Happy Friday, U.S. Digest readers!
As we head into this early summer weekend, the privacy world grants you no shortage of weekend reading.
Making the rounds is the discussion draft of the bipartisan American Data Privacy and Protection Act, possibly the strongest prospect for comprehensive federal privacy legislation seen in years. Meanwhile, at the state level, the California Privacy Protection Agency Board released the California Privacy Rights Act draft regulations, voting unanimously Wednesday to authorize Executive Director Ashkan Soltani to begin the anxiously awaited CPRA rulemaking process.
At 64 and 66 pages, respectively, they’ll run you about the same time with a good cup of tea. But which one to prioritize?
During a LinkedIn Live, moderated by IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, the Future of Privacy Forum’s Director of Legislative Research and Analysis Stacey Gray, CIPP/US, said the California regulations may present the larger compliance challenge in the near future, but both advancements are “pretty significant.” And movement on the ADPPA is happening quickly, with a hearing scheduled before the House Committee on Energy and Commerce’s Subcommittee Tuesday.
“This one matters because it’s bicameral and bipartisan. Full stop,” Gray said of the ADPPA discussion draft. “That’s a pretty big deal. That’s why people are paying attention.”
There’s been a “window of opportunity” for federal privacy legislation, Gray said, since the CCPA passed in 2018. That window could arguably stall at the midterm elections this November, she said. “A bill that’s going to get serious compromise right now and is actually going to stand a chance of passing would really need to be worked out right now, in the next month-and-a-half really, so that it could be considered and go for a vote,” she said.
Also, during the LinkedIn Live, Brookings Institution Tisch Distinguished Visiting Fellow Cameron Kerry noted the content of the ADPPA includes boundaries around the collection, use and sharing of information, civil rights protections, and algorithmic transparency and accountability provisions. But, he said, without bipartisan agreement, including the support of Senate Commerce Committee Chairwoman, Sen. Maria Cantwell, D-Wash., who has yet to sign onto the bill and is anticipated to release her own draft proposal any day now, “it’s impossible to visualize a path forward that gets us to a law.”
The ADPPA would preempt most state privacy laws, with a list of exceptions including the federal Children’s Online Privacy Protection Act and Illinois’ Biometric Information Privacy Act. It could preempt laws in California, Colorado, Connecticut, Utah and Virginia, Gray said, if the federal and state legislation regulated the same issues. It could create an “ironic situation” in California if the federal law were to go into effect, she said, where most of the CPRA would be preempted. In an analysis of the ADPPA this week, Senior Westin Research Fellow Müge Fazlioglu, CIPP/E, CIPP/US, noted a private right of action concerning data breaches in California would be exempt from preemption.
“It does preempt the core operational compliance issues that most in the business community are concerned about, which is states having different standards for access rights, portability, etc., and sets a uniform standard for those,” Gray said.
A lot is aligning around the ADPPA, Kerry said, adding the work of stakeholders and legislators in Washington “is bearing fruit now” and “we are closer than we have ever been in 20 years of efforts to get privacy bills.”
“You can kind of taste it,” he said. “I think there is the opportunity here to put the kind of substantive protections that we’ve talked about in place. That, to me, is the important objective here.”
So, it seems, for now, the ADPPA is the reading to add to your list. But there’s still plenty to keep a close eye on around CPRA rulemaking. The CPPA is likely to miss an initial July 1 statutory deadline to adopt regulations, which is being closely watched by the business community, and indicated the topic would be placed on an upcoming agenda. And with the authorization vote Wednesday, a Notice of Proposed Rulemaking Action is anticipated next, which will officially commence the formal rulemaking process. Then it will be time for stakeholders and interested parties to share their thoughts on the draft regulations.
So keep the California draft handy. You’ll need it soon.
If you want to comment on this post, you need to login.