On June 3, 2022, members of the U.S. Congress released a bipartisan, bicameral discussion draft of a comprehensive national data privacy and data security framework. The draft is notable in that it reflects a compromise on the two issues that have for years vexed lawmakers angling for federal privacy legislation: preemption and private right of action. The House Energy and Commerce Committee has announced a hearing for June 14 to discuss the draft.
The discussion draft has become widely known as the “three corners” bill, because it has the support of three of the four “corners” of the relevant committees: the Chair and Ranking Member of the House Energy and Commerce Committee and the Ranking Member of the Senate Commerce Committee. Notably, the fourth “corner,” Senate Commerce Committee Chair Maria Cantwell, is circulating her own draft.1 While there are similarities between the two drafts, the differences reflect the likely sticking points among the negotiators.
Overlap and Similarities
Both drafts would apply to all entities within the Federal Trade Commission’s (FTC) jurisdiction, along with common carriers and nonprofit entities. They would both require these entities to do the following:
In terms of the enforcement scheme, both bills would do the following:
The three corners draft includes some provisions not present in the Cantwell draft, but that Senator Cantwell would likely support, including: 1) the creation of a data broker registry and an option for consumers to have data brokers refrain from collecting their data; 2) additional protections for children and teens; 3) an expansive definition of “affirmative express consent,” which includes a prohibition on seeking consent through dark patterns; and 4) a requirement that companies disclose whether they are transferring personal data to Russia, China, Iran, or North Korea. These provisions were likely added by Democratic sponsors, and Senator Cantwell would probably agree with their inclusion; they presumably were added to the three corners bill later in the drafting process and therefore did not make it into Senator Cantwell’s draft.
Differences and Sticking Points
There are some areas where the two bills diverge, signaling likely sticking points in the negotiations:
Takeaways
So, what is the bottom line? Will there be federal legislation this year? Here are some takeaways:
For additional assistance with regulatory compliance regarding privacy, security, and consumer protection laws, please contact Wilson Sonsini attorneys Laura Ahmed, Dan Chase, Maneesha Mithal, or Libby Weingarten.
[1]While Chair Cantwell has not officially released her legislation, we reviewed a widely circulated draft.
[2]Only “large data holders” would have to do this under the Cantwell bill. See discussion of large data brokers below.
[3]Service providers are not considered third parties under either draft bill.
[4]The Cantwell bill preserves “laws related to biometric or genetic information,” whereas the three corners bill specifically preserves Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act, but it would presumably preempt other laws in the biometrics or genetics space. The Cantwell bill also would preserve state criminal or civil laws “regarding malicious conduct involving use or misuse of personal information.”