"The primary issue with the (American Data Privacy and Protection Act) is that it grants individuals the right to control and limit the use of their personal data, which may result in the removal of vital information from databases and services that are essential in the fight against both violent crime and cybercriminal organization."
This claim serves as the substantive thrust of a recent op-ed in The Hill penned by Kevin Metcalf, the founder and CEO of the National Child Protection Task Force. His critique of the ADPPA comes while members of the House are working behind the scenes to tweak the bill before reintroducing it for consideration in the 118th Congress.
At a time when rights to control and limit the use of personal data are standard features of every data privacy bill, it may be surprising to read that they represent a threat to public safety.
To be clear, although we speak of such things as "rights," they do not create a closely held interest to liberty or property in the consumers who fall under their protection. They are nothing like the rights you would find in the Bill of Rights, a set of guaranteed interests of individuals against U.S. government intrusions. Consumer privacy rights are instead a set of obligations placed on private organizations to respect consumers' requests to control how their data is used and shared. In most contexts, these obligations are subject to extensive exceptions and balancing tests, including for purposes of cooperating with law enforcement agencies.
This is true in all six comprehensive state laws, including the newly minted Iowa law awaiting the governor's signature. And under the most recent public version of the ADPPA, companies would be permitted to deny data requests that interfere with law enforcement or hinder "reasonable efforts to guard against, detect, or investigate fraudulent, malicious or unlawful activity." For deletion requests, there would be an additional exception for personal data that the company "reasonably believes may be evidence of unlawful activity."
That said, one of the ADPPA’s notable distinctions is relevant here. Section 206 of the bill provides for special obligations on "third-party collecting entities," including the creation of a central "Do Not Collect" registry, which would allow individuals to request all registered data brokers delete their personal data and prevent future collection without consent.
Metcalf's op-ed goes on to argue that private third-party databases serve an essential role in the modern law enforcement regime:
"It is fine to allow people to shield their information from marketers and social media companies, but not from crucial databases and services used in criminal investigations and by organizations like the National Child Protection Task Force. … It is only through proven private sector information and analytics solutions that those tasked with fighting both violent crime and cybercrime can address 21st-century problems."
The opinion piece was shared across social channels by LexisNexis Risk Solutions, a major provider of information and analytics services to government and private entities, along with this excerpt: "The reality is that if enacted, the bill (ADPPA) will hinder the ability to stop not only human trafficking and child predators, but also fraud and identity theft, whether in benefits fraud or in pure private sector fraud."
This is not a novel argument. Similar claims were made in a September 2022 letter to House leadership signed by most major law enforcement associations.
Seemingly in response to such critiques, the version of the ADPPA that was voted out of the House Energy and Commerce Committee last term included a handful of amendments related to third-party cooperation with law enforcement, with special regard for protecting children. For example, the privately run National Center for Missing & Exploited Children was explicitly exempted from the scope of the entire law, while third-party collecting entities would be empowered to deny "Do Not Collect" requests that would otherwise block them from helping to operate registries of convicted sex offenders or providing assistance to NCMEC.
Prior ADPPA amendments also added broad exemptions for third parties acting as service providers — including subprocessors — "on behalf of, and at the direction of" government entities. Nevertheless, the debate rages on about the proper extent to which private third-party entities should be exempt from consumer privacy rights and other obligations imposed by comprehensive data privacy laws.
Some are calling for exemptions to better reflect the reality of third-party data services that provide support to multiple law enforcement agencies, and therefore may not qualify as service providers under the law. These voices are seeking changes to the ADPPA, like the inclusion of public interest processing as an additional "permissible purpose," sectoral exemptions for third parties or limitations on sensitive data restrictions.
Nevertheless, data brokers remain a focal point for the energy fueling comprehensive privacy legislation. In fact, most legislators who asked questions at the Subcommittee on Innovation, Data, and Commerce of the Committee on Energy and Commerce hearing mentioned concerns about the practices of data brokers. It is no small feat to balance these concerns against alarm over "child predators and other criminals going off the radar."
Here's what else I'm thinking about:
- The Consumer Financial Protection Bureau launched an inquiry into data brokers. Through a request for information, the agency is seeking public feedback on the types of data collected and used by data brokers, the sources of this data — particularly when it comes from financial entities — and many other aspects of the personal data marketplace. The CFPB wants to better understand "the heterogeneity of these firms and to assist firms in understanding any compliance obligations under the (Fair Credit Reporting Act) and other laws as appropriate." When it was created, the CFPB was given authority to regulate the conduct of consumer reporting agencies under the FCRA, which formerly fell within the purview of the Federal Trade Commission. But, as the agency explains, the scope of its inquiry is broader: "In addition to supervision of consumer reporting agencies, including the three largest nationwide consumer reporting agencies, the CFPB endeavors to gain insight into the full scope of the data broker industry." The inquiry will build on the FTC's 2014 data broker report and could help to inform future rulemaking.
- President Biden's proposed fiscal year 2024 budget would include over USD590 million for the FTC, representing a requested increase of more than 35%. In its annual congressional budget justification memo, the FTC says the money would be used, among other things, to provide for 62 new full-time positions in the Bureau of Consumer Protection. The agency describes the need to support "increasingly complex consumer protection investigations, including privacy and data security issues."
Under scrutiny:
- Local law enforcement agencies are spending federal COVID-19 relief money on surveillance technologies like gunshot detection, according to an EPIC analysis.
- Utah's new social media laws, which Gov. Spencer Cox, R-Utah, says he will soon sign, are the subject of a letter from TechFreedom claiming the laws unconstitutionally restrict minors' access to social platforms. In response to expected legal challenges along these grounds, the governor says, "They will lose in court."
Upcoming happenings:
- March 23 at 10 a.m. EDT, the House Energy and Commerce Committee hosts TikTok's CEO for a hearing titled "TikTok: How Congress Can Safeguard American Data Privacy and Protect Children from Online Harms" (2123 Rayburn House Office Building).
- April 3 at 8 p.m. EDT, the Center for Democracy and Technology hosts its inaugural Spring Fling (Hotel Monaco).
- April 3-5, the IAPP hosts the Global Privacy Summit (Walter E. Washington Convention Center).
- April 6 at 10 a.m. EDT, the Information Technology and Innovation Foundation hosts a virtual webinar, "What are the consequences of backdoors for online privacy?"
Please send feedback, updates and deletion requests to cobun@iapp.org.