Make Privacy Legislation a Lame Duck Priority

David Morar / Nov 14, 2022

David Morar is a Policy Fellow at the Open Technology Institute, a founding fellow of the Digital Interests Lab, project manager with the Private Ordering Observatory and a visiting professor at FGV’s Center for Technology and Society.

With voting in the U.S. midterm elections over and the margin of future legislative majorities still uncertain, the congressional lame duck session is the best opportunity to pass the American Data Privacy and Protection Act (ADPPA) before the game changes.

The ADPPA is a strong, comprehensive federal privacy bill with added protections for civil rights and a whole swath of privacy-protecting requirements for companies. The bill enjoyed a meteoric trajectory from its introduction on June 21st to passage out of committee in the House less than a month later, with an incredible, bipartisan 53 votes for and 2 against. Even more, the bill came out of committee debate stronger in response to criticisms about its blind spots, including specific concessions to the California delegation.

It’s clear why three of the “four corners” (the chairs and ranking members of the House and Senate committees overseeing the bill) introduced and championed this legislation: not only is it an overwhelmingly popular solution, but it also broke a years-long partisan deadlock on comprehensive privacy legislation.

While Democrats and Republicans started off with different perspectives on a wide range of privacy issues, the two sticking points on crafting federal privacy legislation seemed to be a private right of action and preemption. Basically, Democrats would not budge on giving users the right to sue companies for privacy violations, while Republicans were dead-set on ensuring that a uniform federal privacy law should replace the emerging patchwork of state regulations.

The solutions crafted into the ADPPA comforted a majority of concerns on both sides. The legislation would give users a private right of action for violations on a range of issues, including individual rights, kids’ protections, and sensitive covered data, with a few procedural hurdles—including allowing companies to cure their mistakes before being sued for injunctive relief. On the other hand, state privacy legislation would be preempted by the ADPPA—but the federal bill’s rights and protections are broader and stronger than any current state law, making this a concession many advocates are willing to make.

The remaining issues currently stalling the bill stem from concerns about enforcement from Sen. Maria Cantwell (D-WA), who chairs the Senate commerce committee, and concerns about the ADPPA’s clash with California’s current privacy regime from House Speaker Nancy Pelosi (D-CA) and other California members. The good news is that neither of these issues are as serious as the preemption and private right of action debates of 2018-2022. They either deal with nuances or with misunderstanding of the facts, and should not be irreconcilable.

The bad news is that there is a chance compromise is not an option for these particular members of Congress. Back in August, Brookings’ Cam Kerry painstakingly described the sticking points for Sen. Cantwell: “How long an interval to come into compliance before risking lawsuits, the scope of claims to which mandatory arbitration clauses will not apply, the size of speed bumps on the way to the courthouse.” These are concerns on the margins, which can be tweaked more easily in negotiation than sitting on the sidelines.

As for the California delegation and Speaker Pelosi, the math does not add up. ADPPA is broader and stronger than California’s state laws, and holding up good federal legislation because of limitations on hypothetical future state-level action is unreasonable when federal standards are so badly needed. This is increasingly true considering the high likelihood of the House changing hands next Congress, and California losing the negotiating power it has now. The political calculus to pass ADPPA now makes sense all around: Democrats would pass the legislation while they control both chambers, and Republicans, facing a slim (and possibly no) majority in the next Congress, can notch a bipartisan victory now without rolling the dice on renegotiating ADPPA's provisions next year and likely dooming the bill.

This lame-duck session will likely be busy, dominated by several major priorities. But the ADPPA benefits from being both urgent and bipartisan. Considering the unpredictable nature of the 118th Congress and beyond, comprehensive privacy legislation is a must-pass before this Congress is over, and would clear a major hurdle to future tech reforms.

Republicans and Democrats have found common ground on this bill and worked together despite polar opposite perspectives. It’s time for remaining ADPPA critics, overwhelmingly Democrats, to act in a constructive and realistic way: to propose and negotiate compromises they can live with, and to finally ensure everyone in the United States has strong, enforceable online privacy rights.

There is no realistic indication that a better deal is forthcoming. We are not at an impasse by any stretch of the imagination; compromise is eminently doable, with the real issues remaining only indirectly touching on the substance of the bill. It just takes the willingness of those lawmakers involved to actually do it.

The privacy stalemate has persisted for years, with absolutely no one—not the political parties, not industry, and especially not tech users—benefiting from kicking the can down the road. Making it this far and choking at the finish line when resolution is within reach would make the consequences even worse. The time for swift action is now. Let’s get federal comprehensive privacy passed.


David Morar
David Morar, PhD is Senior Policy Analyst at New America's Open Technology Institute, focusing on data privacy and protection, and platform governance. His academic research focuses on private governance structures.