Federal privacy legislation: It'll be an interesting summer! (UPDATED)
ADPPA, COPRA, HLDPA and more!
Last updated: June 18. Originally published: June 14.
As Congress heads into the summer, there's a sudden surge of activity on federal privacy legislation. The recently-released American Data Privacy and Protection Act (ADPPA) has a hearing in the House on Tuesday, June 14. Meanwhile, Sen. Maria Cantwell (D-WA) is circulating a draft of her own bill, a revision to 2019's Consumer Online Privacy Rights Act (COPRA). As if that's not enough, there are also several different children's privacy bills being considered. Exciting!
Update, June 15: and now there's another bill, the Health and Location Data Protection Act (HLDPA).
In late May, over 50 civil rights, civil liberties, and consumer protection organizations urged Congress to "pass comprehensive consumer privacy legislation during this session that prohibits data-driven discrimination and ensures that everyone has the right to equal opportunity on the internet." Signers including Lawyers Committee on Civil Rights, EPIC Privacy, CDT, Access Now, and Free Press have all described the draft ADPPA as encouraging – both because of its explicit civil rights protections, and its bipartisan support (it's sponsored by House Energy and Commerce Chair Frank Pallone (D-NJ), ranking member Cathy McMorris Rodgers (R-WA.) and Sen. Roger Wicker (R-MI), ranking member of the Senate Commerce Committee).
Issues like whether individuals can sue companies who violate their privacy (a "private right of action") and whether the federal bill will prohibit states from passing stronger legislation ("pre-emption") have previously been sticking points to getting bipartisan support. ADPPA's compromises in both of these areas are seen as breaking a stalemate. Since bipartisan support is crucial to get anything through Congress, this is indeed a big deal.
On the other hand, there are also lots of concerns about ADPPA.
- Sen. Cantwell has criticized its private right of action – which wouldn't take effect until 2026 – as too weak.
- Sen. Brian Schatz (D-HI) has reportedly said that a bill without a duty of care should not pre-empt state consumer privacy laws; Sen. Cantwell also opposes pre-emption.
- ACLU says ADPPA needs substantial revision, and is concerned that it will be rushed to the floor.
- EFF has urged Congress to strengthen the bill
- The Chamber of Commerce describes the bill as "unworkable."
- Ari Ezra Waldman (author of the outstanding Industry Unbound) describes it as another gift to industry.
Some of the links below go into more details about other issues, including law enforcement access, a "duty of loyalty" that appears to set a very low bar, the complex pre-emption clause, and the exclusion of de-identified data and employment data.
So while I too am encouraged by the bipartisan interest in passing privacy legislation, I'm tempering my enthusiasm for now. Based on what we've seen over the years in the Washington state legislative battles, I'm nervous that language in the bill that looks strong will turn out to be weaker than it appears, or will be undercut by other sections of the bill. And of course, big tech and data brokers will no doubt claim that even the current text will cause the sky to fall, and will devote huge lobbying efforts to weaken it – as they routinely have with state privacy bills.
One approach that proved very useful here in Washington state is to look at real-world privacy abuses that are occurring today and we expect to see in the near future. In 2021, for example, we looked at whether the state-level bill would prevent ICE access to data from Muslim prayer apps; and earlier this year, we focused on the Markup's reporting on ed tech abuses (here and here). As we get more information about the legislation, this will help understand how effectively ADPPA and COPRA will actually be in protecting us.
So, we shall see. But to end on a positive note: There's general agreement that 2022 is the best chance yet to get a strong privacy bill through Congress. With luck – and enough pressure from privay groups and grassroots activists to counter big tech's lobbying – the bills will improve as they move through the process and converge on something that really does protect our privacy. Which would be pretty darned cool ...
So stay tuned for an interesting summer!
Links with more information
- Here’s the June 3 draft of the ADPPA. It’s long. Why is there a section on “Digital Content Forgeries” in a privacy bill? I have no idea, and neither does anybody else I’ve talked to.
- Rebecca Kern’s Bipartisan draft bill breaks stalemate on federal data privacy negotiations in Politico, Will Oremus’ House and Senate members unveil stalled data privacy bill in the Washington Post, and Chris Mills Rodrigo's Why a bipartisan data privacy proposal faces an uphill battle in The Hill are all good overviews of the political situation.
- Müge Fazlioglu's Distilling the essence of the American Data Privacy and Protection Act discussion draft and Cobun Zweifel-Keegan's Understanding the scope of the draft American Data Privacy and Protection Act, both on IAPP, delve into some key areas.
- We’re so close to getting data loyalty right, by Woodrow Harzog and Neil Richards, also on IAPP, analyzes the "loyalty duties" in ADPPA and other legislation in more detail.
- Olga Kagan's Federal Privacy Law incoming? New Bipartisan Bill Filed on LinkedIn and David Stauss' Bipartisan U.S. Federal Privacy Bill Circulated on Byte Back have a detailed run-down on the bill's contents.
- Shoshana Wodinsky's Our Country Moves Closer to a Federal Privacy Law, and I Move Closer to Losing My Mind and Mike Masnick's New ‘Bipartisan’ Federal Privacy Bill Tries To Build Consensus Support, And Basically Succeeds In Annoying Everyone provide some more skeptical views.
- Blake Reid's Twitter thread goes into depth on pre-emption; his summary is "As far as I can tell, the default-preemption structure coupled with broad/ambiguous exceptions (particularly the civil rights exception) will introduce a tremendous degree of uncertainty about what is actually preempted." William McGeveran and Whitney Merrill also make some good points.
- A dozen members of the Disinfo Defense League, including Free Press, Access Now, Kairos Action, Media Justice, Equality Labs, Asian Americans Advancing Justice, Muslim Advocates, and Common called on Congress to ensure new privacy legislation safeguards everyone’s online civil rights.
Update, June 18: here's my live-tweeting of the hearing (unrolled into a single web page for your convenience). And, here's EPIC's live-tweeting, which also has links to witnesses' written testimony. Some new links since then:
- Jessica Rich's Readout on House Privacy Hearing: Wide Attendance, Lots of Issues, Full Steam Ahead on Kelley Drye's Add Law Access Blog; Joe Duball's US House committee showcases federal privacy momentum, opportunity, on IAPP; Insights from the House Subcommittee Hearing on ADPPA, by Hilary Higgins, Ali Jessani, and Kirk Nahra of Wilmer Hale on JD Supra; and U.S. Comprehensive Federal Privacy Legislation Takes Major Step Forward by Ieuan Jolly and Kris Ekdahl of Linklaters on are all good overviews.
- Cristiano Lima notes that the Senate may be a roadblock, with quotes reactions from Sens. Blumenthal, Schatz, and Cantwell.
- Jolina Cuarasema's The Time is Now for Comprehensive Federal Data Privacy Legislation, on Common Sense, summarizes her testimony and highlights some provisions that need to be added to better predict kids and teens.
- Ashley Johnson's Three Bills Show Remaining Divisions in Attempt to Reach a Compromise on Federal Data Privacy Legislation, on ITIF, compares and contrasts ADPPA with COPRA and Sen. Schatz' Data Care Act.
- Users beware: Apps are using a loophole in privacy law to track kids’ phones, a discussion between Washington Post tech columnist Geoffrey Fowler NPR Fresh Air Dave Davies, goes into the "actual knowledge" loophole.
- What does the newest U.S. privacy bill mean for cybersecurity?, by Tatyana Bolton, Brandon Pugh, and Sofia Lesmes on IAPP, looks at the security implications.
Keep in mind that authors of various articles are not necessarily neutral here! For example, ITIF represents the tech industry, and in their testimony pressed for ADPPA to be weakened. Still, these are all good analyses ... and who am I kidding, I'm not particularly neutral either 😎.
Image credit: JessicaRodriguezRivas, via Wikipedia Commons. licensed under the Creative CommonsAttribution-Share Alike 4.0 International license.