Pass the popcorn! We're only a few minutes away from the webinar #PrivacyTwitter has been waiting for with bated breath! And talk about an all-star cast ...
Some quick background: the American Data Privacy and Protection Act (ADPPA) is the first federal consumer privacy bill to make it through committee this century. It's a huge milestone! But its prospects going forward are unclear.
But not everybody agrees. At @CalPrivacy's special board meeting, Alistair Mactaggart of @caprivacyorg described ADPPA as a major threat to Californians' privacy. @CalPrivacy's board voted unanimously to oppose ADPPA in its current form.
Solove's post on ADPPA's preemption as a "Faustian Bargain" is also excellent reading.
ADPPA overrides state and local laws like California's and Seattle's Broadband Privacy Ordinance, and prevents stronger future state and local consumer privacy laws
And just in time for the webinar, @caprivacyorg has announced their opposition to ADPPA and released their detailed analysis of how it compares with California's law
Solove starts off by asking whether the bill is strong enough to do good. "On the whole, I give it a fairly high grade on a curve - especially for something coming out of Congress. Objectively, I would give it a C or C-. Even the GDPR has a long way to go."
Solove: "Will this improve privacy? Yes. Will it solve the problem? No."
@jodywestby: "On a curve, I give it a B. They made a complete mess of the private right of action, which they didn't need to do. They did a good job of getting rid of the sale/share of CPRA.
Objectively, I give it a D. The US isn't in the driver's seat."
@AlanInDC: "In terms of where we are in Congress, I'd give it an A-. It has strong prohibitions on harmful business practices, data minimization, anti-discrimination.
Objectively, a C or B. Not addressing law enforcement, no statutory damages, no privacy authority."
Alistair Mactaggart of @caprivacyorg: "I think it's a real mistake. Preemption is the real central issue. Tech industry's attempt to neutralize CA. Why are we trying to do it this way, as opposed to make it a floor?"
"It's tech industry's attempt to replace CA's regulations. It does some things well -- prohibiting targeting advertising to kids, data broker regulations -- but there are plenty of things it does worse."
Mactaggart mentions the elephant and talks about ADPPA's failure to protect against post-Roe threats!
"If it were a floor, I'd be jumping up and down. But take out preemption and it won't pass."
@omertene suggests that none of this would have happened without Mactaggart and California's law (I agree!). He gives it an A on a curve -- "not even close". Not on a curve, he doesn't know how to compare to pie-in-the-sky that won't materialize.
Tene: has a good balance between principles (like data minimization, privacy by design, anti-discrimination) and operational issues like notices, global opt-out. Also points to strong enforcement -- a PRA, a "turbocharged" FTC, keeps state AG's in the mix.
I'm not going to fact-check everything real-time, but as @jason_kint points out, the global opt-out Tene's talking about is very ineffective, and the state AGs have complained that their enforcement power is severely curtailed.
@slhintze: "I give any law that passes Congress an A+ -- something is better than nothing. Comparing to other laws in US, an A- -- an overall improvement. Compared to other laws around the world, B+.
Objectively, I'm a hard grader: C+. Quite a few gaps and holes to improve"
@slhintze notes that we need privacy protections for LGBTQ+ people. "We need to set aside our differences and not let perfect be the enemy of the good."
Solove: it remains to be seen whether the PRA is viable, or really weak and meaningless. Privacy Impact Assessments, maybe it's okay, but no requirement to submit to regulator -- could just be a paperwork requirement.
FTC enforcement, looks good, but will Congress give the FTC what it needs to enforce? Not clear. Lots of "maybes." The optimist in me says if everything works great -- FTC gets what they need, PRA is viable, it gets updated over time -- it looks good.
"I'm a cynic." We see that Congress *doesn't* update privacy laws. So I'm very ambiguous.
The things I like, I have to put an asterisk near them -- if it develops in a different way I could easily dislike them.
Alan Butler: "The thing I like most in the law is 102(2), the specific prohibition on sensitive data processing. This bill would require that sensitive data can't be processed except for specific enumerated purposes. Other bills don't limit this."
Enforcement is at three levels:
- FTC
- State AGs and privacy agencies
- PRA. Even acknowledging limits, this is stronger than state bills.
Need FTC funding, some small things that need tightening, need to clarify preemption -- e.g., limiting automated decision making.
Susan Hintze: "Biggest thing I like is that it covers people outside California." Programmatic protections are in line with GDPR. Loves Privacy By Design (FYI @LourdesTurrecha), privacy impact reports, requirement for privacy officers is huge.
Love the concept of FTC Bureau of Privacy, requirement for FTC to educate entities and give guidelines. Agree that the FTC will need funding, although that's something that can be addressed over time.
Hintze: "There's so many things to hate that it's hard to pick just a couple. So many holes it's like swiss cheese!" Exemption for public data is so broad, really undermines protections against discrimination when you have loopholes you can drive a truck through.
Last draft struck the definition of sexual orientation from sensitive data. "Some people are fine with having that information out there, others are at risk."
There are a lot of weird preemptions, a lot of sausage making. "Let's play some favorites here among the states"
Absurdity of some clauses, it applies to girl scout troops but not banks. I'm willing to get over all those though!
Mactaggart: like exempting kids from targeted advertising, national scope.
Dislike: no prohibition against weakening. Lost opt-out from profiling and automated decision making. No separate privacy authority, could be important for EU adequacy.
Concerned that service providers to government agencies are exempt, points to ICE buying data.
Sensitive data excludes data from surveillance cameras and photos -- including location data.
Covered data under ADPPA "may" include identifiers, under CPRA it does.
Pay for privacy: CPRA has strong language, it's gone in ADPPA -- "all retailers will force you into loyalty programs, and there goes your ability to have some kind of privacy."
"It makes me sad that we're here. Preemption is the problem." EPIC's opposed preemption for ever, rolling over for short-term gain is a mistake. A strong state privacy law makes a difference -- MS and Apple extended CCPA protections to the whole country.
Tene: "I couldn't disagree more with Alistair." Going through section by section on ADPPA, we could do the same thing with CCPA/CPRA -- they're far from perfect privacy laws. This law has data minimization, opt-in for sensitive data, civil rights.
"This is the foundation -- sensitive data opt-in, it knocks California out." I do think this law provides stronger protections to 40 million CA residents, but aside from that it applies to 300 million people outside CA.
Tene objects to "California exceptionalism", notes that women in other states are also concerned about post-Roe threats. "This law would give them some protection." Again, I'm not going to fact-check in real time, but many people disagree.
Tene: "It's not unreasonable to have a national standard. This law does have carve-outs -- biometrics, student privacy laws. It's not realistic to talk about a federal privacy law without preemption."
Tene: "Solove's point about ossifying and becoming detached from reality is true about any law." Draws analogy to climate change law (which isn't preemptive, so I'm not sure it makes this point). "We rely on agencies and courts to keep these laws alive."
Tene: "What I like most about this law is that it exists. It's a bipartisan compromise." Compliments legislators, "a tremendous achievement they've been able to stitch it together". Applies in 50 states, data minimization,
Some incoherence (reflecting compromise) - when is advertising opt-out, some confusion. Line was originally fuzzy between service providers and covered entities, fixed in the latest draft.
Westby: we need a federal law! I like the data security provisions -- quite good, better than California law, that's a big plus. Business community has had 20 years to get their act together, and they haven't. I really like 208.
Westby: Likes 403 with FTC and State AGs sharing authority. AGs have a good record of protecting people in their states, US government doesn't.
Very happy that reference to share and sell are gone, that third-party doesn't include affiliates.
Westby: doesn't have employee data, that's good.
Don't like: doesn't include FTC budget. It has a lot of guidance and compliance requirements for FTC, look at how much EU spends -- we need to spend more.
Not sure about eliminating other federal regulators (FCC)
Really don't like the private right of action. "It's a mess," with all the requirements you have to do before.
FTC setting guidelines on public data (outside of human subject research) is concerning, this could get very muddied up.
Westby: the preemption problem is unnecessary. Why not just say it's preempting any state law that conflicts? Exempting these other laws is confusing, makes industry nervous -- went way out of bounds.
But it is a start. The US can't innovate on laws like the EU can -- we can't do privacy, we just don't do it well. Yes, laws get behind, but still we need a federal law to be on the global stage, to be a player.
Solove: I'm torn. I'd like to see a federal law, but we do have the FTC act, and if we had passed a federal law in 2000 it would be far weaker than today. Even if we did it two or three years ago, the progress in privacy laws is phenomenal. Do we really want to fix it now?
Maybe optimistically this is a starting point, and Congress will ratchet up protections. I ... don't ... know. We're kicking away the ladder, the threat of state legislation - California has driven things. FTC is already doing a lot under Section 5, will this strip resources?
Solove: we might be better off not having a federal law. "It's not so bad in the interim." A lot of companies are following California and GDPR.
Tene: I *would* take the bread out of the oven, because it might burn later.
Tene: it's surprising that a cynic like Solove says that things might get better in two years. It might get worse. It's a unique moment and opportunity, sometimes you need to seize the opportunity! Not convinced by the argument about timing.
With respect to the Section 5 comparison, so far-fetched to compare this law with all its rights to the prohibition on unfair and deceptive business practices. It's so much stronger!
Solove: depends on your view. Rights are good, but they don't do as much as people want them to.
Butler: This bill sets strong protections and a recognition of "finding some form of middle ground." For a long time EPIC and others said "federal floor or nothing", companies said "federal ceiling or nothing". This is a middle ground, between the two extremes.
Mactaggart: somehow a lot of people have bought into the notion of "privacy's different, unless we get federal protection it's not going to pass." What about GLBA and HIPAA? They have privacy floors. What's so different?
This is just a mantra that tech keeps repeating. The only reason we're talking right now is that tech's trying to get back to where we were -- give all the regulation to FTC with no resources, that's perfect!
Tene: would you prefer no ECPA?
Mactaggart: data breach is a better example. CA went first, now each state has them. Companies can survive -- they do it in all other areas of laws. CPRA isn't perfect, CA legislature can update it.
Mactaggart thinks that CA can drive privacy. Hopes that Soltani gets adequacy from EU, then people will get on board.
Westby: the EU has showed us why preemption is needed. The Data Protection Directive was a mess, that's what drove GDPR. Companies can't do this any more. What states are doing is out of time. Agree that CA is more aligned with GDPR, we have to get a federal standard.
Westby: have to stop taking this US-centric view, and look globally.
Butler: Congress can at any time pass a preempting federal law. The trend we've seen in the states is new comprehensive laws that are bad, new proposals even worse. Industry will push for weaker and weaker state laws across the country, then push for weak preemptive federal law
So there's a real risk of not doing it now. The ballot initiative is a great thing in California, but it'll be weaponized by companies. So there's a real benefit to setting a strong privacy standard through a bipartisan process.
Hintze: agrees. The political issues and treatment of fundamental rights isn't the same as protecting people from harm due to data breaches. When we're seeing states not protect fundamental rights, I don't see how we'll get 50 states to pass laws like CA's
And that's why I think this is the right time. Without our ability to have privacy protections in place, we won't be able to express ourselves. I don't know we'll have a federal government in a couple years that can even consider privacy legislation. Now is the time.
A lot of the state laws aren't even really protecting people's rights, just giving us busy work to do. So we can't rely on state laws.
Solove: a lot to think about. I'm really so ambivalent and torn. A lot depends on how it plays out -- public information, FTC funding (could easily be taken away in the future, or it could get stronger). It really is trying to make a hard balance and prediction.
Solove: "I teeter in the middle." Great arguments on both sides: costs and benefits. Also, the bill now isn't necessarily what it looks like when it passes. Could well be more loopholes and exemptions that underline the law -- it's a moving target.
Solove: I read different things about its likelihood of practice. This has been our best chance to see things at the federal level in a long time.
Fascinating conversation, I've learned a lot. Thanks everybody!
Today's Privacy News: the #StopShotSpotter week of action, Amazon buys Roomba (what could possibly go wrong?), Facebook DMs lead to a teen being prosecuted for having an abortion ... and much much more.
Find out more! Thursday, at 4:30 pm Pacific (7:30 pm Eastern), is The People’s Earnings Call, with organizers from campaigns across the country, to talk about how ShotSpotter business financially impacts our communities.
The newsletter includes an update on five privacy bills
- the Fourth Amendment Is Not For Sale Act
- ADPPA, the consumer privacy bill
- the Children and Teens Online Privacy Act (CTOPPA)
- Health and Location Data Privacy Act
- My Body My Data
The Fourth Amendment Is Not For Sale Act probably has the best chance to pass this session. @justinhendrix has a good summary of the strong bipartisan support at its House Judiciary hearing.
We'll be live-tweeting the California Privacy Protection Agency (CPPA, aka @CalPrivacy) Board's special meeting today discussing proposed federal privacy legislation, including the ADPPA, starts at 9:00 am Pacific time.
S. 1628, Children and Teens’ Online Privacy Protection Act (CTOPPA, sometimes called COPPA 2.0 because it updates the Children's Online Privacy Protection Act, COPPA), is sponsored by @SenMarkey and @SenBillCassidy