On This Year’s International Data Privacy Day, Let’s Keep Pushing for National Privacy Protections
International Data Privacy Day is January 28, and President Biden celebrated early by penning an op-ed on tech issues in the Wall Street Journal that made clear privacy is his top tech policy priority. CDT agrees that privacy protections are vital and has long been working toward comprehensive privacy legislation. Unfortunately, such legislation has eluded the United States for decades. Instead, most privacy protections have come through the Federal Trade Commission (FTC), which has been protecting privacy through its general deceptive and unfair practices authority since the mid-1990s, and through sector-specific privacy legislation targeted at finance, health, kids, and other areas. Some states have begun filling the federal privacy void, with California, Colorado, and several other states passing privacy laws (with dozens more considering their own bills). The United States stands increasingly isolated in its lack of a comprehensive privacy law – everyone from the European Union to countries in Asia, Latin America and elsewhere have enacted privacy protections.
Congress is increasingly out of touch with the privacy needs of Americans. For a long time, people have been concerned about online data collection, have felt they benefit very little from it, and have wanted some kind of government intervention. Half of Americans have chosen not to use a product or service for privacy concerns. Congress has largely ignored those calls, opting instead to allow companies to essentially set their own rules – a prospect that many people recognize as a failure or “outdated.”
A breakthrough came in 2022, when we got closer to passing comprehensive privacy protections than we have in recent years. The House Energy & Commerce Committee began work on the American Data Privacy and Protection Act (ADPPA), which was the subject of hearings and markups, and it ultimately passed out of committee on a very strong, bipartisan 53-2 vote. Through this process, ADPPA has been scrutinized and negotiated more than any other comprehensive privacy bill, and made it furthest through the federal legislative process.
While ADPPA is not perfect, it would provide significantly more privacy protections for Americans’ data. At a big picture level, it would shift our privacy regime from one based primarily on notice and choice, in which the burden falls largely on consumers, to one that imposes obligations and limits on the companies that collect and use our data. More specifically, ADPPA includes several key protections:
- Civil rights protections preventing companies from discriminating against protected classes in their use and processing of data;
- Data minimization requirements preventing companies from collecting sensitive data that isn’t strictly necessary to provide the product or service requested by the person;
- A data broker “do not collect” registry and transparency requirements;
- Algorithmic transparency requirements;
- A unified opt-out for targeted advertising across the internet; and
- Direct executive accountability for the privacy practices of the company.
The most contentious issues, private right of action and state law preemption, are both addressed in ADPPA. The private right of action is narrow but can still be an effective tool for holding companies responsible. The bill also allows for FTC and State Attorney General enforcement. The preemption provision preempts state comprehensive privacy laws, but allows states to continue legislating in areas such as facial recognition, employee privacy, health privacy, financial privacy, and data breach.
As a new Congress begins its work, ADPPA should be a priority. Unlike bills on many subjects, ADPPA stands a realistic chance of passing in a Congress in which control is split between the parties. The bill was negotiated on a bipartisan basis from the beginning and has already been scrutinized through hearings, markups, and negotiation among all stakeholders. The bill contains compromises that should be acceptable to both political parties: it provides strong privacy protections and would curtail some of the worst online data abuses of big tech companies, while containing limits on private rights of actions and alleviating the need to comply with a patchwork of requirements. It is not exactly the bill that any stakeholder – including CDT – would write if given the pen on their own, but it would be a notable improvement compared to decades of the status quo.
The importance and potential impact of ADPPA cannot be overstated. Everyone in America deserves privacy protections, not just Californians or Coloradans. In honor of Data Privacy Day 2023, Congress should begin moving ADPPA forward now, and pass it this year.