US Federal Privacy Legislation: Challenges on the Hill

Danny Bradbury investigates the spider-web of state and agency laws that attempt to tackle data privacy in the US and how realistic a federal initiative really is

If information is power, then US data brokers must be among the most powerful organizations of all. They collect and sell information on individuals including their political beliefs, habits, interests and even real-time GPS locations. Much of this happens without the individual data subjects’ knowledge.

Privacy advocates would like a federal privacy law to protect this information. Several such laws are in play, but one is gaining significant attention: the American Data Privacy and Protection Act (ADPPA).

Today, those wanting to prosecute privacy-related claims must use a patchwork of laws. Some of these are widely applicable, such as section five of the Federal Trade Commission (FTC) Act, which allows the FTC to sue companies for deceptive practices. If a company mishandles personally identifying information (PII) in violation of its privacy policy, the FTC can make a case that it has misled affected individuals.

This patchwork of laws makes it difficult to prosecute big privacy violation cases. For example, a recent class action suit launched against Oracle in California seeks damages from the company, which is also a data broker and has amassed mounds of data on up to five billion people. The complaint invokes Californian common law and the state constitution, the Unfair Competition Law, the California Invasion of Privacy Act and the Federal Wiretap Act. It does not invoke an overarching federal privacy law because there isn’t one.

While Congress continues to equivocate on a federal law, states have taken the matter into their own hands. First, California passed the California Consumer Protection Act (CPPA) in 2018, making it effective in 2020. Virginia and Colorado followed suit in 2021 with their own laws, and Connecticut and Utah did the same this year. A few other states have privacy bills in committee. There are also dozens of states with data breach notification laws that stop well short of comprehensive data protections.

Then there are industry-specific laws such as the Health Insurance Portability and Accountability Act (HIPAA), which protects healthcare data. Additionally, there are laws protecting specific groups. Consumers can try to hold companies to account under the Children’s Online Privacy Protection Act (COPPA), as the government did when it fined YouTube for its handling of children’s data.

Federal Accountability

Even now, there are multiple bills in play seeking to introduce accountability for consumer data at a federal level. The International Association of Privacy Professionals (IAPP) publishes a tracker detailing current legislation. The most recent one, published in April, highlighted 17 consumer privacy bills on the Hill in the 117th Congress.

Since then, Rep. Frank Pallone (D-NJ), Chairman of the House Energy & Commerce Committee, introduced the ADPPA. Co-sponsored by two Republican and one Democrat representatives, the bill has bipartisan support. It also received support from Sen. Roger Wicker (R-MS), Ranking Member of the Senate Commerce Committee. Pallone introduced it in June 2022, and it passed the House Energy and Commerce Committee the following month.

The ADPPA has been well-received by some privacy policy experts. Cobun Zweifel-Keegan, Managing Director, Washington, D.C. for IAPP, says that it represents a new way of thinking about consumer privacy protection.

Fair information practices in the US have typically followed a principle called notice and choice, otherwise known as notice and consent. This means notifying consumers about how their information will be used and then letting them make their own choices. However, some think this idea is outmoded and unworkable.

“A lot of recent thinking and scholarship in the privacy realm has started to raise questions about the utility of that kind of approach and also the ability of consumers to make educated choices, even when a lot of effort is made to educate them.”

The relationships between different companies using consumer data and the complexity of what they do with it are beyond many people’s understanding. Just ask the average customer how many privacy policies they’ve read.

Instead, the ADPPA takes a more aggressive approach, says Matt Wood, vice president of policy and general counsel at the Free Press Association, which supports the bill.

“There are certain things for which consent is required, but there also is a list of prohibited uses,” he says. “So biometric data and geolocation data, that’s where you have a longer list of prohibitions.”

The ADPPA also includes a civil rights section that prevents organizations from collecting or processing data related to race, color, religion, national origin, sex or disability. It also requires companies to conduct annual impact assessments for algorithms that could cause harm to individuals, reporting on their design, uses, and the data they process. This would likely affect big tech companies that use AI to manage things like personalized social media news feeds.

There are other provisions in the ADPPA. Like Europe’s General Data Protection Regulation (GDPR), it requires organizations to appoint a privacy officer who will oversee a data privacy program. It also calls for a data security officer.

Other notable measures in the bill include the creation of a registry for third-party collecting entities (which includes data brokers). Individuals will be able to request that all registered data brokers delete all information about them collected indirectly and avoid collecting any more.

The FTC would be instrumental in enforcing this law. The Bill calls for a Bureau of Privacy within the Commission, and a Privacy and Security Victims Relief Fund that will use the proceeds of civil penalties to compensate victims of privacy violations.

The Problem of Pre-emption

The ADPPA has garnered significant attention thanks to its bipartisan support and its fast passage through the committee. However, it is not a law yet, and it begs the question: why has the US taken so long? Congress has been aware of the privacy issue for at least 22 years, since the FTC first asked for a federal privacy law.

“The core issues that are the most fiercely debated and which have been the death blows to previous and current legislation are pre-emption and enforcement,” explains Emory Roane, Policy Counsel at privacy advocacy group the Privacy Rights Clearinghouse. 

Pre-emption is an especially thorny issue. A law that pre-empts state legislation effectively replaces it, preventing citizens from using state-level legal measures against violators. As more states pass comprehensive consumer data privacy laws, opposition to pre-emption grows.

In California, opponents are unwilling to relinquish the work already completed on perhaps the strongest state-level consumer privacy law.

“The ADPPA absolutely, unequivocally, objectively would represent an improvement for many Americans in many states that have tried and failed to pass comprehensive privacy laws,” says Roane. “That is simply not the case though in California, and arguably it’s not the case in other states like Connecticut and Colorado.”

Enforcing the Law

The other sticking point in federal privacy legislation is enforcement. State attorneys general can bring civil cases against alleged violators under the ADPPA, but it also allows individuals to bring their own private civil actions.

The provision for private suits, known as the private right of action, only kicks in four years after the ADPPA comes into effect. That doesn’t placate Jordan Crenshaw, executive director and policy counsel for chamber technology engagement at the U.S. Chamber of Commerce. He fears a sea of frivolous lawsuits from ambulance-chasing attorneys targeting businesses.

“We’re incredibly concerned that private attorneys will have every incentive to throw claims against the wall and see what sticks,” he frets.

A carve-out in the ADPPA preserves California Civil Code section 1798.150 from pre-emption. This is the private right of action (PRA) clause that allows consumers to go after violators themselves.

Crenshaw opposes this too. The US Chamber of Commerce will accept nothing less than a law that offers complete pre-emption of state legislation. “It’s a new national patchwork, as opposed to really solving the problem of having 50 different state privacy laws throughout the country,” he argues.

The Future of ADPPA

In trying to please everyone, the ADPPA’s authors have managed to draw ire from both sides. In spite of (or perhaps because of) these political complexities, the bill is an admirable accomplishment, according to Wood.

Wood notes that until this point, nobody else on the federal stage has been able to get Republicans to vote for a bill with a private right of action.

What chance does ADPPA have of becoming law? Privacy advocates should not celebrate just yet. This Congress is tied up in November’s mid-term elections, leaving it short on time with a long to-do list. Also, despite its bipartisan support, it faces significant opposition on the Hill.

The Bill may have passed committee, but it still has to get through the House. That requires the support of Speaker Nancy Pelosi, who happens to be from California. She opposes the bill based on its pre-emption.

Sen. Maria Cantwell (D-WA), who has her own privacy bill, the Consumer Online Privacy Rights Act, also opposes the ADPPA on the grounds of enforcement. As chairwoman of the Senate Commerce Committee, she is effectively the Senate’s gatekeeper for this bill.

Even if the bill doesn’t become law, it could still move the needle forward, says Cobun. “I think this is certainly the main contender for shaping that conversation moving forward, because it’s a bipartisan, bicameral bill,” he says.

US politics is a strange and inefficient machine. Laws often do not pass, but they spark and elevate conversations. Whether or not the ADPPA makes it to the White House, it will hopefully inch us closer to resolving one of the biggest problems for privacy in the United States and bring more wide-ranging protections for Americans in every state.
