Is there an elephant in the Zoom room? CPPA says no to ADPPA preempting California law

California's Privacy Protection Agency speaks out.

Is there an elephant in the Zoom room?  CPPA says no to ADPPA preempting California law
California Privacy Protection Agency board members, on Zoom at the July 28 special board meeting
It’s important to be crystal clear about who preemption serves, and who it harms: preemption privileges the needs of corporations over the needs of people.

– Maya Morales, WA People's Privacy, at the CPPA board meeting

At yesterday's special board meeting, the California Privacy Protection Agency (CPPA) board voted unanimously to oppose the current version of the federal American Data Privacy and Protection Act (ADPPA) consumer privacy bill, because it would preempt the California Consumer Privacy Act (CCPA), as modified by the California Privacy Rights Act (CPRA), and other California privacy laws.

The board also voted unanimously to oppose any bill that similarly threatens these crucial privacy protections for Californians – although also left room for the Agency to support federal privacy legislation that provides a “true floor” allowing states to implement stronger protections.

CPPA's press release has quotes from all the board members.  Joseph Duball's summary on IAPP (International Association of Privacy Professionals) includes several of the meeting's many highlights:

  • Chris Thompson's framing of the "false choice":
He said federal lawmakers are "treating privacy rights as if they are in limited supply and the strong rights of Californians and others need to be taken away" so the rest of the country can be served "weaker rights."
  • Lydia de la Torre's proposal, adopted by the board, that the agency should embark on a public awareness campaign.  During public comments, Californians for Consumer Privacy founder Alistair Mactaggart (the driving force behind California's landmark 2018 CPPA law and the 2020 referendum that updated it with CPRA) strongly supported de la Torre's proposal, highlighting that it was clearly within the agency's statutory mandate.
  • CPPA Executive Director Ashkan Soltani stated bluntly "While I appreciate suggestions by advocates and others about how the ADPPA may be stronger than California law, I assure you that in my and the staff's expert opinion that it is not."  🍿

The IAPP article also covers the lowlight of the meeting, public commenter Jon Leibowitz's suggested that Californians should give up their rights.  Who could have predicted?  Lobbyists gonna lobby has more about Leibowitz' strategy for passing preemptive federal privacy legislation by comparing it to existing state legislation (although to be fair, Leibowitz said he said he wasn't at the CPPA meeting on behalf of any clients).  

A few perspectives IAPP didn't think were worth mentioning

You wouldn't know it from the IAPP article, but several women also spoke during public comments:

  • Jodi Masters-Gonzales, researcher in AI Ethics and Public Policy and independent auditor of AI systems, strongly opposed ADPPA's removal of CPRA's right to for people opted out of automated decision making – a concern board member Vinhcent Le had previously mentioned.*
  • Hayley Tsukayama of Electronic Frontier Foundation discussed how federal preemption of state privacy law hurts everyone.  
  • Maya Morales, a community organizer who played a key role in the coalition that passed a privacy-protecting ordinance in Bellingham last year (and whose full comments on the WA People's Privacy site are really worth reading), highlighted who's going to be especially hurt:
[I]t is important to note that it is unfavored and marginalized communities that will of course take the brunt of preemptive laws. Preemption will prevent states, counties and municipalities all over this nation from using the law to further protect immigrants of color, LGBTQIA+, Black and Indigenous and People of Color, poor and houseless individuals, and even those with issues of language and disability access that are not addressed by ADPPA.

Also, CPPA Deputy Director of Policy and Legislation Maureen Mahoney (whose work got well-deserved compliments from board members and Soltani) provided an analysis of another way ADPPA clearly weakens California protections by recent changes subverting "universal opt-out."**

And Board member de la Torre also brought up a topic that hasn't gotten enough attention: ADPPA preempts county and municipal legislation as well as state legislation.  In my comments, I briefly mentioned the Seattle Broadbrand Privacy Ordinance; I'm sure there are many others around the country.  As de la Torre noted, though, there hasn't yet been any detailed analysis of which local ordinances would be affected by ADPPA's preemption – and what the consequences are.

Why yes, now that you mention it, there is an elephant in the room!

Speaking of topics that haven't gotten enough attention, the IAPP article also doesn't mention the elephant – which may have something to do with the lack of women's perspectives in the article.  At the meeting, though, board members Lydia de la Torre and Angela Sierra both spoke about the threats to privacy in a post-Roe world.  

So did I in my comments, quoting Kim Clark of Seattle non-profit Legal Voice describeing ADPPA in Orion Donovan-Smith’s Spokane Spokesman-Review article earlier this week:

“This bill, at least from the perspective of pregnant people, it really doesn’t do much.”

I also highlighted that ADPPA's preemption would prevent states like California and Washington (both of whom have a right to privacy in their state Constitution) from providing stronger protections to our residents.

With limited time, I wasn't able to go into detail on the red flags that have been raised about ADPPA's ability to protect against post-Roe threats.  For example (from Tonya Riley's Federal privacy legislation progresses, but concerns about data brokers loom on Cyberscoop):

“The bill before us has a major loophole that could allow law enforcement to access private data to go after women,” said Rep. Anna Eshoo, D-Calif., who voted against the bill. “For example, under this bill, a sinister prosecutor in a state that criminalizes abortion could use against women their intimate data from search histories or from reproductive health apps. That loophole must be addressed.”

But what about the elephant? also has perspectives from Senator Ron Wyden, Senate Commerce Committee staffers, and gender-justice nonprofit UltraViolet on other loopholes and shortcomings in the ADPPA that leave reproductive health data and pregnant people's privacy at risk (as well as a short analysis of some of the changes in the latest version of the ADPPA).

And the same ADPPA loopholes and exemptions that make it easy for so-called "crisis pregnancy centers" to share data with vigilantes and law enforcement in states that criminalize abortion also allow targeting of immigrants, LGBTAIQ+ people, unhoused people, people receiving state benefits, and all the other groups who are most impacted by surveillance and data abuse.  Preemption stops our states from protecting them as well.

Does ADPPA protect unhoused people?

It's crucial to analyze any privacy bill from the perspective of these communities who are already harmed by survellance.  While there's been much discussion of ADPPA's very important civil rights protections, there's been a lot less of how effective the privacy protections actually are in practice. For example, when we discussed how effectively ADPPA protects unhoused people at one of our Washington privacy organizers meetings, we weren't able to find any any detailed analysis from the privacy and civil rights organizations who support the bill.  

This is concerning.  Law enforcement targets unhoused people, so all the loopholes that Eshoo and Wyden has identified as threats to pregnant people apply in this case as well – and not just in states that have criminalized abortion, even in supposedly-progressive cities like San Francisco and Seattle.

And as Carrie Leonetti's The Wild, Wild West: The Right of the Unhoused to Privacy in their Encampment discusses, courts have reached conflicting decisions on what, if any, protection the Fourth Amendment and its state counterparts give to a home that is not a house.  As a result, many unhoused people aren't able to take advantage of privacy protections the rest of us take for granted.  I'm not a lawyer, but ADPPA's exemptions for not just publicly available data, but also data derived from publicly available data, certainly seem like they could be potential areas of concern here.  

Leonetti also points out that

Local anti-camping and trespassing ordinances have, in effect, become the new vagrancy laws, criminalizing a status rather than a voluntary behavior in any meaningful sense

In light of this, several changes in the latest version of ADPPA are grounds for even more concern:

  • The "security incident" permissible purpose exception to data minimization (101(b)(5)) has been expanded to include preventing, detecting, protecting against, and responding to trespass.  
  • New section 101(b)(14) gives government contractors an additional "permissible purpose" to prevent, detect, protect against or respond to a public safety incident – including trespass.
  • And new section 102(3)(13), an exception to the loyalty duty, lets government contractors transfer data to prevent, detect, protect against or respond to a public safety incident – including trespass.

There's a lot more to discuss about privacy for unhoused people, in terms of ADPPA and more generally.  

UPDATE, August 9: Californians for Consumer Privacy Announce Opposition to ADPPA makes some relevant and important points, including:

“Precise geolocation” in ADPPA excludes information derived from surveillance cameras

I'll go into more depth about this in a future post.  For now, though, let's switch focus and look at a tactic that ADPPA supporters are using that's very familiar to us in “the other Washington.”

How broad is the "consensus" that ADPPA provides "strong privacy protections"?

In a Twitter discussion later in the evening with board member de la Torre and Dr. Gabriela Zanfir-Fortuna of industry-funded Future of Privacy Forum, EPIC Privacy's Alan Butler claimed that ADPPA has reached "broad consensus" on "strong privacy protections" at the federal level.

Where have I heard that before?  

Oh yeah, that's right, Bad Washington Privacy Act (BadWPA) supporters used those exact same talking points here! In Washington Tech Industry Association lobbyist Michael Schutzler's misleading Seattle Times opinion piece earlier this year, he said the loophole-ridden BadWPA – which was opposed by dozens of immigrant rights, civil rights, civil liberties, and progressive groups, and had already been rejected three times by the state legislature – "reflected years of consensus negotiations with a complex set of stakeholders, and it would have been the country’s strongest privacy bill."  

The footnotes of A "fresh wrench" have a bunch of examples of "strong protections", including the time in 2020 Microsoft described the BadWPA as "raising the bar on privacy in the United States" because of its "strong enforcement" even though our Attorney General said the bill was "unenforceable."  Good times!***   Coincidentally enough, the same language that caused enforcement problems for the BadWPA is present in ADPPA as well.****  A coalition of ten state AG's points out  that this langauge would similarly undermine their enforcement authority.  So they're certainly not part of the "consensus."

And I wonder just who else is, or isn't, part of this "consensus" ...

  • Reproductive justice advocates?
  • Unhoused people and organizations advocating on their behalf?
  • Immigrant rights organizations concerned about non-consensual data sharing with ICE and ICE contractors?
  • The coalition fighting racist surveillance in Detroit?  
  • Other local privacy focused organizations like Stop LAPD Spying, Surveillance Technology Oversight Project, Lucy Parsons Lab, PDX Privacy, Oakland Privacy, and (here in Washington) the Tech Equity Coalition?

And just to be clear, whatever "consensus" there currently is certainly doesn't yet include me.  As I said in my comments, ADPPA does have some very good features – including some that could help inform future legislation in California and elsewhere.  There's no question that getting a consumer privacy bill through committee that includes civil rights protections and anti-discrimination language that covers disparate impact is a huge milestone, and I certainly appreciate the work that's gone into that!

But the current version of ADPPA appears to have some of the same problems Tech Equity Coalition highlighted with the Bad Washington Privacy Act: loopholes and exemptions, a very weak private right of actions that puts up barriers to people being able to sue, preemption of stronger local regulations ....  Of course, it may turn out that some of these concerns are overblown. Others will hopefully be addressed as the bill moves to the House floor.  

For now though it seems to me like "strong privacy protections" may well be an overstatement.

Now what?

Senate Commerce Chair Maria Cantwell has said she doesn't think Speaker Nancy Pelosi has plans to bring ADPPA to the House floor, and Cantwell currently isn't planning on scheduling a markup.  Especially after the CPPA's strong statement, it'll be very difficult for California representatives to vote for something that doesn't change the bill into a "true floor" by removing the preemption section – or at least give their state an exemption.  

So in contrast to all the discussion of  ADPPA's "momentum" after the House Energy & Commerce advanced the bill 53-2, there's now a lot of talk that it's virtually dead.  And indeed, the gap on preemption may be too big to bridge. In the markup, Rep. Jan Schachowsky described Rep. Eshoo's amendment to remove state preemption as a "poison pill" that would kill the bill's chances of passing, disrupting the "grand bargain" of trading a weak private right of action for preempting states from providing stronger protectons pregnant people, unhoused people, and other disfavored and marginalized groups.

Then again, as we've repeatedly seen in Washington state, it ain't over til its over.  So I can see at least a couple of ways that ADPPA could move forward:

  • Industry already has to deal with multiple regulations (including EU's GDPR), so might well decide that they can tolerate California's as well. Perhaps there will be a "dramatic" "compromise" adding the CPRA to the already-long list of other exceptions to preemption – in return for some other concessions to industry, of course.  That could be enough to get California represenatives on board – and increase pressure on Cantwell to drop her resistance to preemption.
  • Or, House Democrats could decide that even though it might meet resistance in the Senate, they've got a golden opportunity to pass a consumer privacy bill that does protect pregnant people.  The My Body My Data Act and Health and Location Data Privacy Act have strong language that could be adopted by ADPPA, and comments from CPRA, ACLU, EFF, and other groups point out other opportunities for improvement. With the November election coming up, and Democrats hoping anger at the loss of Roe translates to increased enthusiasm and turnout, this could be very smart politics.  

    As Shaunna Thomas of gender justice group UltraViolet says in the Spokesman-Review article, Democrats have a lot of leverage here.  Perhaps they'll use it.

With Congress heading to recess, we probably won't know which direction things will go until September.  But not to worry, there's still a lot more to discussions will continue between now and then.  Stay tuned!

CPPA July 28 meeting

* It's entertaining to watch ADPPA proponents tie themselves into knots trying to come up with explanations why not having this right actually makes ADPPA stronger than CPRA. How the California Privacy Protection Agency Advances Equity in AI discusses how CPPA is exploring using its authority to regulate algorithms.  Meanwhile, the latest version of ADPPA removed the requirement that algorithimic impact assessments be done by independent third-party researchers, dropped several requirements on what needs to be covered in the assessments, and further narrowed the definition of which algorithms need to be assessed.  

** Jason Kint of Digital Content Next has a short Twitter thread with a good explanation.

*** Industry-funded Future of Privacy Forum also talked about the unenforceable 2020 Bad Washington Privacy Act's "strong enforcement".   Unfortunately I didn't save a copy of the chart they were using to make the point, and the only Twitter reference I could find has been deleted, but my reply pointing out that their chart was inaccurate lives on!

**** It's in 404(c): “a violation of this Act shall not be pleaded as an element of any such cause of action."  As the AG's letter says:

In many states, the Attorney General’s office uses civil investigative demands under its consumer protection authority to demand documents or information from entities when we believe there could have been a violation of a law. Ordinarily, a violation of a federal law or standard could also be a violation of state consumer protection law. But Section 404 would act as a bar to investigate violations of the federal law, because it prohibits them from forming the basis for state consumer protection claims. This language unnecessarily interferes with robust enforcement capabilities.

Image credit: screenshot of CPPA meeting, originally from @CalPrivacy's tweet.