date 2022-12-30

Danny Bradbury investigates the spider-web of state and agency laws that attempt to tackle data privacy in the US and how realistic a federal initiative really is

If information is power, then US data brokers must be among the most powerful organizations of all. They collect and sell information on individuals including their political beliefs, habits, interests and even real-time GPS locations. Much of this happens without the individual data subjects’ knowledge.

Privacy advocates would like a federal privacy law to protect this information. Several such laws are in play, but one is gaining significant attention: the American Data Privacy and Protection Act (ADPPA).

Today, those wanting to prosecute privacy-related claims must use a patchwork of laws. Some of these are widely applicable, such as section five of the Federal Trade Commission (FTC) Act, which allows the FTC to sue companies for deceptive practices. If a company mishandles personally identifying information (PII) in violation of its privacy policy, the FTC can make a case that it has misled affected individuals.

This patchwork of laws makes it difficult to prosecute big privacy violation cases. For example, a recent class action suit launched against Oracle in California seeks damages from the company, which is also a data broker and has amassed mounds of data on up to five billion people. The complaint invokes Californian common law and the state constitution, the Unfair Competition law, the California Invasion of Privacy Act and the Federal Wiretap Act. It does not invoke an overarching Federal privacy law because there isn’t one.

While Congress continues to equivocate on a federal law, states have taken the matter into their own hands. First, California passed the California Consumer Protection Act (CPPA) in 2018, making it effective in 2020.
Virginia and Colorado followed suit in 2021 with their own laws, and this year Connecticut and Utah followed suit. A few other states have privacy bills in committee. There are also dozens of states with data breach notification laws that stop well short of comprehensive data protections.

Then there are industry-specific laws such as the Health Insurance Portability and Accountability Act (HIPAA), which protects healthcare data. Additionally, there are laws protecting specific groups. Consumers can try to hold companies to account under the Children’s Online Privacy Protection Act (COPPA), as the government did when it fined YouTube for its handling of children’s data.

Federal Accountability

Even now, there are multiple bills in play seeking to introduce accountability for consumer data at a federal level. The International Association of Privacy Professionals (IAPP) publishes a tracker detailing current legislation. The most recent one, published in April, highlighted 17 consumer privacy bills on the Hill in the 117th Congress.

Since then, Rep. Frank Pallone (D-NJ), Chairman of the House Energy & Commerce Committee, introduced the ADPPA. Co-sponsored by two Republican and one Democrat representatives, the bill has bipartisan support. It also received support from Sen. Roger Wicker (R-MS), Ranking Member of the Senate Commerce Committee. Pallone introduced it in June 2022, and it passed the House Energy and Commerce Committee the following month.

The ADPPA has been well-received by some privacy policy experts. Cobun Zweifel-Keegan, managing director, Washington, D.C. for IAPP, says that it represents a new way of thinking about consumer privacy protection.

Fair information practices in the US have typically followed a principle called notice and choice, otherwise known as notice and consent. This means notifying consumers about how their information will be used and then letting them make their own choices. However, some think this idea is outmoded and unworkable.

“A lot of recent thinking and scholarship in the privacy realm has started to raise questions about the utility of that kind of approach and also the ability of consumers to make educated choices, even when a lot of effort is made to educate them.”

The relationships between different companies using consumer data and the complexity of what they do with it are beyond many people’s understanding. Just ask the average customer how many privacy policies they’ve read.

Instead, the ADPPA takes a more aggressive approach, says Matt Wood, vice president of policy and general counsel at the Free Press Association, which supports the bill.

“There are certain things for which consent is required, but there also is a list of prohibited uses,” he says. “So biometric data and geolocation data, that’s where you have a longer list of prohibitions.”

The ADPPA also includes a civil rights section that prevents organizations from collecting or processing data related to race, color, religion, national origin, sex or disability. It also requires companies to conduct annual impact assessments for algorithms that could cause harm to individuals, reporting on their design, their uses, and the data they process. This would likely affect big tech companies that use AI to manage things like personalized social media news feeds.

There are other provisions in the ADPPA. Like Europe’s General Data Protection Regulation (GDPR), it requires organizations to appoint a privacy officer who will oversee a data privacy program. It also calls for a data security officer.
Other notable measures in the bill include the creation of a registry for third-party collecting entities (which includes data brokers). Individuals will be able to request that all registered data brokers delete all information about them collected indirectly and avoid collecting any more.

The FTC would be instrumental in enforcing this law. The bill calls for a Bureau of Privacy within the Commission, and a Privacy and Security Victims Relief Fund that will use the proceeds of civil penalties to compensate victims of privacy violations.

The Problem of Pre-emption

The ADPPA has garnered significant attention thanks to its bipartisan support and its fast passage through the committee. However, it is not a law yet, and it begs the question: why has the US taken so long? Congress has been aware of the privacy issue for at least 22 years, since the FTC first asked for a federal privacy law.

“The core issues that are the most fiercely debated and which have been the death blows to previous and current legislation are pre-emption and enforcement,” explains Emory Roane, Policy Counsel at privacy advocacy group the Privacy Rights Clearinghouse.

