The proposed American Data Privacy and Protection Act feels so close and yet so far away. The comprehensive privacy bill is on the cusp of a U.S. House floor vote, a first for any federal privacy proposal. But the bill's fragile nature is being tested at a crucial point in the legislative process as California lawmakers and stakeholders prefer the bill fail or be refit in order to preserve the California Consumer Privacy Act and its successor, the California Privacy Rights Act.
Opposition to the federal bill preempting the CCPA and CPRA is growing louder, to the point where the California Privacy Protection Agency deemed it necessary to call an emergency meeting to further state the case for letting California's law stick. The public meeting was the latest knock from the agency, which sent a letter to U.S. House Speaker Nancy Pelosi, D-Calif., explaining the perceived strength of California's law versus the federal proposal and why there should be no floor vote until the federal bill is written to allow California, and other states, to continue legislating and enforcing on privacy as deemed necessary.
The CPPA Board used the meeting to reiterate the points it raised to Pelosi and take a unanimously voted position on its opposition of the current ADPPA framework or any other federal bill that would preempt California law while encouraging support for a federal proposal that allows a legislative floor upon which states can build.
"Privacy is an incredibly complicated issue. While I appreciate suggestions by advocates and others about how the ADPPA may be stronger than California law, I assure you that in my and the staff's expert opinion that it is not," CPPA Executive Director Ashkan Soltani said. "While the rest of the country is getting started (on privacy), California has a great deal more experience in not only legislating but implementing and enforcing privacy protections in our law."
Pelosi's mind could be made up without further CPPA input as U.S. Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell, D-Wash., reportedly has some form of assurance that ADPPA isn't leaving the House as currently constituted.
"I don't even think Nancy Pelosi has plans to bring it up, so pretty sure we're not going to be bringing it up," Cantwell told The Washington Post.
The board meeting opened with CPPA Director of Policy and Legislation Maureen Mahoney outlining the agency's analysis of perceived strength California laws hold over the federal bill. Mahoney emphasized how the ADPPA would remove "the unique floor for privacy protections" granted under the CPRA, take away the state legislature's ability to strengthen a law based on jurisdictional necessity, and potentially diminish enforcement capabilities of the CPPA.
While board members were supportive of the general efforts by U.S. Congress to address privacy at the federal level, they defended their unwillingness to sacrifice the strong protections and enforcement system they believe California already possesses.
"It is the agency's role and our responsibility to act as what our implementing legislation (the CPRA) calls an independent watchdog to protect Californians' privacy rights," CPPA Board Chair Jennifer Urban said, calling the agency's role "very clear" and "set out for us directly by the California voters." She also called attention to "timing" as California residents currently enjoying data subject rights may lose them for a time or altogether with implementation of a federal law.
Board member Chris Thompson spoke of "a false choice" Congress is posing by indicating a federal law and state law cannot co-exist. He said federal lawmakers are "treating privacy rights as if they are in limited supply and the strong rights of Californians and others need to be taken away" so the rest of the country can be served "weaker rights."
Thompson went on to encourage the concept of a federal floor that would allow states to build off of the federal framework, noting it's "been done in a number of areas previously." It's unclear if Congress has explored such a baseline in depth, but U.S. House Committee on Energy and Commerce Chair Frank Pallone, D-N.J., said during the ADPPA's committee markup that preemption was "carefully crafted" with states in mind and any backpedaling from current provisions would "reject all efforts to come to a compromise."
Lydia de la Torre, partner at Golden Data Law and CPPA Board member, previously stated at the IAPP Privacy. Security. Risk. 2021 that she hoped any federal bill would be inspired by the sort of innovative policy trailblazing CCPA and CPRA had done. She supported Thompson's false choice narrative, coming to the conclusion that preemption likely isn't necessary based on California's equivalent protections to those of the EU General Data Protection Regulation and other jurisdictions while the current federal framework may not meet that EU adequacy standard.
The subject of CPRA strength and potential adequacy status compared to ADPPA extended beyond the board meeting as de la Torre engaged further with privacy professionals and advocates on Twitter in an attempt to cement her remarks.
She also pitched board members on a privacy awareness campaign under the agency mandate to enlighten consumers on why a federal floor and state adaptability are essential. This was suggested as a potential priority item on par with ongoing CPRA rulemaking, which is a month past its original deadline.
"I don't read this mandate as limited to CCPA and CPRA," de la Torre said. "I think it's really important to consider, even though we still have limited staff and resources, whether it should be a priority of the agency. … We have the rulemaking, which requires a lot of resources, but I think it's wise to pause for a second and think if rulemaking should be our top priority or maybe there is room to make public awareness a top priority."
The public comment portion of the meeting featured support for the policy stances the CPPA eventually adopted and the pitch for public awareness campaigns. Notable commenters chiming in were Californians for Consumer Privacy founder Alastair Mactaggart and former U.S. Federal Trade Commission Chair Jon Leibowitz.
Mactaggart remains arguably one of the most influential individuals in the U.S. privacy landscape following his work on CCPA's passage by the California legislature and then pushing the CPRA ballot initiative through two years later. While also pleased to see Congress stepping up on privacy legislation, Mactaggart pointed to the 9.4 million voters who approved the CPRA as a chief reason why it should not be canceled out by the current federal framework.
"There's a lot to like in ADPPA for much of America, but it would represent a giant step backwards for Californians," Mactaggart said, noting his concerns on government surveillance and auditing among other areas. "I would urge the board to do whatever it takes to get the message out. … You absolutely have statutory authority to expand resources and really raise the alarm that (the ADPPA), which is reported stronger, is actually massively weaker in many areas."
Leibowitz, who chaired the FTC from 2009 to 2013, was the lone commenter to step up and oppose the CPPA's discussion and stance. Leibowitz supported the notion that California is "a laboratory for democracy" and its importance to the U.S. privacy landscape, but deemed the federal bill "far stronger than California law" with its civil rights protections, increased children's privacy protections and private right of action.
"If a federal law passes, Californians will immediately have greater privacy protections. If it fails, the biggest winners are the 'cyberazzi' that hoover up all of our data," Leibowitz said. "We need a national solution. We'll only have that robust federal law if everyone makes some sacrifices, including businesses and states."
This tracker organizes the privacy-related bills proposed in Congress to keep our members informed of developments within the federal privacy landscape.
This white paper examines the progress made in Congress toward bipartisan agreement on privacy rights over the current legislative session, analyzing the 18 bipartisan federal privacy bills introduced in the 117th Congress.
If you want to comment on this post, you need to login.