A "fresh wrench", two hearings, and a busy week: Federal Privacy Legislation Update, July 17
With less than a month before Congress leave town again, this will be a busy week on the federal privacy legislation front.
With Congress in session for just a few more weeks before their next recess, this will be a busy week on the privacy legislation front. It starts with two important hearings on Tuesday.
- At 7:00 am Pacific time (10 am Eastern), the House Judiciary Committee's hearing on Digital Dragnets: Examining the Government's Access to Your Personal Data discusses the The Fourth Amendment Is Not For Sale Act, which prohibits data brokers from selling their data to government agencies.
TAKE ACTION: Tell Congress: The Fourth Amendment is Not For Sale using EFF's handy web form
- And at 7:30 am Pacific (10:30 am Eastern) Tuesday, the House Energy & Commerce Committee has a hearing , on Roe Reversal: The Impacts of Taking Away the Constitutional Right to an Abortion. Danielle Citron's The End of Roe Means We Need a New Civil Right to Privacy discusses the role of the Rep. Sara Jacbos' My Body My Data Act and the Warren/Wyden/Murray Health and Location Data Privacy Act in a post-Roe world.
TAKE ACTION: Tell Congress to Pass the “My Body, My Data” Act
House Energy & Commerce is also working on the American Protection and Privacy Act (ADPPA) consumer privacy bill.
UPDATE: ADPPA markup is scheduled for Energy & Commerce's Wednesday morning session, which starts at 6:45 am Pacific time (9:45 am Eastern).
They had originally planned to release a new version early last week and then have a markup session. But it didn't work out that way.
As Maria Curi reports in California Democrats Demand Stronger Privacy Protection Bill on Bloomberg Government:
Momentum has gathered behind a bipartisan, bicameral effort to pass a federal privacy law (H.R. 8152)....
But as the committee gears up to hold a vote next week, a fresh wrench has been thrown in the bill’s path. California Democrats want to make sure the federal standard doesn’t weaken their state law by taking precedent over it.
A "fresh wrench" destroying the bipartisan, bicameral "momentum"!
Take it with a grain of salt. Yes, preemption is a real issue – in general, and specifically for California. Rep. Anna Eshoo (who represents a large portion of Silicon Valley) was very clear about this at ADPPA's first hearing in mid-June: "Federal privacy legislation cannot undermine California's privacy laws."
But a "fresh wrench" it's not.
Lobbyists gonna lobby ...
What's really going on here? The quote from "former FTC chair" Jon Leibowitz arguing that the federal law is better than California's provides a clue.
As the article doesn't mention, Leibowitz is now an industry lobbyist. 2015's The ‘Privacy Coalition’ That Wants to Trim Data Regulations for Telecom Giants and 2017's California’s Internet Privacy Legislation Being Undermined by Industry-Funded Privacy Group have more about the 21st Century "Privacy" Coalition he co-founded, with funding from Comcast, AT&T, Verizon, Time Warner Cable/Charter Communications, DirecTV.
Leibowitz talked about his strategy for getting industry-friendly legislation in a February Wall Street Journal opinion piece How Congress Can Protect Your Data Privacy (which also didn't mention that he's a lobbyist):
Pass a federal law stronger than any of the existing state laws and pre-empt only direct conflicts. That is easily achievable because the three state laws that have passed—in Virginia, Colorado and California—are either weak or riddled with loopholes. Even the strongest of the trio, California’s, largely limits only the transferring of data and not its collection.
In other words, pass something just a bit stronger – but still filled with loopholes – federally, and preempt future stronger laws.
Todd Feathers reported on this strategy in 2021's Big Tech Is Pushing States to Pass Privacy Laws, and Yes, You Should Be Suspicious on The Markup. Feathers' and Alfred Ng's 2022 Tech Industry Groups Are Watering Down Attempts at Privacy Regulation, One State at a Time, also on The Markup, has more discussion. And here in Washington state, Big Tech also used the strategy of comparing the Bad Washington Privacy Act favorably to weak state legislation as a way of shifting the conversation away from the bills weaknesses.*
That escalated quickly
"A memo comparing the measures prepared by three prominent nonprofits and shared with The Technology 202 argues that the federal bill’s consumer protections are equal to or better than the California law in a vast majority of areas." https://t.co/ywuWC7frF2— EPIC (@EPICprivacy) July 15, 2022
The very next day, Cristiano Lima's Federal privacy bill trumps California’s law, advocates say followed up on Leibowitz' talking point.
"Privacy and civil rights advocates are pushing back on criticisms from California officials that a federal privacy bill would weaken protections in the state, arguing that the bipartisan measure recently unveiled in Washington is even stronger than California’s landmark law."
Lima included quotes from Alan Butler of EPIC Privacy and David Brody of Lawyers' Committee on Civil Rights highlighting ways in which the ADPPA is stronger than California's CPRA. He also links out to a nicely-designed side-by-side (from EPIC, Lawyers' Committee, and Center for Democracy and Technology (CDT)) with more details. They sure turned that around fast! It's almost like they expected this "fresh wrench" and had their talking points and collateral ready to go.
So despite the concerns about lost "momentum", the short-term result was a great news cycle for ADPPA supporters. The main message people in DC heard going into the weekend is that privacy and civil rights advocates are defending ADPPA and saying it's "even stronger" than California's.
And then over the weekend, Future of Privacy Form Senior Fellow Omer Tene and "thought leader" Cameron Kerry of Brookings chimed in with threads reinforcing the talking point that ADPPA is stronger than California's law.
From industry's perspective, this a much better conversation to be having have than other thornier issues – for example, the concerns that Wyden and others have raised that ADPPA “unfortunately would not do enough to protect fundamental rights of a woman over her own body and her privacy”.
Just how strong is ADPPA's enforcement?
But regardless of whether or not ADPPA is or isn't stronger than California's law, are its enforcement provisions strong enough to protect us and our data? Here's some of the issues that privacy and civil rights advocates have highlighted:
- EFF, Common Sense and other groups have questioned whether the ADPPA gives the FTC the funding and authority it needs to enforce it. UPDATE: Consumer Reports also highlights this concern in their July 17 letter.
- Public Knowledge discusses how the ADPPA undercuts FCC enforcement authority
- Maine's AG says ADPPA in its current form would set a ceiling below the state's legislation that protects consumers against abuse by Internet Service Providers (like the ones funding the 21st Century Privacy Coalition).
- Privacy and civil rights advocates at Electronic Frontier Foundation and Disinfo Defense League groups including Media Justice, Access Now, Free Press, Common Cause, Muslim Advocates, Kairos Action, and Asian Americans Advancing Justice all oppose federal preemption of state privacy laws. UPDATE: Consumer Reports does too.
- The ADPPA's private right of action won't even exist for four years. Even then is limited, so doesn't cover violations of the data minimizaiton requirements. It doesn't include statutory damages. It puts up significant barriers that mean people have to "jump through arbitrary, drawn-out hoops" to sue. And ADPPA's right to cure is a get-out-of-jail free card for most businesses with an annual revenue up to $41 million/year.**
And a July 1 memo from California Privacy Protection Agency (CPPA) says that the ADPPA takes away nearly all of their enforcement authority:
[W'hile ADPPA states that a State Privacy Authority can take civil action to enforce the ADPPA, the definition of state privacy authority does not adequately identify the CPPA, nor can the Agency take civil action, since it has administrative enforcement authority only.
So on top of all the other isues, the bill in its current form takes away nearly all the enforcement authority of the country's largest and best-funded state privacy agency.
Put it all together and ... well, your mileage may vary, but as of right now ADPPA's "strong enforcement" looks pretty darned weak to me.
I can certainly see why its supports would rather be talking about whether or not it's better than California's law.
What next on preemption?
It could well be that Leibowitz et. al. are just posturing, and the industry plan is to demand concessions on other fronts in return for a "compromise" on preemption: add California's privacy law to the already-long list of preemption exceptions, give the California Privacy Protection Agency the authority they need, and hangs Maine, Washington, and all the other states that also don't want to be preempted out to dry. Then again, maybe they'll make some minor improvements in the ADPPA to address the CPPA's concerns, after which California's legislators can say they've fought for Californians' privacy rights and are now willing to "compromise" for the good of the country and go along with something preemptive.
Either one of thse approaches will let ADPPA's supporters talk about how this dramatic "compromise" has restored the bill's "momentum," and how now's the best time to make further "compromises" to push it over the finish line. They'd also put pressure on Senate Commerce Chair Maria Cantwell, who's been pushing to get state preemption completely removed, to "compromise" and settle for something that protects Californians but not Washingtonians.
But it might not work out that way. Most privacy advocates will continue to press to remove all state preemption. Republicans contine to press to remove ADPPA's current preemption exceptions and make the bill fully preemptive. So another short-term option, probably the path of least resistance, is to keep punting on resolving this issue, and instead hold it open so that they can try to keep the conversation focused on comparing the ADPPA to the GDPR.
We shall see.
TAKE ACTION: If you're on Twitter, like or retweet the Maine AG's concerns about preemption and my tweet asking Washington Democratic members of Congress to follow California Democtrats' lead and fight for their constituents' privacy rights by removing ADPPA's state preemption
What else to look for in the markup
Preemption is only one part of the overall enforcement picture. When the new version of ADPPA drops, will it actually give CCPA the authority it needs? Will it clarify FTC funding and authority? Will it stop undercutting the FCC? Will the private right of action improve – or be further weakened?
And enforcement's only the tip of the iceberg. There's also the elephant in the room: how far will the new version go to address concerns that ADPPA “does not adequately protect against” the privacy threats posed by a post-Roe world? Wyden's statement to the Washington Post focused on the deidentified data loophole, which he says would "make trivially easy to re-identify supposedly anonymous data and put women's privacy at risk."*** And there are also a lot of other loopholes that put people seeking or providing abortions at risk.
UPDATE: Consumer Reports' letter has an excellent discussion of how the subcommittee's amendment weakened the deidentified data language, starting at the bottom of page 4.
A few other issues I'm following closely:
- The subcommittee's markup added new exemptions, including one for companies who are collecting, processing, or transferring data on behalf of government agencies (an approach the military uses this approach to surveil Muslims and ICE uses to target immigrants). Will any of these changes get undone in the committee markup? Or will there be some other new exemptions?
- The algorithmic auditing section still falls short of the much stronger provisions in the Automated Accountability Act of 2020 and the Algorithmic Justice League's "Who Audits the Auditors?" recommendations. How much will the new version improve the language?
- The subcommittee's markup also removed race, religion, ethnicity, and union membership from the list of "sensitive data," so it no longer requires opt-in consent to be shared, sold, or used for some purpose other than it was collected for. What does "sensitive data" even mean if race and religion aren't considered sensitive?
Once the new version drops, there will be a flurry of activity as everybody analyzes it to see what's changed – there's only a short window of time to provide feedback to committee members before the markup session. From there, Cobun Zweifel-Keegan of IAPP has an excellent thread describing the markup process; it ends with the committee voting on an amended version of the bill. If the committee advances it, then ADPPA's next stop will probably be the House floor.
* A few examples:
- Microsoft Chief Privacy Officer Julie Brill described the 2019 version of Bad Washington Privacy Act (Bad WPA) as the "strongest set of privacy protections in the United States" and included a paragraph on "robust enforcement" in her post on Microsoft's blog.
- Brill's 2020 post on how the new version of the Bad Washington Privacy Act "raises the bar for privacy in the United States" also talked about "strong enforcement" – even though the AG had said the law was unenforceable.
- In 2021, a disinformation-filled "quick summary" document industry lobbyists circulated started by asserting "The Bad Washington Privacy Act, if passed, will be the strongest consumer data privacy in the nation."
- From 2021's Criticism and praise for at the hearing for SB 5062 (the Bad Washington Privacy Act):
The Washington Technology Industry Association talked about the "strong privacy protections" in the bill. The CEO of a Seattle online gaming company lauded its "very strong privacy protections for consumers." Microsoft described it as "the strongest privacy protections in the US."
- In 2022, Washington Tech Industry Association lobbyist Michael Schutzler's misleading Seattle Times opinion piece said the Bad WPA would have been "the country's strongest privacy bill."
Hey wait a second, I'm noticing a pattern here.
** California's CPRA doesn't have a private right of action at all for most violations, so rather than focusing on the enforcement questions in general, the EPIC/Lawyers' Committee/CDT side-by-side shows ADPPA's eventual weak, and cumbersome private right of action as a plus because it's better than nothing. It's a great example of how useful it is for industry when the focus is on comparisons to other weak bills rather than the more important question of whether the ADPPA will actually address the problems it claims to.
*** In the same article, EPIC's Alan Butler reassures us that there's nothing to worry about because ADPPA's restrictions on de-identified data are "extremely strict,” but then again he also said that ADPPA has stronger enforcement than it's getting credit for, so without having delved into the details my guess is that Wyden's right.
UPDATE, 7/19: Wyden's right. See Consumer Reports' letter.
UPDATE, 7/25: it's possible that Butler was talking about the version of the bill that was getting negotiated at the time, because the amended version the committee voted on undid the harmful subcommittee changes to decentralized data that Consumer Reports had discussed. However, according to Tonya Riley's reporting Federal privacy legislation progresses, but concerns about data brokers loom, these improvements do not appear to have fully addressed Wyden's concerns.
Image credit: JessicaRodriguezRivas, via Wikipedia Commons. licensed under the Creative CommonsAttribution-Share Alike 4.0 International license.