The US Finally Has A Chance For A Federal Privacy Law. It Should Take It

from the stop-playing-politics dept

Strong privacy rights are a crucial first step to a healthy and productive online ecosystem. The European Union figured this out years ago, enacting the General Data Protection Regulation. In contrast, the U.S., the land of tech innovation, is tripping over its own feet at the finish line and hoping nobody notices we’ll be without a consistent and consequential law protecting internet users for at least a few more years. It’s well past time to put politics and personal gripes aside and bring up the American Data Privacy and Protection Act (ADPPA) for a vote in the House of Representatives before the end of the year.

We’re a few weeks into the lame-duck congressional session, and any progress made in House ADPPA negotiations is at best secret, at worst non-existent. With so many disillusioned by the state of governing in the US, it would be easy to shrug this off as the usual gridlock. 

But this impasse defies political logic—we are well past the point of principled opposition, competing ideological stances, or genuine concern for internet users. It must be emphasized over and over again: the main debates that kept comprehensive federal privacy legislation from happening are mostly settled. Republicans agreed to a limited (but significant) private right of action, meaning that users have a right to sue companies for violating their privacy rights. Democrats have overwhelmingly agreed to a federal preemption clause that still preserves many state-level privacy laws, though not hypothetical future legislation.

Beyond minor technical tweaks that folks can easily sit down and hammer out, three major misconceptions about ADPPA continue to drive the conversation: the notion that ADPPA’s provisions will leave Americans worse off on privacy in the future, the idea that ADPPA is soft on industry, and the implicit view that keeping the status quo is preferable to passing ADPPA. It’s hard to overstate that federal legislators from California, bowing to bad faith arguments from territorial state privacy regulators, are the overwhelming drivers of these concerns. 

When California’s privacy leaders and congressional delegation could not continue to falsely claim that their state laws are stronger than the ADPPA (they are not), they started hanging on to a different argument from the preemption debate: that states would not be allowed to “innovate” and that users would be “stuck” with the protections Congress passed. This argument at least is rooted in reality—the ADPPA will certainly bar states from enacting new comprehensive privacy laws. But it fails to engage with the content of the legislation before us and the stark reality of privacy protections in this country. 

To be clear: ADPPA opponents claiming the mantle of potential future innovation at the state level are doing so in defense of state laws that are universally weaker than ADPPA. If state lawmakers, including in California, want to increase privacy protections for their residents, the clear solution is to pass ADPPA now rather than be content with weaker protections that might improve. The pledge of better choices in the future has always been an empty promise at both state and federal levels. To give up a real privacy bill for an empty promise defies logic.

The remaining voices of dissent argue that ADPPA would benefit the tech industry, pointing to support from some companies as evidence. This fails to reckon with myriad reasons why companies might support regulation. 

First, industry would naturally want regulators to address shady players operating on the margins who seriously violate individual privacy and poison the market with questionable business practices. ADPPA’s limits on the invasive third-party data broker industry are a good example of this. Second, many businesses (particularly major players) would rather abide by clear, uniform, stable federal rules—even if they come at a cost—than deal with operating in a chaotic environment with many different state laws. And it does come at a cost – ADPPA has some of the strongest boundaries on the online advertising ecosystem in general, ensuring that current pernicious practices would have to change. What would actually be a gift to bad actors in industry is the underlying, unspoken consensus of those who are delaying the passage of ADPPA: keeping the status quo.

The implicit perspective of those opposed to moving on comprehensive privacy legislation now is that the status quo is preferable to meaningful reform. With Republicans likely wanting to start from scratch on privacy legislation from a position of power in the House, it will be a very long time before we’re back this close to the finish line—with no guarantee that anything approaching ADPPA’s high standards will ever again come to a vote. 

We’d be stuck with the status quo for a while, a patchwork of state privacy law covering fewer than 1 in 5 people in the U.S. Having several different legislative frameworks to follow wouldn’t be ideal for companies, but none of those bills are, in any way, stronger than ADPPA. Less powerful laws might be better than none—but not for the millions who wouldn’t fall under those protections. Talk about a gift to industry.

A better future is possible for all, and it already cleared what looked like impossible odds. It shouldn’t die now because members of congress don’t want to do their job, which is simple: bring ADPPA up for a vote.

David Morar is a policy fellow at the Open Technology Institute.

Filed Under: adppa, california, pre-emption, privacy, privacy law