Executive Summary
There is much to like in the proposed American Data Privacy and Protection Act (ADPPA) for many Americans. But for Californians, it would weaken existing privacy laws in far-reaching and vital ways. California should not be forced to go backward and lose hard-won privacy rights in return for the rest of the country getting privacy rights that are not nearly as strong as California’s. But unfortunately, Big Tech is willing to accept a weak national privacy law in return for eliminating the one law they fear — California’s.
ADPPA should be a national privacy ‘floor,’ not a ceiling, and should not preempt the California Privacy Rights Act. This national model already exists with respect to other consumer protection legislation like the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA).
Detail Analysis
Here are some of the ways the ADPPA (July 19, 2022, Amendments), if enacted, would weaken Californians’ privacy rights:
ADPPA would spell the end of the “One-Way Ratchet” protecting privacy in California from being weakened:
• A simple majority in the Legislature can amend CPRA, but not in any way that harms consumer privacy—to do that would require a new initiative. CPRA, and California privacy protections in general, cannot be weakened absent another citizen-approved initiative. This is highly unlikely; thus, 1 in 8 Americans has a virtual guarantee of strong privacy protections.
• ADPPA would eliminate this protection/system.
CPRA offers stronger protections against profiling and automated decision-making than ADPPA:
• ADPPA does not contemplate allowing consumers to opt-out of profiling or automated decision-making; CPRA specifically directs the California Privacy Protection Agency to promulgate regulations allowing consumers to opt-out of this technology.
• This is an incredibly important feature of CPRA in an era where AI and facial recognition are increasingly responsible for so many important decisions; and is frequently in error (see this story of Amazon falsely matching 28 members of Congress with criminal mugshots, or this PBS piece on the frequent misidentification of people of color when such technology is used).
ADPPA would invalidate the role of the nation’s first dedicated privacy agency, the California Privacy Protection Agency:
• ADPPA would eliminate the CPPA’s authority to enforce CPRA—and does not give additional funding to the FTC to enforce in CPPA’s place, which would put us back where we’ve been for decades, with very weak privacy enforcement in the US.
• CPAA has guaranteed funding and is on track to become the US’s premier protection agency for consumer privacy. On the other hand, ADPPA gives enormous responsibilities to the FTC, with no additional funding.
ADPPA would eliminate California Privacy Protection Agency’s right to audit businesses:
• CPRA creates the position of Chief Privacy Auditor to ensure compliance with CPRA (created by initiative statute, so the California Legislature cannot eliminate it).
• This important compliance tool would be eliminated under ADPPA—taking away incredible consumer rights from all Californians.
Blanket preemption of CPRA, other state laws, including by future regulatory regime:
• ADPPA would preempt all of CPRA except for 1798.150, the security data breach/private right of action.
• Worse, the preemption includes “…a regulation promulgated under this Act…”, which means that any future FTC commission could, by simple regulation, preempt any state protections created to address yet-to-be-invented technologies.
• Other Federal laws touching consumer privacy, including Gramm-Leach-Bliley, the Fair Credit Reporting Act, and the Health Insurance Portability and Accountability Act, are federal ‘floors,’ not ‘ceilings.’ They allow states to pass laws that protect privacy more fully in their respective domains, thereby establishing that the states can continue to be laboratories of legal innovation and protect consumers (especially as technology progresses and changes rapidly).
• The only reason not to allow a similar construct concerning CPRA is that the technology industry is worried about the scope and coverage of CPRA and is desperate to neuter its breadth and reach.
• This is a terrible precedent to set. If ADPPA passes, it could quickly become another Electronic Communication and Privacy Act of 1986, which has for 36 years allowed the production of consumers’ emails stored on a server for over 180 days to any law enforcement agency without a warrant.
Definition of “Covered data” [personal information] is much more robust in CPRA than in ADPPA:
• CPRA §1798.140(v)(1)(A) says, “Personal information…includes…identifiers such as a…unique personal identifier..[and] (K) inferences drawn from any of the information identified in this subdivision” (i.e., your smartphone).
• ADPPA [§ 2(8)(A)], on the other hand, says “covered data…may include derived data and unique persistent identifiers.”
• The name of the game for businesses is to give you a unique identifier, pseudonymize your name and information, then sell your data / track you using this pseudonymous data, all while keeping your legal name “separate” from this identifier, so they can swear in court that they don’t know your name, and they don’t know you.
• However, if the algorithm knows everything about ‘you,’ then just because it hides behind not tying that directly to your name, your privacy has barely improved. If an entity is tracking your device’s movements and selling its data to the government, CPRA gives you the right to know what they’re collecting, to delete it, and stop its sale—whereas, under ADPPA, you’re out of luck. This should be outrageous to everyone everywhere on the political spectrum: whether you fear the government coming for illegal immigrants, your reproductive rights, or your guns, what American wants more government surveillance with less ability to learn about it?
• By allowing businesses to decide whether to include these unique identifiers (“may include”), ADPPA’s protections are much weaker than CPRA’s, and its definition of ‘covered data’ is much weaker than CPRA’s definition of ‘personal information.’
CPRA covers banks and other financial institutions that ADPPA does not:
• ADPPA §2(9) (The term “covered entity…means any entity…that is subject to the Federal Trade Commission Act”). But the FTC Act excludes banks, savings and loan institutions, and federal credit unions.
• While these entities are covered by specific privacy laws (e.g., the Gramm Leach Bliley Act), CPRA starts where those laws leave off. For example, a bank is constrained concerning what it can do with your credit information. Still, if it also collected your geolocation, hair color, or sexual identity, CPRA would constrain the bank from what it could do with that information.
• CPRA stops banks from becoming commercial data brokers; ADPPA does not.
Service providers to the government are covered by CPRA but not in ADPPA, which is a considerable weakness:
• As a baseline, neither CPRA nor ADPPA covers government entities. Instead, CPRA covers ‘businesses,’ and ADPPA covers certain businesses and non-profits.
• However, ADPPA Sec. 2 (9)(B)(ii) also excludes all service providers to any “Federal, State, Tribal, territorial or local government entity.”
• By design, CPRA specifically includes these entities. Because service providers are defined in CPRA as service providers only to businesses, not government entities, when a service provider acts on behalf of a government entity, it becomes a ‘business’ subject to access, deletion, and correction requests.
• So, the cell phone provider selling geolocation information to a government agency is not covered by ADPPA but is covered by CPRA.
• This has massive implications in a politically volatile world: whether you think governments shouldn’t be tracking attendees at protest rallies, seekers of abortions, or purchasers of guns, CPRA allows consumers to learn about government surveillance activity (with due exceptions for preventing criminal activity) by letting them query the service providers to governments.
• CPRA intentionally gave these rights to 40 million Californians, and now ADPPA would eliminate them. ADPPA would represent a breathtaking diminution of Californian rights in this regard.
“Precise geolocation” is a much stronger privacy concept in CPRA than in ADPPA:
• “Precise geolocation” in ADPPA excludes information derived from surveillance cameras [“The term ‘precise geolocation’ does not include geolocation information identifiable or derived solely from the visual content of a legally obtained image, including the location of the device that captured such image.” §2(24)(B)]
• This means that a consumer’s location whenever they take a photo is not protected…so all the tracking entity has to do is obtain the meta-data from a picture to track consumers as they use their devices. Think of a photo taken in a place of worship, a gay bar, or a health facility—under CPRA consumers can ‘hide’ their location inside a circle of approximately 246 acres. Under ADPPA, remember not to use your camera.
• Additionally, ADPPA means that any precise geolocation information obtained when you walk by someone’s doorbell camera, or into a mall, or a bank, or half the coffee shops in America, for goodness’ sake—all that can be used to track you footstep by footstep as you make your way through your day. This exception alone would turbocharge the industry of scraping video feeds to sell consumers’ precise locations.
• This would represent a massive loss of privacy vis-à-vis CPRA, especially considering how ubiquitous surveillance cameras have become.
Protection against businesses using financial incentives to coerce consumers into selling/sharing data is much more robust in CPRA than in ADPPA:
• Tremendous weakening of the prohibition in CPRA against using financial incentives to ‘force’ consumers to participate in the surveillance economy by selling/sharing their data. CPRA states that if businesses wish to incent consumers to share/sell their data, “[the] business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.” [§1798.140(b)(4)]
• ADPPA’s section covering retaliation, §104, is missing this critical consumer protection, which is terrible for consumers. We’ve all been in the situation where the item is 30% or 50% more expensive in the grocery store if you’re not a member of the store’s loyalty program. So if your choice is to pay 50% more for the cereal box or be forced into a loyalty program that gets you the discount but allows the store to sell your data—how is that a choice? It’s coercive on the part of the business, and CPRA stops it.
• The ADPPA exemption will ensure that all loyalty programs continue the practice of absurd markups if you’re not a member of the program.
• Worse, §104(b)(5) explicitly allows a business to offer different pricing or functionality if a consumer requests that their data be deleted, all but ensuring that businesses will set up massive hurdles to data deletion (Why yes, you *can* delete your data, but from then on every search will cost you $0.10)
• This will have profound racial consequences, given that many minority communities are least able to pay extra so as not to be forced into a retailer’s loyalty program. ADPPA’s exemption would ensure that almost every consumer’s grocery store and pharmacy purchases would be available for sale and that consumers would have no right to stop the sale. Yay, whether you’re buying Depends, Preparation H, or wart removal liquid, isn’t it wonderful to think all that will be available for Big Advertising to monitor and profit from?
CPRA requires businesses to let consumers access, correct, and delete all their data; ADPPA makes much smaller amounts of data available:
• CPRA makes businesses give you all your data since 1/1/22. ADPPA [§203(a)(1)(A)] only requires businesses to provide you with the last 24 months of data. Time passes quickly—in 2032, CPRA will allow you to see the previous ten years of your data vs. only two years with ADPPA.
• Only “large data holders” ($250M in revenue, 5M individuals) have the same 45-day time period to comply with access, deletion, and correction requests, as in CPRA. [§203(c)(1)(A)]
• ADPPA § 203(e)(3)(A)(v) contains an exception where businesses do not have to grant access, deletion, or correction requests if the business feels such activity would “result in the release of… confidential business information.”
• So, a business merely has to deem the information it is collecting on consumers as ‘confidential business information,’ and then it doesn’t have to disclose or delete it. Really?
• §203(a)(1)(A): ADPPA allows businesses not to turn over data in “archival or back-up systems.” If your data is in an archive, you no longer get that data when you make an access request and can no longer delete it. CPRA requires that as soon as the business restores the data (and can use it), they must fulfill your request.
Small businesses have a much stronger security threshold in CPRA than in ADPPA:
• To be a smaller business under ADPPA [§209], the threshold is < $41M annual revenue, processing data for 200,000 individuals [except for billing or collecting payment—those consumers don’t count against the 200,000 threshold in ADPPA], and the business must earn < 50% of revenue from PI processing.
• While ADPPA §208(a)(1) requires covered entities to have “reasonable…data security practices and procedures to protect and secure covered data” (just like CPRA), ADPPA § 209(a)(1) would vastly diminish security by listing the following safe harbors, which mean small businesses do not have to take many of the steps that would be expected under CPRA’s requirement to have “reasonable security procedures and practices…to protect the personal information from unauthorized or illegal access.” Under ADPPA, small businesses do NOT have to:
• §208 (b)(1) “Identify[…] and assess[…] any material internal or external risk to, or vulnerability in, the security of [its systems]…including unauthorized access…”
• §208 (b)(2) “tak[e] preventive and corrective action designed to mitigate reasonably foreseeable risks or vulnerabilities to covered data…”
• §208 (b)(3) “evaluat[e] and mak[e] reasonable adjustments to the action described in paragraph (2) in light of any material changes in technology, internal or external threats to covered data”
• §208(b)(5) “…train…each employee with access to covered data on how to safeguard covered data…”
• §208(b)(7) “Implement…procedures to detect, respond to, or recover from security incidents, including breaches.
• CPRA’s required security is therefore immensely more robust for all businesses between $25M and $41M in revenue or who collect between 100,000 and 200,000 individuals’ information.
ADPPA contains enormous delays to the rights of 40 million Californians:
• Almost 9.4 million Californians voted to enact more robust privacy rights in 2020, which are slated to go into effect in 2023.
• ADPPA gives the Federal Trade Commission 2 more years from the date of passage to promulgate regulations. CPRA’s go into effect in 2023!
Self-regulation by industry:
• §303(a) allows industry to propose technical compliance programs; requires the FTC to approve or deny the program; and gives industry the right to sue the Commission if it does not approve, amend or repeal a technical compliance program.
• Given the lack of resources allocated to the FTC under ADPPA, this section alone is a recipe for minimal regulation since industry will be able to tie up the Commission in court for even the most minor change to a compliance program.
CPRA prevents forced arbitration:
• §403(b) only prevents pre-dispute arbitration agreements for minors (who cannot legally enter contracts in any event, so this is just gratuitous), or gender or partner-based violence/physical harm
• 1798.192 prevents forced arbitration clauses for any rights contained in CPRA
CPRA Private Right of Action much stronger than ADPPA:
• The only part of CPRA that ADPPA does not preempt is 1798.150, the Private Right of Action (PRA). There is much talk of how much stronger and broader ADPPA’s Private Right of Action is than CPRA’s, since CPRA’s covers ‘just’ security and data breach, whereas ADPPA’s covers more subject matter. However, ADPPA’s PRA is so weak as to be a PRA in name only.
• §403, Private Right of Action: Plaintiffs have the right to undefined “compensatory damages,” [§403(a)(2)(A)]; vs. CPRA’s specified $100 – $750 per consumer per incident.
• Under CPRA plaintiff does not have to show harm. Instead, they simply have to prove that the business did not have “reasonable security procedures and practices” to protect their information.
• ADPPA requires consumers to notify the State Attorney General and the Commission of the case, either of whom can decide to take the case over. This is not a true Private Right of Action at all.
• Right to Cure: §403(c): ADPPA Private Right of Action also has a right to cure granted to many businesses. For businesses with less than $41M in revenue, plaintiffs must first contact the business before starting the lawsuit, and the business then has 45 days to cure the problem. This is a fix-it ticket, not a speeding ticket. Not that this isn’t useful public policy, but this is not a true ‘private right of action’ at all, since businesses can merely wait until a consumer identifies a problem, then ‘fix’ it, and have no liability.
• There is a blanket exemption for all businesses from this section, for any covered entity with under $25M in revenue, that processes less than 50,000 individuals’ data, or gets less than 50% of its revenue from transferring covered data.
• §403(a)(4): Requires FTC Study to be conducted annually starting in 5 years, which is designed to undermine privacy and be pro-industry, since the study is supposed to examine the impact of ‘demand letters’ (from consumers to businesses alleging violations of the law), specifically including the following criteria in the list to be studied:
• “a) The impact on insurance rates in the United States; b) The impact on the ability of covered entities to offer new products or services; c) The impact on the creation and growth of new startup companies, including new technology companies; and d) Any emerging risks, benefits and long-term trends in relevant marketplaces, supply chains, and labor availability.”
• This methodology is almost certain, by its terms, to produce a report concluding that ‘demand letters’ are hurting businesses; and the likely outcome will be to increase pressure on Congress to eliminate even this very weak, watered-down Private Right of Action.
ADPPA totally preempts virtually all of CPRA, but none of the Illinois Biometric Information Privacy Act:
• §404(b)(1) ADPPA would represent a total preemption of CPRA and the rights of 40 million Californians.
• Only one section, 1798.150 (data security private right of action), is not preempted, of the entire CPRA.
• §404(b)(2)(M) specifies that the Illinois Biometric Information Privacy Act is not preempted by ADPPA—coincidentally, Congresswoman Schakowsky (D-IL-09) is the chair of the House subcommittee with jurisdiction over the bill.
• Why preempt one state law but leave another intact? CPRA should be exempted too.
CPRA has massively stronger enforcement than ADPPA—which gives FTC huge new responsibilities, with no funding:
• ADPPA would give the FTC enormous new responsibilities, with no new resources.
• CPRA/Proposition 24 awarded the new California Privacy Protection Agency $10M indexed to inflation annually, which works out to (currently) ~$0.29 per CA resident, annually.
• On a like-for-like basis, the FTC should get just shy of $100,000,000, to be as well-resourced nationally as the CPPA is for California.
• Huge responsibilities and no money to enforce them, is a recipe for weak national privacy rights, and weak privacy rights for Californians. This is one of the reasons industry is pushing so eagerly for a Federal privacy regime. And, appropriations can always be cut, if the regulator is too active—whereas in California, the funding is guaranteed, and the Legislature cannot reduce it.
ADPPA enshrines targeted advertising as a permitted purpose in “Duty of Loyalty” section:
• “Permissible purposes” for collecting, processing or transferring covered data now specifically would include in federal law, “Targeted Advertising.” [§101(b)(17)]. This could have seriously negative consequences in terms of future efforts to impose limitations on the persistent tracking advertising industry.
• CPRA’s ‘business purposes’ include privacy-protective ‘contextual advertising,’ not the much more privacy-invasive practice of ‘targeted advertising.’