At a time when hyperpartisan antics are the norm in Washington, it is remarkable to hear about efforts at bipartisanship, or to see them reflected in the text of a bill. But watching cross-party collaboration unfold in a live committee session feels almost — supernatural. Even for those who expected a strong vote to advance the American Data Privacy and Protection Act out of the House Committee on Energy and Commerce this week, there was a sense of magical realism in the air as the "Aye" votes trickled in. (The committee room broke into spontaneous applause after the 53-2 vote was final, until Chairman Rep. Frank Pallone, D-N.J., reminded everyone that there were other bills still to consider.)
Of course, as the IAPP reported, it was not all kumbaya during the markup session. Rep. Anna Eshoo, D-Calif., led an effort to add an amendment that would take a different approach to preemption. The amendment would have established “floor” preemption, allowing states like California to create stronger, but not weaker, consumer privacy protections. In contrast, the current bill’s preemption compromise blocks most existing and future consumer privacy laws, though it does include many carveouts preserving state rules in discrete areas, facial recognition, health, banking, torts, etc. Although some in the advocacy community would prefer the type of preemption Eshoo proposed, the consensus among federal privacy watchers is that such an amendment would upset the bipartisan balance. All six of Eshoo’s California colleagues on the committee voted for the amendment, joined by Rep. Peter Welch, D-Vt. Even as some signaled in their remarks that the California delegation may not support the current bill on the House floor, all but Eshoo and Rep. Nanette Barragán, D-Calif., nevertheless voted to advance the final bill text, without the Eshoo amendment.
It is far from clear that California’s current law, which is still being finalized by its privacy regulator, is stronger than the provisions of the ADPPA. In fact, a harmony of voices from the policy community are positive about the ADPPA’s approach, even if it preempts California’s law. The Washington Post’s reporting on advocates’ support for ADPPA included a useful comparison memo. The Future of Privacy Forum’s Stacey Gray also wrote a well-reasoned analysis in Lawfare concluding that “the substantive protections in the ADPPA as presently drafted are significantly stronger than the California Privacy Rights Act in nearly every way.”
Here's what else I’m tracking:
- The ADPPA now awaits being called to the House floor for full consideration. For those interested in tracking the line-by-line progress of the ADPPA drafting committee, and checking up on the provisions that most impact your privacy operations, I’ve posted a version of the full ADPPA text on LinkedIn with the most recent round of changes tracked (thanks to the FPF legislative team for the collaboration). I’d love to hear Privacy Professionals’ thoughts and questions on this bill — please reach out.
- Meanwhile, #hotprivacysummer continues in the Senate. The Senate Committee on Commerce, Science, and Transportation scheduled an executive session July 27 to consider two bipartisan youth privacy and safety bills: the Children and Teens’ Online Privacy Protection Act—S. 1628, sponsored by Sens. Edward Markey, D-Mass., and Bill Cassidy, R-La.; and the Kids Online Safety Act—S. 3663, sponsored by Sens. Richard Blumenthal, D-Conn., and Marsha Blackburn, R-Tenn.
- Google announced its intention to become certified under the Cross Border Privacy Rules. The announcement highlights the company’s confidence in the newly created Global CBPR Forum as a means of facilitating responsible cross-border data flows that “find the right balance between holding companies accountable for their data use, protecting individuals from harm and misuse, and helping maintain the trust within the ecosystem that enables innovation and change, all while being globally scalable.” It also previews Google’s commitment to assisting its customers (particularly small and medium businesses) in achieving compliance with CBPR standards as the system solidifies and expands.
- The White House Office of the National Cyber Director is taking the first steps to address the cybersecurity talent gap. It hosted a National Cyber Workforce and Education Summit this week, and hinted at future initiatives. Workforce development is one of the top priorities of the newly created ONCD.
- The Center for Democracy and Technology convened a task force on reproductive health information, bringing together a multi-stakeholder group representing tech companies, academia, and civil rights and privacy organizations.
Under scrutiny — geolocation is sensitive, folks
- The U.S. Department of Homeland Security is the subject of a massive trove of records released by the ACLU after a lengthy Freedom of Information Act lawsuit. The records show the extent to which Customs and Border Protection, Immigration and Customs Enforcement, and other parts of DHS purchase mobile phone geolocation data from commercial brokers to facilitate their activities.
- Mobile carrier geolocation data practices, including data retention and sharing practices, are the subject of a new inquiry from Federal Communications Commission Chair Jessica Rosenworcel.
- Four geolocation data brokers (Oracle, AWS Data Exchange, Near and Mobilewalla) received letters from House Democrats asking whether they are taking steps to “protect the privacy rights of those seeking to exercise their reproductive rights.” The letters were prompted by a coordinated inquiry from Access Now, Amnesty International USA, and Fight for the Future.
- Thousands of kid-directed mobile applications were reviewed in a report by Pixalate and found to be potentially violating privacy rules, including by sharing location data with third parties.
Upcoming happenings
- July 27 at 10 a.m. EDT, the Committee on Commerce, Science, and Transportation, will convene an Executive Session which is expected to include markup of two bills related to youth privacy and safety (Russel 253, virtual).
- July 28 at 11:30 a.m. EDT, the IAPP hosts a LinkedIn Live on What’s Next at the FTC? (virtual).
- July 29 at 5:30 p.m. EDT, the IAPP DC and Northern Virginia KnowledgeNets will host a happy hour for interns and professionals (Crafthouse, Arlington)
Please send feedback, updates and bug ID questions to cobun@iapp.org.