It was back before the summer solstice. Temperatures in D.C. were rising, whispers were intensifying of a return to privacy activity on the Hill. Future of Privacy Forum Senior Counsel Keir Lamont, CIPP/US, proposed the hashtag #redhotprivacysummer to symbolize the impending burst of policy activity. Neglecting to heed the policy community’s own privacy Cassandra, little did we know just how accurate the hashtag would be.
Now, with one week to go before the August recess, the robust debate over the preemptive effect of the bipartisan American Data Privacy and Protection Act has grown even redder and hotter. The California Privacy Protection Agency took a highly unusual step of holding a public meeting to avow its opposition to the federal bill.
If enacted, the law would preempt most of California’s current consumer privacy rules, though it would leave intact protections for employee data — one of the distinctive characteristics of CPRA — student data, and the private right of action around data breaches. The California regulator would also explicitly remain empowered as an enforcement body to bring action under the federal law. Nevertheless, agency staff maintains the bill would “compromise the Agency’s ability to fulfill its responsibility to protect Californians’ privacy rights under the California law.”
Professor Daniel Solove called the preemptive effect of the bill a “Faustian bargain,” particularly when considering the ban against future state laws, except in certain domains, though he was less concerned about preempting the existing set of “mediocre” state privacy laws. In contrast, prominent privacy advocate David Brody, in an op-ed for the L.A. Times, wrote that “compromise is necessary for enactment,” and that the current bargain is worth it if it means passing “one of the most significant developments in federal internet policy in decades.” Brody highlighted the civil rights protections of the bill, which would “fight discrimination in a data-driven economy.”
Another op-ed in the Hill, by Bertram Lee, explained in more detail the importance of the proposals, “clarifying that digital discrimination is illegal and mandating that companies take meaningful steps to address algorithmic discrimination, not just against marginalized communities, but against children as well.” For similar reasons, New America’s Ranking Digital Rights project endorsed the ADPPA.
Meanwhile, U.S. Sen. Maria Cantwell, D-Wash., whose most recent drafts of her own federal privacy proposal, circulated this spring, would also preempt California law, remains critical of the ADPPA and dismissive about the chance of re-introducing comprehensive privacy legislation in the Senate, instead betting on youth privacy bills.
Will you join me in a brief, if perhaps trite, thought experiment? The U.S., unlike 150-plus other countries, still lacks comprehensive data privacy legislation at the federal level. Consider the following: you are driving a trolley and you come upon a split in the tracks. If you choose one track, 300 million Americans will soon share a uniform set of privacy standards, with rulemaking and enforcement authority for a federal regulator coupled with state enforcement and a (limited) private right of action. If you choose the other path, 40 million Californians (plus the 18 million residents of the other states with comprehensive privacy laws) will be able to keep the entirety of their state rules, rather than replacing them with federal standards. What will you do?
Here's what else I’m tracking
- The Senate advanced two youth privacy bills out of committee. As the IAPP reported, two bipartisan proposals were heavily amended and advanced by the Senate Committee on Commerce, Science and Transportation. The two bills are the Children and Teens Online Privacy Protection Act (S. 1628), known as COPPA 2.0, and the Kids Online Safety Act (S. 3663). Full text of the approved amendments to the bills is posted on the Committee website.
- “We’ll be officially sending it by the end of the month.” So says an unnamed U.S. official quoted in Politico’s Digital Bridge on the status of the U.S. executive order that would implement the Trans-Atlantic Data Privacy Framework, coming at the heels of a reported visit by relevant EU officials to D.C. this week.
- The metaverse may yet be built on open shared standards. A consortium of tech companies announced the formation of the Metaverse Standards Forum last month. As Politico’s Ben Schreckinger explained: “‘Interoperability,’ or the idea that digital identity and property will be portable and usable across different private platforms, is more than just a buzzword — it’s the fundamental principle that distinguishes a metaverse from a suite of glorified virtual chatrooms.” Novelist Neal Stephenson, who invented the term “metaverse” shares this ideology and is putting his futurist skills to use as part of a separate initiative that would use a blockchain as “the base layer of the open metaverse.” Politico has a fun interview with him. For a manifesto-length explanation of Meta’s approach to governance and interoperability on the Metaverse, check out Nick Clegg’s Medium post.
Under scrutiny
- Newborn genetic screening data should not be used for criminal investigations, as occurred in New Jersey recently, according to the ACLU.
- Fraud detection systems are the subject of an EPIC report criticizing the accuracy and equity of AI-supported predictive approaches.
- Should Alexa diagnose Alzheimer’s? A provocative article in the journal Cell Reports Medicine demonstrates an ethics-by-design approach to answering this not-so-hypothetical question.
Please send feedback, updates and ethical quandaries to cobun@iapp.org.