The elephant and the lame duck: ADPPA after the midterms (a federal privacy legislation update)
Reading the political tea leaves ...
It could well be that [lobbyists] are just posturing, and the industry plan is to demand concessions on other fronts in return for a "compromise" on preemption.
– me, in A "fresh wrench", two hearings, and a busy week, July 17
Congress heads back to DC this week for the lame duck session. The Democrats did much better than expected in the midterms because so many voters are passionate about protecting reproductive freedom after the Supreme Court's decision ending Roe. Will Congressional Democrats show their appreciation by passing a privacy bill that fails to protect against post-Roe threats?
It doesn't seem like a very good idea to me ... but it seems like they're giving it a try.
- Alfred Ng's paywalled story today on Politico Pro reports that the sponsors of the American Data Privacy and Protection Act (ADPPA) are going to take one last try at getting it through.*
- As How well does ADPPA protect against post-Roe threats? discusses, loopholes in the current version of ADPPA leave pregnant people and abortion care providers at risk.
It's quite possible that most Congressional Democrats don't even know this is an issue with ADPPA. There's been so little discussion about it that I call it the elephant in the room. Instead, most of the discussion has focused on how the current version preempts current and future California privacy laws.
Speaker Pelosi and the California delegation have quite rightly said is a non-starter. So unless there's some kind of breakthrough in negotiations, ADPPA's not going anywhere this session. But who knows, maybe the sponsors have a card up their sleeve ...
We'll get back to preemption and ADPPA's chances of passing below – along with some lessons from our experiences here in Washington state. But first, let's talk about the elephant.
Does ADPPA protect against post-Roe privacy threats?
Sen. Ron Wyden, D-Ore., who has previously expressed he would not vote for the House version of the bill, has similar concerns about the exemption of de-identified data.
“[T]his loophole could allow data brokers to sell location data to the government about visits to reproductive health facilities, for example, or other private information that is trivially easy to connect to individuals,” a Wyden aide wrote in an email to CyberScoop. “He strongly believes this must be fixed before any legislation becomes law.”
– Tonya Riley, Federal privacy legislation progresses, but concerns about data brokers loom on CyberScoop
Sen. Wyden's usually right about stuff like that – and the de-identified data loophole is one only of the ways ADPPA falls short.
Here are a few more, from How well does ADPPA protect against post-Roe threats?. In the chart below, ❌ means "no" and ❓ means "I’m not sure or it's complex"
- ❌ Does ADPPA prevent prosecutors and law enforcement in states that have criminalized abortion from buying location data and targeting people who visit reproductive health care centers? NO.
- ❌ When people travel out of state to get abortions, does ADPPA protect their data? NO.
- ❌ Does ADPPA allow pregnant people to force companies to delete data that might put them at risk? NO.
- ❌ Does ADPPA protect pregnant people and abortion providers from risks of automated license plate readers (ALPRs)? NO.
- ❓Does ADPPA prevent anti-abortion “crisis pregnancy centers” from sharing data with vigilantes and law enforcement? Maybe, but there's a potential looploe they could exploit.
- ❓Will ADPPA hold “crisis pregnancy centers” who break the law and violate people’s privacy accountable? Maybe, but when you look at it closely it's not clear.
- ❌ Will ADPPA prevent law enforcement from accessing people's private messages to investigate whether they got an abortion? NO.
The full post goes into detail on all of these. At a high level, though, this summary from Kim Clark of Seattle-based Legal Voices (quoted in Orion Donovan-Smith’s Spokane Spokesman-Review article) nails it:
“This bill, at least from the perspective of pregnant people, it really doesn’t do much”
But wait, there's more
ADPPA's failure to protect against post-Roe threats is only one of the problems with the current version of the bill.
To start with, the de-identified data loophole Sen. Wyden warns about has a lot of other consequences too. Joseph Cox' How the U.S. Military Buys Location Data from Ordinary Apps on VICE Motherboard looks at how de-identified data was used to target Muslims. Sara Morrison's This outed priest’s story is a warning for everyone about the need for data privacy laws on Vox highlights the potential impact on LGBTAIQ2S+ people. As EFF's Bennett Cyphers says,
Academic researchers have shown over and over again that de-identified or “anonymized” location data still poses privacy risks.
But wait, there's more:
- ADPPA’s algorithmic impact assessments are too weak to make its civil rights protections against anti-discrimination real. ADPPA lets companies like Facebook do their own analysis of whether their algorithms are discriminatory – and exempts government contractors from having to do any algorithimic impact assessments. What could possibly go wrong? Automated Systems and Discrimination goes into more detail on how ADPPA falls short of the standards the of the AI Bill of Rights recently released by the White House Office of Science and Technology Policy.
- ADPPA puts up barriers to state Attorneys General enforcing the law.** AGs from states including Connecticut, Illinois, Maine, Massachusetts, Nevada, New Mexico, New Jersey, New York, and Washington warned in a July 19 letter that the current version of the bill appears to “substantially preempt many states’ ability to investigate” and “unnecessarily interferes with robust enforcement capabilities.”
- ADPPA doesn't protect LGBTAIQ2S+ people – and the de-identified data loophole is only one of the many reasons why. Stress-testing ADPPA with a queer lens discusses how ADPPA stacks up against threats to queer people Antoine Prince Albert III wrote about in Hiding OUT: A Case for Queer Experiences Informing Data Privacy Laws.
- ADPPA's "internal research" exemption arguably undermines the entire purpose of privacy legislation – at least according to Washington Attorney General Ferguson's June 24 letter to Congress. ADPPA’s data minimization and duty of loyalty goes into detail.
The Washington Indivisible federal privacy "one-pager", from a briefing with staffers I helped arrange in September, has a longer list of issues and links to more references.
How grand is the bargain?
Like I mentioned above, it's quite possible that most Congressional Democrats many of them don't realize that these are issues. When I brought up the loopholes leaving pregnant people at risk in a meeting staffers had with local Indivsible activists in July, it was news to them – which probably means the Congressperson they work for didn't know about it either.
And one of the favorite talking points for ADPPA supporters is "perfect is the enemy of the good," encouraging Democrats to view not protecting the people who voted for them as a necessary "compromise" that has to be made to get anything through Congress. Cameron Kerry's description of ADPPA as a “grand bargain” is a good example of this framing:
- People all over the country get some protections including anti-discrimination (that probably can't be enforced) and a very weak "private right of action" allowing them to sue companies (as long as they go through enough hoops, and as long as companies don't require arbitration, which ADPPA allows them to do)
- In return, states like California and Maine (and cities like Seattle) who have passed stronger protections for their residents have to give them up. And states like Washington, where we're on track to pass strong cosumer privacy legislatin next year, have to give up any possibility of better protecting residents in the future.
Of course Kerry uses somewhat different language that makes the bargain seem more attractive – and he leaves out a few important things. Nowhere in his article does he mention the post-Roe threats that aren't addressed, the lesser protection LGBTAIQ2S+ people get under ADPPA, the barriers to AGs and privacy agencies enforcing the law, the exemptions for government contractors and other service providers, and so on.
Factor all of that in, and it doesn't seem like such a grand bargain to me. Other Washington privacy advocates also don't think it's a good deal.
Then again, opinions differ. My Congresswoman, Rep. Suzan DelBene, supports ADPPA in its current form. Of course as well as representing me, Rep. DelBene also represents Microsoft and other businesses headquartered in her district, and is an honorary chair of tech-funded think tank Information Technology and Innovation Foundation (ITIF). So my guess is she probably spends a lot more time listening to industry lobbyists than she does to constituents like me.
Lobbyists are very good at what they do – and we've learned to recognize some of their favorite tactics
Most legislators and staffers spend a lot of time listening to lobbyists. This is a huge problem for groups like EPIC and Lawyers' Comittee, who are in a tough position here, trying to move ADPPA forward while defending against lobbyists' attempts to further weaken it. At least so far, the lobbyists are winning.
We've got a lot of experience with this here in the other Washington, where tech lobbyists and industry-funded privacy groups like Future of Privacy Forum (FPF) have spent years trying to get the Bad Washington Privacy Act (Bad WPA) through our legislature. Over the years, we've learned to recongize some of their favorite tactics.
Back in 2020, for example, AG Ferguson said that the Bad WPA was literally unenforceable. Microsoft framed it as "raising the bar for privacy in the United States "and lauded its strong enforcement. FPF said passing the Bad Washington Privacy Act would be a "significant achievement"; the chart in their analysis, which they also sent to legislators, inaccurately claimed that the AG could enforce the bill. The disinfomation analysis I did of a "quick summary" document lobbyists shared with legislators in 2021, and the fact-checking and the misleading claims in Washington Tech Industry Association 's 2022 op-ed (fact-checked here by Jennifer Lee of ACLU of Washington and Maya Morales of WA People's Privacy), are two more good examples.
And these lobbying tactics work, too. Almost every Washington state legislator I've talked to over the years initially thought the Bad WPA was a lot stronger than it actually was. Fortunately we've been able to spend enough time with them that they've seen through the spin and our Legislature has rejected the Bad Washington Privacy Act four years in a row ... but that's a lot easier with state legislators than it is with Congress. Other states haven't been so successful. Virginia's privacy law was drafted by Amazon, and it whisked right through.***
Lobbyists are taking a similar approach with ADPPA. ITIF, for example, described the June draft of ADPPA as having "strong enforcement measures" even though it explicitly prevented California Privacy Policy Agency (CPPA, by far the strongest and largest state privacy regulator in the country) from enforcing it – and even though it would substantially preempt state AGs' ability to investigate and unnecessarily interfere with their robust enforcement capabilities. Hey wait a second, I'm noticing a pattern here!****
Another game lobbyists are playing is to focus the discussion on comparisons between ADPPA and state legislation. This tactic has been very effective at putting the privacy and civil liberties organizations who support ADPPA into a position where they're mostly talking about the bill's strengths rather than weaknesses.***** Even better, from lobbyists' perspective, the more people are comparing ADPPA to other bills, or arguing about preemption, the less attention the elephant gets.
Okay, now we can talk about preemption
It could well be that ... the industry plan is to demand concessions on other fronts in return for a "compromise" on preemption: add California's privacy law to the already-long list of preemption exceptions, give the California Privacy Protection Agency the authority they need, and hangs Maine, Washington, and all the other states that also don't want to be preempted out to dry.
– me, in A "fresh wrench", two hearings, and a busy week, July 17
Pelosi and California Democrats have made it clear since 2019 that they wouldn't accept a bill that preempts California's law this position. So why did everybody pretend to be so surprised with this "fresh wrench" cropped up again in July?
My guess at the time was that lobbyists were trying to set things up so that they could announce a "dramatic" last-minute "compromise" on ADPPA. And sure enough, starting in September, articles like the LA Times editorial Congress must fix data privacy bill so it doesn’t hurt Californians have been suggesting a waiver for California – and perhaps allowing other states to choose to adopt California's law as an alterntative to the federal law. Who could have predicted?
To be clear: giving California a waiver doesn't address the preemption concerns of other states – or of cities and counties, in California or elsewhere. All it does is maybe get California's delegation on board, and make corporations' life easier. As Maya Morales of WA People's Privacy says, preemption privileges the needs of corporations over the needs of people.
Of course, industry will frame any "compromise" as a major concession, and so they'll almost certainly demand other areas of ADPPA get further weakened. If we do see a new version, it wouldn't surprise me if the algorithmic impact assessments are even weaker – or perhaps removed entirely. And it'll be very interesting to see what new loopholes and exemptions get put in.
Reading the political tea leaves
If lobbyists play their cards right, and there really is an "unexpected breakthrough" on preemption waiting in the wings, then maybe the possibility of actually being able to pass something will keep groups like EPIC Privacy and Lawyers' Committee on board despite the weaknesses they acknowledge in the bill. That in turn might give Democratic legislators cover to ignore the elephant and pass a bill that doesn't protect against post-Roe threats (and gives lesser protections to LGBTAIQ2S+ people, allows companies like Facebook to self-assess whether their algorithms are discriminatory, puts up barriers to Democratic AGs to enforce it etc etc etc). After all, "perfect is the enemy of the good" – and even though West Coast privacy organizations like EFF and WA People's Privacy oppose ADPPA, Congress often pays more attention to DC-based groups.
The most likely way for ADPPA to move forward at this point is to attach it to the omnibus appropriations bill (as Senators Blumenthal and Markey are reportedly trying to do with COPPA 2.0).****** From lobbyists' perspective, this has the advantage of minimizing how much scrutiny the bill gets – no need for a hearing or markup in the Senate, and the omnibus bill is so huge that there wouldn't be time for any discussions about the elephant or anything else.
Then again, there's not a lot of time in the session, and there's a lot of other stuff on Congress' plate. So it's quite possible that ADPPA won't actually move forward at all in the lame duck session.
At this point, it seems to me that would be the best outcome. The power balance in Congress next session is still up in the air as I write this, and they might well get deadlocked again on privacy. But states aren't waiting for Congress to act, and some of the new bills being considered are quite strong – for example, Washington's proposed health data privacy law completely bans sales of health data and requires opt-in to collect or share it. And that means the conversations in DC next session could be very different.
Still, industry has enough to gain from passing a weak preemptive federal privacy bill that they won't give up easily. Late-session negotiations in Washington state have featured some spectacular shenanigans – like the time in 2021 when Bad WPA sponsor Sen. Reuven Carlyle (D-Amazon) tried to hold funding for eviction protection hostage to get his colleagues to pass his bill. So we'll see what happens.
Maybe nothing!
But as we 've learned time and again here in Washington state, it ain't over 'til its over.
Image credit: Savanna elephant in Kruger National Park, South Africa. By Felix Andrews (CC-BY-SA-3.0) via Wikimedia Commons.
Notes
* In his Washington Post Across the Aisle discussion in September, ADPPA co-sponsor House Energy & Commerce Chair Frank Pallone (D-NJ) had confidence that there was enough time to get the bill through in the lame duck session so this doesn't come as a complete suprise.
** §404(b)(2)(A): “a violation of this Act shall not be pleaded as an element of any such cause of action." The AG's letter says:
In many states, the Attorney General’s office uses civil investigative demands under its consumer protection authority to demand documents or information from entities when we believe there could have been a violation of a law. Ordinarily, a violation of a federal law or standard could also be a violation of state consumer protection law. But Section 404 would act as a bar to investigate violations of the federal law, because it prohibits them from forming the basis for state consumer protection claims. This language unnecessarily interferes with robust enforcement capabilities.
We're especially annoyed by this in Washington because after a big legislative battle over exactly this issue in 2020 (which I'll discuss later in the post), big tech conceded on this here in 2021! So even though it's not surprising, it's still kind of annoying to discover that tech lobbyists' fingers were crossed.
*** There's an interesting backstory here. An Amazon lobbyist gave a copy of the Bad Washington Privacy Act to a Virginia state legislator, and after weakening it they quickly passed the Even Worse Virginia Privacy Act. So if the Virginia bill was drafted by Amazon, what does that say about the Washington bill? For what it's worth, Bad Washington Privacy Act sponsor Sen. Reuven Carlyle (now retired after going 0-for-4 trying to pass his signature legislation) represents Amazon’s district and considers their lobbyist Guy Palumbo a treasured friend. But maybe that’s all just a coincidence.
**** The current version is slightly better: It allows CPPA and other state privacy agencies to enforce the bill, which is good, although the barriers to AG enforcement may effect them as well. But as discussed earlier, it still has the same barriers to AG enforcement.
*****Jon Leibowitz (co-founder of the 21st Century "Privacy" Coalition, whose funders include Comcast, AT&T, Verizon, Time Warner Cable/Charter Communications, and DirecTV and their respective trade associations) was very candid about this tactic in his February Wall Street Journal op-ed.
Cristiano Lima's Federal privacy bill trumps California’s law, advocates say, from mid-July in the Washington Post, is a high-profile example of how these techniques work together. It linked to a detailed comparison making a misleading claim that ADPPA was better than California's laws in 13 of 15 areas. The authors' revised version walking back several of these claims, but of course that didn't get mentioned by the Washington Post. Neither did Californians for Consumer Privacy's later analysis, which came to the opposite conclusion: California's law is stronger than ADPPA in 23 of 25 areas. This is a fun game to play – One out of six ain't good is my contribution – but also serves as a distraction from the elephant and other questions about whether ADPPA actually protects people.
****** Technically there's just enough time that it could go the normal route: the House passes it, the Senate Commerce Committee marks it up, the Senate passes it, and if necessary the chambers reconcile any differences. But this could be challenging, both from a timing perspective and because Senate Commerce Committee Chair Maria Cantwell has been resolute about not supporting a preemptive bill that would preempt Washington state – so they'd either have to convince her that the "compromise" is good enough or drop preemption completely. Unanimous consent, which lets them skip some steps of the process, can speed things up, but it requires consent of all members, so it's even more unlikely to happen.