House Energy and Commerce Chair Frank Pallone (D-N.J.), ranking member Cathy McMorris Rodgers (R-Wash.) and Sen. Roger Wicker (R-Miss.), ranking member of the Senate Commerce Committee, the authors of the new privacy bill, said in a statement that, “this bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone.”

Rep. Jan Schakowsky (D-Ill.), chair of the House Energy and Commerce consumer protection subcommittee, said the bill, “will end discriminatory use of your data, it will hold companies to high standards of data security and minimization, and it will prohibit pay-for-privacy practices.”

Right now, Americans’ data are protected — in places — by a patchwork of state and sector-specific privacy laws, like a 1999 law that protects financial information, a 1996 law that protects health information and a 1974 law that protects information gathered by the government.

Legislators have been attempting to pass a national privacy law since the 1970s. The most recent time things looked promising was in late 2019, when bipartisan House Energy and Commerce staff shared a privacy draft bill, and leaders of the Senate Commerce Committee introduced separate measures along partisan lines — but none have advanced out of their committees.

Consumer advocacy and civil rights groups applauded the discussion draft. “Privacy rights are civil rights,” said David Brody, Managing Attorney of the Digital Justice Initiative at the Lawyers’ Committee for Civil Rights Under Law, in a statement. He said the group is encouraged the bill would “curb the rampant data-driven discrimination that occurs due to a lack of privacy protections.”

Industry representatives are also optimistic. “We’re more hopeful than we have been in years that a bipartisan privacy bill can make its way to the president’s desk this Congress,” Carl Holshouser, senior vice president of TechNet, a lobbying group that represents Google, Meta and Amazon, said in a statement.

The compromise bill includes an agreement that the federal law will preempt state laws by default — with exemptions for California and Illinois laws in particular, as well as broad classes of state laws — and certain limited rights for individuals to sue for monetary damages if a company violates their privacy, a setup referred to as “private right of action.” Republicans had previously wanted to preempt all state laws while Democrats wanted individuals to have a broad private right of action.

The compromise bill includes provisions that would require that groups gathering data minimize what they collect. “Covered entities are prohibited from collecting, processing, or transferring covered data beyond what is reasonably necessary, proportionate, and limited to provide specific products and services,” according to a summary of the bill provided by its sponsors.

The bill would also prohibit the transfer of sensitive data to third parties without the “express affirmative consent of the individual to whom it pertains,” according to the summary. It would also require that “large data holders that use algorithms to assess their algorithms annually and submit annual algorithmic impact assessments to the FTC.” It increases online data privacy protections for children under age 17, and would ban targeted advertising to kids under age 17.

If today’s compromise becomes law, it would bring the U.S. closer to par with Europe, which has several such broad privacy rules, including the General Data Protection Regulation, or GDPR.

To be sure, while the bipartisan privacy negotiations are further than ever before, one key negotiator — Senate Commerce Chair Maria Cantwell (D-Wash.) — is skeptical.

In a statement, Cantwell said, “For American consumers to have meaningful privacy protection, we need a strong federal law that is not riddled with enforcement loopholes. Consumers deserve the ability to protect their rights on day one, not four years later.”

The bill includes a four-year moratorium after enactment before any private lawsuits can be brought.

Meanwhile, Cantwell has shared a revised version of her Consumer Online Privacy Rights Act — first introduced in 2019 — with industry and privacy advocacy groups. The updated version would define a “substantial privacy harm” as an alleged financial harm to an individual of $1,000 or more, or an alleged physical, mental or reputational harm. Cantwell’s draft bill would prevent companies from using user-agreements to force individuals to go through arbitration to settle disputes rather than sue in court, according to a draft obtained by POLITICO.

By contrast, the bipartisan draft does not block companies from forcing customers to use arbitration, except when it comes to children. Businesses regularly include such clauses in user agreements and have pushed to maintain that right.

Tricia Enright, a spokesperson for the majority side of the Senate Commerce Committee, said Cantwell wants to hold a markup this month on a bipartisan federal privacy bill along with bills related to children’s privacy.

However, there is little time left in the Congressional calendar before Congress breaks for its August recess and then heads into the midterms. It is unclear whether Congress could get a federal privacy bill across the finish line this year.

Senate Majority Leader Chuck Schumer last week urged Cantwell to quickly finalize a bipartisan agreement, according to a person familiar with a conversation between them who was granted anonymity because they were not authorized to speak on the record. Leadership support is crucial, given the limited number of legislative calendar days left before the midterm elections.

The timeline for action is limited also due to committee leadership changes. Wicker likely has little time left as ranking member on Senate Commerce as he’s indicated he’d take the top GOP leadership role of the Senate Armed Services Committee after the retirement of Sen. Jim Inhofe (R-Okla.). Wicker’s expected replacement on Senate Commerce — Sen. Ted Cruz (R-Texas) — hasn’t been a leader on federal privacy talks.

“This might be the moment that Wicker really can act to have his kind of stamp on a bill before he leaves potentially out of this committee,” Divya Sridhar, the senior director of data protection policy at tech industry group SIIA, said. “So I think there’s some kind of indication that this could be the moment.”

The U.S. Chamber of Commerce has strongly opposed any bill that includes a private right of action. “We are confused and concerned given the fact that it awards attorney fees for plaintiffs — that has the potential to generate class action lawsuits,” said Jordan Crenshaw, head of U.S. Chamber of Commerce’s Technology Engagement Center. IBM also opposes the legislation. Christopher Padilla, IBM’s vice president for government and regulatory affairs, said in a letter to Cantwell, Wicker, Pallone, and McMorris Rodgers that “The best way to avoid the many pitfalls of a private right of action is to not include it.”

Some advocacy groups are also wary. Justin Brookman the privacy and technology policy director at Consumer Reports called the legislation “promising”, but said he doesn’t want the privacy bill efforts to take focus away from tech antitrust bills that have been vetted and advanced out of committee. “It’d be great if we could do both, but I don’t what this effort to distract from that competition effort.”

Emily Birnbaum contributed to this report.