New hope for U.S. privacy law, or will Congress’ impasse empire strike back?
Alex Krylov & DeAndrea Salvador
Washington has a growing void to fill. The U.S. remains the only high-tech nation without comprehensive federal privacy legislation. Time and time again, congressional efforts have log-jammed, forcing state lawmakers and the Federal Trade Commission to pave their own way toward necessary reforms. 2021 alone saw the fall of COPRA, SMPPCRA, MYOB, and CDPSA, among other promising consumer privacy proposals. Yet there is hope that a new bipartisan effort may yet bear fruit.
On June 3, a group of bipartisan lawmakers unveiled a discussion draft of the American Data Privacy and Protection Act (ADPPA). According to Senators Roger Wicker (R-Miss) and Frank Pallone (D-NJ), the American Data Privacy and Protection Act “represents the best opportunity to pass a federal data privacy law in decades.” The bill includes federal legislation for “the development of a uniform, national data privacy framework, the creation of a robust set of consumers’ data privacy rights, and appropriate enforcement mechanisms,” and offers compromise on the divisive issues of preempting state laws and granting a private right of action.
In other words, if passed, this bill would enforce the protection of consumer privacy nationwide in the U.S.
The proposal follows the general contours of recent state privacy laws and efforts. Specifically, it proposes two things:
First, the bill sets a national standard for information that should be treated as “personal.” “Covered [personal] data” offers a sweeping definition aligned with “personal data” under the GDPR and “personal information” under the CCPA/CPRA. It applies to any linked or linkable information that can identify or single out a unique individual. Examples are not enumerated, but it is clear that cookies, device IDs, behavioral inferences, and the other currency of today’s surveillance economy are in scope. (Information rendered non-personal using effective de-identification techniques, such as data transformation and generalization, would be exempt.)
Second, the proposed law introduces a set of now-standard “consumer data rights,” namely to:
- Be informed about data privacy practices.
- Learn what a company knows about an individual and access that personal information in an easy-to-understand, easy-to-transfer format.
- Correct inaccurate or incomplete information.
- Delete sensitive data when it is no longer needed.
Bridge over troubled waters
As a proposed bill for federal law, the draft steers through the turbulent questions of states’ rights and overlapping sectoral federal laws. State privacy laws like the CPRA would be preempted, with few exceptions. Federal laws like the Children’s Online Privacy Protection Act, the Biometric Information Privacy Act, and the Fair Credit Reporting Act would not be preempted.
“Covered entities subject to and in compliance with the related data privacy and security requirements of certain specified federal laws shall be held to be in compliance with the related laws of the Act solely and exclusively to the extent that covered data is subject to the requirements in the other laws…. State laws covered by the provisions of the Act are preempted, subject to a list of specified state laws to be preserved. That list includes generally applicable consumer protection laws; civil rights laws; employee and student privacy protections; data breach notification laws, etc.”
Curiously, this may create a donut hole with HR and business contact information. The draft specifically excludes “employee data” from the law’s standardized protections. The definition includes personal information relating to employees and beneficiaries, job applicants, and business contacts. It appears that, to the extent the use of this data is limited to the reasons for which it was originally collected, “employees” would enjoy protections under existing laws, and so no net-new protections are needed.
Since the goal of the ADPPA is to create a set of unified protections for Americans, we expect these and other bridging areas to be fleshed out further. We and the rest of the privacy community hope that negotiations around these difficult topics will not result in a diluted bill. Unified protections should not mean weakened protections.
A strong federal privacy law would offer:
- Guaranteed protections for all Americans at home and abroad
- Baseline protections for foreigners in light of FISA surveillance concerns
- Greater interoperability with the European data protection framework
- A private right of action that starts at the same time as regulatory enforcement
- A clearer articulation of privacy harms that go beyond financial or algorithmic harms
- Broader protections against forced arbitration
The bill is remarkable in its drive to break big tech-cultural ground. The proposal opens with the concepts of “duty” and “loyalty,” elevating privacy-first principles of transparency, proportionality, fairness, individual participation, and accountability to fiduciary(ish) obligations. Accountability will mean personal responsibility for business executives.
Organizations will be required to conduct mandatory privacy impact assessments and to evaluate their use of machine learning and artificial intelligence technologies to protect individuals from algorithmic exclusion and other privacy harms. Privacy leaders (CPOs, CISOs, and others) will need to be appointed to oversee data protection, and C-suite executives will bear personal responsibility for their organization’s compliance.
- Importantly, the ADPPA aims to prohibit manipulative design (dark patterns) and the targeting of kids and teens with digital ads. These keystone issues enjoy bipartisan support and align with the FTC’s progressive campaign against Big Tech abuses.
- As under the GDPR and CPRA, organizations will need to limit their personal data practices to what is “reasonably necessary, proportionate, and limited to provide specific products and services,” and to adopt privacy-by-design principles in their innovation, business, and partnership decisions.
- Under the law, individuals will be able to supplement FTC enforcement with private litigation. The private right of action remains highly controversial, and lawmakers propose delaying the right by 4 years. In turn, the FTC would be given a greater role in enforcing privacy, including by creating a bureau dedicated to data protection. The current FTC is under-resourced and must juggle its competition authority with the need to address commercial surveillance and other contemporary concerns.
The discussion draft also looks to the future. It highlights privacy rights in the context of machine learning and blockchain, among other emergent technologies. As a result, certain organizations will be required to conduct algorithmic impact assessments in addition to privacy risk reviews. Given the state of data science today, lawmakers recognize that privacy harms can result from unchecked (or unethical) data uses. The FTC will be tasked with reviewing algorithmic designs and impact assessments to reduce exclusionary bias and other discriminatory effects.
A long and winding road?
DataGrail believes that privacy is a human right. The ADPPA offers significant improvements to America’s state of privacy play, but a difficult path lies ahead. With the recent introduction of ADPPA into Congress, we are cautiously optimistic that lawmakers can agree on a bipartisan framework.
On June 14, the United States House Energy & Commerce Committee held a committee hearing to pitch the ADPPA. The proposal needs to go through the committee review and markup process before it can be sent to the congressional floors for a vote. Even if a finalized bill cuts a quick path through the House, Senate approval remains uncertain. Senator Maria Cantwell (D-WA) is likely to offer an alternative proposal: a revised version of her Consumer Online Privacy Rights Act (COPRA), first introduced in 2019 and again in 2021. Last but not least, the United States Chamber of Commerce strongly opposes any bill that includes a private right of action.
While we recognize the ADPPA faces a long and winding road to becoming the law of the land, it is nevertheless an important step in the right direction. We appreciate bipartisan lawmakers advocating for GDPR/CPRA-style principles, namely: transparency, fairness, proportionality, privacy-by-design, individual participation and accountability for businesses. We agree with ADPPA’s articulation that privacy protections are “duties of loyalty.”
Regardless of outcome, DataGrail believes uniform protections should not mean weakened protections. As privacy advocates, our billboard message captures this sentiment exactly: “If the government doesn’t protect your privacy, we will.”