Will California derail national push to protect data privacy?
After years of efforts, the United States still does not have a federal comprehensive data privacy and security law. There is an opportunity to change this with the American Data Privacy and Protection Act (ADPPA), a bipartisan, bicameral federal bill that passed committee and is awaiting a full House vote.
Without further action, the majority of Americans’ data will be unprotected and variations between states with privacy laws will continue. A patchwork of laws makes compliance hard for businesses of all sizes, and produces both data security and national security concerns.
Even if one makes a concerted effort, it’s nearly impossible to not have a digital footprint. This ranges from online purchases to potentially even more private information about daily life like health data. In fact, the amount of personal information available online grew 150 percent from 2019 to 2021.
Not only is the amount of data constantly expanding, security and privacy threats are increasing. There were a record number of data breaches in 2021, and that was a 68 percent increase from 2020. Add to this threats from foreign countries that seek to exploit our private data and uncertainty on how it is used by companies and third parties even when it is collected with permission.
To its credit, California took a leading step in trying to address these issues by passing the California Consumer Privacy Act in 2018, which was expanded by the California Privacy Rights Act of 2020. The strength of these efforts was shown through the first enforcement action by California’s attorney general against Sephora for $1.2 million on August 24 for allegedly not disclosing to customers that it was selling their personal information.
Now four other states have enacted similar legislation, and 27 states are considering bills this year. The precise substance of these laws vary, but the common theme is empowering consumers to have more control over their data and parameters on how it can be used and shared. Not to mention, countries around the world have also moved ahead with similar reforms.
Most data-privacy experts praise the ADPPA for reaching consensus on areas of traditional disagreement. However, several prominent politicians and entities in California have come out against the bill. The California Privacy Protection Agency (CPPA) wrote to House Speaker Nancy Pelosi in opposition and Gov. Gavin Newsom echoed similar concerns.
“It is imperative that California continues offering and enforcing the nation’s strongest privacy rights,” Pelosi said in a Sept. 1 statement. We’ll see if her concerns will build support or unravel the progress. Most of the apprehension revolves around the new federal bill having strong preemption, which means a uniform federal law would replace state privacy laws.
These critiques either downplay, or ignore, four key aspects.
First, the ADPPA contains provisions that are stronger than those in California’s current law, or in some cases, do not exist at all. Take the private right of action for instance, which means a person’s ability to sue a business if they don’t follow specific requirements of the law like deleting data upon request. This applies broadly under the ADPPA, but does not in California. Most Republicans were historically against any form of a PRA, but a limited version was included as part of a broader compromise.
Second, the ADPPA takes into account the unique needs of California. For example, it was amended to allow for the CPPA to enforce the federal law like it would enforce its own state law.
Third, the ADPPA contains multiple carve outs for all states to continue to have control over, including consumer protection laws to criminal laws. This approach allows for consistency across the nation, but recognizes that states should continue to have a role in certain areas.
Fourth, the digital footprint of Californians extends far beyond the state and it isn’t easy to know how data will move around in cyberspace. A federal framework with consistent standards, rather than a single state approach, would result in broader benefits like more effective enforcement and improved national security.
The ADPPA may not be the perfect bill for every individual, group or state, but it remains the best chance to make federal privacy legislation a reality. There is no guarantee we will have this opportunity again. Policymakers should focus on the benefits that would result and the need for compromise to continue to move the ADPPA forward instead of letting this historic progress die. Our data privacy and security depend on it.