the context of their relationship with the covered entity, or for a purpose expressly permitted by the Act.”

Under the bill, the FTC would be required to establish and maintain an online, public, searchable registry of registered third-party collecting entities for use by the public to look up information on them including contact information and a way to request that their data be deleted within 30 days. The FTC would also have to conduct a study “to determine the feasibility of created centralized opt-out mechanisms to ease individuals exercise of their rights to opt-out of covered data transfers” and create a new, fully operational bureau within a year from enactment to carry out its authority under the act.

Violations of the act would be considered an unfair or deceptive act or practice under the FTC Act and would carry civil penalties for initial and subsequent violations in addition to “other relief.” State attorneys general and chief consumer protection enforcement officers would be able to bring cases under the act to court for injunctive relief, to obtain damages, penalties, restitution, or other compensation, and reasonable attorney’s fees as well as other litigation costs but the FTC  would retain the right to intervene.

Four years after the effective date of the act, individuals or classes would be able to sue under the act in federal court for compensatory damages, injunctive relief, declaratory relief, and reasonable attorney’s fees and litigation costs.

State laws covered by the act are preempted except for those on a list defined in Section 404 that would be preserved including but not limited to generally applicable consumer protection laws, civil rights laws, employee and student privacy protections, data breach notification laws, contract and tort laws, and criminal laws regarding fraud, theft, identity theft, unauthorized access to electronic devices.

Pallone wrote in his memorandum that California, Virginia, Colorado, Utah, and Connecticut “have acted to try and fill the federal void” and they “materially vary in their scope, protections, obligations, and enforcement mechanisms.”

“The consequence of the current approach to data privacy is that most companies monitor themselves and may generally collect, use, share, or sell data without having to notify the individuals to whom that data pertains. Once that data is in the hands of third parties it may be further sold, combined, and used. The lack of a federal standard is more pronounced in the increasingly digital world.”

Pallone references a 2019 Pew Research Center survey of 4,272 American adults on data privacy. Fifty-two percent of respondents said they decided not to use a product or service because they were worried about how much personal information would be collected about them. Twenty-one percent said they decided not to use particular websites over concerns about how much personal information would be collected and 11% quit using certain electronics for the same reason, according to the survey results.

Last week, the Senate’s Commerce, Science, and Transportation Committee shared comments of support from organizations and companies. Information Technology Industry Council (ITI) Senior Vice President of Policy and General Counsel John Miller said the technology sectors has for several years had the same goal that the act aims for and called it “tangible progress toward that goal.”

“In terms of both its scope and potential impact, the draft bill represents not only a significant contribution to the evolving domestic and global conversation on privacy legislation, but arguably an inflection point on par with Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), due not only to robust protections it aspires to achieve for the American people but also for its wide-ranging and potentially disruptive impact on businesses across every sector of the U.S. economy and data innovation, including longstanding business models that have helped fuel the internet’s development and corresponding economic growth.”

Graham Dufault — senior director for public policy of The App Association, which represents more than 5,000 app makers and connected device companies — said the association is “pleased that Congress is taking meaningful steps toward a federal privacy framework, which policymakers should pursue to the exclusion of antitrust proposals that would manifestly weaken data privacy and security protections for your constituents.”

IMAGES

Featured image credit: uschools/iStock