The American Data Privacy and Protection Act (ADPPA) was formally introduced yesterday, and a Consumer Protection and Commerce Subcommittee markup is scheduled for Thursday at 7:30 am Pacific time (10:30 am Eastern). The new version is 120 pages so there's a lot of new material – as well as plenty of changes. Odia Kagan has an initial summary of changes from the earlier draft on LinkedIn, Omer Tene has highlights on Twitter, and I'm collecting reactions in a Twitter moment.
Update: as expected, the subcommittee advanced ADPPA with no further changes. Here's the live-tweeting of the markup. David Stauss' Federal Privacy Bill Voted Out of House Subcommittee on JD Supra is a good writeup.
And there's been a lot of other action in the week since I wrote Federal privacy legislation: It’ll be an interesting summer!.
- Last week's ADPPA hearing highlighted the bill's encouraging momentum and the importance of addressing civil rights and algorithms and including a data minimization requirement – but also illustrated the challenges of getting to agreement on thorny issues like a private right of action (whether people can sue companies who break the law and violate their privacy) and pre-emption (whether or not a federal bill preempts state privacy laws). Former FTC Bureau of Consumer Protection Director Jessica Rich's Readout on House Privacy Hearing: Wide Attendance, Lots of Issues, Full Steam Ahead on Kelley Drye's Ad Law Access Blog, and Insights from the House Subcommittee Hearing on ADPPA, by Hilary Higgins, Ali Jessani, and Kirk Nahra of Wilmer Hale on JD Supra, are both good overviews.
- Senators Warren, Wyden, Whitehouse, Murray, and Sanders introduced the Health and Location Data Protection Act (HLDPA).
- EFF has urged Congress to strengthen ADPPA, with recommendations including making it non-preemptive; strengthening the private right of action; removing exemptions; prohibiting "pay for privacy" schemes; and providing stronger safeguards by making the bill fully opt-in and strengthening other protections.
- A dozen Washington state Indivisible groups sent mail to Senator Cantwell and Representative McMorris Rodgers (one of the sponsors of the ADPPA), focusing on non-preemption and the importance of exploring how effective the legislation will be at stopping the kinds of data abuses that are occurring today as well as looking ahead to developing threats to privacy.
- Senator Cantwell's still not on board with the ADPPA, citing "major enforcement holes" and saying that it is currently too weak to override state privacy laws.
- ACLU says ADPPA, and Senator Cantwell's still-unreleased new draft of COPPA, need significant revision, and expressed concern that the bills will be rushed to the floor.
I certainly share the ACLU's concern about bills being rushed to the floor. Congress is on recess for two weeks starting on Monday, and then has only four weeks between the July and August recesses, so there really isn't a lot of time. In Washington state's legislative battles over privacy, big tech tried to use the compressed time frame to try to sneak very weak language in the Bad Washington Privacy Act through. It's easy to imagine them using similar tactics at the federal level.
Of course, those tactics haven't worked for them in Washington state. The Bad Washington Privacy Act failed once again this session, and is now 0-for-4. Meanwhile, those of us working for strong privacy and civil rights protections have continued to build our power, and have an opportunity to pass some good legislation in 2023.
So as things heat up in DC, there's a lot to learn from our experiences here in "the other Washington". Here are three important lessons.
- Language that looks good may well be weaker than it seems
- Get concrete! Will the bill actually stop real-world privacy and civil rights abuses?
- Build a broad alliance of people and groups who want strong privacy protections
Language that looks good may well be weaker than it seems
In testimony at a 2021 hearing, former Microsoft privacy compliance lead Gregg Brown talked about how the Bad Washington Privacy Act's very nuanced definitions were written to "nuance away" the rights the bill appeared to grant. Susan Grant of Consumer Federation of America made similar points in her testimony, citing "loopholes and definitional problems that essentially neuter the protections the bill is supposed to provide." A Deep Dive into the Affiliates Loophole goes into detail on a specific example from this year's legislation – one that was so nuanced that even a good-faith attempt to fix the problem fell short.
ADPPA uses different language from the Bad Washington Privacy Act, but there may well be similar problems. A couple of examples:
- Jolynn Dellinger of Duke Law's Kenan Institute for Ethics suggested that ADPPA's use of the word “precise” in its definition of “geolocation information” is going to lead to "litigation and, importantly, circumvention." The revised draft defines "precise" as "within 1000 feet"; is that a strong enough definition to alleviate these concerns?
- Ali Alkhatib of the Center for Applied Data Ethics highlighted concerns about the bill's exclusions of de-identified data, employee data, and publicly available information. Alan Butler of EPIC suggests that the de-identification is narrowly defined; again, is the definition strong enough to alleviate concerns?
- Cynthia Khoo of Georgetown Law and Ben Winters of EPIC discussed potential limitations of the ADPPA's definition of "algorithm". The revised version has an even more limited definition. Does this undercut the civil rights protections?
And these are only the tip of the iceberg – the revised draft is 120 pages long, so there are dozens more.
Ideally, legislators and staff would take the time to dig deeply into all of these issues, understand what the tradeoffs are, and refine the definitions. But the short timeframe means that's unlikely. Instead, they're likely to primarily hear input from industry lobbyists. So it's challenging for privacy and civil rights advocates to identify the problems and push back effectively.
Get concrete! Will the bill actually stop real-world privacy and civil rights abuses?
One effective tactic we've used to cut through the complexity of the legislation is to focus on real-world privacy abuses. How effective will proposed legislation actually be at stopping them? If it falls short, how can it be strengthened?
I briefly mentioned one example of this in yesterday's privacy news roundup. Doctor check-in software from Phreesia harvests patients' health data and uses it to target ads. Does their approach to getting consent meet the ADPPA's requirements for "affirmative express consent"? If so, then the bill's current language will do nothing to stop this abusive practice – in fact, it legitimizes it.
Another good example is the way Grindr sold "de-identified" location data that was used to out a Catholic priest. Would this fall under the "de-identified data" exception mentioned above?
In the Washington legislative discussions, we also looked at abuses by ed tech companies like Naviance and PowerSchool (discussed here and here) and CourseHero (discussed here), location data from Muslim prayer apps getting non-consensually shared with military contractors, and the reports of ICE investigators getting warrantless access to utility data to target immigrants. Recent reports of ICE searches of Lexis/Nexis data provide another good test case. If ADPPA's current language doesn't protect against all of these cases, it will need to be improved if it is to protect these and other vulnerable groups.
Build a broad alliance of people and groups who want strong privacy protections
One of our organizing strengths has been the breadth of the loose alliance we put together for strong privacy protections. Key participants here include:
- The Tech Equity Coalition, convened by ACLU of Washington and comprised primarily of individuals representing communities historically targeted by surveillance
- Indivisibles and other progressive activists
- WA People's Privacy Network's outreach to community organizations.
A similar organizing approach at the national level could really strengthen the hand of groups who are pushing for legislation to be strengthened. For example, Lawyers' Committee on Civil Rights and EPIC Privacy both made a good case at the ADPPA hearing for strengthening the private right of action (PRA), as did EFF in their email, but they'll need help in overcoming the lobbying from multiple industry associations who are telling Congress that even the relatively weak PRA in the current draft would cause the sky to fall.
And there's certainly room for improvement on what we've done so far in Washington state. Can we work with small businesses to push back against loopholes and exemptions that favor big tech (even though we may not see eye-to-eye with them on the private right of action)? What about libertarians who share concerns about exemptions for law enforcement and other government agencies, or states-rights proponents who don't approve of pre-emption?
Organizing doesn't just happen
One thing I really want to highlight is that this kind of organizing requires a lot of work. Non-profits like EPIC Privacy and ACLU work on a lot of issues, and so have limited resources to invest here. Other privacy non-profits like Future of Privacy Forum get their funding primarily from industry, so aren't likely to help build resistance.
Maya Morales of the WA People's Privacy Network has played a big role in our organizing here in Washington state, including helping us get out of the "privacy bubble" by working with groups like Washington Poor People's Campaign who don't always get involved in privacy issues. Maya's got a fundraiser on Go Fund Me ... please join me in supporting her! And if you’re a grantmaker or larger donor and would like to explore funding longer-term work with WA People's Privacy Network in the future, please reach out and I'll be happy to connect you with her.
To be continued
Congress will have to move quickly to get anything through this session. So expect to hear a lot more about federal privacy legislation this summer – and, most likely, more lessons from our experiences here in the other Washington.