Privacy Law Update: June 13, 2022
On Friday, June 3, Representative Frank Pallone (D-NJ), Chairman of the House Energy & Commerce Committee, Representative Cathy McMorris Rodgers (R-WA), the committee’s Ranking Member, and Senator Roger Wicker (R-MS), Ranking Member of the Senate Commerce, Science and Transportation Committee, publicly released a discussion draft of a federal privacy bill. The “American Data Privacy and Protection Act” (ADPPA) is a comprehensive bill that touches all facets of the privacy debate that has been ongoing in Congress for well over 20 years. Some of the provisions in the discussion draft are bracketed, indicating those provisions are still under discussion and have not been agreed upon by the authors. In their press release, the three authors thanked Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) and Ranking Member Gus Bilirakis (R-FL), as well as Members of the Senate Commerce Committee, for their input and leadership on the discussion draft. Notably, however, Senator Maria Cantwell (D-WA), the Chair of the Senate Commerce Committee, is not an author of the bill.
The U.S. has never had a national data privacy law. That might be set to change with a new draft bill being debated in both chambers of Congress, with support from leaders in both parties.
The American Data Privacy and Protection Act includes requirements that any organization that “collects, processes, or transfers” information that can be linked to a particular individual follow the principles of “privacy by design.” It’s a decades-old idea that the only way to ensure data privacy is to build it into applications in the earliest stages. It’s in Europe’s General Data Protection Regulation as well as Brazil’s national privacy law, among numerous other jurisdictions. But applying that idea to continually evolving technology is likely to require some serious iterating, to use a Silicon Valley term.
Politico asked Ann Cavoukian, who coined the term and came up with seven “foundational principles” in 1997 when she was Ontario’s information and privacy commissioner, about the history — and the future — of the concept.
Today’s data privacy laws refer to specific regions. The GDPR applies in the EU, CCPA is relevant in California and so on. But as data privacy becomes more of a global standard, it’s time to evaluate this course of action and ask whether or not current and future laws still refer only to the regions for which they were initially meant.
California: The California Privacy Protection Agency held a board meeting on Wednesday, June 8th. Lisa Kim and Stacey Schesser from the California AG’s office gave a presentation on the draft proposed CPRA regulations to the board. The board then voted 4-0 to empower Executive Director Soltani to take ‘all steps necessary’ to initiate formal rulemaking proceedings on this first set of CPRA implementing regs. Expect a formal announcement, and the start of a 45-day public comment period, soon (though we understand that non-substantive, technical corrections to the proposed regulations will be adopted first).
During discussion of future agenda items, Boardmember Le requested a legal opinion on what information the Agency can share about enforcement deadlines (suggesting there is appetite on the board to postpone at least some aspects of formal CPRA enforcement, given the delay in promulgating regulations). Boardmember Thompson also requested further information on the process for amending the proposed regulations.
Prior to the meeting, the board released its draft Initial Statement of Reasons (‘ISOR’) for the proposed regulations. Notably, the ISOR determined that the regulations would not have a significant adverse economic impact on businesses, as businesses are already required to comply with the CCPA and CCPA regs, and that any adverse economic impact would come from the Prop 24 ballot initiative, not these new regulations. The ISOR further states that opt-out signals do not need to be enabled by a consumer, but that “selection of privacy-by-design products or services is an affirmative step and sufficient to express the consumer’s intent to opt out…”
Separately, California’s AB 2273 to establish an ‘Age-Appropriate Design Code’ has been referred to the Senate Judiciary Committee, joining AB 2408 the ‘Social Media Platform Duty to Children Act’ which was referred to the Judiciary and Appropriations Committees last week. Senate hearings have yet to be scheduled on either of these bills.
Massachusetts: Mintz Law reports that last week the Joint Committee on Health Care Financing voted to send H 4514, the House version of the ‘Massachusetts Information Privacy and Security Act’ (MIPSA) ‘to study’ (rather than advance it). While the Senate companion (S 2687) is still technically awaiting action following its passage through the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity on February 1, it seems safe to predict that this bill has stalled out for the year. MIPSA contains distinct elements from the GDPR (bases for processing); CPRA (definitions and consumer rights); CPA (contractual requirements); VCDPA (enforcement); and ODPA (safe harbor for breach litigation). The Massachusetts formal session ends on July 31.