Federal privacy negotiators should accept victory gracefully

Members of the house depart after the first session of the 117th Congress in the House Chamber at the U.S. Capitol in Washington, DC, U.S., January 3, 2021. Tasos Katopodis/Pool via REUTERS
Editor's note:

The blog post was edited slightly for tone on August 12, 2022.

For the first time ever, a congressional committee teed up a comprehensive information privacy bill for a floor vote. On July 20, 2022, the House Committee on Energy & Commerce reported out the bipartisan American Data Privacy and Protection Act (ADPPA) by a lopsided 53-2 vote. This bill is the product of a “three corners” compromise among the Democratic chairs and ranking Republicans on the full committee and key subcommittee in the House and the ranking Republican on the counterpart Senate Committee on Science, Commerce & Transportation.  

But the fourth corner—the Senate committee chair Sen. Maria Cantwell (D-Wash.)—not only is conspicuously absent from the agreement on the ADPPA but also has been actively critical of the bill at each stage of its progress. Although neither she nor any Senate Democrat appears as a sponsor, the bill nonetheless bears their unmistakable imprint. In particular, it contains a robust individual right to sue companies, strong civil rights protections, and meaningful changes to existing business practices.  

Taking the long view 

The substance of the ADPPA’s privacy protections goes further than what seemed possible when Congress began a serious national privacy debate in 2018. This reflects just how far Congress has come since then on privacy.  

When initial efforts toward bipartisan legislation in both houses of Congress stalled in late 2018, Sens. Cantwell and Roger Wicker (R-Miss.), the ranking Senate Commerce Republican, each released their own bills, and House Energy & Commerce Committee staff released a “bipartisan” staff draft containing many bracketed areas of disagreement. As Brookings colleagues and I described in a 2020 report, these bills were “promisingly similar in many aspects,” but needed to do more to “sharpen the focus on obligations of covered entities” and “staked out polar all-or-nothing positions on … federal preemption of state privacy laws, and a right for individuals to bring lawsuits for privacy violations.”  

Nevertheless, our discussions with stakeholders during this period made clear that they appreciated the compromises needed to enact legislation and were prepared to make them once there was the political will to force the issue. And this year, that political will has coalesced. First, House Energy & Commerce Republican staff released their own draft which showed steps to bridge gaps on civil rights and federal preemption. Then, Sens. Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.) agreed on a bill that built on the House Republican draft and provided a template for a bipartisan bill. Finally, “four corners” negotiations among the chairs and ranking members of the full Commerce committees and the Subcommittee on Consumer Protection, Product Safety, and Data Security in the House picked up the baton and released a bipartisan, bicameral discussion draft before moving on to markups in committee. 

When the ADPPA first appeared as a discussion draft, Sen. Cantwell called it “riddled with loopholes” and said it needed to add a “duty of loyalty;” She also reiterated criticism of enforcement when it was formally introduced. And, after it was reported out in an interview with the home state Spokane Spokesman-Review, Sen. Cantwell even threw shade at major civil rights organizations as “infiltrated by people who are trying to push them to support a weak bill.” A week after the full House committee vote, the Senate counterpart held a markup that reported out two bills on children’s privacy (an issue touched on in ADPPA), but did not take up Cantwell’s own comprehensive privacy bill. 

Maybe Sen. Cantwell is intentionally playing “bad cop” in the national privacy debate, with her House counterparts Frank Pallone (D-N.J.) and Jan Schakowsky (D-Ill.), cast as good cops. But the ADPPA has attracted a broad coalition of civil rights, privacy, and tech policy advocacy groups; although some in civil society have publicly questioned whether Sen. Cantwell really wants privacy legislation passed, that is hard to believe. After all, she and colleagues on her committee as well as others have invested serious time and resources on comprehensive privacy legislation and could lose leverage if power shifts in one or both houses of Congress come January. 

The intensity of Sen. Cantwell’s reaction does not reflect the narrowing gaps of the national privacy debate—both the broad compromises from the starting points of 2019 and changes to the ADPPA as it has progressed with broad support. Since the federal privacy debate picked up steam, I have tracked legislation, developments, and the positions of stakeholders, developing taxonomies of bills and issues in play and exploring pathways to bridging differences. The remaining differences are minimal compared to how far negotiators have come and the stakes on more fundamental elements of a privacy bill. 

The diminishing gaps 

To amplify both how far the debate has come and the narrow range of difference, this post looks at the state of debate on these remaining issues based on the ADPPA as it has advanced and at a draft bill that Sen. Cantwell has circulated (but not released) as the ADPPA was taking shape. As Wilson Sonsini lawyers put it in comparing these soon after the ADPPA discussion draft, “[d]espite the sticking points, negotiators have made tremendous progress. … The consensus on the substantive provisions is remarkable and seems to reflect a genuine interest in trying to achieve something. It is a shining example of how a functional Congress can work.” 

Effect on state laws and others: Some members of the California congressional delegation have objected to ADPPA preemption of state laws that would include the 2018 California Consumer Privacy Act and subsequent initiative that takes effect in 2023. All California members on the Energy & Commerce Committee supported amending the bill to allow states to adopt laws more protective of privacy than the federal law, and two voted against reporting it while a third expressed an intention to do so on the floor if it is not tweaked. In an interview with The Markup and—along with privacy lawyer/scholar Omer Tene and David Brody of the Lawyers’ Committee for Civil Rights Under Law—in Twitter threads, I have addressed why I believe substantial preemption is an essential trade-off for strong privacy protections. 

In contrast to the polar opposites of the original Wicker and Cantwell bills, when it comes to preemption, the more recent Cantwell drafts and the ADPPA are virtually identical. The latter has a specific carve-out for California and Illinois laws, empowering California’s Privacy Protection Commission to enforce the federal law and preserving that state’s private right of action for data breaches as well as Illinois’ Biometric Information Privacy Act. 

The Spokesman-Review reported that Sen. Cantwell “signaled” the Supreme Court abortion decision “may change her willingness to compromise on privacy legislation,” but it is not clear which way the suggestion cuts. The context of criticism of the ADPPA suggests it could increase resistance to compromise, but the risks to women’s health information add urgency to the protection of personal information. At any rate, her bill and the ADPPA are functionally identical in treating health information as “sensitive data” subject to heightened protections, and in allowing states latitude to legislate on “health information [and] medical records” as well as “public health information, medical information, reporting or services.” Neither specifically addresses data relating to fertility, pregnancy, or abortion services apart from other health and health care information. 

Rep. Anna Eshoo (D-Calif.), who was one of the two California members to vote against the ADPPA in committee, charged that the ADPPA contains a “loophole that could allow law enforcement to access private data to go after people seeking abortion[s].” Presumably, this refers to a provision on lawfully permitted data uses that permits lawful government access. Such a provision is standard in privacy laws; indeed, California has one, which broadly allows “cooperation” with law enforcement whereas the ADPPA’s exception applies “only insofar as authorized by statute.”  

Public enforcement: The ADPPA and Sen. Cantwell’s bill are also almost identical with regard to enforcement authority by the Federal Trade Commission and state attorneys general (including Federal Trade Commission (FTC) authority to issue fines it lacks today and a new FTC Privacy Bureau). As mentioned above, the ADPPA also allows California’s privacy agency to enforce the federal law. But the basic contours of the ADPPA’s enforcement scheme are the same as in those in the draft bill she has circulated—a private right of action with enforcement by the FTC, and concurrent authority for state attorneys general. 

Private enforcement: Sen. Cantwell’s most concrete and strenuous objections to the ADPPA have related to bringing private lawsuits. There are meaningful differences here, but they pale in comparison to the stark differences in the 2019 bills, where Cantwell’s bill had an unfettered right of action that included statutory damages and Wicker’s had none. Now both supplement public enforcement with private litigation that has similar scope of liability, damages, and relief. The differences are far more granular now. 

First and foremost, Sen. Cantwell objected to a four-year period in the original version of the ADPPA before the right to sue would kick in. But now the version reported to the House floor cuts that period by half. The ADPPA as well as Cantwell’s bill have various provisions for guidelines or regulations from the FTC (and two of the most complex have two-year timelines: individual rights to data access, correction, deletion, and portability involves the most process design and engineering, and assessments of algorithms present novel issues). As communications expert Blair Levin points out, “[w]hile the law gives the FTC a year to set up the privacy bureau, the law will go into effect quickly, without clear guidance from the FTC for how it will be enforced.” In this light, it makes sense to allow companies  time to come into compliance, as both the European Union and California 2018 privacy laws did before the entirety of their statutory schemes came into effect. 

Sen. Cantwell also reiterated a longstanding objection to clauses in terms and conditions of service that require consumers to arbitrate claims rather than bring them to court. This issue has prevented bipartisan agreement for many months, but here too the gaps have narrowed substantially since opening bids. Her original bill would have barred mandatory arbitration clauses from applying to any privacy rights and remedies, while Sen. Wicker’s left them untouched. Her most recent draft has tried to find some middle ground by limiting the mandatory arbitration ban to claims by minors, claims for “substantial privacy harms” (defined as financial, physical, or mental injury amounting to at least $10,000), and lesser claims of physical or mental harm for injunctive relief only. The price of some industry buy-in on this iteration is a provision that appears to disallow class actions. 

In turn, the ADPPA as introduced adopted an arbitration ban for claims by minors; the full committee version narrowed the difference further by adding claims “related to gender or partner-based violence or physical harm.” The bill also includes a further nod toward Cantwell’s “substantial privacy harms” by defining “substantial privacy risks,” which include physical and economic injury as well as traditional “highly offensive intrusion into privacy expectations” and discrimination, and by requiring that covered entities assess and mitigate these risks. While these provisions do not affect mandatory arbitration, they do amount to a soft duty of care that could affect the scope of private claims. 

The ADPPA imposes more procedural hurdles to bringing claims. The ADPPA requires claimants to give the FTC and state attorneys general at least 60 days’ notice before bringing a claim (allowing an opportunity to intervene), and potential defendants at least 45 days’ notice. The final version softened a heavy-handed provision that would conclusively knock out claims that omit specified language in notices to potential defendants. Sen. Cantwell’s bill “encourages” prior notice as a way of resolving claims—so there is some policy agreement on notice—but requires prior notice only as to claims for injunctive relief.  

Duty of loyalty: As mentioned above, Sen. Cantwell’s initial response to the ADPPA mentioned including a duty of loyalty. Her later criticisms did not. Whether this is a sign she is dropping this point is not clear but, in any event, the ADPPA includes elements of such a duty and has incorporated aspects of the duty as framed in Sen. Cantwell’s drafts. Both bills have a title headed “duty of loyalty” that starts off with data minimization. Cantwell’s also included an obligation to avoid defined harmful data practices; the revised ADPPA has taken a step in this direction by defining “substantial privacy risk” and including the term as a consideration to be reflected in the design of “reasonable policies, practices, and procedures.” 

Woody Hartzog and Neil Richards, privacy scholars who have written a series of articles about a privacy duty of loyalty, wrote of the ADPPA that “people are justifiably excited” because it is “the most significant bipartisan privacy legislation introduced in more than a decade, and it represents a sincere attempt to move beyond the ineffective ‘notice and choice approach.” They see both ADPPA and Sen. Cantwell’s draft as lacking an overarching duty to act in the best interests of individuals, but the bills cover other elements they identify. Data minimization is “a key part,” but additional ones are “manipulation, breaches of confidentiality, wrongful discrimination, and reckless and extractive engagement models.” ADPPA addresses manipulation through its prohibition on obtaining consent through deception or manipulation; breaches of confidentiality through added protections for “sensitive” information and transfers of data as well as data security; and discrimination through extension of civil rights protection and algorithmic assessments. Engagement is less directly addressed, but affected by restrictions on targeted advertising, tracking, and data aggregation. The title of Hartzog’s and Richards’s piece on the ADPPA is “[w]e’re so close to getting DP right.” In this context, close may be good enough. 

Children’s privacy. The Senate Commerce Committee reporting out two bipartisan bills on children’s privacy creates another intriguing possibility for harmonizing House and Senate bills into a single privacy bill. The two Senate bills (both amended in committee) are the Children’s and Teens Online Privacy Protection Act sponsored by Sens. Ed Markey (D-Mass.), Richard Blumenthal (D-Conn.), Bill Cassidy (R-La.) and Cynthia Lummis (R-Wyo.), and the Kids Online Safety Act (KOSA) from Sens. Blumenthal and Blackburn. The first (often referred to as COPPA 2.0) updates the 1998 Children’s Online Privacy Protection Act to extend protections regarding the collection of personal information to teens ages 13-16 and require an “eraser button” to make it easy for minors to delete personal information.  The second requires companies to act in the best interests of minors and increase transparency about algorithms that may affect their behavior or mental state.   

ADPPA addresses manipulation through its prohibition on obtaining consent through deception or manipulation; breaches of confidentiality through added protections for “sensitive” information and transfers of data as well as data security; and discrimination through extension of civil rights protection and algorithmic assessments.

Meanwhile, the ADPPA also contains revisions to the 1998 COPPA, extending protections against targeted advertising up to the age of 18 and redefining “knowledge” to establish heightened standards for “large data holders” and “high impact social media platforms” respectively.  It also adopts COPPA 2.0’s proposal for a new Youth Privacy and Marketing Division within the FTC.  This significant overlap offers the possibility to coalesce around additional elements of COPPA 2.0 and KOSA in the ADPPA.  This might provide a win-win for both houses, as well as make good on President Biden’s call in his 2022 State of the Union speech for action to protect children’s privacy. 

Other issues. There are some differences between the ADPPA and Senator Cantwell’s drafts apart from the private enforcement issues she has flagged that have substantive impact. One is on protections for whistleblowers, where the Cantwell drafts have a provision that protects individuals who provide enforcement authorities information about statutory violations against retaliation, and the ADPPA has none.  In light of the respect accorded to whistleblowers like Frances Haugen on both sides of the aisle, this could be an area of compromise. 

Another significant difference is on authority for the FTC to bring litigation without having to clear it with the Department of Justice, which Sen. Cantwell’s would provide and the ADPPA would not.  Such a provision would reinforce the FTC’s enforcement authority. Republican reluctance to enlarge FTC powers in reaction to the appointment of Lina Khan as commission chair will make it difficult to resolve this issue. 

Resolving the differences 

How long an interval to come into compliance before risking lawsuits, the scope of claims to which mandatory arbitration clauses will not apply, the size of speedbumps on the way to the courthouse—all these are granular issues that only indirectly affect the substantive scope of information privacy protection. Negotiators in both houses should be able to slice and dice these to enable final agreement on a bill, whether House leaders “pre-conference” the ADPPA with senators before they bring it to the House floor or if they send the bill to the Senate.  

The stakes on more fundamental elements of a privacy bill are too large and the marginal differences on outstanding issues too small for anyone to walk away from the table in what’s left of this Congress.