Federal privacy legislation: a quick ADPPA roundup

One of Big Tech's favorite tactics in their incessant attempts to pass weak privacy here in Washington state has been to try to push a "compromise" bill through at the very end of the session....  So it wouldn't surprise me if there are still some shenanigans in store for ADPPA.

– Who could have predicted? A potential “new compromise” for ADPPA!, September 12

The House Energy and Commerce Committee is considering new consumer privacy legislation that would allow Americans greater control over who can access their personal information online. On Thursday, Sept. 29 at 11:00 a.m. ET, join The Post’s Leigh Ann Caldwell for a conversation with the committee’s chair Rep. Frank Pallone Jr. (D-N.J.) and ranking member Rep. Cathy McMorris Rodgers (R-Wash.), about the prospects for a bipartisan bill and the future of tech regulation.

Watch live: washingtonpost.com/acrosstheaislesept29

– Across the Aisle with Leigh Ann Caldwell

After Energy and Commerce advanced the bipartisan American Data Privacy and Protection Act (ADPPA) by a 53-2 vote in July, hopes were high that it would move to the House floor quickly before the August recess ... but no. By the time the House returned to DC in September, House Speaker Nancy Pelosi's firm pre-Labor Day statement that she wouldn't support a bill that preempts California's laws made it clear that ADPPA's supporters claims of a "consensus" that ADPPA is the best thing since sliced bread are ... exaggerations.  Who could have predicted?

So with the House once again about to leave DC (Friday is their last scheduled day in session until after the midterms), it'll be interesting to see what Reps. Pallone and McMorris Rodgers have to say.  

Pass the popcorn!

UPDATE: well, that was a nothingburger – here's the video, my live-tweeting thread, and an "unrolled" version of the thread.  Key takeaway: Pallone says there's still time to pass ADPPA after the election, and expressed optimism (which of course he has to).

And to whet everybody's appetite, here's a quick look at five recent ADPPA-related articles.

If you want to see some of my other posts on ADPPA, check out the federal privacy legislation section of The Nexus of Privacy.

California leads the nation in privacy protections. Congress wants to end that

Jennifer M. Urban on San Francisco Chronicle (sfchronicle.com)

Prof. Urban is the Chair of California Privacy Protection Agency (CPPA), which is already on record as opposing ADPPA's preemption of state laws, so it's not like anything she says here is a surprise. Still, she says it well!  One important point she makes: it's not just the California Consumer Privacy Act (CCPA) that would be preempted:

[B]y preempting state laws related to consumer privacy, the ADPPA would also prohibit states from acting to protect their residents from future threats. Privacy issues arise quickly, and states can experiment more nimbly, and reflect their residents’ concerns more directly, than Congress can. If passed, the ADPPA would likely be outdated before it goes into effect. Meanwhile, states have been extremely active. Maine adopted landmark broadband privacy rules in 2019. Colorado and Connecticut have adopted comprehensive commercial privacy laws that go into effect in 2023. Washington and Oregon have been working on draft privacy legislation for years. And in recent weeks, the California Legislature advanced legislation to protect children’s privacy* and to strengthen laws regarding in-car cameras and smart speakers.

Yeah really.  As Washington state Indivisibles said in a June 13 letter to Rep. McMorris Rodgers and Senator Maria Cantwell:

Indivisibles have invested a lot of time and energy working with state legislators, the Tech Equity Coalition, and WA People’s Privacy Network on privacy legislation over the last several years....  So it is extremely important to us that federal legislation does not preempt Washington state’s own future privacy legislation. Thanks to the years of work legislators, civil rights and community groups, and tech companies have done on privacy, we believe we are likely to pass strong legislation in 2023. While we appreciate the work that ADPPA has done to explore a “partial preemption” approach, we would prefer the clarity and simplicity of a bill that is fully non-preemptive.

State views on proposed ADPPA preemption come into focus

Joe Duball on International Association of Privacy Professionals (iapp.org)

In People in other states and cities have opinions on preemption too! I observed that "all the focus on California's opinion about preemption of their state law frames it as California just being selfish, and obscures both the breadth of the opposition and ADPPA's preemption of local laws," so it's great to see some other perspectives get some coverage.  Duball has perspectives from three state legislators

• Sen. James Maroney, lead sponsor of Connecticut's privacy law, who "called back instead to California lawmakers' proposal for a federal floor from which states can build."
• Rep. Collin Walke, co-sponsor of Oklahoma's privacy bill, who believes that the better route would be "to set a federal floor, not a ceiling."
• Sen. Reuven Carlyle, primary sponsor of the Bad Washington Privacy Act, who says "We need to ensure the floor of the protections the federal government might establish are genuine, meaningful and compelling."**

Duball also mentions and links to the July 19 coalition letter from 11 state Attorneys General, which encouraged Congress to "adopt legislation that sets a federal floor, not a ceiling."

Hey wait a second, I'm noticing a pattern here!***

Unfortunately Duball doesn't quote anybody on ADPPA's preemption of local laws, and he doesn't bring up any issues from the states other than preemption. For example:

• the July 19 AG coalition letter noted that a clause in ADPPA causes problems for many ability to investigate and “unnecessarily interferes with robust enforcement capabilities.”​​  
• Washington's AG Bob Ferguson's June 24 letter objected to the lack of whistleblower protections, and highlighted a loophole that "may be used by technology companies to maintain all data indefinitely" and "will undermine the entire purpose of data privacy legislation"

So while there's some useful information here, at the end of the day it's yet another example of the pattern I mentioned in  Can we talk about something besides preempting California for a second?:

There’s been so much focus on preemption and California that a lot of other important questions about ADPPA haven’t gotten a lot of airtime, starting with one that's top of mind for a lot of people right now.

Does ADPPA protect against post-Roe threats to privacy? Probably not.

ADPPA's failure to protect against post-Roe privacy threats goes into more detail on that, and A few more topics that could use a lot more discussion list of some of the other issues with ADPPA.

Reviewing the House Committee changes to the proposed ADPPA

Amy Olivero on International Association of Privacy Professionals (iapp.org)

IAPP Westin Research Fellow Olivero breaks down the changes to the draft American Data Privacy and Protection Act (ADPPA).  There's some useful information here, although it's worth mentioning that  both the description of the changes and the chart at the bottom makes ADPPA look stronger than it really is. For example,

• the list of changes is at a very high level.  While this improves readability, it also creates a very false impression by omitting many important changes that significantly weakened the bill.
• the chart helpfully provides information on how long covered entities of different sizes have to respond to access, correction, and deletion requests – but it leaves out the fact that they also get an automatic 45-day exemption.
• the chart accurately notes that service providers and businessess with less than $250,000,000 annual revenue are subject to ADPPA's civil rights protections (Section 207(a)) – but omits the fact that they're exempt from the requirement to do algorithmic impact assessments (Section 207(b)) .

Readout from a Congressional Data Privacy and Security Briefing

Brandon Pugh on R Street (rstreet.org)

R Street's briefing to congressional staffers featured ADPPA co-sponsor Pallone and a panel of supporters of ADPPA: Brandon Pugh of the R Street Institute, Paul Lekas of the Software & Information Industry Association (SIIA), Sara Collins of Public Knowledge and Yosef Getachew of Common Cause.  As with Urban's op-ed, nothing they say is surprising, but it's still useful to see the talking points they're using.   For example:

An attendee raised California’s concerns with preemption, especially as House Speaker Nancy Pelosi (D-Calif.) said work is needed to address outstanding concerns. Panelists’ responses to this included reflecting on the changes to the ADPPA to account for the California Privacy Protection Agency; providing a role in enforcement for states; the ADPPA being stronger in multiple areas like civil rights; and providing rights for all Americans.

Cool!  Except that the reality is ...

• The CPPA has all kinds of problems with the current version of the CPPA
• State AG's object to ADPPA's barriers to their enforcement.  
• ADPPA's civil rights protections are certainly a good thing, but ADPPA’s algorithmic impact assessments are currently too weak to protect civil rights
• There are a lot of other areas where ADPPA is weaker than California's or Maine's current privacy laws.  
• As for "all Americans", sexual orientation has now been removed from the definition of "sensitive data," and sex and gender were never included, and that's only one of the problems from an LGBTAIQ2S+ perspective (Stress-testing ADPPA with a queer lens) ... plus of course there's the elephant.  

I wonder which of those they talked about in the briefing?

Notes from the IAPP, Sept. 23, 2022

Joe Duball on International Association of Privacy Professionals (iapp.org)

What if ADPPA doesn't pass this session?  In Duball's view, bipartisanship in the House is "stymied" by Democrats' "reluctance, mostly on the part of the California delegation, to move forward with preemption."  That's certainly one way to look at it.  As I said in "Tweaking" the "grand bargain"

ADPPA's supporters have argued that they only way to get federal privacy legislation is a “grand bargain”:

* Republicans will support providing some protections to cis straight non-pregnant people all over the country; something called a "private right of action" that people have to jump thrugh hoops to use and doesn't have statutory damages; and exemptions for government contractors

* In return, Democrats will agree states can't provide stronger protections to their residents; AGs and privacy agencies will have a hard time enforcing the law; forced arbitration and a right to cure that can prevent people from suing; and California will give up legislation that had been passed by a referendum in 2020.

So yeah, not going along with the "bargain" does "stymie" this approach to bipartisanship.  And Duball points out that current projections are for Republicans to take the House.  

So in a perfect world, McMorris Rodgers and fellow Republicans working on the bill will use their new majority status to implore a Republican House Speaker to bring this current version of the bill, which a majority of Democrats support, to the floor.

It's certainly a possibility.  That said, there are some major caveats.  

• Let's start with the elephant. In a post-Roe world, will a majority of Democrats really support legislation that fails to protect pregnant people?  
• Would the majority of the 175 Democratic members of the LGBTQ Equality Caucus really support a bill that puts LGBTAIQ2S+ people at risk?
• And in any case, even in Duball's "perfect world" where House Democrats throw pregnant people and LGBTAIQ2S+ people under the bus to pass a corporate-friendly privacy bill, he admits

[P]assing the ADPPA through the House doesn't resolve issues in the Senate, where Democrats could retain control and uphold their own discrepancies with the proposal.

So unless Republicans take both chambers, never mind.

That said, it's certainly worth thinking about what happens if ADPPA doesn't pass. As I said in Democrats have other options,

[D]epending on the November results, it could be a different story in Congress next session. If the Democrats pick up a couple of seats in the Senate and hold the House, they might well remove the filibuster for abortion-related legislation.

Everybody agrees that the Supreme Court's Dobbs decision ending Roe has changed the political landscape when it comes to privacy.  Let's hope Democrats seize the opportunity.

* How much of California's recently-passed Age-Appropriate Design Code does ADPPA preempt?  IAPP's Cobun Zweifel-Keegan, who recently wrote about the  Age-Appropriate Design Code in The future of youth privacy is here, says "Great question. I think that one is open for debate."  Hmm.  Am I the only one who thinks it'd be nice to have a definitive answer to that before legislators vote on the bill?

** I don't always agree with Sen. Carlyle but he's on-target with this:

The ADPPA is "not going to be tinkered with in a meaningful way for a decade or generation. We are living with it because of the general dynamic for how Congress works," Carlyle said.

Daniel Solove's A Faustian Bargain: Is Preemption Too High a Price for a Federal Privacy Law? makes a similar point.

*** Duball actually understates the breadth of opposition: he doesn't mention the letters from Maine's AG and Washington Indivisible groups opposing preemption, or the comments from Maya Morales of WA People's Privacy at the CPPA Board meeting opposing preemption.

Image credit: JessicaRodriguezRivas, via Wikipedia Commons.  licensed under the Creative CommonsAttribution-Share Alike 4.0 International license.