Unfortunately, we are living in an age in which the mass commodification of consumer data has become commonplace and generally accepted. Companies, and data brokers, can buy and sell the majority of adults’ personal data with impunity.
Aside from the California Consumer Privacy Act (CCPA), which came three years after the E.U.’s General Data Protection Regulation (GDPR), we haven’t seen major U.S. legislation on the personal data front. To be sure, there’s a patchwork of state laws. In addition to the CCPA and California Privacy Rights Act (CPRA), there are the Virginia Consumer Data Protection Act; the Colorado Privacy Act; the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act, to name a few; however, it is time for a strong privacy law at the federal level, and with a few revisions, the American Data Privacy Protection Act (ADPPA) could be this law.
The current state of the ADPPA
On one hand, the ADPPA is far and away the closest the U.S. has ever been to issuing a federal data privacy law; the bill is bipartisan in nature, and it passed the House Energy Commerce Committee with a whopping 53-2 vote. On the other hand, in its current form, this bill does not appear to have much potential. Right now, it can’t get past Speaker of the House Nancy Pelosi, let alone reach the Senate floor.
The main concern held by Pelosi is that the ADPPA would supersede state laws, thus diluting the protections already offered by California’s CPRA and the consumer data protection bills held by other states.
In a September 1 statement, Pelosi writes,
“Governor Newsom, the California Privacy Protection Agency (CPPA), and top state leaders have pointed out the American Data Privacy and Protection Act does not guarantee the same essential consumer protections as California’s privacy laws.”
Likewise, last month the CPPA released a letter opposed to the ADPPA, and in late July, the five-member CPPA board voted unanimously to oppose the ADPPA or any bill that would supersede existing state laws. They write,
“The ADPPA would remove important safeguards that are already available to Californians today and tie the hands of states from improving privacy protections in the future. We urge lawmakers to focus their efforts on ensuring that any privacy legislation follows the model of other federal privacy laws and sets a floor, not a ceiling, on privacy rights.”
A floor, not a ceiling
This exact language was also used by 10 state attorneys general in their open letter to Congress in July. The attorneys general—from California, Connecticut, Illinois, Maine, Massachusetts, Nevada, New Jersey, New Mexico, New York, and Washington — write,
“It is critical that Congress set a federal privacy-protection floor, rather than a ceiling, to continue to allow the states to innovate to regulate data privacy and protect our residents.”
In addition to the preemption issue, these attorneys general believe that states are inherently better suited to respond to technological changes, and there are concerns that the current ADPPA bill compromises the ability of state attorneys general to investigate entities that violate the law.
What exactly is in the current ADPPA bill?
Initially spearheaded by House Energy and Commerce Chair Frank Pallone (D-NJ), Cathy McMorris Rodgers (R-WA), and member of Senate Commerce Committee Sen. Roger Wicker (R-MS), the ADPPA is an attempt to minimize the collection of Americans’ personal data.
Much like the GDPR, this legislation would bolster Americans’ consumer privacy rights, while also holding data collectors accountable for discriminatory data handling practices.
Stronger consumer privacy rights. According to the language in the current bill, the ADPPA provides users with the right to “access, correct, (and) delete” data pertaining to them. Under this bill, most technology companies would be barred from collecting any user data they do not need; only “reasonably necessary” data could be collected. As a caveat, those organizations that are already regulated by existing privacy regulations—such as education, healthcare, and certain financial services companies —would not incur additional compliance burdens from ADPPA.
Additionally, assuming a federal prosecutor isn’t already on the case, individuals would now be able to sue companies for mishandling their data.
More protections for minors. The ADPPA would also provide more protection for minors. Currently, federal privacy laws ban organizations from using personal data to target users under the age of 13; however, the ADPPA would bump this up to 17.
Per Section 205 of the proposed bill, targeted advertising to individuals under 17 is expressly prohibited; entities can’t transfer covered data of individuals to third parties without these individuals’ consent. Put differently, the data of all Americans under 17 would now be defined as “sensitive covered data.”
Public registry of data brokers. Under the ADPPA , which falls under the purview of the FTC, there would be a newly created public registry of data brokers. According to Section 206, data brokers will be required to register with the FTC if they process covered data of more than 5,000 people.
So far, this all sounds well and good. However, in addition to the preemption problem (the potential for the ADPPA to supersede the CPRA and other state laws), there are a number of problematic loopholes in the current bill.
Other than the creation of a registry, the ADPPA continues to let data brokers operate with impunity. Despite this, the proposed bill has instigated a lobbying surge from the data brokerage industry.
Also, the language of the bill provides a few problematic carve-outs. “Covered data” does not include “de-identified data,” “employee data,” or “publicly available information.” The exception for “de-identified data” is particularly problematic because, as we have seen time and again, data can get de-identified and re-identified.
Also, there are loopholes for law enforcement. The bill reads,
“A covered entity may decline to comply with a request to exercise a right described in subsection (a), in whole or part, that would…interfere with law enforcement, judicial proceedings, investigations, or reasonable efforts to guard against, detect, or investigate malicious or unlawful activity, or enforce valid contracts.”
In most cases, law enforcement agencies would still be allowed to collect biometrics, genetic information, and “known nonconsensual intimate images.” Seeing as federal law enforcement agencies are one of the biggest purchasers of Americans’ data, these loopholes should not be taken lightly.
There is little doubt that the collection of Americans’ personal data needs to be reined in. A federal data privacy law is certainly welcome. That said, it is important that Congress passes legislation that sets a floor, rather than a ceiling, for Americans’ privacy rights. Any federal law needs to encourage and respect existing, protective laws at the state level.
There is the inherent risk that a federal law could be amended and watered down in the future. Just as the CPRA cannot be amended unless the amendments further protect Californians, any federal law needs to gaurantee the same.
Lastly, the carve-out for de-identified data needs to be addressed, and although a public registry is nice, we would be better served by an actual crackdown on the data brokerage industry. At any rate, we’re moving in the right direction with this bill.