Axios Pro Exclusive Content

Inside the CMR-Cantwell data privacy bill

Illustration of a hand in a suit pulling a shade down on a computer screen

Illustration: Sarah Grillo/Axios

Lawmakers on Sunday unveiled the American Privacy Rights Act, reviving efforts to pass a comprehensive data privacy law.

Why it matters: The discussion draft bill addresses some of the thorniest issues that have plagued previous efforts to pass a data privacy law, including preemption and private right of action, and aims to empower Americans to take control of their data.

  • The bill is bipartisan and bicameral, with Senate Commerce Committee Chair Maria Cantwell and House Energy and Commerce Chair Cathy McMorris Rodgers joining forces.
  • House and Senate aides told reporters on a Sunday call that there's no "target date" for introduction yet.

What's inside: Consumers would be able to sue when companies violate their privacy rights and seek monetary damages, among other forms of relief.

  • In addition to individuals being able to sue, a new privacy office at the FTC and state attorneys general would also enforce the bill.

The federal standard would preempt state laws while preserving sector-specific state laws that protect financial, health, employee and educational data.

  • People in California and Illinois could continue to seek statutory damages under their state laws for violations regarding data that is lost in a breach or biometric information that's been collected.

The bill targets data brokers by establishing an FTC registry with a "do not collect" tool for people to request that all data brokers stop collecting their data.

  • Companies would have to minimize how much data they collect and, for people's most sensitive data, companies would have to get explicit consent before transferring it.
  • People would be able to access, correct, delete and export their data and opt out of targeted advertising.

The intrigue: Big tech players are usually the first to come to mind on data privacy issues, but the bill covers telecom companies and nonprofits that handle troves of data, too.

  • Telecom companies already are under heightened scrutiny as the FCC gears up to boost its regulatory oversight of them, including on privacy matters.
  • The draft bill would bring telecommunications companies under FTC regulation for privacy and security rather than being separately regulated by the FCC.

The bill wades into AI issues, giving people the option to opt out of algorithms that make decisions about housing, employment, healthcare, credit opportunities, education, insurance or access to places of public accommodation.

  • The bill would require annual reviews of algorithms to ensure they don't put individuals, including minors, at risk of harm, including discrimination.
  • House and Senate Commerce staff said they see kids' online privacy and safety legislation advancing in tandem with the comprehensive bill: "I think there's just a way to work all of these things together as we go forward," a staffer said.

What's next: The lawmakers will have to formally introduce the bill in both chambers.

  • Aides told reporters this effort is more significant than past attempts to get privacy legislation passed because of the bicameral, bipartisan nature of this deal, along with mounting concerns about AI, kids' privacy and apps like TikTok.
Go deeper