The EFF is disappointed with the latest version of US data privacy law, or the ADPPA (HR 8152), a comprehensive federal data privacy bill. The bill was passed by the U.S. House Energy and Commerce Committee on Wednesday and heads to the House floor.
We have closely followed the progress of this bill and carefully observed the progress of the negotiations. The EFF last month sent a public letter to Congress for improvements to an earlier version of this bill – many of those suggestions are still valid. Many changes were made to the bill earlier this week, and we are still evaluating the new wording.
We have three initial objections to the version the committee adopted this week. Ahead of an indoor vote, we urge the House to fix the bill and seize this historic opportunity to strengthen — not diminish — the country’s privacy landscape now and for years to come.
Bill crushes existing state protections and freezes them
The bill would override many types of state privacy laws. This is often called “preemption”. The EFF opposes the reduction of state privacy protections to meet a lower federal standard. We were troubled by this week’s committee vote against Rep. Eshoo’s proposed amendment, which would have made the bill serve as a baseline federal standard that states can rely on, not ceiling that States are prohibited from exceeding. Many defenders have long opposed preemption and several states Attorneys General recently told Congress that the bill as written undermines its ability to protect the public.
The ADPPA preemption doesn’t just override state data privacy laws, such as California’s Consumer Privacy Rights Act. It also apparently overrides protections in a number of other areas, even the privacy rights that states have seen able to enshrine in their national constitutions. Based on the text of the current bill, endangered state privacy rules include those relating to biometric information (excluding facial recognition), genetic data, broadband privacy, and data brokers – or “Third Party Collection Entities” as ADPPA calls them.
The bill’s preemption clause also means there can be no state-level progress on many key consumer issues. While it’s exciting that Congress is considering consumer privacy legislation after literal decades of spin, the ADPPA as written prevents states from innovating on these issues. But states have been driving the privacy movement for years. Indeed, states have long been the “democracy labs.”
The EFF wants Congress to establish a baseline for privacy protection. But the ADPPA must not sacrifice the ability of states to react in the future to current and unforeseen problems.
Bill reverses federal telecommunications regulations
The bill exempts telecommunications companies from compliance and prevents the Federal Communications Commission (FCC) from enforcing a important federal privacy law. The same goes for existing federal privacy laws that now apply to cable and satellite television. The price of new privacy protections should not be the elimination of old privacy protections.
AT&T a few years ago violated this law disclosing sensitive customer location data without the customer’s consent (resulting in EFF trial against AT&T). Under the current version of the ADPPA, the FCC would lose the ability to enforce the confidentiality provisions of the Communications Act of 1934. Instead, the Federal Trade Commission would take over this area of regulation under a different set of standards. While this likely appeals to companies that only wish to deal with one regulator, the EFF urges that the ADPPA be amended to allow both regulators to apply their respective privacy rules. Congress must not shield telecommunications companies from the scrutiny of expert federal regulators with deep knowledge of the industry.
Bill needs stronger individual rights to fight back
The EFF has long argued that data privacy bills must include strong private rights of action, which allow people to sue companies that violate their privacy. But the private right of action in the ADPPA is riddled with exceptions and limitations. A strong private right of action is necessary to ensure effective enforcement of privacy laws. Otherwise, the bill has no teeth.
Several privacy laws have private rights of action. If a business fails to contain toxic waste, you rightly expect to be able to sue them for contamination drinking water. Consumer data privacy should be no different in this regard.
Many companies hate private rights of action: they don’t want you to have your day in court. So they fought against them in state houses from coast to coast. We have heard that with the current version of the ADPPA, some members of Congress are seeking to compromise with those who represent business interests. But, as a group that advocates on behalf of technology users and the general public, the EFF wants many changes to ensure that the private right of action is workable for anyone harmed by violations of the new law. by companies. We have communicated these concerns in Congress.
For example, Congress must provide adults with protections from pre-dispute arbitration agreements. AT&T eluded EFF’s location data lawsuit enforcing an arbitration agreement our customers never read because AT&T buried that needle in a haystack of fine print legalese. The protection against forced arbitration is therefore at the heart of our approach to data privacy legislation. While the current version of the ADPPA protects minors from forced arbitration and protects adults who bring claims of gender-based violence, this is woefully insufficient.
The bill should also allow people to sue as soon as it comes into force – it currently has a two-year time limit. Additionally, the bill denies private litigation over many of the bill’s core protections, including data minimization, algorithmic transparency, and unified opt-out mechanisms.
People should also be able to recover damages and punitive damages. Additionally, the bill contains a number of unnecessary and disruptive procedural hurdles before an action can be brought, including requiring consumers to give notice, follow unusual steps, and allow businesses solve problems while avoiding penalties. Individual prosecutions are important, but often require people to mobilize substantial resources first; each additional obstacle makes this recourse less accessible.
New Major Flaws
We are also concerned about recently accepted amendments to the bill that address data flows between companies such as AI Clearview Where ID.me and the government. Specifically, the bill can treat these companies as “service providers” – defined in the ADPPA as companies that collect or process information for government entities – and gives these companies far more latitude than it shouldn’t.
The EFF has shed light on how such Public-private partnerships disclose data and violate privacy, and has called several times for privacy legislation to address these relationships. The ADPPA must not give them free rein.
The EFF urges Congress to strengthen the ADPPA. The people whose privacy we try to protect deserve nothing less. We are aware that legislation requires compromises and that the perfect should not be the enemy of the good. But lawmakers must not squander this opportunity by passing something insufficient that also impedes progress for years to come.