Evaluating the American Data Privacy and Protection Act
Caitriona Fitzgerald, Alan Butler / Aug 8, 2022
Alan Butler is Executive Director and President and Caitriona Fitzgerald is Deputy Director of the Electronic Privacy Information Center (EPIC).
On July 20th, the American Data Privacy and Protection Act (“ADPPA”) was reported favorably out of the U.S. House Energy and Commerce Committee by a bipartisan 53-2 vote. The ADPPA would establish important protections for all individuals in the U.S. and make much needed advancements for privacy rights at a time when those rights are very much at risk.
Strong Protections in the ADPPA, But Also Significant Preemption
The ADPPA would impose data minimization obligations on companies that collect and use personal information; strictly regulate all uses of sensitive data; provide special protections for minors; create individual rights to access, correct, and delete data; establish strong civil rights safeguards online; require transparency of algorithmic decision-making; and prohibit cross-contextual behavioral advertising. The law provides for “three tier” enforcement by the Federal Trade Commission, state attorneys general and privacy authorities, and individuals via a private right of action.
Under the ADPPA, no state would be permitted to enforce provisions of law covering the same issues as the ADPPA, and existing provisions of law that cover those issues would be superseded. But the preemption rule in the ADPPA has many significant exceptions, including for general consumer protection laws, civil rights laws, provisions concerning facial recognition, criminal law, or electronic surveillance. The ADPPA sets a “ceiling” on general comprehensive consumer privacy standards in the United States. But notably, the ADPPA preemption provision does not preempt all state laws in the “field” of privacy, and states would retain power to enforce current laws and enact new laws that address issues not “substantially subsumed” by ADPPA or within one of the savings provision categories.
Many privacy and consumer protection organizations, including EPIC, have advocated for decades that Congress should enact comprehensive privacy legislation that sets a federal “floor” and allows the states to go further without restriction. However, no such bill has passed or even advanced to a committee vote in either chamber in more than two decades. In the meantime, several states have passed comprehensive privacy bills that seek to fill the federal void. Many of the bills introduced in the states provide little protection for individuals, and in most states there are currently no online privacy protections at all.
The Need for a Strong National Privacy Standard
We need a strong national standard to protect the privacy of all individuals. The ADPPA is the first privacy bill in twenty years to garner broad bipartisan support and have a real chance at becoming law. That is due, in part, to a key compromise struck in the bill: it includes a private right of action with certain restrictions, as well as a ceiling preemption provision with certain carveouts.
As with most political compromises, these measures have been criticized by all stakeholders. But no amount of wishful thinking is going to change the political reality we face right now. More than ten years of concerted effort to reach a deal for comprehensive privacy legislation had failed until this compromise was struck in ADPPA. Unfortunately, there is no serious prospect of a strong, comprehensive federal privacy bill that does not include some form of this compromise. So, the key question is: would we be better off with a strong federal standard with enforcement at the federal, state, and individual level, or would we be better off with the status quo?
Congress, of course, should not pass a weak federal standard that preempts state law. In fact, we believe that Congress shouldn’t pass a weak federal standard under any circumstances—even if it doesn’t preempt state law—because it would send the wrong message and undermine enforcement efforts. So if ADPPA is to preempt existing and future state privacy laws, it must be stronger than current state laws and resilient to future shifts in technology and business practices. We believe it is.
How the ADPPA Measures Up to California
California has one of the strongest comprehensive privacy regimes in the United States. In 2018, the California legislature passed the California Consumer Privacy Act (CCPA), and in 2020 California voters amended that law via a ballot initiative, the California Privacy Rights Act (CPRA). The amended CCPA provides broad protections against businesses’ unauthorized sale or sharing of personal information, establishes individual data rights, and limits the collection and uses of personal information. Colorado and Connecticut have followed suit by passing privacy laws as well. But having a strong set of privacy protections in one state, or even three states, is not enough. Online privacy abuses are not limited by geography or state boundaries.
We believe that the ADPPA is stronger in several key areas than California’s CCPA, that it would provide roughly equivalent protections in most circumstances, and that the few areas where the CCPA is stronger could be addressed through minor amendments to the ADPPA. Crucially, the ADPPA would also extend privacy protections to more than 330 million people living in the U.S., whereas the CCPA only directly protects California’s 39 million residents. And though the preemption provision in the ADPPA would supersede most of the substantive provisions of the CCPA, it would leave in place state privacy laws that concern issues not covered by ADPPA or that fit within the specific list of preemption carve outs (e.g. privacy provisions related to criminal law, civil rights, facial recognition, and consumer protection laws of general applicability).
The ADPPA’s baseline requirement that companies must limit their data collection to what is reasonably necessary and proportionate to provide or maintain a product or service requested by the individual (or pursuant to certain enumerated purposes) is more specific and detailed than California’s data minimization requirement. Indeed, under the proposed regulations issued by the California Privacy Protection Agency, companies would be permitted to collect and use data for purposes that are not consistent with what a reasonable consumer would expect, so long as they get opt-in consent. The proposed California rules would give more leeway to companies to determine the purposes for which they can collect data.
The ADPPA goes even further in its explicit restriction on the collection, use, and transfer of sensitive covered data (such as biometrics and geolocation), which is only permitted when strictly necessary and not permitted at all for advertising purposes. In contrast, the CPPA provides individuals with a right to limit processing of their sensitive data through an opt-out link.
Critically, the ADPPA would also extend civil rights to online spaces, something California’s law does not cover. These provisions prohibit companies from processing data in a way that discriminates (whether intentionally or not) on the basis of race, color, religion, national origin, sex, or disability. Among other benefits, this will have the impact of prohibiting targeted advertising that discriminates or has a disparate impact on those bases, a protection that does not exist under California law.
Many of the other provisions in the ADPPA provide an equivalent level of protection to the CCPA, including some parts of the bill that mirror the CCPA standards. In our chart comparing the bills, which is below, we summarize these provisions and highlight a few areas where the California law is stronger or where we feel the ADPPA needs to be tightened to avoid loopholes. These include the “guardrails” set for differential prices charged to individuals who chose to delete their data or decline to participate in a loyalty program, as well as the scope limitation on privacy impact assessments and the lack of clarity around which entities count as “third parties.” The most significant difference between the CCPA and the ADPPA is that the California ballot initiative provides some protection against future efforts by the California legislature to weaken the privacy provisions in the CCPA. There is no equivalent protection in the federal system, but it is worth noting that a future Congress could always vote to preempt California with a weaker law than the ADPPA, so not passing the ADPPA does not provide assurance that the California law will be protected from federal supremacy.
To be clear, EPIC has long argued that federal privacy laws should set a floor, allowing states to enact stronger protections. We still believe this is the best approach and would prefer that the ADPPA took that approach, but we recognize that compromise is necessary to enact a national standard that would protect the privacy and civil rights of all Americans. The bipartisan American Data Privacy and Protection Act presents Congress with the best opportunity it has had in decades to stem the very real data abuses and privacy harms that are happening online every minute of every day due to the lack of a U.S. privacy law. All Americans deserve privacy and civil rights online.