The House Energy and Commerce Committee voted Wednesday to advance sweeping privacy legislation with strong bipartisan support.
The American Data Privacy Protection Act (ADPPA) could see a full floor vote as early as next week, moving forward what would become the nation’s first comprehensive privacy law.
But some lawmakers and privacy experts are now alarmed the legislation may not address some of the most pressing issues related to consumer privacy — reining the massive growth in data brokers that buy and sell the public’s information and curbing potential abuse of commercial data such as reproductive health information.
“The bill before us has a major loophole that could allow law enforcement to access private data to go after women,” said Rep. Anna Eshoo, D-Calif., who voted against the bill. “For example, under this bill, a sinister prosecutor in a state that criminalizes abortion could use against women their intimate data from search histories or from reproductive health apps. That loophole must be addressed.”
One of those loopholes Eshoo referred to is a carveout for data collection needed to comply with state laws, which could include laws criminalizing abortion. Data needed to comply with state laws criminalizing abortion could potentially include a wide range of information such as location and message history.
Critics have also drawn attention to the bill’s exemption for de-identified data, which the American Civil Liberties Union called “ripe for abusive interpretations,” in a letter to the committee Monday. While many firms argue such data is anonymous, experts and even the Federal Trade Commission have pointed out that such claims are often dubious and that using information such as advertising identifiers can reveal sensitive behavioral information.
Sen. Ron Wyden, D-Ore., who has previously expressed he would not vote for the House version of the bill, has similar concerns about the exemption of de-identified data.
“[T]his loophole could allow data brokers to sell location data to the government about visits to reproductive health facilities, for example, or other private information that is trivially easy to connect to individuals,” a Wyden aide wrote in an email to CyberScoop. “He strongly believes this must be fixed before any legislation becomes law.”
Commercial data privacy is increasingly impossible to untangle from broader civil liberties concerns about government surveillance, experts have warned. Numerous federal agencies including the Internal Revenue Service and Department of Homeland Security have purchased commercial data services to use in investigations, avoiding warrants and other oversight mechanisms in the process.
“The overall bill is still weak on controlling all parts of the data brokerage ecosystem,” said Justin Sherman, senior fellow in charge of the data brokerage project at Duke’s Sanford School. “For example, companies selling data collected on their own customers and companies which sell data on the side for additional revenue would not be covered as ‘third-party collecting entities.'”
That exception leaves out, for example, Internet Service Providers with questionable advertising businesses.
“We need to do much more to rein in the harms already occurring to civil rights, consumer privacy, and national security from data brokerage,” said Sherman.
The American Data Privacy Protection Act isn’t the only potential mechanism for Congress to crack down on data brokers or the abuse of their services. For instance, Wyden’s bipartisan and bicameral The Fourth Amendment Is Not For Sale Act would prohibit law enforcement from purchasing data that would otherwise require a warrant. House Judiciary leaders called for a markup of the bill at a hearing on Tuesday.
Several House Energy and Commerce Committee members made clear Wednesday that they would like to see additional discussion before giving the bill their support for a full floor vote. And even if it gets to the Senate, the bill faces strong resistance from Senate Commerce Chair Maria Cantwell, D. Wash., who has previously said she would not bring the bill for markup.