Big Tech Wolf in Sheep’s Clothing? Californians Unite in Opposition to the ADPPA “Trap”
The American Data Privacy and Protection Act (ADPPA) is a proposed federal privacy law that recently passed the House Committee on Energy & Commerce by an impressive (and bipartisan!) 53-2 vote. In many ways, the ADPPA would go beyond the US’ most robust existing state law — the California Privacy Rights Act (CPRA) — in certain areas such as adding a global delete capability for consumers to get out of data brokers’ databases and also adding new protections for minors under the age of 17. But most significantly it will raise the data protection level in the US, in all states that don't have state privacy laws and even in many states that do.
So, what’s not to like? Well, a lot according to critics. Here is a very good listing of the pro’s and con’s of the ADPPA.
But the one thing with ADPPA that is really sticking in the proverbial craw is preemption. And the state that has the most robust privacy law — California — is raising a big stink. A wide range of California political figures and privacy groups have weighed in on ADPPA and see it as a “false choice” and a “trap.” In effect they see it as a wolf in sheep’s clothing, or as Alastair Mactaggart, head of Californians for Consumer Privacy, sees it: “Big Tech is willing to accept a weak national privacy law in return for eliminating the one law they fear — California’s.“
So, what is preemption? Per Cornell Law School: “The preemption doctrine refers to the idea that a higher authority of law will displace the law of a lower authority of law when the two authorities come into conflict.”
Which means for a few carveouts, the ADDPA does not allow states to bolster privacy protections and to enforce consumer protections. Which is not what Supreme Court Louis Brandeis recommended:
“it is one of the happy incidents of the federal system that a single courageous state may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.”
In effect, the ADDPA takes a ceiling approach (vs. a floor approach) to consumer privacy. This is actually in stark contrast to the other consumer protection legislation we have including like the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA).
It is also of great concern that existing federal privacy laws just don’t get updated. As Professor Daniel Solove noted:
“Congress is notoriously bad at updating laws. If Congress were a landlord, it would be a slumlord, because Congress hardly ever updates privacy laws even when they scream for an update. The Electronic Communications Privacy Act (ECPA) is closing in on being 40 years old. It was passed in 1986. If you were alive back in 1986, recall email, computers and the Internet back then. This was the digital stone age. Despite urging from all sides (law enforcement and privacy advocates) to update ECPA, has Congress done anything? Nope. There have been countless bills that have suffered the same fate as the ark in Raiders of the Lost Ark.
The Family Educational Rights and Privacy Act (FERPA) has a similar story. It’s woefully out of date and has countless shortcomings. It’s about 50 years old. I guess that’s young when so many people in Congress are in their late 70s, but for a privacy law, it is long overdue for an overhaul. As with ECPA, there have been bills, so many bills, but most bills wither on the vine.”
Or as California Privacy Protection Agency (CPPA) head Ashkan Soltani stated:
“I’m truly surprised at the willingness of the community to not only accept a provably weaker standard, but also lock into amber these protections preventing states, cities, and even counties from improving on these protections in the future. Given the speed of technological innovation–-this is a trap.”
The counterargument is that preemption is part of the grand bargain that will be what gets Republicans on board, otherwise we are doomed to never had a good chance to ever get a federal privacy law. And it is good trade-off to sacrifice states’ rights to expand civil rights protections to those citizens in the 45 states who don’t have any form of a privacy law.
But one thing is for sure, it is amazing to see how California political figures and privacy groups have rallied in opposition.
Governor Newsom said this:
“It is imperative that any federal law that is enacted preserves California’s existing authority to establish and enforce privacy protections.”
Speaker of the Assembly Rendon said this:
“A federal privacy law can coexist with state laws when constructed as a floor, allowing states to provide stronger privacy protection. Please stand with California voters and protect our privacy.”
California Attorney General Bonta and 9 other state AGs said this:
“Any federal privacy framework must leave room for states to legislate responsively to changes in technology and data collection practices. This is because states are better equipped to quickly adjust to the challenges presented by technological innovation that may elude federal oversight.”
CPPA Board Member Lydia De La Torre stated:
“Preemption to me doesn't really align with ensuring that Californians or, for that matter of residents of any state, enjoy the highest possible privacy protections.” “This is particularly concerning to me in an era... where Roe has been repealed.“
CPPA Executive Director Ashkan Soltani said this:
“We can have strong federal laws without weakening the ability of states to provide stronger protections.”
And Alastair Mactaggart, head of Californians for Consumer Privacy, stated:
“California should not be forced to go backward and lose hard-won privacy rights in return for the rest of the country getting privacy rights that are not nearly as strong as California’s. … ADPPA should be a national privacy ‘floor,’ not a ceiling, and should not preempt the California Privacy Rights Act.”
The next step is for the ADPPA to come to the entire House for a vote, but Speaker of the House Pelosi — a Californian — may not be interested in doing so given the strong and unified opposition from leaders and groups in her state. Even if she were to let it get voted on and it passed the House, it is not known if it could pass the Senate, with Senator Cantwell in opposition to the ADPPA based on its lack of enforcement. We shall see.
I am very sympathetic to the desire to have a comprehensive federal privacy law and I do agree it is superior in certain areas (but Alastair Mactaggart and the CPPA analyses show that the CPRA is still better). But California has always led when it comes to consumer protection — aka the "California Effect" — and I am very concerned that neutering California is not a good thing in the long run for not only citizens in California but in the entire US. To me, not having California being able to write laws in this area would be the "one ring" that Big Tech would love to have. I know nothing of the negotiations, but maybe if the "grand bargain" had dropped the Private Right of Action (PRA) and allowed states to innovate by making ADPPA a floor vs. a ceiling (and the states could have done the PRAs), vs. having a PRA in the ADPPA and requiring preemption for that, then the California delegation including Speaker Pelosi would likely be more amenable. Again, we shall see.
But will leave with this … say you are an environmentalist. Hypothetically, would you agree to a national fuel emission standard of say 30 MPG with the following scenarios: (a) most states and the federal government currently have it at most 22 MPG but California has it at 27, (b) but as part of the deal to set it at 30 MPG it would mean that no state can ever set its own again (e.g., California — that has historically set the standard that automakers follow — could no longer set fuel emission standards), and (c ) knowing full well that the 30 MPG may not get updated for 30 years. I think most environmentalists would want the California Effect to continue.