The Leadership Conference on Civil and Human Rights Views on Discussion Draft of The American Data and Privacy Act

June 14, 2022

The Honorable Frank Pallone
Chairman
House Committee on Energy and Commerce
Washington, DC 20515

The Honorable Janice Schakowsky
Chairman
Subcommittee on Consumer Protection and Commerce
House Committee on Energy and Commerce
Washington, DC 20515

The Honorable Cathy McMorris Rodgers
Ranking Member
House Committee on Energy and Commerce
Washington, DC 20515

The Honorable Gus Bilirakis
Ranking Member
Subcommittee on Consumer Protection and Commerce
House Committee on Energy and Commerce
Washington, DC 20515

Dear Chairman Pallone, Ranking Member McMorris Rodgers, Chairman Schakowsky, and Ranking Member Bilirakis,

On behalf of The Leadership Conference on Civil and Human Rights, a coalition charged by its diverse membership of more than 230 national organizations to promote and protect the rights of all persons in the United States, we thank you for the opportunity to submit our views on the discussion draft of “The American Data Privacy and Protection Act.” The measure is intended to hold companies accountable for the data they collect and use through establishing long overdue privacy and civil rights protections.  We ask that this statement be entered into the record of the subcommittee hearing entitled “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security” on June 14, 2022.

The Leadership Conference is encouraged by the bipartisan discussion draft of privacy legislation, “The American Data Privacy and Protection Act,” which was released earlier this month.  Last month, more than 70 civil rights and privacy organizations signed a letter calling on Congress to pass a strong law to protect all Americans’ privacy and civil rights.  At that time, we stated that “privacy rights are civil rights.”[1] We also noted the importance of enacting a strong law, recognizing that privacy legislation can empower communities of color and open doors for marginalized populations. Simply put, well-drafted, comprehensive federal consumer privacy legislation will protect civil and human rights.

We have been clear on what needs to be included in privacy legislation:

  • Civil rights protections: With data-driven AI systems becoming more ubiquitous, those systems should not result in discriminatory outcomes or exacerbate existing biases.
  • Privacy protections: The law should require companies to minimize the data they collect; define permissible and impermissible purposes for collecting, sharing, and using personal data; prohibit discriminatory uses of personal data; and provide for algorithmic transparency and fairness in decision-making.
  • Enforcement: Protections are only meaningful if they can be enforced, including by the Federal Trade Commission (FTC), state attorneys general, and individuals.

The civil rights protections in the discussion draft are strong and will protect communities by:

  • Applying protections to the digital age: The bill prohibits the use of personal data to discriminate based on protected characteristics.  This will address data practices and automated decision-making systems that have led to discrimination in housing, employment, credit, education, finance, and other economic opportunities, which has negatively impacted communities of color.
  • Prohibiting algorithmic bias: This bill will prohibit algorithms from reproducing patterns of discrimination in recruiting, housing, education, finance, mortgage lending, credit scoring, healthcare, vacation rentals, ridesharing, and other services.
  • Requiring companies to perform impact assessments: The bill’s impact assessment provisions require companies to identify biases and mitigate harms; large companies like Google and Facebook will be required to assess their algorithms annually and submit annual algorithmic impact assessments to the FTC. Impact assessments must seek to mitigate harms related to: (1) advertising for housing, education, employment, healthcare, insurance, or credit; and (2) access to or restrictions on places of public accommodation, and any disparate impact on the basis of an individual’s race, color, religion, national origin, gender, sexual orientation, or disability status. The FTC is granted rulemaking authority to adopt rules establishing processes for submitting algorithmic impact assessments.
  • Requiring algorithms to be audited for bias: The bill requires companies to evaluate their algorithms at the design phase, which will help identify potential discriminatory impacts before they are deployed. Training data, which can be a cause of bias in AI systems, must be included in the evaluation.  Companies are also required to engage in independent audits during their algorithmic evaluations.

In addition to the civil rights provisions, the discussion draft addresses the remaining elements we believe should be included in privacy legislation:

  • Empowers enforcement by the FTC and state attorneys general and includes a private right of action.
  • Preserves state civil rights laws and other types of state laws that are important for the protection of consumers and marginalized communities.
  • Requires companies to minimize the data they collect and give clarity on permissible and impermissible data uses.
  • Provides individuals rights, including to access, correct, and delete their personal data.
  • Addresses the data broker industry.
  • Creates transparency mechanisms that are helpful to consumers and enable robust oversight, research, language accessibility, and accountability.

While the discussion draft includes a solid framework, it is imperative that the protections in the provisions are resilient and robust.  That means ensuring there are no loopholes that will allow covered entities to avoid compliance and appropriate recourse mechanisms.

The need for a privacy law is more urgent than ever.  Americans want their data protected.  A recent study concluded “just about everyone wants government to play a bigger role in data security with 87 percent of the people in the US and 76 percent of business leaders agreeing that there should be more rules and regulations around data collection and management.”[2]  Another recent survey echoed those results, finding 86 percent of consumers “care about data privacy” and want more control.  The survey noted that “many consumers don’t trust private companies to follow their own policies and treat data responsibly, so they look to the government to provide enforcement and protection.”[3]

Industry agrees that Congress should pass a national law to protect people’s privacy rights. Fifty-one companies, including IBM, Amazon, Dell, General Motors, and Salesforce have called for a comprehensive consumer data privacy law, noting it would enable continued innovation and growth.[4]  They joined companies like Microsoft[5] and Apple,[6] who have also advocated for a federal privacy law.

We look forward to working with the Chairman, Ranking Member, other Committee members, and stakeholders on improving the draft’s provisions to ensure that the bill that is introduced is as strong as possible and includes the strongest possible civil rights protections and enforcement mechanisms.  Congress has a unique opportunity to pass a landmark law, hold companies accountable, and protect the American public.

Thank you for the consideration of our views. If you have any questions about the issues raised in this letter, please contact Anita Banerji, Senior Program Director, Media & Tech, at [email protected], or Frank Torres, Civil Rights and Technology Fellow, at [email protected].

Sincerely,

Maya Wiley
President and CEO

Jesselyn McCurdy
Executive Vice President of Government Affairs

[1] https://civilrights.org/resource/support-a-comprehensive-consumer-privacy-law-that-safeguards-civil-rights-online/

[2] Corporate Data Responsibility: Bridging the Trust Chasm (kpmg.us) (August, 2021)

[3] Cisco 2021 Consumer Privacy Survey

[4] US business leaders voice strong support for federal privacy laws, Letter from the Business Roundtable to Congressional Leaders (Dec. 12, 2019). brt-ceoletteronprivacy-2.pdf (privacylaws.com)

[5] Written Testimony of Julie Brill, Corporate Vice President and Chief Privacy Officer, Microsoft Corporation, before the US Senate Committee on Commerce, Science, & Transportation on Examining Legislative Proposals to Protect Consumer Data Privacy (Dec. 4, 2019). A01E3A8C-0BC4-4B84-A425-8AFDB0F08F2F (senate.gov)

[6] Tim Cook Delivers Keynote Speech to Privacy Group – MacStories (April 12, 2022).