On July 28, 2022, the California Privacy Protection agency (CPPA) met to discuss the American Data Privacy and Protection Act (ADPPA), and the short version is: they are not fans. If you’re wondering why an agency dedicated to consumer privacy would oppose federal legislation guaranteeing privacy rights to all Americans, the answer can be summed up in the words of CPPA Chair Jennifer Urban at the close of the meeting, “We support privacy for all Americans, we just cannot support it at the expense of Californians.” That was the crux of the concerns raised during the meeting. The proposed ADPPA would preempt California’s CCPA and set a ceiling on privacy protection, and California’s legislators and privacy agency see that as a loss of privacy protections for their constituents.
When the California Consumer Privacy Act (CCPA) went into effect in 2018, it was the first comprehensive consumer privacy legislation in the country. In its wake, we have seen a number of states propose and attempt to pass their own privacy legislation, and four states (Colorado, Connecticut, Utah, and VIrginia) have done so. Those privacy laws, as well as an amended version of the CCPA, go into effect in 2023. While California still generally has the strongest protections in place, the other states’ laws (with the exception of Utah) are fairly similar to it, and, in some instances, are stronger than California’s.
Some of the differences among the state laws revolve around differences in definitions about things like sensitive data or when a consumer may have the right to opt out of having their data used in certain ways. For example, all of the jurisdictions agree that consumers should have the right to opt out of the sale of their data, but the states vary on when consumers might be required to opt in to certain uses of their data. Colorado and Virginia require businesses to have an appeals process for when they deny a consumer’s privacy request, but California, Utah, and Connecticut do not. And so, as states have begun to pass privacy protections for their residents, we have begun to see a patchwork emerge that is difficult for businesses to comply with from an operational perspective.
As a result of that patchwork, the clamor for federal privacy legislation, which had mainly been sounded by consumer advocates in the past, began to be heard from businesses as well. A bipartisan, bicameral proposal emerged this year. The ADPPA is the result of quite a bit of negotiation. Consumer advocates want consumers to have a private right of action that would allow them to directly pursue companies that violate the ADPPA. Business interests are against the private right of action. Initially, the ADPPA included a private right of action that would only go into effect four years after the law went into effect (giving companies an opportunity to get compliant before they had to be concerned with both agency enforcement and consumer litigation), but, in order to get out of committee, it was redlined to make the grace period only two years. This and other similar compromises are why it was able to move out of committee with only two votes in opposition, both of which came from California. However, it is also the crux of the axe California now has to grind with the ADPPA, as seen during the CPPA meeting.
The ADPPA, as currently drafted, would preempt the state privacy laws passed by California, Colorado, Connecticut, Utah, and Virginia. The business impetus for a federal privacy law arises from the patchwork problem–you can’t currently implement an easy, one-size-fits-all privacy program in the US. Without federal preemption, the patchwork problem will persist. However, as the CPPA focused on during their meeting, some patches are stronger than others, and they have serious concerns that implementing a weaker federal law would reduce the protections that Californians currently enjoy and could enjoy in the future.
The Privacy Ceiling
One of the major compromises is that the ADPPA would set a ceiling for privacy protection in the US. Some laws, like the Clean Air Act, set a floor. If a state wants to regulate air only as much as it is required to, it meets that floor. If a state wants cleaner air, it can regulate it beyond the requirements of the Clean Air Act. Minimum wage laws are also good examples of floors–states must meet at least the federal minimum wage requirements, but they are allowed to set higher minimum wages if they choose to do so. Other laws act as ceilings. Regulations concerning the labeling and warning requirements for certain types of products provide good examples of federal ceilings. The federal law specifying what labeling is required for medical devices limits the additional requirements that states can impose on labeling without obtaining permission from the FDA. Massachusetts passed a law that required additional labeling information for hearing aids, but a federal court barred the Massachuesttes law from being enforced because it violated the federal ceiling.
During its meeting, the CPPA determined that the ceiling set by the ADPPA would both strip Californians of some of the privacy rights they are currently afforded (or will be afforded when the amended version goes into effect in 2023) and prevent California from passing more protective privacy laws or regulations in the future. This was of particular concern because of the quickly evolving nature of technology and how it might expose personal data in ways we do not yet anticipate or have the tools to regulate. California sees itself as a particularly important “laboratory of democracy” for technology issues because of its strong tech sector, and the agency also focused on the ability of a state to more quickly react to a changing state of play than the federal government might.
In addition to concerns regarding the fact that ADPPA would set a ceiling, concerns about preemption itself also look specifically to enforcement problems. The ADPPA would make the FTC the privacy enforcement body for privacy rights violations. A redline has been put in place that will allow the CPPA to act as an enforcement body for ADPPA violations, but that doesn’t assuage the concerns voiced at the ADPPA board meeting or by the State Attorneys General who submitted a joint letter to Congress stating, “Ordinarily, a violation of a federal law or standard could also be a violation of state consumer protection law. But [the ADPPA] would act as a bar to investigate violations of the federal law, because it prohibits [ADPPA violations]] from forming the basis for state consumer protection claims. This language unnecessarily interferes with robust enforcement capabilities.” While the CPPA would be able to investigate ADPPA violations because of that change, California’s AG would still not be able to investigate those claims as part of a state consumer protection case.
The Case for the ADPPA
All public comments at the CPPA meeting echoed those of the CPPA itself, showcasing a strong anti-ADPPA sentiment due to the issues of preemption and setting a privacy ceiling. There was one notable exception. Jon Leibowitz, the former Chair of the FTC, made a comment strongly in favor of the ADPPA, asserting that it not only provide privacy protections for all Americans, but that it would also increase protections for Californians because, in his view, it provides for greater civil rights protections and greater protections for children. Additionally, as he pointed out, the ADPPA’s private right of action is broader than California’s, which is limited to only security breaches. Most importantly, in Mr. Leibowitz’s summary, the ADPPA provides greater protections because it will implement nationwide data minimization requirements and its enforcement will be strengthened because of the funding available through the FTC.
So, would the ADPPA provide greater protections to Californians? The CPPA does not think so. In his final statement, ADPPA Executive Director Soltani explained that, in the expert opinions of his staff and himself, the ADPPA is not stronger than California’s law and that California has greater experience in enforcing privacy protection and will do a better job than the FTC (a body for which he previously worked).
The board of the CPPA unanimously passed three motions at the end of the meeting: (1) one motion that opposes the ADPPA as currently drafted; (2) one motion to allow the CPPA staff to oppose any federal bill that in their judgment seeks to preempt California privacy law or would prevent California from strengthening privacy protections in the future; and (3) a motion authorizing staff to support any future federal bill that does not broadly preempt California privacy law or that generally creates a true floor for privacy protection that would protect Californians’ current right and allow California and other states to build on those rights in the future.
All US Privacy is a single solution that gives businesses the privacy keys to the whole United States. With this package, businesses are one step ahead of the state-by-state privacy whack-a-mole game. SixFifty is continuously monitoring this dynamic area of the law and updating tools with changes in real time. Working with SixFifty is like having the best privacy lawyer in the world by your side.
If you are ready to get started or have any questions, schedule a demo with SixFifty today!