One out of six ain't good: Five ways the American Data Privacy and Protection Act falls short

How does ADPPA respond to critiques of California's privacy law?

One out of six ain't good: Five ways the American Data Privacy and Protection Act falls short

FIND OUT MORE: Prof. Daniel Solove moderated an excellent webinar on ADPPA Wednesday, August 10. Here's our live-tweeting – or, if you prefer, in a single threadreaderapp page.  

A lot of the discussion of the proposed American Data Privacy and Protection Act (ADPPA) has focused on comparing it to California's privacy law, generally viewed as the strongest of the handful of existing state privacy laws.   In Californians for Consumer Privacy Announce Opposition to ADPPA, the group responsible for California's privacy law says that for Californians, ADPPA "would weaken existing privacy laws in far-reaching and vital ways."  But not everybody sees it that way.

Here's how Alan Butler and Caitriona Fitzgerald of EPIC Privacy frame it in Evaluating the American Data Privacy and Protection Act:

We believe that the ADPPA is stronger in several key areas then California’s CCPA, that it would provide roughly equivalent protections in most circumstances, and that the few areas where the CCPA is stronger could be addressed through minor amendments to the ADPPA.

The nicely-designed side-by-side from EPIC, CDT and Lawyers Committee makes their case in more detail.*  UPDATE, August 12: Californians for Consumer Privacy's side by-side responds.   They disagree.  UPDATE, September 7: a new analysis from Californians for Consumer privacy spotlights 20 ways in which CPRA is stronger.

Taking a step back ... as Omer Tene of Goodwin Procter points out on Twitter, when California's current privacy law was on the ballot as Prop. 24 in 2020, ACLU of Northern California opposed it, arguing it was catering to big tech interests and harmful to marginalized communities.**  Color of Change, Dolores Huerta, and many immigrant rights groups opposed it for similar reasons.  

With all the weaknesses these groups identified in California's law,  "roughly equivalent protections in most circumstances" doesn't necessarily translate to strong protection.  

So let's build on Tene's point and take a different approach to the comparison.

How many of Prop 24's weaknesses does ADPPA address?

Prop. 24, also known as the California Privacy Rights Act (CPRA), amended the 2018 California Consumer Privacy Act (CCPA).  As significant as Prop 24 was, it was also a missed opportunity to do even better – as the groups who critiqued it pointed out.  So I went through the three highest-profile criticisms of Prop 24 from 2020.  

Here are the problems they highlighted, along with opinions about how well these issues are addressed in ADPPA.  

Pay for privacy – substantially worse in ADPPA

Proposition 24 asks you to approve an Internet “pay for privacy” scheme. Those who don’t pay more could get inferior service – bad connections, slower downloads and more pop up ads. It’s an electronic version of freeway express lanes for the wealthy and traffic jams for everyone else.

– from the ballot argument against Prop 24

This criticism of Prop 24 may have been overstated – language in the bill, combined with CPPA's rulemaking authority, goes a long way to limit pay for privacy schemes.  However, the key langauge is missing from ADPPA – as even supporters like Butler and Fitzgerald agree.

ADPPA would remove the CCPA’s requirement that financial incentives practices with respect to exercising privacy rights not be “unjust, unreasonable, coercive, or usurious in nature.” This is an important backstop to prevent exploitative practices.

- CPPA July 26 bill analysis, on the latest draft of ADPPA
CPRA states that if businesses wish to incent consumers to share/sell their data, “[the] business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.” [§1798.140(b)(4)]

ADPPA’s section covering retaliation, §104, is missing this critical consumer protection, which is terrible for consumers. We’ve all been in the situation where the item is 30% or 50% more expensive in the grocery store if you’re not a member of the store’s loyalty program. So if your choice is to pay 50% more for the cereal box or be forced into a loyalty program that gets you the discount but allows the store to sell your data—how is that a choice? It’s coercive on the part of the business, and CPRA stops it.

- Californians for Consumer Privacy Announce Opposition to ADPPA
In our chart comparing the bills, which is below, we summarize these provisions and highlight a few areas where the California law is stronger or where we feel the ADPPA needs to be tightened to avoid loopholes. These include the “guardrails” set for differential prices charged to individuals who chose to delete their data or decline to participate in a loyalty program

- Evaluating the American Data Privacy and Protection Act, Alan Butler and Caitriona Fitzgerald of EPIC Privacy

No protection for employee data – also a problem in ADPPA, and getting worse

Currently, employers can obtain all kinds of personal information about their workers and even job applicants, including things like using a pregnancy tracking app, where you go to worship or if you attend a political protest. Proposition 24 allows employers to continue secretly gathering this information for more years to come, overriding a new law that lets workers know what sensitive private information their bosses have beginning January 1, 2021.

– from the ballot argument against Prop 24

Employers collect all kinds of data about job applicants and employees from a myriad of places: job applications, background checks, HR and benefits forms, social media.  The original CCPA, passed in 2018, covered employee data. Businesses pushed back, and in 2019 the California legislature passed a bill which largely exempted employers for a year.  Prop 24 pushed the deadline back a couple more years.

In ADDPA, by contrast:

You might have also noticed from the definition above that the bill explicitly doesn’t apply to “employee data....”  The bill also notes that the term “employee” can be defined as “ employee, director, officer, staff member, trainee, volunteer, or intern of an employer,” regardless of whether they’re unpaid or a temp worker. It’s not just “employees” that are being targeted here, but volunteers and interns, too.

- Shoshana Wodinsky, in Close the Loopholes in the American Data Privacy & Protection Act on Gizmodo
The definition of "employee data", which is exempt from ADPPA, has been broadened to include "information processed by an employer relating to an employee who is acting in a professional capacity for the employer, provided that such information is collected, processed, or transferred solely for purposes related to such employee’s professional activities on behalf of the employer."  (Sec. 2(8)(C)(ii))

- me, in But What About the Elephant? on ADPPA's latest draft

Global opt-out – a major loophole in ADPPA

You can set web browsers and cell phones to send a signal to each website you visit and app you use to stop selling your personal data, so you don’t have to think about it each time. Proposition 24 would allow companies to disregard those instructions and shift the burden to you to notify each and every website and app individually to protect your data.

– from the ballot argument against Prop 24

This is another area where, despite concerns about the Prop 24's language, California's rulemaking has led to an approach that seems fairly workable ... but ADPPA takes a step backwards.

So here is where federal bill (ADPPA) will have a massive fail if not fixed. The latest amended bill suddenly has new language allowing a company to require an authentication process before honoring the global opt-out signal....  If this specific language becomes law - then consumers who turn on GPC (global opt-out) - will have to authenticate each and every site/app in order to visit. More likely they'll just turn it off and lobby will then argue to FTC users don't want it. Poof go your new rights.

- Jason Kint on Twitter, also citing the CPPA bill analysis

Restricting people from enforcing their privacy rights in court –   also a problem in ADPPA

Proposition 24 restricts Californians from enforcing your own privacy rights in court.

– from the ballot rebuttal argument
Although the ADPPA does contain a private right of action, with the possibility of pursuing monetary damages as well as injunctive relief, that right of action is otherwise deficient in a wide range of respects. These deficiencies are significant enough that the private right of action is unlikely to serve either as an effective vehicle for rights enforcement or as a motivator to comply with the law in order to avoid the risk of liability.

- ACLU July 18 letter on ADPPA
[T]he American Data Privacy and Protection Act “makes it harder for women to seek redress when their sensitive health data has been used against them” and would force women to “jump through arbitrary, drawn-out hoops” to sue over privacy violations.

- Senate Commerce committe staffers, quoted in Cristiano Lima's Abortion ruling could scramble data privacy talks, June 27
[A]lthough a covered entity or service provider may have technically violated a provision of the ADPPA, plaintiffs may be unable to bring a claim in federal court absent a showing of concrete injury. Proving damages for privacy violations has often proved difficult for plaintiffs. Given that the ADPPA limits cases to federal (and not state) courts, this limitation could be determinative in many lawsuits.

- Analyzing the American Data Privacy and Protection Act’s Private Right of Action, Shelby Dolen and David Stauss
Forced arbitration is no longer enforceable on claims related to gender or partner-based violence or physical harm (Sec. 403(b)).  However, companies can still impose forced arbitration on adults in all other cases. During the markup, Rep. Donald McEachin of Virginia said that the bill as currently written wouldn't have his support on the floor because of forced arbitration, and Senate Commerce Chair Maria Cantwell has flagged this as an issue that needs to be fixed.

- me, in But What About the Elephant? on ADPPA's latest draft
• §403(b) only prevents pre-dispute arbitration agreements for minors (who cannot legally enter contracts in any event, so this is just gratuitous), or gender or partner-based violence/physical harm

• 1798.192 prevents forced arbitration clauses for any rights contained in CPRA

Californians for Consumer Privacy Announce Opposition to ADPPA

Privacy Loopholes – also a problem with ADPPA

Prop 24 introduces numerous other exceptions and loopholes that will further weaken privacy protections for Californians.  

- ACLU of Northern California's Californians Should Vote No on Prop 24

The post lists several example loopholes – some of which are addressed in the ADPPA, some of which aren't.  For example, ACLU discusses how CPRA allows police to tell companies not to delete data; ADPPA similarly says companies have to ignore deletion requests if they "reasonably" believe the request was to "support criminal activity." ADPPA actually has an even bigger loophole here: companies are allowed to ignore deletion requests that interfere with "investigations" as well as  "reasonable efforts" to guard against, detect, prevent, or investigate fraudulent, malicious, or unlawful activity.

And ADPPA's got plenty of loopholes that weren't on the ACLU of Northern California's shortlist of Prop. 24 problems.

“The bill before us has a major loophole that could allow law enforcement to access private data to go after women. For example, under this bill, a sinister prosecutor in a state that criminalizes abortion could use against women their intimate data from search histories or from reproductive health apps. That loophole must be addressed.”

Rep. Anna Eshoo, D-California, quoted in Federal privacy legislation progresses, but concerns about data brokers loom

Teen’s jailing shows exactly how Facebook will help anti-abortion states, Anti-Abortion Centers’ Databases Could Be Weaponized Post-Roe and Teen’s jailing shows exactly how Facebook will help anti-abortion states highlight the stakes of loopholes like this.

“[T]his loophole could allow data brokers to sell location data to the government about visits to reproductive health facilities, for example, or other private information that is trivially easy to connect to individuals.  [Senator Ron Wyden (D-Oregon) strongly believes this must be fixed before any legislation becomes law."

-  a Wyden aide quoted in Federal privacy legislation progresses, but concerns about data brokers loom
[T]he ADPPA includes a substantial loophole that my office opposed in state legislation. Section 209 includes the following exemption: “A covered entity may collect, process, or transfer covered data for any of the following purposes . . . [to] conduct internal research or analytics to improve products and services.” This broad exemption directly conflicts with the ADPPA’s data minimization language and may be used by technology companies to maintain all data indefinitely.

- Washington Attorney General Bob Ferguson, in a June 24 letter
We are also concerned about newly accepted amendments to the bill that address data flows between companies such as Clearview AI or ID.me and the government. Specifically, the bill may treat these companies as “service providers”—defined in the ADPPA as companies that collect or process information for government entities—and gives these companies much more leeway than it should.

- EFF, in Americans Deserve More Than The Current American Data Privacy Protection Act

Applies outside of California –  addressed in the ADPPA, although many protections are lower both outside and inside California

Under California law, your privacy rights follow you wherever you go. But with Proposition 24, the minute you travel out of state with a phone, wearable device, or computer, big tech companies are allowed to capture the health, financial, and other confidential information you stored on your device.

– from the ballot argument against Prop 24

ADPPA applies to the whole country, so clearly addresses this.  

However, as Californians for Consumer Privacy's side by-side highights (and some of the earlier discussion here reinforces), in many ways ADPPA's protections are lower than CPRA's.  So Californians are being asked to give up some important protections (and not be able to get them back) in exchange for not letting anybody else getting those protections.  You can certainly see why they wouldn't like that trade.

One out of six ain't good

So of the six areas these groups highlighted, only one is addressed in ADPPA – and in a couple, ADPPA is arguably worse than California's a existing law.  Combine this with the critiques in Californians for Consumer Privacy Announce Opposition to ADPPA and it's clear that there are a lot of ways ADPPA falls short.

Of course, there's no question that ADPPA also has areas where it improves on California's privacy law. Explicitly including civil rights protections with anti-discrimination language that includes disparate impact (as well as intentional discrimination) is a very big deal.  ADPPA also incorporates some important new ideas, such as a duty of loyalty.  Californians for Consumer Privacy analysis also highlights several areas where ADPPA improves on CPRA.  These all point to improvements that might well be helpful in California – and other states as well, since privacy laws in Virginia and Utah are much weaker than California's.

Then again, the analysis here also points to a lot of ways ADPPA falls short.  And these aren't the only areas of ADPPA that need work – there's also the unnecessary interference with state Attorney General enforcement ability,*** stripping FTC oversight of telecom data abuse, potential threats to unhoused people, and more.  

Butler and Fitzgerald point to the possibilities of amendments to ADPPA to address some of its weaknesses.  At least so far, the trend isn't encouraging.  Microsoft, IBM and the Business Software Alliance have been big winners. Many of the changes in the most recent version of ADPPA actually weakened its protections.  Still, if Congress decides they really do want to protect people's privacy, they've got a good roadmap for improvements to ADPPA.  

As it is right now, though, comparing ADPPA to California's privacy law just highlights how much improvement is still needed.


Image credit: JessicaRodriguezRivas, via Wikipedia Commons.  licensed under the Creative CommonsAttribution-Share Alike 4.0 International license.

* Although the previous version of the side-by-side (linked from a Washington Post article) claimed that ADPPA was stronger in some additional ways that turned out to be inaccurate, so this one may still be overstating the case.  

UPDATE: Californians for Consumer Privacy's comparison makes it ADPPA 3, CPRA 22 (or something like that).  So even if the truth is somewhere in between, EPIC's spreadsheet was indeed still overstating the case.

** Gilad Edelman's The Fight Over the Fight Over California’s Privacy Future on Wired has some of the fascinating backstory.

*** Specifically, ADPPA 404(c)'s language: “a violation of this Act shall not be pleaded as an element of any such cause of action."  As the AG's letter says:

In many states, the Attorney General’s office uses civil investigative demands under its consumer protection authority to demand documents or information from entities when we believe there could have been a violation of a law. Ordinarily, a violation of a federal law or standard could also be a violation of state consumer protection law. But Section 404 would act as a bar to investigate violations of the federal law, because it prohibits them from forming the basis for state consumer protection claims. This language unnecessarily interferes with robust enforcement capabilities.

The 2020 version of the Bad Washington Privacy Act had a similar problem, and Attorney General Ferguson said it made the bill "unenforceable."  Meanwhile, Microsoft it as "raising the bar on privacy in the United States" because of its "strong enforcement." Good times!