Not a month ago, 53 House lawmakers voted, for the first time this century, to send a comprehensive federal privacy bill to the floor. It was a laudable achievement, but it’s been frozen in place ever since. Now, with fewer than 100 days until the midterm elections, any hope of getting national privacy reform done before a new Congress is sworn in is growing dimmer by the day.
The American Data Privacy and Protection Act (ADPPA) may have advanced farther than any of its forerunners, but there are plenty of obstacles in its path: It has vocal detractors on both sides of the aisle, including one whose support is absolutely key to gaining a foothold in the Senate. And its most enthusiastic supporters are quick to acknowledge the bill is not without flaws. Some Democrats remain adamant that the bill is too weak — especially those in California, whose residents already enjoy the strongest privacy protections in the union. Some Republicans, meanwhile, contend the law is too burdensome on corporations — the very same tech giants they’ve been threatening to cow for years over largely illusive allegations of bias.
What those closest to the negotiation table will tell you is that there is broad consensus on at least one point: Passage of the American Data Privacy and Protection Act would prove a legitimate bipartisan victory. In a political era marked by extreme divisiveness, one might even call it historic. Hurdles aside, it benefits greatly from the fact that privacy — or its near extinction — has managed to claw its way up into that realm of rare issues hardened against the cultural wars fueled nightly by our exasperatingly partisan politic.
The ADPPA is a long bill that even practiced privacy lawyers have had some difficulty parsing. It includes a web of exceptions, both for the entities it covers and the types of information they’re bound to collect. The curse of regulating technology is that it advances so rapidly a certain degree of ambiguity is needed to prevent the law from becoming irrelevant the next day. Due to this, many of the protections it offers rely heavily on the concept of reasonableness, granting the courts considerable space in the future to determine how they’re applied. Broadly, it seeks to regulate information companies “collect, process, or transfer,” to the extent that such information may be “reasonably linked to an individual or device.” The idea is to protect consumers by establishing new limits on the categories of human data that companies are permitted to collect and use — minimizing it ideally to only that which is needed to provide a service users request.
“This is a law that can pass,” said Nathalie Maréchal, policy director at Ranking Digital Rights. “It is outlandish that we don’t have a federal baseline privacy bill, and this is vastly better than the status quo.”
David Brody, an attorney with the Lawyers’ Committee for Civil Rights Under Law, concurred. “I think it’s about as good as you can reasonably hope it’s going to be, in something that’s bipartisan,” he said.
The laws and regulations Americans rely on to protect their privacy are, in the best light, obsolete. At worst, they perpetuate serious harms by granting major data holders like Amazon and Google enormous latitude to manipulate and violate people’s trust without ever running afoul of the law. Bestowed by Congress a full century before platform power began to dominate nearly all life and business, the Federal Trade Commission’s authority to investigate “deceptive” and “unfair” practices fails to anticipate the mass commodification of consumers’ personal behavior. You could no more expect a medieval text on the plague to contain knowledge of modern medicine than a law predating the age of radio to comprehend the heights of opportunism that have been achieved through the rampant surveillance of billions.
In a legal sense, companies engaged in shady data practices rarely “deceive” their customers. While privacy policies have become industry standard — a practice maintained by platform gatekeepers like Apple and Google more than any legal mechanism — nothing forbids major data holders from burying their customers in an avalanche of vague and overly technical drivel. This entire scheme revolves around one patently preposterous theory, that the average internet user is someone reasonably capable to begin with of slogging through all this contractual obfuscation.
“When you do anything with a company, they’ll just put some gobbledygook in front of you. You click a box and little do you know you’ve just agreed never to sue them,” said Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation. (Notably, the ADPPA does little to prevent this.)
Even if the terms were fair and easy to comprehend, most would still find they’re left only with the illusion of choice. The monopolism that’s become a hallmark of platform dominance today has given a mere handful of companies unprecedented gatekeeper control over most modern modes of interpersonal exchange, as well as the very stores of human knowledge. The social pressures and exigencies of professional life more or less compel users now to acquiesce to whatever terms are laid out in front of them.
Sen. Roger Wicker, a Republican and ranking member of the Senate Committee on Commerce, Science, and Transportation, urged his colleagues last month to take up the ADPPA, adding that while no legislation is perfect, the bill represented the “bipartisan, bicameral compromise” with the “best chance of reaching the President’s desk before the end of the year.” That said, Wicker has vaguely nodded toward a desire to tighten the scope of the bill even further.
Sen. Ron Wyden, one of Capitol Hill’s most prominent privacy defenders — and the author of far stronger legislation, which would see executives jailed for lying about their practices to Congress — remains unconvinced that the ADPPA sufficiently limits the use of what the bill calls “de-identified” data. “Senator Wyden is looking closely at the latest version of the House bill,” chief spokesperson, Keith Chu, told Gizmodo in an email. “However, the bill continues to exempt de-identified data, which we know can easily be re-linked to individual Americans.”
The ADPPA’s biggest accomplishment is that it brings compromise to two areas of dispute that have long negated the possibility of any bipartisan legislation: state preemption and private right of action (the ability of individual consumers, or classes thereof, to drag companies into court on their own). State preemption has long been a requirement of any bill hoping to gain Republican favor. While privacy advocates are strictly opposed to the idea, the bill as proposed would effectively preempt the authority of the states to pass their own comprehensive privacy packages. And herein lies the biggest hurdle to its passage: winning over Californians who’ve already fought to protect their own data and have gained significant control on their own. In 2020, more than 9.3 million California residents voted to pass the Consumer Privacy Rights Act (CPRA), a ballot measure slated to significantly enhance the state’s already-formidable privacy law in a few short months from now.
These California amendments introduced concepts such as “sensitive personal information,” a classification that requires even tighter controls than for that which is merely “personal”. It expanded the “right to delete,” now requiring companies to forward those demands along to third parties with whom they may have shared their data. And it added login credentials to the list of items that people could sue over in the wake of a data breach. What’s more, it created a new watchdog for the state, the California Privacy Protection Agency, vesting it with a range of investigative and enforcement powers.
On balance, the ADPPA largely mirrors the protections enjoyed by Californians. In certain ways, it’s an even stronger law. The ADPPA, for instance, would strictly prohibit targeted advertising aimed at children and minors under 17, something the CPRA does not accomplish. The CPRA requires companies to inform residents about their “right to opt-out” of the sale or transfer of their personal data; however, few if any users are truly aware of which and how many companies possess that information. Conversely, the “Do Not Sell” mechanism that the ADPPA seeks to create would, in theory, allow consumers to make demands of companies they aren’t even aware exist. And unlike the CPRA, the ADPPA does not completely let data holders off the hook when the third parties they work with behave criminally or with negligence.
Privacy experts have highlighted a few aspects of the federal bill that do appear weaker than the California law. One provision of the CPRA, for example, strictly prohibits state legislators from amending the law unless it’s to further protect consumers. Vice versa, the ADPPA would always be susceptible to a more business-biased Congress watering it down in the future.
The CPRA requires large data holders to regularly audit their own practices. And while the ADPPA does as well, there are a couple of key differences: California requires that companies disclose the results of those audits to regulators each year by default. The ADPPA would require companies to conduct audits every two years instead, and make them accessible only at the government’s request.
Others have claimed the state law better protects consumers against price discrimination — though the difference may, in practice, be negligible. While the ADPPA would ban companies from charging users different rates to provide the same privacy-related service, it contains a carveout for one in particular: When users go to exercise their right to demand personal data be deleted, companies are able to offer “different types of pricing” in the processing of those requests. While the California law claims to ban such tiered-pricing schemes, it doesn’t appear to do so if the difference in price is “reasonably related to the value” of the data itself.
On the other hand, the California legislature also defines prohibited pricing using additional, broader terms — that which is “unjust,” “coercive,” or “usurious,” and not merely unreasonable — a fact that could, potentially, lead judges to apply fewer presumptions in favor of shady business practices when consumers go to court for relief.
Preemption comes in several flavors and the ADPPA does its best to find the middle ground. Some federal laws, for instance, prohibit states from passing anything even tangentially related to a subject. The ADPPA only preempts that which is directly “covered” by the bill. What’s more, it contains numerous exemptions giving state legislatures room to enact privacy laws in a wide range of areas. They’d retain the power, for instance, to pass additional laws addressing the privacy rights of students and employees, or further strengthen protections around medical and banking related data, as well as any personal information contained in public records. City councils would remain free to regulate wiretapping and other forms of electronic eavesdropping or ban police departments from adopting facial recognition and other invasive surveillance tools, as a handful of cities have done.
When it comes to empowering users to drag privacy violators into civil courts, Republicans are generally opposed. They prefer instead a two-tiered enforcement structure giving the Federal Trade Commission and state attorneys general alone the power to crack down on offenders.
The ADPPA, again, strikes a balance. Consumers can go to court when they feel their rights granted under certain provisions have been violated, but the range of remedies at the court’s disposal is limited. Judges can award compensatory damages, for instance, which strictly address any actual harms suffered. In some cases, they can award injunctive relief, ordering companies not to engage in certain activities likely to cause more harm. (A “right to cure” clause in the bill forestalls the use of injunctions, should an offender manage to remedy the violation on their own within 45 days of being notified by a consumer.)
What the courts would lack under the ADPPA is the ability to financially punish companies for their most egregious behavior — something privacy experts agree is a major compromise on the side of the consumers.
“It’s a problem,” acknowledged Brody. “Probably the single weakest component of the entire bill is the lack of punitive damages.”
But the limits on private action are not necessarily as big of a deal as they seem. Recent rulings by the Supreme Court have effectively kneecapped the ability of data breach victims to seek relief in federal court anyway. Congress cannot simply write into law that a violation equates to harm. As the court puts it: “An injury in law is not an injury in fact.” Consumers must demonstrate concretely that they’ve suffered an “actual” harm as the result of a breach. Merely having your privacy violated is apparently not enough. In any case, connecting a “concrete” harm back to the company that caused it is not always easy to do.
One of the nation’s leading digital rights groups, the EFF, has notably expressed disappointment in several of the ADPPA’s limits. Adam Schwartz, who’s represented travelers whose devices have been seized at the U.S. border, said the EFF’s opprobrium should not be construed as outright opposition. It has key concerns, he said, most of which revolve around the bill’s exemption for law enforcement. Any company “collecting, processing, or transferring covered data” on behalf of a government agency is basically immune to its protections.
“The government is outright now willy-nilly buying phone app location data and using it to investigate people, but the people don’t know they’re being investigated,” he said. “We’re potentially years away from the courts enforcing the Fourth Amendment, and in the meantime we need Congress to do something.”
A number of companies in recent years have been caught selling people’s personal data to the government. That includes information that agencies such as the FBI might otherwise need a warrant or other legal process to obtain. It wasn’t until this month that Democratic congressional leaders demanded specific details about this activity from a range of agencies, including the FBI and the Department of Homeland Security. Little is known publicly about the government’s appetite for buying private data and there are few if any rules to prevent it. But for years it’s been known that at least some companies have furnished sensitive information to the government for a price, circumventing evidentiary requirements derived from the protections guaranteed under the Fourth Amendment.
Sen. Wyden, who has questioned ADPPA’s definition of “de-anonymized” data, has likewise expressed concern about the potential for a loophole that “could allow data brokers to sell location data to the government about visits to reproductive health facilities, for example, or other private information that is trivially easy to connect to individuals.”
Schwartz agrees, arguing the bill falls short in giving government contractors ample leeway to share information with the government. “When you mix that with preemption, it becomes very scary,” he said. Schwartz pointed to the glaring case of Clearview AI, a private surveillance firm that’s collaborated with hundreds of police departments, and is notorious for having harvested billions of photographs from social media without anyone’s permission.
“If Congress were to pass this law today without the preemption,” Schwartz said, “and the next day Clearview persuaded a judge this is its get-out-of-jail card, then we want California or New York or some state to say, ‘Okay, we’re going to pass the same law as the ADPPA, but we’re going to regulate Clearview like any other covered entity.’”
Experts say this one loophole could be easily buttoned up, however, if Congress also passed a Wyden-sponsored bill colorfully titled, The Fourth Amendment Is Not For Sale Act. The language in that bill would effectively protect any data for which a warrant is traditionally required.
Another concession alarming the EFF is that, at the moment, the ADPPA would allow companies to continue forcing users into arbitration, attaching clauses to their terms of service that essentially ban users from addressing any wrongdoing in court. The one exception introduced into the bill so far blocks arbitration for minors and victims of gender- and partner-based violence.
Even with all its potential shortcomings, the ADPPA — at least for now — remains the best hope for Americans long oppressed by the self-serving, exploitative behavior of corporations that, while feeding people aspirational babble about connecting and empowering users, have instead run amok; manipulating, lying and abusing their trust, exposing them to theft, fraud, harassment, violence, and even death without a semblance of loyalty or care.
The ADPPA is the good-as-it-gets bill. Perhaps the one that we need right now, even if not the one we deserve.
“Nobody’s getting everything that they want, but that’s how lawmaking is meant to work,” said Maréchal. “Privacy is a case of a topic that doesn’t fall neatly along partisan lines, and that’s increasingly rare these days.” The perfect bill, if there is one, would never have made it this far.