The bipartisan privacy proposal that's reignited a debate about federal protections for internet users is "unworkable," according to a major business group.
The American Data Privacy and Protection Act "as drafted is unworkable and should be rejected," the U.S. Chamber of Commerce wrote in a draft letter to congressional leaders on the issue, in a copy obtained by CNBC on Thursday. The Chamber later updated the letter to say the act is "unworkable at this time," but removed the suggestion that it should be rejected.
The draft letter, which could still change before it's sent to lawmakers, is an early sign of how corporations will seek to use their influence around the renewed privacy negotiations. Lawmakers have spent years stalemated on key questions about how privacy protections should be carried out, but the new proposal introduced on Friday attempts to thread a delicate needle on those hot button points.
The bill would give consumers protections and more control over their data online and require companies to minimize the amount of information they collect on users.
The Chamber doesn't agree with how the proposal deals with those two components: preemption of state laws and the right of individuals to sue over violations.
The ADPPA, a discussion draft released by House Energy and Commerce leaders Reps. Frank Pallone, D-N.J., Cathy McMorris Rodgers, R-Wash., and Sen. Roger Wicker, R-Miss., the Ranking Member on the Commerce Committee, takes a unique approach to the two issues. The proposal would preempt state consumer data privacy laws, with the exception of Illinois' biometric privacy protection act and a section of California's privacy law related to data breaches. But it would allow other adjacent categories of consumer protection laws to remain enforceable, like laws around cyberstalking or facial recognition.
The Chamber took issue with those carve-outs.
"A national privacy law should be a true national standard but the bill's preemption language carves out fifteen different state laws including those in California and Illinois," the group wrote. "This legislation would create a new national patchwork of privacy laws."
The discussion draft also includes a private right of action, which allows individuals who believe their rights were violated to sue companies for that alleged violation. It's something Democrats have advocated for and Republicans have mostly opposed, though Wicker had begun indicating his openness on it in earlier hearings. But the private right of action would take four years from the bill's enactment to become enforceable.
The Chamber argued in the draft letter that would "encourage abusive class action lawsuits against legitimate business made worse by the ADPPA's many subjective standards that would result in massive litigation, costs, and fees which the bill would grant to plaintiffs' attorneys."
Notably missing from that proposal was Senate Commerce Committee Chair Maria Cantwell, D-Wash., who released her own privacy proposal along with other Senate Democrats. In a statement after the ADPPA was released, Cantwell said, "For American consumers to have meaningful privacy protection, we need a strong federal law that is not riddled with enforcement loopholes. Consumers deserve the ability to protect their rights on day one, not four years later."
Sean Kelly, a spokesperson for Rodgers of the House Energy and Commerce Committee, called the Chamber's position "disappointing."
"They are not being constructive by asking Congress to abandon ongoing bipartisan, bicameral efforts on a federal privacy standard," Kelly said in an emailed statement, adding that the legislators are continuing to "welcome and encourage stakeholder feedback."
The Chamber has previously urged Congress to pass a federal privacy law to prevent a patchwork of state laws. But it said this one does not fit the bill.
"Unfortunately, the ADPPA was released with less than two months before the August recess, and we believe that a bill that is so novel, complex and far-reaching into the businesses practices of nearly every industry like the manufacturing, retail, financial services, hospitality, and innovation sectors should not be rushed through the last six months of the 117th Congress," the group wrote. "National data privacy legislation deserves meaningful input from advocates and industry alike."
