Privacy Law Update: August 1, 2022
The proposed American Data Privacy and Protection Act feels so close and yet so far away. The comprehensive privacy bill is on the cusp of a U.S. House floor vote, a first for any federal privacy proposal. But the bill’s fragile nature is being tested at a crucial point in the legislative process as California lawmakers and stakeholders prefer the bill fail or be refit in order to preserve the California Consumer Privacy Act and its successor, the California Privacy Rights Act.
In June 2022, while privacy professionals in Canada were still contemplating Bill C-26 on cybersecurity, the much-anticipated Digital Charter Implementation Act, 2022 — Bill C-27 — was introduced by the federal government. It is a reintroduction and, some may agree, an improvement of Bill C-11, first introduced in 2020 and failed on the order paper as a result of the federal election in 2021.
China’s Personal Information Protection Law lays out strict limitations on cross-border transfers of personal information (PI). Finally, after more than nine months after the PIPL came into effect, three new regulatory developments will provide guidance on the administrative procedures and detailed rules to implement the cross border transfer rules.
For historically marginalized groups, the right to privacy is a matter of survival. Privacy violations have put these groups at risk of ostracization, discrimination, or even active physical danger. These tensions have long pre-dated the digital age. In the 1950s and 1960s, the government used surveillance programs to target Black Americans fighting against structural racism, with the Federal Bureau of Investigation’s (FBI) Counterintelligence Program (COINTELPRO) targeting Dr. Martin Luther King, Jr. and members of the Black Panther Party. During the HIV/AIDs epidemic, LGBTQ+ individuals were fearful that with an employer-based healthcare system, employers would find out about a doctor’s visit for HIV/ AIDS and that individuals would then face stigma at work or risk losing their jobs.
The world of digital marketing is approaching a new normal. Consumer privacy is no longer just a movement to monitor, but one that is reshaping the industry through regulation and action by the tech giants. Major brands are now coming to realize that the way they organize, invest, think about audiences, and engage with consumers, will be reorganized around people’s privacy preferences – rendering many traditional digital marketing strategies fundamentally different.
Opposition to ADPPA Intensifies
Senate Commerce Chair Cantwell continues to oppose the American Data Privacy and Protection Act (ADPPA), significantly undermining its chances for further progress in this Congress. In comments to The Spokesman, Senator Cantwell stated that “[i]f you’re charitable, you call it ignorance” regarding the House’s approach to privacy enforcement and suggested that civil rights groups supporting ADPPA have “been infiltrated by people who are trying to push them to support a weak bill.” In separate comments to the Washington Post Cantwell expressed that she is not planning to bring ADPPA to a markup because “I don’t even think Nancy Pelosi has plans to bring it up, so pretty sure we’re not going to be bringing it up.”
Senate Commerce Marks up Child Online Privacy & Safety Legislation
Mere hours after ADPPA advanced from the House E&C Committee, Senator Cantwell called a Senate Commerce markup of two bills, S.3663, the Kids Online Safety Act (KOSA) (Blumenthal (D-CT) & Blackburn (R-TN)) and COPPA 2.0, the Children and Teens’ Online Privacy Protection Act (Markey (D-MA) & Cassidy (R-LA)). At the July 27 hearing, KOSA advanced unanimously and COPPA 2.0 advanced on a voice vote with some Republicans opposing. Notably, Ranking Member Wicker expressed his support for the ADPPA, opposition to COPPA 2.0, and areas for future improvement in KOSA. Other Republican members expressed concern about the scope of FTC rulemaking authority in the COPPA 2.0 bill.
California Privacy Protection Agency Opposes ADPPA in Special Board Meeting
At a special California Privacy Protection Agency meeting on July 28, the CPPA board unanimously adopted 3 motions related to federal privacy legislation:
- Oppose the American Data Privacy and Protection Act as currently drafted
- Oppose any federal bill that seeks to preempt the CCPA or establish weaker privacy protections
- Authorize Agency staff to support federal privacy protections that do not preempt the CPPA or that create a true “floor” for privacy protections that states can build on in the future.
Board members raised the following concerns about the ADPPA:
- Chairperson Urban: Expressed concern that the ADPPA would cause Californians to lose the privacy rights they currently enjoy today. She further expressed concern about losing the CCPA (as amended by the CPRA)’s constitutional floor, which she called a direct response to industry efforts to weaken the bill.
- Board Member Thompson: Stated that the ADPPA represents a “false choice” by treating privacy rights as if they are limited in supply and the wrong argument that Californians’ strong privacy rights must be taken away in order to provide weaker rights federally. He further questioned the ADPPA requirement that unified opt-out signals must be authenticated.
- Board Member de la Torre: Raised concerns that the ADPPA would jeopardize the ability of California to receive a state-specific EU-adequacy determination. She further raised concerns about the ADPPA overruling privacy laws of local municipalities, not just states. She also argued that the preemptive effect of the ADPPA has not yet been fully explored and that it could strike down laws that protect women in the wake of the Dobbs decision.
- Board Member Sierra: Raised concerns that the ADPPA would limit the enforcement effectiveness of the Agency.
- Board Member Le: Cited to CPPA Deputy Director of Policy and Legislation Maureen Mahoney’s Staff Memorandum to argue that the ADPPA is weaker than the CCPA because the ADPPA: (1) would deprive Californians of the right to opt out of automated decisionmaking; (2) covers fewer service providers (excluding those that perform work for government entities); (3) does not clearly cover inferences; and (4) requires impact assessments for fewer types of businesses.
- Executive Director Soltani: Unequivocally stated that the ADPPA would be weaker than the CCPA on substance. He further argued that California’s existing law is better interoperable with other state and international privacy frameworks.