Will California be the death of national privacy legislation?
Californians are understandably proud of what their state has done to advance privacy protection by enacting comprehensive privacy legislation in 2018. That pride now stands in the way of federal privacy legislation. As a strong bill advanced to the House floor, California officials mounted a full court lobbying press against its preemption of provisions in state laws that are “covered by” provisions in the federal law.
Their campaign succeeded with Speaker Pelosi. She aligned herself with the Californian advocates, issuing a statement that H.R 8152, the American Data Privacy and Protection Act (ADPPA), “must continue to protect Californians — and states must be allowed to address rapid changes in technology.” As a result, as she prepares to relinquish her role as Speaker, Pelosi now holds the answer to the question asked in the title of this piece. If she chooses to bring this bipartisan bill bipartisan bill to the floor during the coming lame-duck session, it is likely to pass the House. But if Speaker Pelosi insists on carving laws like California’s out of the bill, the answer to the title question will be yes, and the bill will die.”
This latest impasse in the privacy debate shines a spotlight on California advocates’ claim that their law is stronger than the ADPPA and that the ADPPA would take away privacy protections from people in California. Both laws are comprehensive, so there are bound to be differences—some consequential, some less so. This post analyzes these differences and how the ADPPA incorporates the same key protections as the California Consumer Privacy Act (CCPA) but adds important new protections that go well beyond the California law. Moving forward, the question for Speaker Pelosi, California privacy advocates, and others is whether these differences are worth killing what potentially could be a civil rights and consumer protection bill that would provide privacy protections not only for people in California but also every person in America.
How we got here
The effort to protect California’s privacy regime was spearheaded by the California Privacy Protection Agency (CPPA) and Californians for Consumer Privacy (CCP). The latter was co-founded and led by Alastair and Celine Mactaggart, who put a real estate fortune behind a referendum campaign that led to passage of the CCPA in 2018 and then a successful referendum campaign in 2020 that amended the CCPA and established the CPPA to enforce it. Together, the two entities mobilized California’s Governor Gavin Newsome, Attorney General, and Speaker of the California House, among others, to contact U.S. House Speaker Nancy Pelosi. The Los Angeles Times weighed in as well.
After the full House Energy and Commerce Committee voted 53-2 to report out the ADPPA, the CPPA and CPP upped the ante: the agency voted to oppose the bill, sent its own letter to Pelosi, and the organization announced its opposition followed by a lengthy analysis asserting that California’s law “is significantly stronger than ADPPA.”
Since Pelosi’s statement in August, Representatives Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA), the chair and ranking member of Energy and Commerce Committee, respectively, have communicated with her and expressed optimism about being able to bring the bill to floor during the coming lame duck session. To get there, they have to persuade the Speaker.
If Speaker Pelosi brings the bill to the floor, the lopsided committee vote presages a strong bipartisan vote to pass it. Such a vote from the House would put pressure on Senate leaders not to hold the bill up over minor differences. Senator Maria Cantwell (D-WA), the Senate Commerce chair and the missing “fourth corner” in the ADPPA sponsorship, has held out for additional changes to provisions. But changes to the bill as it progressed have narrowed the gaps between it and proposals from Senator Cantwell. She would have to decide whether the remaining small differences justify blocking the bill in the Senate.
Weighing the merits of the ADPPA and CCPA
Few (if any) privacy experts or advocates outside of California believe that California’s law is stronger or broader than the ADPPA. On the contrary, many believe that the ADPPA is distinctly stronger, including: Omer Tene, the research director for the International Association of Privacy for almost a decade; Stacey Gray, who follows legislation for the Future Privacy Forum; and David Brody of the Lawyers’ Committee for Civil Rights Under Law. Along with the Electronic Privacy Information Center and Center for Democracy & Technology, both organizations have a long history of involvement in privacy issues. The Lawyers’ Committee put out a chart comparing the ADPPA and CCPA in detail as the federal bill went to markup. A group of 48 civil rights organizations and other policy advocates sent a letter to Speaker Pelosi, in a broad display of unity. Even though influential privacy scholars like Danielle Citron and Daniel Solove would prefer to leave room for state privacy laws, both see the ADPPA as stronger (“much stronger” in one case).
The ADPPA goes significantly beyond the California law in placing the burden of protecting information on those that process it instead of the individuals who generate it—spelling out and limiting allowable uses of data, requiring privacy and algorithmic impact assessments, extending civil rights protections online, protecting against manipulation, and providing a much broader individual right to sue than the CCPA does. The ADPPA would be the first comprehensive privacy legislation to break significantly with continuing reliance on notice and choice, extend civil rights protections to discrimination in the use of personal information, and require all businesses and non-profits to incorporate privacy by design when assessing their use of algorithms.
Boundaries for collection, use, and sharing
Early in this national privacy debate, I argued in the Los Angeles Times that a federal privacy law “can do much better than the CCPA by requiring that business collect, use and share personal information in ways that protect the interests of the individuals affected.” The ADPPA meets these criteria—it would limit data collection, use, and sharing to what is “reasonably necessary and proportionate” to provide a product or service requested by an individual or for other purposes that are enumerated in the bill. By contrast, as a Washington Post editorial noted that when the CCPA went into effect in 2020, it “doesn’t generally place limits on the data companies can collect and keep in the first place.” The CCPA only requires that businesses notify individuals of the information they collect and the purposes for which they use it, and to use it in ways “reasonably necessary and proportionate to achieve the operational purpose for which it was collected or processed.” This “operational purpose” yardstick sets the boundaries based on the what the companies themselves choose and puts the burden on consumers to exercise a right to see and delete it (unless it is needed for a variety of purposes along the lines of those enumerated in the ADPPA). This circular standard makes California’s law a throwback to the discredited regulatory paradigm of notice-and-choice.
Indeed, the CCPA relies almost entirely on consumer rights to limit companies’ access to data. Its essence, as the New York Times editorial board described it, is reliance on “an opt-out system for data collection,” giving consumers the right to opt out from the “sale” of data linked to them, a term expanded by the 2020 referendum to include, in addition to direct sales for consideration, data sharing for behavioral advertising and reinforced by a mandatory “do not sell” button each business must display visibly. In addition, consumers also have the right of access to data, to delete it, and to receive it in a portable and readable format.
Such rights have become table stakes for privacy legislation. Like almost every state and federal privacy bill, the ADPPA provides for access, deletion, and portability of personal data. Like the California law, it also provides an opt-out from targeted advertising but goes beyond the CCPA in requiring companies to limit use of “sensitive’ personal data to what is “strictly necessary” to provide requested goods and services for such purposes and get consent to share the data with third parties, where CCPA only provides an opt-out of such use and disclosure of “sensitive” personal information.
These rights are important for empowering individuals and providing agency over personal information, but not substitutes for objective boundaries to collection and use. The CPPA appears to recognize this shortcoming, since on October 18 it released changes to proposed regulations that would broadly limit collection and processing to what is “consistent with the reasonable expectations of the consumer.” Whether the agency’s rulemaking authority allows it to improve on the statutory language this way could be the subject of a legal challenge, but the CPPA board (with CCP founder Alastair Mactaggart appointed as a member by the Attorney General in October) hopes to have rules in effect by January 2023. Conceivably, Congress could act on the ADPPA before then.
Civil rights and algorithms: The ADPPA breaks new ground with a provision that brings civil rights protections to bear on discrimination in the processing of personal information. As the letter from civil rights, privacy, and consumer organizations to Speaker Pelosi put it, the bill would “significantly expand equal opportunity online through strong anti-discrimination provisions, algorithmic bias assessments, and heightened protections for data that reveal sensitive information about a person.” Such protection has become an essential ingredient of privacy legislation, and the involvement of civil rights leadership has changed the privacy debate as awareness of the impact of data on vulnerable individuals has made privacy a civil rights issue.
The CCPA does not have any such provision. California does have a public accommodations law similar to the 1964 Civil Rights Act, the Unruh Act, that has been applied to internet-based companies in the e-commerce context. In August, however, an intermediate California appeals court ruled that a website does not constitute “a place of public accommodation,” leaving this theory in some doubt. In any event, the ADPPA explicitly carves provisions of state civil rights laws out of preemption, so the Unruh Act would be unaffected regardless of how this issue comes out.
The ADPPA also breaks new ground with provisions for privacy by design and algorithmic impact assessments. The duties for all covered entities under the ADPPA include a general requirement to consider compliance with all applicable laws and to identify, assess, and mitigate privacy risks. In addition, when it comes to algorithms used “in furtherance of a consequential decision,” all covered entities would have an obligation to evaluate the algorithm to reduce the risk of discrimination, and “large data holders” would have additional obligations to conduct and record a more prescriptive impact assessment.
The CCP raises a concern that the ADPPA does not allow individuals to opt of “profiling or automated decision-making, whereas the CCPA “specifically directs” the agency to promulgate regulations to provide some form of access and opt-out rights in this regard. It is the case that the ADPPA does not have a provision specifically addressing automated decision-making. Each legislation takes a different approach to concerns about algorithms, with the ADPPA seeking to smoke out problems and risks of algorithms more generally, whereas the CCPA focuses more narrowly on algorithms and tracking used for automated decision-making.
Boundaries on collection, use, and sharing; civil rights protections; multilayered and broad enforcement–these are key elements of privacy legislation in the ADPPA that are not in the CCPA.
Private right of action: In that 2019 Los Angeles Times op-ed, I expressed doubt that federal legislation could arrive at any private right of action because of business opposition. But ADPPA negotiators managed to reach bipartisan agreement on an individual right to seek actual damages for a range of violations of the federal privacy law that include unlawful use of sensitive personal information and violations of civil rights. This goes well beyond the private right of action that was included in the CCPA, which applies just to data breaches.
Boundaries on collection, use, and sharing; civil rights protections; multilayered and broad enforcement–these are key elements of privacy legislation in the ADPPA that are not in the CCPA. At the same time, the ADPPA also contains the key elements of the CCPA–not in exactly the same ways, but in substance.
Differences and devils in the details: Neither the ADPPA nor the CCPA is a perfect law. And each has other differences: the CCPA covers some narrower issues better than the ADPPA, and vice versa. CCP and CPPA also make claims about some of these that simply do not stand up. The CDT/ EPIC/ Lawyers’ Committee comparison chart analyzed 25 different aspects of the ADPPA and CCPA and found 14 where the ADPPA is stronger, nine where they are “roughly equivalent,” and two where the CCPA is stronger. These are some of the more consequential differences and claims.
Sharing information with law enforcement: All privacy legislation governing the commercial sector contains some provision authorizing covered organizations to share with governments. California’s (similar to those in Virginia, Colorado, Utah, and Connecticut) allows them to do so to “[c]ooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.” In effect, whatever the entity wants to do to cooperate, it can do. If a police detective calls up and asks for data on a person’s geolocation over some period, they can just hand it over.
The ADPPA has a much tighter provision because, while it also would allow cooperation with law enforcement, it does so only “at the direction of a government entity” and “only insofar as authorized by statute.” In other words, it permits lawful government access and limits sharing to what is lawful.
CCP’s letter to Speaker Pelosi makes the assertion that “in a post-Dobbs, post-Roe world… people coming to California for reproductive health care can use [California’s law] to protect their searches and locations from home-state law enforcement surveillance—but not if ADPPA passes.” Since Dobbs, California has passed a blocking statute to prevent California companies from handing information in response to legal process from other states for purposes of investigating abortions lawful under California law. This statute is part of California’s penal code, not the CCPA, and since the ADPPA does not cover government access, it would not preempt the blocking statute. Reproductive privacy of people in other states would be much more protected by the ADPPA’s nationwide safeguards for sensitive data and other data minimization requirements than by California’s statute.
The CCP’s claim appears to be based in part on a misconception in some quarters that any entity that provides a government with personal data is a “service provider” to that government and so treated like a government that is excluded from the entities covered by the ADPPA. The final markup clarified that this exclusion applies “only insofar as” the entity is acting as a service provider to the government entity, which means it must be acting “on behalf of, and at the direction of” the government entity and, unlike a covered entity, does not “determine the purposes and means of collecting, processing, or transferring covered data.” A cell phone provider that sells geolocation data to the government is not a service provider within these definitions and thus not exempt. Rather, they are data brokers that control the purposes and means of collecting and processing.
Scope of organizations covered: The CCPA applies only to “businesses” for profit and exempts from small businesses, defined as businesses that gross more than $25 million, process data on at least 100,000 individuals, or derive 50% or more of annual revenues from the sale or sharing of personal information. This leaves a wide swathe of business that can cause meaningful privacy harm out of coverage.
The ADPPA would include nonprofits and does not have any floor for covered entities, making every entity subject to baseline requirements. It does take scale into account in exempting small businesses from certain obligations and directing the FTC to take into account the size and scope of entities, number of individuals, and amount of data collected in applying various provisions. “Small business” for purposes of exemptions is defined based on both revenue not greater than $41 million and data on at least 200,000 individuals—larger entities than in the CCPA but not the blanket exemption of that law.
Targeted advertising: The CCP maintains that the “ADPPA enshrines targeted advertising” in its permissible purpose provision but—far from “enshrining” targeted advertising—the ADPPA takes numerous steps to limit the systems that support online advertising. The provision that CCP refers to does include targeted advertising as a permissible purpose but only based on “covered data previously collected” for other permissible purposes—i.e., no tracking for the purposes of advertising—and is subject to the right to opt out of all targeted advertising, like the CCPA.
The ADPPA and CCPA are essentially alike in approaches to advertising, giving people tools to limit it. But the ADPPA does significantly more to directly reduce the collection and sharing of information that can be used to track individuals, profile characteristics, and target ads.
Future-proofing the legislation: One area where the CCPA could prove stronger is in the ability to adapt to changes in technology and the marketplace. Much of the substance of the CCPA’s privacy protections—its opt-out requirement, for a notable example—would come through regulations to be adopted by the CPPA. The Future of Privacy Forum’s Stacey Gray suggests that the federal bill could allow for additional rulemaking along such lines consistent with a recommendation that Daniel Weitzner and I made early in the privacy debate that “the role of rulemaking be focused and concrete,” the ADPPA provides for rulemaking on discrete subjects with issues and considerations spelled out, rather than a broad grant of rulemaking authority.
Nonetheless, additional focused and concrete rulemaking is something the bill’s floor managers could explore as a way to accommodate California interests without altering the bipartisan compromise on preemption.
The scope of preemption: On preemption, the CPPA and CCP paint a bleak picture of the impact of the ADPPA provision both on California law and on the ability of the CPPA to protect the privacy of Californians. The CPPA’s August 15 letter to Pelosi calls the ADPPA “a Trojan horse that significantly weakens existing privacy laws” that “would nearly eliminate the Agency’s ability to carry out its mandate of protecting the privacy of California residents under California law,” while CCP declares the bill “would invalidate the role” of the agency and preempt all of the CPRA except for…the security data breach/ private right of action.” Ashkan Soltani, the privacy technologist who is executive director of the CPPA and was a consultant in formulating the CCPA, argued the ADPPA “sets “a provably lower standard” while Alastair Mactaggart, in a statement accepting his appointment to the CPPA, called the ADPPA a “real threat” to privacy that “would preempt all of California’s hard-won privacy protections.”
These overstated claims don’t reflect the way the ADPPA’s preemption section works. First, its language does not displace state laws wholesale. It applies to laws “covered by the provisions of this Act, or a rule, regulation, or requirement promulgated under this Act.” Thus, preemption depends on whether a particular “provision” of the ADPPA covers the subject of a state law. The Supreme Court has interpreted “covering” language like this as meaning that federal law preempts a subject of state law only if it “substantially subsume[s]” the subject, and so permitting a state to “supplement” a federal regulatory scheme that sets “general terms.” This leaves some room for state law depending on what specific provisions of federal law say about a particular issue.
Second, the ADPPA excludes a variety of state laws, among them “consumer protection laws of general applicability” including state unfair and deceptive act statutes that have been significant tools for state attorneys general, as well as common law rights and remedies and state statutory causes of action for traditional privacy torts (among other things). Speaker Pelosi’s statement about the ADPPA referred to maintaining California’s recently enacted appropriate design bill aimed at protecting children, but it is by no means clear that this legislation would be subsumed by the ADPPA’s provisions on children.
And finally, the ADPPA arms the CPPA with a broad grant of authority to enforce the federal law “in the same manner it would otherwise enforce the [CCPA].” This is an additional “mandate of protecting the privacy of California residents,” albeit not necessarily “under California law.” Does it really matter what the source of law is if the substance of the rights being protected are equivalent (or stronger)?
While the net effect of these provisions would be to leave some aspects of CCPA in place, significant elements undoubtedly will be preempted, along with agency authority to put these into effect through rulemaking. Most notably, these include the “do not sell” opt-out, the mandatory Do-Not-Sell button and a “global privacy control” required by regulations, and operation of opt-out rights or exercise of rights of access, correction, deletion, and portability of data, all of which have parallels in the ADPPA. But some provisions may not be (including a catchall power to “[p]erform all other acts necessary or appropriate…seek to balance the goals of strengthening consumer privacy while giving attention to the impact on businesses.”) In addition to rulemaking authority, the CCPA gives the agency significant public information and education functions and—especially—a broad set of enforcement powers.
While agency staff raised a concern that it might require state legislation “to give the Agency the ability to enforce the federal law,” the ADPPA’s explicit language allowing to enforce federal law as it would the state law makes it clear that nothing in the ADPPA “invalidates” the CCPA’s considerable enforcement authority. The same applies for CCP’s contention that the ADPPA would “eliminate” the agency’s authority to conduct audits of business.
Based on their perceptions of the comparison between the ADPPA and CCPA and the impact of the ADPPA, the CPPA and CCP have called for “floor” preemption,” pointing to earlier privacy laws as examples. That’s the approach taken by Rep. Anna Eshoo (D-CA), who leads the charge for California during the House Energy and Commerce Committee mark-up, offering an amendment to carve out of preemption any state law “if the protection such law affords any consumer is greater than the protection provided by [the ADPPA].” Her amendment was defeated, with only California members voting in favor.
There is a fundamental difference between the ADPPA and these laws and others that allow similar latitude to states: the ADPPA is a comprehensive law—a major departure from U.S. privacy regulation to this date.
Advocates of this floor preemption point to other federal privacy laws that take similar approaches, in particular the Gramm-Leach-Bliley financial privacy law enacted in 1999 and the 1996 Health Insurance Portability and Accountability Act (or HIPAA) on medical records. There is a fundamental difference between the ADPPA and these laws and others that allow similar latitude to states: the ADPPA is a comprehensive law—a major departure from U.S. privacy regulation to this date. It applies to all entities in commerce and nonprofits, unless carved out where other laws are applicable, whereas those other, less preemptive govern specific sectors, often with narrow requirements such as the Gramm-Leach-Bliley Act’s focus on notice and disclosure or with localized aspects, such as drivers’ licenses. A better historical analogy might the Fair Credit Reporting Act (FCRA), enacted in 1970 as the first national privacy law with a broader set of requirements affecting use of information than later sectoral laws, but nowhere near as comprehensive as the ADPPA. The FCRA preempted state law and does today (this was later made subject to a sunset provision until preemption was made permanent in 2004).
In addition, differing views on whether CCPA or ADPPA is stronger show how gauging whether a state law provides “greater” protection than a federal statute can be a slippery slope that gets more slippery the broader the laws. This is consistent with the experience of Jessica Rich, former chief of the FTC Consumer Protection Bureau, in applying a similar standard under the Gramm-Leach-Bliley Act. She explains further, “[f]loor preemption sounds good but it can be unmanageable in practice. You need to compare multiple provisions in both and then judge which is stronger overall. Also, who decides? Is it the agency enforcing the law or a court? There are also difficult political issues between the feds and the states that are better for Congress to resolve in advance.”
Regardless of the merits, “floor” preemption is not a realistic option because it is likely to end the bipartisanship that has enabled the ADPPA to reach this point. That’s why Rep. Jan Schakowsky (D-IL), a co-sponsor and chair of the Energy and Commerce subcommittee that incubated the bill, called it “a poison pill” in the Committee debate. Any greater latitude for state privacy laws would almost certainly undo the grand bargain that has enabled the ADPPA. The result might be to lose any Republican votes, and maybe some Democratic votes as well (the centrist New Democrat Coalition in the House endorsed the ADPPA in October; it has emphasized the need for a strong national standard, and its chair Suzan DelBene (D-WA) introduced her own bill with a much broader preemption standard than the ADPPA’s).
Privacy legislation in the balance
Congress is closer—far closer—than ever before to passing legislation that would bring meaningful boundaries and other protections to runaway collection, use, and sharing of personal information. While the ADPPA would preempt provisions in the CCPA, it would provide the substance of the protections in most of those provisions, and it would add important protections that are not in the CCPA. And it provides these protections throughout America, including in 45 states that have no comprehensive privacy law.
If comprehensive privacy legislation does not pass in what is left of this Congress, who knows whether a Republican House would take up privacy legislation. But if it did, it is a fair bet such legislation would do less to protect individual privacy and change business practices and more to preempt state privacy laws. The issue is at a consequential crossroad.