Alex Krylov & Piper Stull-Lane
The American Data Protection and Privacy Act (ADPPA), a comprehensive privacy bill steadily making its way through an arduous political process, promises significant improvements to America’s state of privacy.
The proposed privacy legislation will be brought to a floor vote in the House sometime in 2023, a major achievement of its own, and — if passed — would be sent to the Senate as a grand bipartisan compromise.
DataGrail believes that data privacy is a human right. So, it begs the question: Is the ADPPA objectively a good addition to privacy legislation in the United States? Can it hold its own on a global stage? Can it be effective today and tomorrow?
To get answers, privacy academic Professor Daniel Solove brought together a panel of data privacy veterans on August 10, 2022 to discuss on LinkedIn Live.
Speakers included: Prof. Daniel Solove, GW Law and TeachPrivacy | Omer Tene, Goodwin Procter | Susan Hintze, Hintze Law | Jody Westby, Global Cyber Risk | Alan Butler, EPIC | Alastair MacTaggart, CCPA and CPRA co-author, caprivacy.org
Their challenge was to give the ADPPA two grades:
- On a curve, how does the ADPPA stack up to its counterparts?
- Objectively, can ADPPA get the job done?
Prof. Solove gave the bill a B+ for quality, and following a spirited debate with fellow privacy luminary (and webinar panelist), Omer Tene, Solove wanted other “graders” (panelists) to join in.
Here’s how their academic exercise shook out.
Honor Roll: areas where the ADPPA gets the job done right
Many experts agreed that implementing federal legislation is better than nothing — with several suggesting the proposal exceeds protections offered by the GDPR and CCPA.
They suggested that:
- It is a political miracle that progress of this arguable magnitude was made by today’s Congress.
- The bill’s protections go beyond what was thought possible even two years ago.
- There is a coming together on major issues of disagreement concerning State privacy laws and enforcement, and a narrowing of gaps on smaller, finickier issues.
Omer Tene offered that ADPPA excels at:
- Addressing civil rights.
- Enshrining data minimization principles.
- Requiring opt-in for sensitive data.
- Strong public enforcement.
- Providing national access: “This law applies to 300 million other people outside of California.”
Alastair MacTaggart commended federal lawmakers for prohibiting ads targeting children, and Susan Hintze applauded the notion of all Americans receiving comprehensive protections.
Audience members added their own perspectives, with several expressing disappointment that “something is better than nothing,” and wanted to see more of a fight to offer consumers with stronger protections nationwide. Fortunately for the unimpressed, there was still plenty of discussion yet to come.
Graders’ consensus: Some federal legislation is better than nothing, and anything that expands protections similar to CCPA’s beyond just Californians should be supported.
Passing Grades: areas where the ADPPA does enough
Prof. Solove offered a B+ in comparison to the GDPR, balancing that with a lower C/C- for the bill’s objective quality. In fairness to Congress, which earned a D for tardiness, Solove notes that the venerable European regulation has its own areas of improvement. A long-standing proponent of laws that address the endemic causes of privacy harms, Solove believes the world has a “long way to go” on consumer privacy and data privacy.
Jody Westby’s curve grade was a B. In her view the bill is “pretty good” for today’s political climate, but criticized lawmakers for reinventing the wheel on private enforcement vis-a-vis the better Privacy Act of 1974. She liked how the FTC and State Attorneys General would share enforcement powers, and how authors excluded California’s cumbersome data sale or share provisions in favor of broader prohibitions. But her objective score was a clipped D on geopolitical grounds. Unlike the EU, the US “does not do privacy well,” she explained. “We’re like a hairdresser who does not do her own hair.”
In Westby’s view, the bill is reactive to the EU, the global leader on data privacy and tech policy, and as written, “will not put the US on the global stage.”
For his part, Alan Butler thought the ADPPA measured up to an A-. He applauded the bill’s robust individual rights and protections from retaliation, and how it prohibited rather than offered an opt-out from certain high risk activities. His objective grade was, at most, a B: He stressed concerns with ADPPA not going far enough to address from a specific entity, such as governmental surveillance and harms from automated (algorithmic) decisioning.
Graders’ consensus: The ADPPA does “many good things,” yes, but is far from an ultimate solution.
Needs Improvements: areas where the ADPPA struggles
Prof. Solove raised concerns over the ADPPA becoming antiquated (“ossifying”) over time. “When I look at history, I see that Congress has not kept laws up-to-date, and they get frozen in time.” Per his earlier post, “Continuous legal innovation is essential for law to work well.” A neglected ADPPA would weaken over time and be less effective with respect to new tech and new ways of doing business.
Hintze sees issues with a “swiss cheese” of loopholes. For one, there are no restraints on publicly available consumer data, which is readily collected and easily combined for profiling and algorithmic decisioning. For another, there is an imbalance with which organizations must comply, citing nonprofits like girl scout troops facing more obligations than banks.
Responding to ossification, Tene offered that this is the case not just for data privacy law, but for all laws, which are “true to the moment” and rely on administrative functions — from rulemaking to enforcement — to keep a law relevant. Congress will need to make updates and patching a priority, which is a political gamble, or help the FTC keep pace through stronger rulemaking authority. Rulemaking powers appear under duress and may very well need Congressional intervention, which is another gamble.
Panelists agreed that while providing for strong enforcement, actual enforcement may be hamstrung through insufficient resources. The FTC would need to be “turbo-charged” to be effective.
Graders’ consensus: The EU spends a lot on its data protection infrastructure. Congress needs to ante and pony up for the law to have long-lasting teeth.
Calls for Detention: areas where the ADPPA falls short
Preemption and the private enforcement through litigation continue to be sticking points, and, for some, a critical failure of the ADPPA. One of Solove’s arguments for a fresh approach to preemption is grounded in the realities of litigation at the federal level. “The ability of states to create privacy laws with a private right of action would be preempted, leaving people with a federal private right of action that might exist in theory only. When they get to the courts, the doors might slam shut.”
MacTaggart, as co-author of the CCPA and CPRA, agrees with this concern. He is part of a strong movement that calls on ADPPA authors to set a legislative floor (no preemption) so that States could continue to experiment with strong protections and enforce their own ceilings.
But things may not be quite so polar. Alan points out how the ADPPA takes a middle path by not preempting significant legal innovations — particularly those concerning facial recognition, civil liberties, civil rights, and general consumer data protections. Still, “not substantially subsumed” by the ADPPA may leave digital privacy issues on the table. MacTaggart points to consumer profiling, brokering, and other data-extractive business practices as potentially falling through the preemption cracks.
Graders consensus: Preemption continues to be a divisive tradeoff, but an inevitable gamble in the here and now. No preemption means no federal privacy law.
After Graduation: what’s next for the ADDPA?
Hintze argued that passing the ADPPA now will bring immediate benefits to all Americans. She argued it is not reasonable “to expect 50 states to pass laws that look just like California,” and cautioned that in the wake of an overturned Roe v Wade and a polarized Congress heading into midterm elections, we may not “have a federal government in a few years” that cares about privacy law.
Tene agreed on the need to move forward despite understandable misgivings. “Privacy reforms are just starting and it makes no sense to yank the [ADPPA] bread out of the hot oven.”
Prof. Solove reiterated doubts about the law remaining effective in the future, and reminded the audience that “there’s still more to come in the congressional process.” The bill is still a moving target with respect to getting the support it needs to pass. And what passes may not be quite the same bill in front of the graders. We may find more loopholes and exceptions added that “could ultimately undermine the law.”
A for effort. The ADPPA closes many historic gaps, and its political momentum reflects a sense of (long-overdue) urgency. To paraphrase webinar panelists, it’s incredible today’s Congress could come out with a strong bipartisan privacy bill, let alone push one towards a floor vote. Respect must go to California for forcing the issue.
B for stacking up. The bill has many of the fundamental elements critical to modern privacy law. Updated definition of personal data? Check. Constraints on sensitive data and risky processing? Check. Data subject rights? Check. Risk assessments? Check. Training, security and accountability? Check. Strong public enforcement? Check. And, it should be possible for US companies to repurpose much of what they already do for EU/UK and California compliance.
B- for substance. The ADPPA is a framework for, hopefully, further protections. We give it high marks for prohibiting manipulative design (“dark patterns”) and discriminatory data practices, setting strong guardrails around sensitive data, and extending essential data rights like access, correction, and deletion to all Americans. But it does nothing about governmental access to data, would require careful tending from a historically negligent Congress, and may very well need companion legislation to “turbo-charge” the FTC for effective enforcement.
C/C+ for prospects. Congress is out for summer break, and with midterm elections top of mind in the Fall we may not see more movement until sometime in 2023. Even then, if power shifts in the House and/or Senate, it may lose critical momentum to pass in both chambers of Congress.
The ADPPA is a compromise on extremes, with good and bad aspects brought together in a passable middle.
The bill deals with complicated issues ranging from the surveillance economy to corporate accountability and preemption. It is only natural privacy veterans would feel conflicted on these and other negotiated issues. Nevertheless, webinar participants shared a sense of urgency: the bill has much-needed legs and can be a new beginning for the US.
To borrow Daniel Solove’s closing remarks, the ADPPA is “the best chance to see something at the federal level in a long time.”
Regardless of outcome, DataGrail believes uniform protections should not mean weakened protections. Our billboard message captures this sentiment exactly: “If the government doesn’t protect your privacy, we will.”