The American Data Privacy Protection Act (ADPPA) has bipartisan support and is the closest the U.S. has come to passing a comprehensive consumer data privacy law. But it hasn’t passed. Six experts explain why the U.S. lacks a federal omnibus, leaving five states to pass data privacy laws (California, Colorado, Connecticut, Nevada, and Virginia) and the European Union to largely set the global standard.
ADPPA in 2023?
“This year has been a watershed moment for privacy,” Ebbie Yazdani, federal policy director at TechNet told NPF data privacy fellows. “In this year alone, 31 states have considered privacy legislation, and I think many of them have effective dates in 2023, and so the timing is ideal to try to do something at the federal level.”
The ADPPA moved out of House committee with “a very impressively large bipartisan vote,” said Politico tech policy reporter Rebecca Kern. However, Senate Commerce Committee chair Sen. Maria Cantwell does not support the legislation. In next year’s Republican-controlled House, Rep. Cathy McMorris Rodgers is expected to reintroduce the bill.
Polling has shown that 84% of Americans are concerned about their data privacy and roughly the same percentage – both Democrats and Republicans – want Congress to act.
A sticking point for Republicans has been preempting state laws – they want one federal standard, Kern said.
“If we allow a patchwork of state laws to continue building, and/or if Congress is unable to fully preempt state laws, there’s going to be a tremendous cost to America’s economy and technology leadership,” Yazdani said, citing a study that said if 50 states enacted their own privacy laws, it would cost $1 trillion for the economy over 10 years.
The ‘private right of action’ and FTC debate
For Democrats, a major push has been for private right of action (PRA).
PRA is a legal term that means allowing individuals to sue if their privacy is violated. “That is something Democrats have wanted for a long time … [and] not something they’ve been willing to give up on,” Kern said.
Republicans have agreed to private right of action with a two-year delay.
ADPPA states that the FTC and state attorneys general are empowered to enforce it. However, “the FTC has been continually underfunded,” Kern said. And both the FTC and attorneys general have competing priorities and functions, which one fellow posited may lead tech companies to make “risk-based judgments about what laws they’re going to comply with” and deal with enforcement or fines if they come.
“What has evolved from the FTC is a type of enforcement that’s based a lot on the promises the companies make,” said Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals. The FTC has “limited” rule-making authority, “but in general, what you see from the FTC are these one-off enforcement actions against specific companies telling them what they did wrong and putting them under a consent decree and a negotiated settlement that makes sure that they’re going to follow best practices moving forward,” he said.
“Without a private right of action, individuals are disempowered to bring your own cases when there’s egregious things that are done to their privacy,” Zweifel-Keegan said. Europe also allows individual recourse, but “it’s just a very different culture when it comes to suing in Europe … we are a very litigious society,” he said.
EU data protections, consent and Big Tech investigations
It’s not the only thing setting Europe apart.
“We’re one of the few developed countries that don’t have a federal privacy law. GDPR [General Data Protection Regulation] in the EU has existed for a long time and a lot of U.S. companies” comply with it, Kern said.
So why doesn’t the U.S. just adopt a version of that?
GDPR operates from the basis of “don’t collect data,” Zweifel-Keegan said.
“In the U.S. I think we’re just very unlikely to see a proposed regime that would start from that same basis of saying don’t collect, no collection unless there’s a legal basis.” He also noted that the EU approaches privacy from a human rights perspective, whereas the U.S. approaches it from a consumer perspective.
The privacy notifications you get when you visit many websites are born of EU tech policy. This can lead to “consent fatigue,” Yazdani said.
“We do appreciate the fact that it can feel like we’re just bombarding people with consent notices,” said Gavin Logan, privacy and public policy manager for Meta’s Messenger platform. In order to be “clear and transparent about what you’re doing with people’s data … sometimes it takes longer to get through that process, and so one of the things that we focus on is making sure that the entry experience is clear,” he said.
However, some tech companies are accused of manipulative design and dark patterns to make data collection and privacy confusing for consumers.
Data journalist Surya Mattu, currently at Princeton University and previously at The Markup and Gizmodo, said he wants to see a model of tech investigations similar to what international journalists did to produce the Panama Papers and Pandora Papers.
Journalists “have to find ways to tell data stories that give readers a sense of agency, not apathy, around the role technology plays in their life,” Mattu said. “[Tech companies] are just optimizing for an economic function, which is their focus, and then all of this is the stuff you deal with is a byproduct of that.”
The business need for strong cybersecurity has, in turn, boosted data protection and privacy, said Diego Fernández, a lawyer in Argentina with Marval, O’Farrell & Mairal, who advises companies on how to comply with data privacy laws.
He also pointed to Apple as an example of benefitting from a focus on consumer privacy.
“They started to see that if you protect the privacy and protect the personal data of your users … that benefit goes to the pocket of the company,” Fernández said. “And so they not only comply because they have to comply … but because they see a benefit, a tangible benefit, economical benefit at the end of the day.”
Argentina has had a comprehensive data law for 20 years, he said. After decades of debate, it remains to be seen if the U.S. will get one.
This program was sponsored by Arnold Ventures and Medtronic. NPF is solely responsible for the content.