A new national privacy law promising Americans many of the same consumer privacy rights as the European Union's General Data Protection Regulation (GDPR) is working its way through the US Congress. However, the proposed bill falls short of the data privacy protections already enshrined in existing state privacy laws and regulations.
The federal legislation's goal is to provide a single, national foundation for data privacy for consumers while providing governmental oversight and enforcement by the Federal Trade Commission (FTC). In reality, the proposed American Data Privacy and Protection Act fails to meet the benchmarks set in the California Consumer Privacy Act (CCPA) of 2018, or in the replacement California Privacy Rights Act (CPRA), which goes into effect Jan. 1, 2023, critics say.
The law would fall under the purview of the Federal Trade Commission (FTC), which means that it only covers those issues already addressed by the FTC. These include consumer fraud, identity theft, children's privacy, and some cybersecurity issues.
Nancy Pelosi, a California representative who as Speaker of the House has the power to keep the bill from reaching the House floor for a vote, issued a statement on Sept. 1 noting "the American Data Privacy and Protection Act does not guarantee the same essential consumer protections as California's existing privacy laws." Her statement is being interpreted by pundits to mean she will not support the bill without new preemption language to protect California's laws, and would kill it rather than bring it to a vote.
In an open letter to Congressional leaders, 10 attorneys general representing states that currently have privacy laws encouraged Congress to pass legislation that sets only a baseline for privacy. "We encourage Congress to adopt legislation that sets a federal floor, not a ceiling, for critical privacy rights and respects the important work already undertaken by states to provide strong privacy protections for our residents," they wrote. They cited existing federal baselines for other laws, including existing consumer privacy protections, children's privacy and health privacy, and HIPAA. "Any federal privacy framework must leave room for states to legislate responsively to changes in technology and data collection practices," the attorneys general wrote in the letter. "This is because states are better equipped to quickly adjust to the challenges presented by technological innovation that may elude federal oversight."
The Electronic Frontier Foundation also sent a letter to Rep. Frank Pallone, chairman of the House Committee on Energy and Commerce and sponsor of the bill, asking that provisions of the federal bill be strengthened and that the preemption of state privacy bills be eliminated. The Illinois Information Privacy Act, CCPA, and Vermont's Data Broker Act already protect consumers, and other states are looking at similar proposals. "While EFF supports federal legislation that actually protects consumer data privacy, we have long opposed doing so if the price is preemption of stronger state laws," the EFF wrote in the letter.
California Opposes Weakened Protections
The bill also drew strong criticism from California, where the California Privacy Protection Agency issued a memorandum that recommends California's congressional delegation, which makes up 12% of the House of Representatives, oppose the bill.
California legislators and state officials cite several areas where they claim the federal law would reduce privacy protections currently provided by existing state laws. These include reducing privacy protections for individuals seeing abortion-related services and teen mental health.
The federal bill, as currently written, does not permit California to recover the monetary penalties associated with its enforcement of the federal law. In contrast, CCPA currently allows recovery of significant penalties for the violations of the state law.
Other changes ADPPA would make for California, currently covered by CCPA:
- Removing the current opt out of automated decision-making
- Replacing California's definition of personal information with a definition of covered data that does not include some "derived data and unique identifiers" under California law
- Removing certain protections with respect to non-retaliation for exercising privacy rights
- Adding a requirement to authenticate global opt-out requests — California law requires businesses to honor browser privacy signals as an opt-out, whereas ADPPA requires an explicit opt-in for sensitive categories
Debbie Reynolds, a global data privacy and protection expert and the CEO and chief privacy officer of Debbie Reynolds Consulting, says the federal bill limits privacy rights only to the original consumer of a device. For example, if a digital assistant, such as Alexa, is in an office, only the company that purchased the Alexa service would have their privacy protected. Any employee that is overhead by the device discussing private information would not be protect by the law since they were not the consumer of the device's service.
Fiona Campbell-Webster, chief privacy officer at MediaMath and the former head legal counsel and global data protection officer of cloud-based Beeswax, a SaaS application acquired by Comcast, says there are real-life consequences.
"I think we need to be mindful of, before these any of these laws are finalized, what that's going to mean for the experience of consuming content of interacting on the Internet," she says. "The concerns about ... the unintended consequences of big platforms ultimately controlling everything."
She cautions that privacy comes at a price. "I think it would be a real shame to see a world where we were penalized if we couldn't pay for all these different services that we now get for free in a certain way." Some unintended consequences of the privacy bill, she warned, could negatively impact small companies, forcing them to pay higher costs in order to meet the new privacy regulations.
Canada Considers Similar Legislation
The US is not the only North American country working to create a new, national privacy bill. Canada introduced the much-anticipated Digital Charter Implementation Act, 2022 — Bill C-27 — which replaces a similar bill that failed to pass the Canadian Parliament in August 2021. The bill would enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, as well as amend other existing acts.
"This is a very significant law for Canada," says David Goodis, a partner at INQ Law in Toronto. "It will apply in all provinces and territories except for British Columbia, Alberta, and Quebec. Quebec passed its own new, updated law earlier this year. BC and Alberta are considering updating their now very old laws. Apart from Quebec, CPPA will be the most modern and strict privacy law in Canada, and roughly on a par with Europe's GDPR and California's CCPA."
There are a few significant differences between the old Bill C-11 and the new Bill C-27, Goodis says. "There are several new duties placed on organizations that may attract monetary penalties if not complied with. For example, organizations will need to implement a privacy management program, ensure their service providers have equivalent privacy protection when transferring personal information from the company to the service provider, and ensure a service provider that discovers a security breach notify the organization. There is also an entirely new portion of the legislation that addresses the specific concerns around protecting children's privacy," he explains.
In addition, according to analysis from global business law firm DLA Piper, the old bill didn't replace provincial laws that are "substantially similar" to the federal law, which meant that the provinces of Quebec, Alberta, and British Columbia would have been able to apply their laws instead of the federal one. While the new bill allows the federal government to decide whether provincial laws as substantially similar and thus allowed to stand, it's not yet clear whether Alberta and British Columbia will pass muster — Quebec, which updated its privacy law in 2021, is expected to be exempt.