As expected, the House Energy & Commerce Committee advanced the bipartisan, bicameral American Data Protection and Privacy Act (ADPPA) on a 53-2 vote. It's the first time this century a consumer privacy protection bill has ever made it out of committee in Congress, so congrats to all involved!
ADPPA's next step is a vote by the full House. It's not currently on the House floor schedule, and Congress takes most of August off, so it probably won't happen until mid-September. The Sunday Show: Prospects for the American Data Privacy and Protection Act, a discussion with Nora Benavidez of Free Press, Justin Brookman of Consumer Reports, and Justin Hendrix, has some good perspectives on the current status and next steps.
But even though the bill has strong bipartisan support, it's still far from a sure thing. The intense debate about whether ADPPA will preempt state laws has gotten most of the attention, but as Tonya Riley reports in Federal privacy legislation progresses, but concerns about data brokers loom on Cyberscoop, that's far from the only issue.
“The bill before us has a major loophole that could allow law enforcement to access private data to go after women,” said Rep. Anna Eshoo, D-Calif., who voted against the bill. “For example, under this bill, a sinister prosecutor in a state that criminalizes abortion could use against women their intimate data from search histories or from reproductive health apps. That loophole must be addressed.”
And Senator Wyden continues to be concerned about the exemption of "de-identified" data.
“[T]his loophole could allow data brokers to sell location data to the government about visits to reproductive health facilities, for example, or other private information that is trivially easy to connect to individuals,” a Wyden aide wrote in an email to CyberScoop. “He strongly believes this must be fixed before any legislation becomes law.”
“This bill, at least from the perspective of pregnant people, it really doesn’t do much”
UPDATE: Several California Privacy Protection Agency board members also expressed concerns during their July 28 special board meeting. See Is there an elephant in the Zoom room? for more – including a followon discussion about how similar potential ADPPA loopholes affect unhoused people.
To be clear, this isn't the only challenge facing ADPPA. Most of the other coverage in the last week has focused on the battle over whether ADPPA should preempt state privacy laws. At the markup, Rep. Eshoo's amendment to strip the preemption section was voted down (8-48), but several California Representaties said they'd vote against the bill on the floor unless this issue was addressed. Daniel Solove's A Faustian Bargain: Is Preemption Too High a Price for a Federal Privacy Law? and the letter from a coalition of state Attorneys General (including Washington's) opposing preemption of state laws have more.
And while the version of the ADPPA the committee advanced did include some significant improvements, they also weakened the bill in some significant ways – and didn't address the loopholes Rep. Eshoo and Sen. Wyden are talking about. They also didn't address concerns Senate Commerce committee staffers raised in a memo, as reported by Cristiano Lima in the Washington Post:
According to the memo, the American Data Privacy and Protection Act “makes it harder for women to seek redress when their sensitive health data has been used against them” and would force women to “jump through arbitrary, drawn-out hoops” to sue over privacy violations.
As Shaunna Thomas of gender justice group UltraViolet says in the Spokesman-Review article
“We see an opportunity for asking Democrats to recognize the threats that have become far more acute in a post-Roe world, and to consider using the leverage they have – which is not insignificant – to consider these improvements in that light.”
But will Democrats use that leverage? The risk is that contentious topics like preemption take up so much time and energy that legislators don't talk about the elephant in the room – and so don't realize that the current version of ADPPAl, as Kim Clark says, "really doesn't do much" to protect pregnant people.
We shall see.
UPDATE, 6:00 pm (Pacific time)
The California Consumer Privacy Agency (CCPA) released a bill analysis this morning and announced has a public special board meeting at 9:00 am Thursday.
And this short thread from ACLU of Northern California also makes some great points.
Sacrificial lambs, sneaking loopholes through, and other industry tactics
The version of ADPPA the committee advanced had a lot of changes from the subcommittee's version (which in turn had a lot of changes from the original discussion draft). Some strengthen the bill; some weaken it; many are just cosmetic, like changing "shall not" to "may not."
Virtually all of the strengthening changes either reverse a weakening change the subcommittee made, are balanced by other weakening changes, and/or are only small fixes that leave bigger issues unaddressed. Industry lobbyists plan for this by multiple levels of loopholes in early versions of a bill, including some "sacrificial lambs" that they know they're going to have to give up. As a result, privacy advocates, legislators, and staff all have to focus their energy on these relatively-minor issues. When the change is finally made, industry can portray their concession as a compromise, and legislators and the media can talk about how the bill is getting "steadily stronger".
The brouhaha about whether California Consumer Privacy Agency (CCPA) can enforce the ADPPA is a good example of a sacrificial lamb and worth looking at in detail. California's voters created CCPA and gave it a $10,000,000 budget in a statewide referendum just two years ago, so it's very very very unlikely that California legislators would vote for a bill that effectively gets rid of it.
But the ADPPA discussion draft didn't give state privacy agencies the authority to enforce the bill. So everybody had to spend valuable time arguing about it before reaching the obvious conclusion that yeah, state privacy authorities should be allowed to take action to protect their residents.
But the section that got added to the subcommittee version allowing state privacy authorities to enforce was worded in a way that it didn't include CCPA. So now everybody had to spend time talking about that before reaching the obvious conclusion that yeah, CCPA should be allowed to take action to protect Californians.
And in the current version there's still a provision that state Attorneys General, including California, warn will substantially interferes with many states' investigation and enforcement authorities. Hey wait a second, I'm noticing a pattern here. Nobody's mentioned this yet in any of the hearings, and as far as I know privacy groups' comments haven't yet emphasized this issue – in fact, Alan Butler of EPIC has said the bill's enforcement is stronger than anybody gives it credit for. So maybe industry will be able to sneak this major loophole through (they tried something similar in Washington in 2020). Even if it gets fixed now, it will take more valuable time and energy.
Another industry tactic is to get changes into the bill that they know will almost certainly get undone. Again, this chews up time and energy from privacy advocates, legislators, and staff. Often, industry can get a concession to "balance" their willingness to "compromise" by undoing the change – or use this "compromise" to avoid bigger changes. And when the changes get undone, it's another opportunity for the bill's supporters to claim it's getting stronger, when the reality is that it's just gotten back to where it originally was.
Changes since the subcommittee version
With that as context, here's a list of some of the most important changes. Many thanks to WA People's Privacy and the other Washington privacy organizers who helped with the crowdsourced bill analysis! I'll continue to update this as we analyze some of the other changes.
If you want to follow along, you'll want the July 19 ADPPA version as amended by the six amendments that passed. The redlined version from IAPP and Future of Privacy Forum, including all the amendments and highlighting the specific textual changes from the subcomittee's version, is also very useful.
- State consumer agencies with expertise in data privacy, including the California Privacy Protection Agency (CPPA), can now enforce the bill (Sec. 2(32)). This addresses one of the many issues CPPA had brought up in their July 1 comments.
- Race, color, ethnicity, religion, and union membership are now once again considered "sensitive covered data" (Sec. 2(28)(A)(14)). This undoes a very harmful change the subcommittee had made. Unfortunately, the committee removed sexual orientation from sensitive data, and other very sensitive data such as sex, gender, immigration status ,and national origin still isn't considered "sensitive covered data."
- The defintion of de-identified data, which is exempt from ADPPA, has been revised to undo another very harmful change the subcommittee made (Sec 2(12)). Note however that this does not appear to have fully addressed the concerns from Sen. Wyden and others that de-identified data is a major loophole.
- "High impact social media companies" (with more than 300,000,000 users) have to treat somebody as a minor if they "know or should have known" that person is under 17 (Sec. 2(20)(A)(i). Kids privacy experts have been calling for this stronger "constructive knowledge" standard, so this is a big deal. However, "small" businesses with annual revenues of $41,000,000 or less can continue to take advantage of the "actual knowledge" loophole. Mid-size companies, abd large non-social media companies, split the difference with a "willful disregard" standard.
- The weak private right of action, allowing people to sue companies who break the law, now comes into effect in two years instead of four (Sec. 403(a)(1)); and people no longer forfeit their rights if they send a badly-worded demand letter, removing one of the hurdles to being able to sue (Sec. 403(a)(1)). [Remaining hurdles still include requirements for consumers to give prior notice to the FTC, and a "get out of jail free card" that gives companies a way to duck penalties -- another good example of industry's multi-level loophole strategy.] Balanced against this, businesses with revenues of less than $25,000,000 are now exempt from the private right of action. (Sec. 403(e)(2))
- Forced arbitration is no longer enforceable on claims related to gender or partner-based violence or physical harm (Sec. 403(b)). However, companies can still impose forced arbitration on adults in all other cases. During the markup, Rep. Donald McEachin of Virginia said that the bill as currently written wouldn't have his support on the floor because of forced arbitration, and Senate Commerce Chair Maria Cantwell has flagged this as an issue that needs to be fixed.
- Changes to the section on preempting FCC privacy laws (404(b)(4)) are appreciated by Public Knowledge, who now supports the bill. That said, according to EFF, ADPPA still blocks several important federal privacy laws.
- Service providers processing data on behalf of government agencies are now (once again) not exempt from ADPPA, undoing yet another very harmful subcommittee change. Balanced against this, though, a key restriction on all service providers – whether or not they're operating on behalf of government agencies – have been weakened (Sec. 302).
- The "permissible purposes" for which businesses and non-profits can collect and process data without consent have been broadened substantially. (Sec 101(b)). One change, for example, expands the definition of "security" in 101(b)(5). Previously, it was "network security as well as intrusion." Now, it's "network security and physical security and life safety, including an intrusion or trespass." Does ADPPA protect unhoused people? discusses one of the potential implications of including "trespass."
Note that there was already concern that 101(b) purposes was over-broad – see for example Washington AG Ferguson's June 24 letter describing how "internal research" (101(b)(2)) "may be used by technology companies to maintain all data indefinitely." And 101(b)(6) may well be the source of the "major loophole that could allow law enforcement to access private data to go after women" Rep. Eshoo referred to. So it's very disappointing to see this key data minimization section getting even weaker.
- Social security numbers can now be collected, processed, and transferred without consent for "fraud and identity fraud detection and prevention." (102(1))
- The definition of "employee data", which is exempt from ADPPA, has been broadened to include "information processed by an employer relating to an employee who is acting in a professional capacity for the employer, provided that such information is collected, processed, or transferred solely for purposes related to such employee’s professional activities on behalf of the employer." (Sec. 2(8)(C)(ii))
- When people are using devices provided by their employer – or sending something to somebody whose device is provided by their employer – calendar information, address book information, phone or text logs, photos, audio recordings, and videos, maintained for their own private use is no longer considered sensitive covered data. (Sec. 28(A)(x))
- The language requirements for privacy notices has been narrowed. Previously, these had to be provided in any language the product or service is provided in, and any language in which the company carries out activities related to such product or service. Now, they only have to be provided in the those languages if they're also "covered languages" (Sec. 2(10)), defined as the top 10 languages in the US. Many immigrants, Native Americans, and Indigenous people use software in languages that don't fall in the top 10 (Facebook and Google both support over 100 languages), so this significantly impacts their rights.
- Service providers are now allowed to combine service provider data with covered data for the 101(b) permissible purposes (Sec. 302). There are several other changes to this section as well, and EFF is concerned that this section will gives government contractors such Clearview AI and ID.me much more leeway than it should.
UPDATE, August 4: What Microsoft, IBM and others won as the privacy bill evolved (Ben Brody and Hirsh Chitraka on Protocol) discusses these changes in more detail.
- Several related changes significantly weaken the Algorithm Impact Assessments and Algorithm Design Evaluations requirements (207(c)), which are vital for enforcing the civil rights anti-discrimination protections against large companies. One major change is to eliminate the requirement that companies use external, independent auditors or researchers to the extent possible. As we've seen time and again with Facebook's repeated denials of discrimination in housing ads – followed by settlements when external audits reveal ongoing discrimination – internal auditors are often unlikely to surface real problems.
- The standard for which algorithms require assessment (207(c)(1)(A)) has changed from “may cause potential harm” to “consequential risk of harm.” This is an attempt to focus impact assessments on the highest priority algorithms, but could easily mean that important algorithms don't get impact assessments – especially since, s Brandon Pugh and Sofia Lesnes point out on R Street, "the exact meaning of consequential risk is not clear."
This is especially concerning because the definition of Covered Algorithm (now in 2(7), but otherwise unchanged in this version) also potentially excludes a lot of important algorithms; see comments from Cynthia Khoo, Ben Winters, and Anjana Susarla about the potential limitations of the "facilitate human decision-making" framing.
- Algorithm Impact Assessments no longer have to include "foreseeable capabilities outside of the articulated proposed use of the covered algorithm." and "reasons for the superiority of the algorithm over nonautomated decision making methods". The requirements for these assessments were already noticeably weaker.
- Another weakness: the new version added a new requirement to authenticate global opt-out requests, which it turns out completely undercuts the purpose of global opt-out. (Sec. 210(b) – ADPPA calls this "unified opt-out") From CCPA's letter:
California requires businesses to honor browser privacy signals as an opt out of sale, and authentication of such requests is not required. This is to prevent hundreds of businesses from contacting the individual to confirm the opt out one-by-one and to prevent targeted advertising loopholes. ADPPA’s global opt out has recently been amended to include an authentication requirement for global opt-out requests.
On Twitter, Jason Kint of Digital Content Next has an excellent explanation of why this would be so bad.
- Companies with less than 15 employees are now exempt from Sec. 301(c), even if they do not qualify as Sec 209 small businesses (who were already exempt). This means they don’t have to designate a security and privacy officer; and if they're large data holders, they're exempt from the 301(c)(3) audits and compliance training requirement.
This came in as a bipartisan amendment modifying 301(c)(1), described as lessening the burden on small businesses. While I certainly agree that there’s no reason a corner store or tiny family-owned restaurant should have to name a security and privacy officer, they were already exempt due to Sec. 209. So this seems a loophole for tech companies like who process too much data to qualify for Sec. 209 – like small biomedical startups, for example (who also benefit from another bipartisan amendment described as removing barriers to clinical trials). As Cobun Zweifel-Keegan of IAPP reminded me, this could also exempt businesses like Cambridge Analytica – a classic example of why exempting companies based on size can be problematic.