EFF is disappointed by the latest draft of the American Data Privacy Protection Act, or the ADPPA (H.R. 8152), a federal comprehensive data privacy bill. The bill passed the U.S. House Energy and Commerce committee on Wednesday, and is headed to the House floor.
We have been closely monitoring the progress of this bill, and carefully watched how negotiations played out. EFF last month sent a public letter to Congress seeking improvements to a prior version of this bill—many of these suggestions still stand. There were many changes to the bill earlier this week, and we are still evaluating the new language.
We have three initial objections to the version that the committee passed this week. Before a floor vote, we urge the House to fix the bill and use this historic opportunity to strengthen—not diminish—the country's privacy landscape now and for years to come.
The Bill Squashes Existing State Protections—and Freezes Them
The bill would override many kinds of state privacy laws. This is often called “preemption.” EFF opposes rolling back state privacy protections to meet a lower federal standard. We were troubled by this week’s committee vote against Rep. Eshoo’s proposed amendment, which would have ensured the bill serves as a baseline federal standard that states can build upon, and not a ceiling that states are banned from exceeding. Many advocates have long opposed preemption and several state Attorneys General recently told Congress that the bill as written harms their ability to protect the public.
ADPPA's preemption doesn't only steamroll state data privacy statutes, such as California's Consumer Privacy Rights Act. It also apparently rolls back protections in a number of other areas, even rights to privacy that states have seen fit to enshrine in their state constitutions. Based on the text of the current bill, endangered state privacy rules include those for biometric information (apart from face recognition), genetic data, broadband privacy, and data brokers—or "third-party collecting entities" as the ADPPA refers to them.
The preemption clause of the bill also means that there can be no forward progress at the state level on many key consumer issues. While it's exciting that Congress is considering consumer privacy legislation after literal decades of spinning its wheels, the ADPPA, as written, stops states from innovating on these issues. But states have been the engine for movement on privacy for years. Indeed, states have long been the “laboratories of democracy.”
EFF wants Congress to set a baseline for privacy protections. But the ADPPA should not trade away states' ability to react in the future to current and unforeseen problems.
The Bill Steps Backward on Federal Telecommunications Regulation
The bill frees the telecommunications companies from complying with, and blocks the Federal Communications Commission (FCC) from enforcing, an important federal privacy law. The same is true for existing federal privacy laws that now apply to cable and satellite TV. The price of new privacy protections should not be the elimination of old privacy protections.
AT&T a few years ago violated this law by disclosing sensitive customer location data without customer consent (leading to an EFF lawsuit against AT&T). Under the current version of the ADPPA, the FCC would lose the ability to enforce the privacy provisions of the 1934 Communications Act. Instead, the Federal Trade Commission would pick up this area of regulation under a different set of standards. While this probably appeals to companies that only want to deal with one regulator on the beat, EFF urges that the ADPPA be amended to let both regulators enforce their respective privacy rules. Congress must not remove telecommunications companies from the scrutiny of expert federal regulators with a deep understanding of the industry.
The Bill Needs Stronger Individual Rights to Fight Back
EFF long has argued that data privacy bills must include strong private rights of action, which allow people to sue companies that violate their privacy. But the private right of action in the ADPPA is riddled with exceptions and limits. A strong private right of action is necessary to ensure effective enforcement of privacy laws. Otherwise, the bill has no teeth.
Several privacy statutes have private rights of action. If a company fails to contain toxic waste, you rightly expect to be able to sue them for contaminating the drinking water. Consumer data privacy should be no different in this regard.
Many companies hate private rights of action: they don’t want you to have your day in court. So they have fought against them in statehouses from coast to coast. We have heard reports that with the current version of the ADPPA, some members of Congress are seeking to reach a compromise with those representing business interests. But, as a group that advocates for the interests of technology users and the general public, EFF seeks numerous changes to make sure the private right of action is workable for everyone injured by corporate violations of the new law. We have communicated those concerns to Congress.
For example, Congress must provide adults with protections against pre-dispute arbitration agreements. AT&T evaded EFF’s location data lawsuit by enforcing an arbitration agreement that our clients never read, because AT&T buried this needle in a haystack of fine-print legalese. So protection from forced arbitration is central to our approach to data privacy legislation. While the current version of ADPPA protects minors from forced arbitration, and protects adults bringing claims of gender violence, this is woefully inadequate.
The bill should also allow people to file suit as soon as it goes into effect—it currently has a two-year delay. Further, the bill denies private litigation as to many of the bill’s core protections, including data minimization, algorithmic transparency, and unified opt-out mechanisms.
People also should be able to recover liquidated damages and punitive damages. Moreover, the bill has a number of unnecessary and disruptive procedural hurdles before a suit can go forward, including requirements for consumers to give prior notice, follow unusual steps, and allow companies a right to fix problems to duck penalties. Individual lawsuits are important, but often require people to first marshal substantial resources; each additional roadblock makes this remedy less accessible.
New Major Loopholes
We are also concerned about newly accepted amendments to the bill that address data flows between companies such as Clearview AI or ID.me and the government. Specifically, the bill may treat these companies as “service providers”—defined in the ADPPA as companies that collect or process information for government entities—and gives these companies much more leeway than it should.
EFF has shined a light on the ways that such public-private partnerships leak data and violate privacy, and has called repeatedly for privacy legislation to address these relationships. The ADPPA should not give them free rein.
EFF urges Congress to strengthen the ADPPA. The people whose privacy we're trying to protect deserve no less. We realize that legislation requires compromises, and that the perfect must not be the enemy of the good. But lawmakers must not squander this opportunity by passing something insufficient that also prevents progress for years to come.