Hello, friends,
Many countries in the world have baseline privacy laws that set minimum standards for all kinds of data use. The United States does not. Many countries have independent data protection agencies that enforce privacy laws. The United States does not.
Despite being the home of Silicon Valley, the U.S. has lagged behind the world in regulating data usage by the tech giants. We have sector-specific laws that cover aspects of children’s online data, health data, financial data, and student data, but plenty of data falls through the cracks between these laws and the various agencies that regulate them.
The tide finally started to turn in 2018, when California passed the first baseline privacy legislation in the nation, the California Consumer Privacy Act (CCPA). And in 2020, California voters strengthened that law through a ballot initiative.
The California law established the nation’s first-ever data protection agency, called the California Privacy Protection Agency. It launched last year with guaranteed annual funding of $10 million a year, and the ballot measure prevents the California legislature from weakening its privacy protections.
Recently, other states have been rushing to pass privacy laws as well, many of them weaker than the California law and heavily influenced by the tech industry.
All this state action has finally created momentum for a federal privacy law. This month, the House Energy & Commerce Committee overwhelmingly approved a watershed bipartisan federal privacy bill, the American Data Privacy and Protection Act (ADPPA). In addition to baseline privacy requirements, it requires companies to assess whether their algorithms are discriminatory and allows individuals to sue companies directly for damages from privacy violations, with some limitations.
But there’s a big catch: It would preempt nearly all state privacy laws, including California’s landmark law. California officials including the governor, attorney general, and other lawmakers say that the federal law could undermine California’s strong privacy protections and dismantle the nation’s first-ever data enforcement agency. Rep. Anna Eshoo (D-CA) opposed the bill, saying it would “compromise California’s state agencies’ ability to enforce the law …. [and] place major enforcement responsibilities on the historically under-resourced FTC.”
The bill also prevents states from passing additional privacy laws that are stronger than the protections in the act. The Electronic Frontier Foundation said it opposes this “freeze” provision and that Congress “should not trade away states’ ability to react in the future to current and unforeseen problems.” Ten state attorneys general have asked Congress to make federal legislation a “floor, not a ceiling.”
The California Privacy Protection Agency voted this week to oppose the federal law, which it said would significantly weaken Californians’ privacy protections. “We can have strong federal laws without weakening the ability of states to provide stronger protections,” said Ashkan Soltani, executive director of the agency, when I reached out to him for comment.
“As a privacy advocate, I truly understand the lure of a comprehensive federal law. I’ve personally testified (usually once a decade) calling for a strong federal framework,” Soltani said. “However, I’m truly surprised at the willingness of the community to not only accept a provably weaker standard, but also lock into amber these protections preventing states, cities, and even counties from improving on these protections in the future. Given the speed of technological innovation—this is a trap.”
To dive deeper into the debate and the history, I spoke this week to Cameron F. Kerry, the Ann R. and Andrew H. Tisch distinguished visiting fellow at The Brookings Institution. Kerry has been pushing for a federal privacy law for more than a decade, dating back to his service as general counsel and acting secretary of the U.S. Department of Commerce in the Obama administration.
Our conversation, edited for brevity and clarity, is below.
Angwin: I want to start with the ancient past. When you were in the Obama administration, you proposed the Consumer Privacy Bill of Rights. Could you give a brief description of the bill and why it was revolutionary for its time—even though it never made any progress?
Kerry: It was the first time that a president of the United States said we should have comprehensive commercial privacy legislation, and it started the process of framing how we should respond to data privacy in the digital era. Specifically, it created the “no surprises” rule, which is the notion that data collection, use, and sharing should be consistent with context and user expectations.
Angwin: What has changed since then?
Kerry: Ten years ago I was knocking on doors on Capitol Hill trying to get people to partner on privacy legislation, and I couldn’t find any takers (this includes people who today have their names on privacy bills). Now, lots of members of Congress are involved with privacy legislation. Recent hearings on the Hill concerning privacy are a lot more sophisticated than they were in the past.
This is a reflection of a number of things. More than anything, the exponential explosion of data, alongside growing awareness of the consequences of improper data use, have gotten people’s attention. All of the journalism that you did at The Wall Street Journal in the “What They Know” series was some of the only reporting out there at the time. Since then, the Cambridge Analytica affair kind of exploded the issue, and that coincided with GDPR [European Union privacy law] taking effect. People were like, “Hey, wait a second, the Europeans have all these protections and we don’t?”
Angwin: Many people are comparing the new federal privacy bill being considered, the ADPPA, to the already passed California Consumer Privacy Act (CCPA). Can you weigh in on the differences between the two approaches?
Kerry: I think that the real problem we have with the exponential explosion of data use is getting the information, collection, and sharing ecosystems under control. Frankly, the CCPA doesn’t really do much to address this; it sets the boundaries for collection based on what is disclosed in a privacy policy and based on business purposes. The federal bill goes much further in setting boundaries around collection and tying these to very specific uses. Ultimately, the CCPA is really about the ability to opt out of the sale of information plus the individual rights of access, correction, deletion, and portability. All of these individual data rights are also in the ADPPA.
How else is the ADPPA better? Let me count the ways. The ADPPA extends civil rights protections to the use of personal information for discrimination against individuals in protected groups. The only discrimination protection in the CCPA is for discrimination against people who exercise the law’s individual data rights. The ADPPA has a private right of action, so you can sue for violations. You cannot do that under CCPA except within a very narrow category of data breach. Those are the big things, but there are a lot of smaller differences as well.
[California’s privacy agency disagrees and says the ADPPA would significantly weaken Californians’ privacy protections. “CCPA has substantively stronger protections in areas such as data minimization, dark patterns, global opt-outs, and automated decision making, to name a few—and importantly these protections are constitutionally protected from being weakened,” agency executive director Soltani said.]
Angwin: The ADPPA preempts the California privacy law that set up the first data protection authority in the U.S. The California Privacy Protection Agency says ADPPA creates uncertainty about its ability to enforce the law and creates a privacy “ceiling” that no state can exceed. Why can’t the ADPPA be a floor, rather than a ceiling, and allow California to go ahead with its data enforcement agency?
Kerry: From the start of what can be considered the serious national privacy debate in 2018, it has been clear that, with CCPA out there, the federal law was going to have to meet or exceed the protections in this law. The ADPPA does that.
The political reality is that the federal preemption is part of the price of getting strong protections on collection, use, and sharing of data, along with protections on civil rights, dark patterns, choice, and protection for minors.
[Soltani said, “Preemption is a false choice.” He pointed to laws such as the Clean Air Act and Dodd-Frank Act that set federal protections without limiting states from providing stronger protections.]
Angwin: There’s been some discussion about whether the U.S. should set up a separate data enforcement agency as many other countries have done. Implicit in this bill is the idea that we’re not going to do that, and we’re just going to make the FTC into that agency. Given that the FTC has traditionally been woefully underfunded, I’d like to hear more about that thinking.
Kerry: For one, it is the path of least resistance. There’s not a lot of political appetite to set up new agencies. However, I think it also makes substantive sense. The FTC has 30 years of expertise in this area. The FTC is also recognized internationally. They have enforcement relationships around the world, alongside a lot of institutional memory, knowledge, and expertise.
There are no problems with the FTC’s track record on privacy and data security that can’t be solved with more legal authority and resources. If this is passed, I expect that Congress will appropriate significant funds to beef up the FTC and make good on setting up an FTC privacy bureau.
Finally, I think having a generalist agency that has competition responsibilities is an advantage. The other big set of issues in data use and technology policy, apart from privacy, is competition, and so you’ve got an agency with the right competencies. It just needs the right resources and more authority.
Angwin: Let’s talk about timing. Under the current law, the California agency can begin fining companies for privacy violations next year. My understanding is that it will take the ADPPA about two years to go into effect from when it passes. Is it correct that there will be a two-year gap with privacy enforcement, even in California?
Kerry: That’s correct in some important respects. The effective date of the law is 180 days after it is enacted. But there are some provisions for guidance or rulemaking that will take a couple of years to complete. And the private right of action would not kick in for two years.
I think two years is a reasonable amount of time, considering the comparisons to CCPA and GDPR, both of which had two years before they went into effect.
Angwin: If you could go back 10 years, when you were proposing the Consumer Privacy Bill of Rights, did you think that you could get a bill like this—one with provisions like a private right of action—passed?
Kerry: Absolutely not. We specifically discussed the private right of action piece and concluded there was no way we could have proposed it without losing what business sector support we had. None of us would have gone as far as what is on the table today with ADPPA.
As always, thanks for reading.
Best,
Julia Angwin
The Markup
(Additional Hello World research by Eve Zelickson.)