Last updated September 15
It could well be that [lobbyist Jon] Leibowitz et. al. are just posturing, and the industry plan is to demand concessions on other fronts in return for a "compromise" on preemption: add California's privacy law to the already-long list of preemption exceptions, give the California Privacy Protection Agency the authority they need, and hangs Maine, Washington, and all the other states that also don't want to be preempted out to dry.
– me, in A "fresh wrench", two hearings, and a busy week, July 17
In July, the House Energy & Commerce committee voted 53-2 to advance the American Data Privacy and Protection Act (ADPPA), a broad consumer privacy bill. It's the first time this century a consumer privacy bill has advanced from committee, and privacy and civil rights groups have justifiably lauded ADPPA's inclusion of civil rights protections as a huge milestone.
The next step for ADPPA is a vote on the House floor. But right before the Labor Day weekend, House Speaker Nancy Pelosi issued a firm statement saying that wouldn’t happen unless there were changes in ADPPA.
California’s landmark privacy laws... must continue to protect Californians — and states must be allowed to address rapid changes in technology.
Republicans have said they're only willing to support a privacy bill if it preempts California!!
And now California's not willing to be preempted!!!
Does this mean that ADPPA is "dead"?
Don’t be silly
The level to which Pelosi's stance affects the ADPPA's chances will depend on what kind of agreement can be reached, if any, to soften preemption.
– Joe Duball, Pelosi opposes proposed American Data Privacy and Protection Act, seeks new preemption compromise
Of course this doesn't mean ADPPA is dead. It's not even news: Pelosi and California Democrats have had this position since 2019. Legislators, staffers, lobbyists, and privacy advocates have all put a huge amount of effort into ADPPA and its predecessors over the last few years. They're not going to give up just because the preemption issue hasn't been resolved yet.
Pelosi's statement made it clear that discussions are continuing. Along with statements from House Energy & Commerce Chair Frank Pallone and Ranking Member Cathy McMorris Rodgers (two of ADPPA's sponsors), it's just part of the negotiating process.
In fact, there's already been a "new compromise" proposed on preemption. But before we get to that ...
Can we talk about something besides preempting California for a second?
There’s been so much focus on preemption and California that a lot of other important questions about ADPPA haven’t gotten a lot of airtime, starting with one that's top of mind for a lot of people right now.
Does ADPPA protect against post-Roe threats to privacy? Probably not.
- Rep. Anna Eshoo says that "under this bill, a sinister prosecutor in a state that criminalizes abortion could use against women their intimate data from search histories or from reproductive health apps."
- Sen. Ron Wyden (who's usually right about stuff like this) says the de-identified data loophole "could allow data brokers to sell location data to the government about visits to reproductive health facilities, for example, or other private information that is trivially easy to connect to individuals.”
- Senate Commerce Committee staffers warn that the bill would force pregnant people to “jump through arbitrary, drawn-out hoops” to sue over privacy violations.
- Kim Clark of progressive feminist non-profit Legal Voice says “This bill, at least from the perspective of pregnant people, it really doesn’t do much”
How well does ADPPA protect against post-Roe threats? goes into more detail, including
A few more topics that could use a lot more discussion
- Do the changes in the latest version of the bill give free rein to government contractors? Quite possibly. In Americans Deserve More Than The Current American Data Privacy Protection Act, EFF says they’re concerned about this, and I haven't yet seen any good responses convincing me otherwise.
- Does ADPPA protect LGBTAIQ2S+ people? No. As WA People’s Privacy pointed out on Twitter, sexual orientation has now been removed from the definition of "sensitive data," and sex and gender were never included. And that's only one of the problems; Stress-testing ADPPA with a queer lens also discusses how ADPPA stacks up against threats to queer people Antoine Prince Albert III wrote about in Hiding OUT: A Case for Queer Experiences Informing Data Privacy Laws,
- Does ADPPA let state Attorneys General enforce the law? Not so much. AGs from states including Connecticut, Illinois, Maine, Massachusetts, Nevada, New Mexico, New Jersey, New York, and Washington warn in a July 19 letter that the current version of the bill appears to “substantially preempt many states’ ability to investigate” and “unnecessarily interferes with robust enforcement capabilities.”
- Does ADPPA let people sue companies who break the law? In many cases, no. As Rep. Donald McEachin of Virginia, Sen. Maria Cantwell of Washington, and EFF have all highlighted, ADPPA allows companies to force people into arbitration. Senate Commerce committee staffers said in a memo that ADPPA makes it harder for people to "seek redress when their sensitive health data has been used against them.” There's often a "right to cure", giving companies a get-out-of-jail free card; the Bad Washington Privacy Act also had a right to cure, and Washington's AG called it "anti-consumer". EFF goes into more detail on how the bill needs stronger individual rights to fight back, including statutory damages, in Americans Deserve More Than The Current American Data Privacy Protection Act.
- Does ADPPA provide sufficient resources and authority for FTC enforcement? Nope. The current version doesn't provide any additional funding for the FTC, but adds substantial new responsibilities (including approval of "compliance guidelines" submitted by companies and trade associations, who can then presumably sue if the FTC doesn't respond within the one-year timeframe).
- Are ADPPA's algorithmic auditing requirements strong enough to make the civil rights protections against anti-discrimination real? I don’t think so, especially after they were significantly weakened in the last version. ADPPA’s algorithmic impact assessments are too weak to protect civil rights -- but it’s not too late to strengthen them and Automated Systems and Discrimination go into more detail on the changes that are needed.
- Does ADPPA provide whisteblower protections? No. In a June 24 letter, Washington's Attorney General Bob Ferguson said "Frances Haugen demonstrates how important whistleblowers are to daylighting abusive practices that violate Americans’ privacy and I encourage you to add whistleblower protections to the ADPPA."
I could go on … what about the “bossware” loopholes? What about the "pay for privacy" regime, where it's okay to charge customers more or provide lower levels of service if you they don't agree to be part of a "voluntary" loyalty program (which can require consenting to data sharing or sale)? A potential loophole allowing ISPs to escape hundreds of millions in fines? What are the implications of lowered protections for location data from photos, surveillance cameras, and license plate readers? But hopefully there’s enough here to make my point.
So yes, It’s a problem that ADPPA preempts California’s law. And as Californians for Consumer Privacy highlight in their Letter to Speaker Nancy Pelosi Opposing The American Data Privacy and Protection Act, the many ways that ADPPA falls short of California's law are also problems.
But those aren't the only problems we should be be talking about!
People in other states and cities have opinions on preemption too!
"In 2019, the Maine Legislature enacted L.D. 946, An Act to Protect the Privacy of Online Customer Information. The law is at the forefront of consumer privacy protection, and it reflects hard-fought progress in Maine to foriify consumer data against unauthorized connection and use by Internet Service Provers."
Aaron Frey, Attorney General, State of Maine, in a July 13 letter
And it's not like Californians are the only ones who oppose preemption. So does AG Frey – and AGs from Connecticut, Illinois, Maine, Massachusetts, Nevada, New Mexico, New Jersey, New York, and Washington, who made similar points in their coalition letter. But all the focus on California's opinion about preemption of their state law frames it as California just being selfish, and obscures both the breadth of the opposition and ADPPA's preemption of local laws.
Seattle's Broadband Privacy Ordinance would similarly be preempted – and so would Seattle's ability to pass future privacy laws. Here's what Derek Lum of Seattle's InterIm CDA had to say about the preemption clause in the Bad Washington Privacy Act in 2021:
"This cuts off one of the few avenues that organizations like mine can use to seek better protections for those we serve. Most of our community members live in Seattle, and they have reason to hope that the city will protect its vulnerable populations’ privacy. To deny them this avenue of protection is not right and would be severely limiting our ability to protect our communities."
Dozens of Tech Equity Coalition organizations and allies made a similar point in a letter to our state legislature: “a preemption provision prevents local jurisdictions from making important privacy decisions for their residents.”
Here's some other opinions about ADPPA's preemption from Washington state.
- Maya Morales of WA People’s Privacy said at the California Privacy Protection Agency’s July 28 special board meeting that “It’s important to be crystal clear about who preemption serves, and who it harms: preemption privileges the needs of corporations over the needs of people.”
- A dozen Indivisible groups said in a June 13 letter that “it is extremely important to us that federal legislation does not preempt Washington state’s own future privacy legislation.”
- In Stress-testing ADPPA with a queer lens, I wrote "From an LGBTAIQ2S+ perspective, this means that if a city like Seattle or a state like Washington wants to better protect its LGBTAIQ2S+ residents by addressing some these problems ... we can't."
And now, back to California ...
What "new compromise" could they possibly have in mind?
"Drawing on lessons from the environmental field, there may indeed be a way forward just as [EPIC Privacy President and Executive Director Alan] Butler suggests, with California as our guide....
The federal bill can provide California with a waiver, which would recognize its unique position as the home of a critical mass of tech companies and a leader in regulating them. (The Department of Commerce or the Federal Trade Commission could be tasked with determining whether California’s innovations offer greater data privacy protections than the ADPPA to warrant the waiver.) The state could continue to create privacy protections that meet evolving problems, and the nation can avoid the confusion that would result if all 50 states made their own privacy laws."
-- Nancy Pelosi Is Blocking Landmark Data Privacy Legislation—for a Good Reason, Danielle Keats Citron and Alison Glocke, Slate
Hey! We've got a critical mass of tech companies in Washington too! What are we, chopped liver?
UPDATE, September 13:
"Another approach lawmakers should consider is a framework similar to the federal Clean Air Act, which allows California to set a tougher standard than the national one and lets states choose which they want to follow."
– LA Times editorial, Congress must fix data privacy bill so it doesn’t hurt Californians
I'm noticing a pattern here ...*
"Tweaking" the "grand bargain"
ADPPA's supporters have argued that they only way to get federal privacy legislation is a “grand bargain”:
- Republicans will support providing some protections to cis straight non-pregnant people all over the country; something called a "private right of action" that people have to jump thrugh hoops to use and doesn't have statutory damages; and exemptions for government contractors
- In return, Democrats will agree states can't provide stronger protections to their residents; AGs and privacy agencies will have a hard time enforcing the law; forced arbitration and a right to cure that can prevent people from suing; and California will give up legislation that had been passed by a referendum in 2020.
As stated, this was never going to fly. California has made it clear since 2019 and at every stage of discussions htis session that they were not on board. Senate Commerce Chair Maria Cantwell has firmly said she's not on board either. And I suspect that most progressive Democratic legislators would have some serious qualms with the "grand bargain" as I've described it here.
And yet, here we are.
EPIC Privacy Executive Director Alan Butler suggests that the path forward is to combine "substantive tweaks to address issues of differences raised by the CPPA and others in California" with possible modifications to the preemption provisions. He's got a lot more visibility into the negotiations than I do, so who knows ... maybe they really can "tweak" the "grand bargain" and piece together a "new compromise" with the votes to at least get ADPPA through the House while still ignoring input from the other 49 states. We shall see.
Keep in mind that Big Tech is playing a long game here. If Congress passes a weak preemptive ADPPA this year, they win.** If not, they'll go back to pushing states to pass weak privacy laws and watering down attempts at privacy regulation, one state at a time.
EPIC's and Lawyers' Committee's strong support for ADPPA is likely to make Big Tech's path through the states a lot easier. One straightforward strategy: use a weakened ADPPA as a starting point, and further weaken it in states where their lobbying is strongest.*** It's similar to the strategy they took after we rejected the Bad Washington Privacy Act and an Amazon lobbyist introduced it in Virginia, only better (from a Big Tech perspetive); with ADPPA they'll be able to tell legislators things like "privacy groups like EPIC and civil rights groups like Lawyers' Committee support the bill and the only reason Congress didn't pass it was those selfish Californians care more about their ego than protecting people who live in other states." Then once it's passed in a few states, they can take another crack at getting a mostly-preemptive bill through Congress.
To be fair, EPIC and Lawyers' Comittee are in a tough position here. They've heard repeatedly that the "grand bargain" is the only path through Congress this session. Depending on how the midterms go, the Congressional landscape might be even tougher next session. Their support for the bill so far resulted in a 53-2 bipartisan vote for the principle that privacy is a civil right, which is a major accomplishment. They probably couldn't have gotten that without advocating so strongly for a bill they know has major weaknesses.
But there's a big cost to that as well. I'm sure they're continuing to push for improvements behind the scenes, but since they've already announced their support for the bill I wonder how much leverage they have. And even though lobbying from Microsoft, IBM and others has significantly weakened the bill and data brokers are lobbying up a storm, EPIC's and Lawyers' Committee's public statements continue to focus on ADPPA's strengths and the ways they see it as better than California's law.
Democrats have other options
“We see an opportunity for asking Democrats to recognize the threats that have become far more acute in a post-Roe worldand to consider using the leverage they have – which is not insignificant – to consider these improvements in that light.”
– Shaunna Thomas of Ultraviolet, quoted in the Spokane Spokesman-Review
Even putting the other 49 states aside, ADPPA's gonna need a heckuva lot of "substantive tweaking" to address Californians' issues. Californians for Consumer Privacy's latest comparison highlights quite a few differences, some of which need substantial tweeking to address. EFF is also California based, and they've got a stack of issues as well. Meanwhile industry will be demanding concessions elsewhere to make up for a preemption waiver for California. How much strengthening will Republicans go along with?
If the answer is "not enough", supporting a bill that leaves pregnant people at risk is very fraught for Democrats who are counting on their strong stance on reproductive rights after the Dobbs decision to motivate voters – and a bill that doesn't protect LGBTAIQ2S+ people puts the 175 members of the LGBTQ Equality Caucus in a very awkward position.
So hopefully Democrats are looking at other options. They have the votes to get something through the House that actually does protect pregnant people if they want to. Perhaps it's time to stop focusing on ADPPA, and instead push the My Body My Data and the Health and Location Data Privacy Act, which have narrower but much stronger protections for reproductive health data and pregnant people. Or, they could remove preemption and significantly strengthen ADPPA by closing loopholes, removing the forced arbitration protection, and adding whistleblower protections.
Conventional wisdom is that if the Dems move forward on My Body My Data, Health and Location Data Privacy Act, or a significantly strengthened ADPPA, whatever the House passes won't have any chance in the Senate. I'm not completely convinced by this,**** but suppose it's true.
After all, if nothing’s going to pass, it’s far better for Democrats to position themselves as having fought for strong privacy protections – and position Republicans as so virulently anti-abortion that they’ll sacrifice everybody’s’ privacy just to be able to let vigilantes and sinister prosecutors get at pregnant people’s health data.
And privacy advocates can play a long game too. The House passing some strong legislation sets up for next year's legislative battles in the states – even if it doesn't pass the Senate. And depending on the November results, it could be a different story in Congress next session. If the Democrats pick up a couple of seats in the Senate and hold the House, they might well remove the filibuster for abortion-related legislation.
Everybody agrees that the Supreme Court's Dobbs decision ending Roe has changed the political landscape when it comes to privacy. Let's hope Democrats seize the opportunity.
It ain't over til it's over
It'll be interesting to see how things play out over the next few weeks. The House is in session again from September 13 to September 30. 25+ disability rights groups have called for ADPPA to be brought to a vote, highlighting the many provisions that will help protect disabled people. So have dozens of public interest groups, highlighting its civil rights protections.
Meanwhile, the FTC's public forum on commercial surveillance last Thursday spotlighted the need for strong regulations. ADPPA supporters will probably try to use it to support their arguments for why it's important to pass something, while avoiding discussions of whether it actually addresses the issues people brought up like protecting pregnant people from post-Roe threats and protecting trans and queer people at a time when they're under attack all over the country.
One of Big Tech's favorite tactics in their incessant attempts to pass weak privacy here in Washington state has been to try to push a "compromise" bill through at the very end of the session. In 2021, the Bad Washington Privacy Act's sponsor tried to hold funding for eviction protection hostage in an unsuccessful attempt to "encourage" his colleagues to support the bill in the last days of the session. 2022's farcical last-minute push included a secret amendment that wasn't even published before the vote. Good times.
So it wouldn't surprise me if there are also some shenanigans in store for ADPPA as well. One thing we've learned time and again in Washington state's legislative battles over privacy: it ain't over till it's over.
September 15: Include LA Times artcile
* Several patterns, actually. As well as the predicted "waiver for California", this is the second major opinion piece the LA Times has published on ADPPA, after David Brody's July 19 op-ed. Most of what these opinion pieces discuss are the very real problems ADPPA is trying to present and the reasons ADPPA is good.
But it's a very different balance than that conveyed by Jennifer Haberkorn's excellent September 6 LA Times news story Congress mulls data privacy bill that would void California’s tougher protections. Haberkorn reports that ADPPA is "e legislation is widely supported by the tech industry." She includes critical perspectives from Ashkan Soltani of California Privacy Protection Agency (CPPA) who flat-out says ADPPA “is weaker than the California law.” She quotes Soltani on ADPPA's absence of California's right to opt out of AI profiling.
And Haberkorn even mentions the elephant!
Critics of the Energy and Commerce bill say it has too broad of a loophole for law enforcement to demand data related to a state crime, something that could open the door to the disclosure of location-tracking information, period-tracking information or messages related to abortion access in states where the procedure is illegal. Another concern is whether third parties can access the information.
I get it, there's a difference between news and opinion. Still, LA Times readers are seeing a lot more positive information about ADPPA than discussions of the questions including the elephant. And all the coverage of preemption (including Haberkorn's) is filtered through a California lens, with nary I mention that I could see of Maine or Washington.
** Of course Big Tech isn't going to admit that. From a negotiating perspective, they've got a lot more leverage if they're perceived as soooo against the bill that they're ready to walk away unless they get more concessions. But if you look at the bill in its current form, there's virtually nothing here that they don't have to do for existing legislation in the EU, California, or Colorado. And while the private right of action gets painted as something that industry will never ever in a million years agree to, the reality is that Microsoft actually did agree to a private right of action in behind-the-scenes negotiations on a bill in Washington a couple of years ago. For big companies, a private right of action without statutory damages is a small price to pay for a bill that gives them so much.
*** Another possible strategy for Big Tech: sprinkle a few improvements into the Bad Washington Privacy Act and continue to use that as their template. It would be easy enough to add algorithmic impact assessments that are just a teensy bit stronger ADPPA's (although still to weak to hold Big Tech accountable) along with a duty of loyalty and data minimization section. Since the Bad WPA already has civil rights protections, these tweaks would make it "even stronger than ADPPA, which has the support of privacy groups like EPIC and and civil rights groups like Lawyers' Committee!" Big Tech and their allies have the resources to pursue both of these paths as well as continuing to push even weaker bills like Utah's, which makes the Bad Washington Privacy Act and ADPPA look good by comparison.
**** The Health and Location Data Privacy acts regulates data brokers, so is a natural complement the Fourth Amendment Is Not For Sale Act -- which prohibits government agencies from buying data from data brokers without a warrant. The Fourth Amendment Is Not For Sale Act has strong bipartisan support, and in its hearing legislators from both parties stressed that it was only a first step. My Body My Data or a significantly strengthened ADPPA would be a tougher sell, but many Republicans in tough election races are already trying to backtrack on their previous anti-abortion statements, so it’s possible that an effective pressure campaign could change some positions.