American Data Privacy and Protection Act: 53 House legislators voted last month to bring a comprehensive federal privacy bill to the floor. It was a feat, but it’s been frozen since. With less than 100 days until the midterms, any possibility of national privacy reform before a new Congress is inaugurated in is fading.
The American Data Privacy and Protection Act (ADPPA) has moved further than its predecessors, yet it faces several challenges. It has outspoken opponents on both sides of the aisle, including one whose support is crucial for Senate passage. Even the bill’s biggest fans admit it has issues. Some Democrats are sure that the law is too weak, especially those in California, where privacy protections are already strong. Some Republicans say the measure is overly burdensome on corporations — the same digital titans they’ve threatened to cow over bias charges.
Passage of the American Data Privacy and Protection Act would be a bipartisan success, say people closest to the negotiations. In a contentious political climate, it’s historic. Privacy — or its near extinction — has managed to claw its way into that rare domain of problems hardened against the nightly cultural conflicts sparked by our political politics.
Even privacy lawyers have trouble deciphering the ADPPA. It provides a web of exclusions for both covered companies and required information. Technology advances so quickly that ambiguity is needed to avoid laws from becoming irrelevant the next day. Due to this, many of its protections rely on reasonableness, giving courts room to determine how they’re implemented. It regulates information organisations “gather, handle, or transfer” that can be “reasonably linked to a person or device.” The goal is to protect consumers by limiting the types of human data organisations can gather and use to only what’s needed to offer a requested service.
Ranking Digital Rights’ Nathalie Maréchal remarked, “This measure can pass.” “It’s absurd that we don’t have a federal baseline privacy statute, and this is better than nothing.”
David Brody, a Lawyers’ Committee attorney, agreed. “It’s as excellent as you can hope for in a bipartisan bill,” he remarked.
American privacy laws and regulations are outdated. At worst, they allow Amazon and Google to abuse people’s confidence without breaking the law. Congress granted the FTC the jurisdiction to investigate “deceptive” and “unfair” actions a century before platform power began to dominate practically all life and commerce. This predates the broad commodification of customers’ personal activity. You can’t expect a mediaeval book on the plague to know modern medicine, nor can you expect a law from before radio to understand the opportunistic of mass monitoring.
Shady data methods rarely “deceive” customers legally. While privacy rules have become industry standard — a process maintained by platform gatekeepers like Apple and Google – nothing prohibits major data holders from drowning their customers in confusing and overly technical rubbish. This entire plan rests on the absurd premise that the average internet user can decipher all this legalese.
“When you deal with a firm, they give you gobbledygook. You check a box and pledge not to sue, says EFF attorney Adam Schwartz. (ADPPA doesn’t prohibit this.)
Even if the terms were fair and understandable, most would only have the illusion of choice. Monopoly, a hallmark of platform dominance today, has given a few businesses extraordinary gatekeeper power over most modern modalities of interpersonal exchange and human knowledge. Social and professional pressures force users to accept whatever terms are presented.
Republican Sen. Roger Wicker, ranking member of the Senate Commerce, Science, and Transportation Committee, pushed his colleagues to take up the ADPPA last month, saying that while no law is perfect, the bill had the “greatest chance of reaching the President’s desk before the end of the year.” Wicker has hinted at wanting to narrow the bill’s reach.
Sen. Ron Wyden, one of Capitol Hill’s most renowned privacy champions and author of harsher legislation that would imprison executives for lying to Congress, is dubious that the ADPPA limits the use of “de-identified” data. Senator Wyden is reviewing the latest House measure, his spokesperson said. The measure exempts de-identified data, which can be re-linked to individuals.
The ADPPA’s main achievement is that it compromises state preemption and private right of action, two areas that have long prevented bipartisan agreement (the ability of individual consumers, or classes thereof, to drag companies into court on their own). State preemption is a Republican must-have. Privacy groups oppose the bill because it would prevent states from passing their own privacy laws. Herein lies the largest challenge to its passage: winning over Californians who have already fought to protect their own data. Over 9.3 million Californians voted in 2020 to adopt the Consumer Privacy Rights Act (CPRA), which would strengthen the state’s privacy law in a few months.
These California amendments established “sensitive personal information,” which requires stronger controls than “personal” information. It enlarged the “right to delete,” requiring corporations to communicate those requests with third parties. People can now sue over login passwords after a data breach. It also formed the California Privacy Protection Agency with investigative and enforcement capabilities.
Overall, ADPPA mirrors California’s provisions. It’s stronger in certain aspects. The ADPPA would outlaw advertising to children under 17, whereas the CPRA does not. The CPRA mandates enterprises to tell residents about their “right to opt-out” of the sale or transfer of their personal data, although few users know which companies have it. The ADPPA’s “Do Not Sell” mechanism would allow consumers to demand things from companies they don’t know exist. Unlike the CPRA, the ADPPA doesn’t absolve data holders when third parties act criminally or negligently.
Privacy experts say the federal bill is weaker than California’s. The CPRA bans state lawmakers from altering the law unless it protects consumers. A future business-friendly Congress could water down the ADPPA.
Large data holders must audit themselves under the CPRA. The ADPPA has a few key differences. California compels corporations to report audit results annually. The ADPPA would oblige firms to conduct audits every two years and make them public upon request.
Others say the state law protects consumers from price discrimination, albeit the difference may be insignificant. The ADPPA bans enterprises from charging varying charges for the same privacy-related service, with one exception: Companies might provide “alternative fees” for processing consumers’ requests to erase personal data. The California legislation purports to restrict tiered pricing, but it doesn’t if the price difference is “fairly proportionate to the value” of the data.
The California legislature defines illegal pricing as “unjust,” “coercive,” or “usurious,” not fair unreasonable, which could cause courts to adopt fewer presumptions in favour of shady corporate practises when consumers seek remedy in court.
The ADPPA aims for a moderate ground with preemption. Some federal statutes ban states from passing tangentially related laws. ADPPA merely preempts what it “covers.” It also offers exclusions that allow state legislatures to establish privacy legislation in several areas. They’d be able to adopt more rules protecting kids’ and employees’ privacy, as well as medical, banking, and public record data. City governments could limit wiretapping and other electronic eavesdropping or ban police departments from using facial recognition and other invasive surveillance methods.
Republicans oppose letting consumers sue privacy offenders in civil court. They favour a two-tiered enforcement approach that gives the FTC and state attorneys general the power to prosecute.
Again, ADPPA is balanced. When consumers’ rights under certain articles are breached, they can move to court, although the court’s remedies are restricted. Judges can award compensation for actual harms. In rare situations, they can require firms to stop certain harmful behaviours. (A “right to cure” language in the bill prevents injunctions if a violator fixes the problem within 45 days of being contacted by a consumer.)
Under the ADPPA, courts won’t be able to financially punish firms for outrageous activity, which privacy experts say is a big consumer sacrifice.
Brody admitted the situation. Punitive damages are the bill’s weakest point.
Private action constraints aren’t as bad as they look. Recent Supreme Court opinions have effectively limited victims’ ability to seek relief in federal court. Congress can’t simply make a violation a crime. “A legal harm is not a factual injury,” the court says. Consumers must show “actual” harm from a breach. Privacy breaches aren’t enough, it seems. Connecting “tangible” injury to the corporation that caused it is difficult.
The EFF has voiced dissatisfaction in the ADPPA’s limitations. Adam Schwartz, who represents visitors whose gadgets were taken at the U.S. border, said the EFF’s criticism shouldn’t be interpreted as resistance. Law enforcement exemption is a major problem, he said. Any corporation “collecting, processing, or transferring covered data” for a government agency is exempt.
The government is buying phone app location data and using it to investigate people, but they don’t know. In the meantime, Congress must act before the courts enforce the Fourth Amendment.
Companies have sold personal data to the government in recent years. That includes information the FBI might need a warrant or other legal process to get. Democratic congressional leaders wanted details this month from the FBI and DHS. There are few restrictions to prevent the government from buying private data. Some firms have provided sensitive information to the government for years, bypassing Fourth Amendment evidentiary standards.
Sen. Wyden, who questions ADPPA’s definition of “de-anonymized” data, is concerned about a loophole that “could allow data brokers to sell location data to the government about visits to reproductive health facilities, for example, or other private information that is trivially easy to connect to individuals.”
Schwartz agrees, saying the bill doesn’t allow federal contractors to share information. “Mixing it with preemption is scary,” he warned. Schwartz cited Clearview AI, a private surveillance service that’s worked with hundreds of police departments and acquired billions of photos from social media without authorization.
“If Congress were to pass this law today without the preemption and Clearview persuaded a judge this is its get-out-of-jail card,” Schwartz said, “then we want California or New York or some state to say, ‘Okay, we’re going to pass the same law as the ADPPA, but we’ll regulate Clearview like any other covered entity.’”
The Fourth Amendment Is Not For Sale Act, proposed by Wyden, would close this loophole, say experts. This measure would protect warrant-required data.
The EFF is also concerned that the ADPPA will allow firms to continue driving users into arbitration by attaching language to their terms of service that restrict customers from addressing misconduct in court. The bill’s one exception forbids arbitration for minors and victims of gender and partner violence.
Even with all its potential shortcomings, the ADPPA remains the best hope for Americans long oppressed by the self-serving, exploitative behaviour of corporations that, while feeding people aspirational babble about connecting and empowering users, have instead run amok; manipulating, lying, and abusing their trust, exposing them to theft, fraud, harassment, violence, and even death without a semblance of loyalty or care.
The ADPPA is great. Maybe the one we need, but don’t deserve.
Maréchal: “Nobody gets everything, but that’s how lawmaking works.” Privacy is a rare non-partisan concern these days. The perfect bill wouldn’t have gotten this far.