Updated December 15.
“Even as enthusiasm among ADPPA’s most optimistic supporters remains high, its prospects are limited this late in the term. Barring miraculous inclusion in a must-pass spending measure, the highest possible outcome for the bill this year is symbolic passage in the House.
There appears to have been a coordinated effort underway this week to accomplish that limited goal, which the bill’s supporters believe will put them on stronger footing for 2023.”
– IAPP Managing Director Cobun Zweifel-Keegan, Privacy compromise: As seen on TV
Even though Congress about to leave town and time is ticking down for any action on privacy legislation this session, there’s been a sudden flurry of activity on the American Data Privacy and Protection Act (ADPPA). A glowing editorial supporting ADPPA in the Washington Post, a long interview with the sponsors on ABC Live that left Cobun “starry-eyed,” a spin-filled TechDirt article by David Morar of New America’s Open Technology Institute (OTI) … yeah, it sure seems like a “coordinated effort.” And what a surprise, none of them mention the elephant in the room.
On Twitter, Zweifel-Keegan clarified
when I say “coordinated effort” I mean the appearance of a coordinated effort among civil society groups and the bill’s sponsors. This last-minute effort, like most of the ADPPA saga so far, does not carry many fingerprints of Industry™️
Joe Jerome of Facebook liked his tweet so it must be true! Although … the Washington Post is owned by Jeff Bezos. ABC is owned by Disney. New America’s funding includes $9.4 million from the Bill and Melinda Gates Foundation, $4,000,000 from ex-Google CEO Eric Schmidt and his wife Wendy Schmidt, $1,885,000 from Google, $550,000 from Amazon, $300,000 from Microsoft, $7,300,000 from Melinda French Gates’ Pivotal Ventures, and $2,000,000 from Reid Hoffman. So call me cynical, but if you look hard enough there might just be some industry influence here.
After all, as New America’s Morar points out in the TechDirt article, there are “myriad reasons why companies might support regulation.” So before we get to the elephant, let’s look at some of the reasons Big Tech might be supporting this particular regulation. The current version of ADPPA:
- lets companies buy and sell location data as long as it’s “deidentified” (which as Sen. Ron Wyden points out could allow data brokers to sell location data to the government about visits to reproductive health facilities) or comes from an image taken by a surveillance camera
- “enforces” civil rights protections by letting companies like Facebook and Twitter do their own algorithmic impact assessments – and completely exempts government contractors like Palantir and ShotSpotter from doing algorithmic impact assessments as long as they’re acting as service providers
- puts up barriers to state Attorneys General enforcing the law
- adds a lot of responsibilities to the FTC without guaranteeing them any more funding
- lets companies require mandatory arbitration
- completely exempts employee data – and provides very little protection for data on employee-issued machines
- guts FCC oversight of telecom companies, and appears to give them a free pass on $200,000,000 in fines the FCC handed out in 2020.
- gets rid of existing state and local consumer privacy laws, like Maine’s ISP privacy law, the Seattle Broadband Ordinance, and California’s CCPA/CPRA
- prevents states, counties, and cities from protecting their residents by passing future consumer privacy laws.
So yeah I can certainly see why ADPPA is widely supported by the tech industry (as Jennifer Haberkorn reported in September), as well as industry trade organization ITIF and Big Tech’s favorite Congresswoman Suzan DelBene (D-Microsoft). Of course they’d like it to be weakerned further, but even in its current form it’s a good deal from their perspective.
And then there’s the elephant, a huge issue that ADPPA supporters never discuss in detail. As Kim Clark of Seattle-based Legal Voices said in July
“This bill, at least from the perspective of pregnant people, it really doesn’t do much.”
And ADPPA’s loopholes that fail to protect pregnant people from post-Roe threats also leave immigrants, Muslims, LGBTQ+ people, and other vulnerable people exposed. It’s disappointing that organizations like OTI (who works “to ensure that every community has equitable access to digital technology and its benefits”) don’t think this even matters enough to mention. Politically, though, I can certainly see why Big Tech would want to get the current Democratic-controlled House to sign off on this in the lame duck unstead of waiting until the Republicans take over in the new year.
Of course, as EPIC Privacy, OTI, Public Knowledge, CDT, and the other public interest, labor, consumer advocacy, and civil rights groups calling for a vote on ADPPA point out, ADPPA could still be strengthened before it comes to the House floor. Realistically, though, with the very compressed timeframe of the lame duck session it’s hard to imagine any significant strengthening. In fact, the changes the House Energy & Commerce made to the bill in July weakened ADPPA significantly. I’m sure data brokers and big tech companies who have been lobbying so successfully on the bill will try to weaken it further before it moves forward.
Will Big Tech get what they want? Currently, Speaker Pelosi and the rest of the California delegation are blocking the bill because it preempts California’s privacy laws. Maybe the last-minute campaign will get California to back down; or, maybe there’s a “compromise” in the works. We shall see.
If ADPPA does go to a vote on the House floor (or gets “miraculously” attached to a must-pass bill) without being strengthened, groups like EPIC Privacy and all the other privacy, civil rights, and public interest groups who have been pushing for a vote on ADPPA are likely to be in a very tough situation.
Then again, Congress has a lot of other stuff on its plate, and it’s quite possible that nothing will happen in the next two weeks. As Cobun says
“[T]he more achievable target of all this activity is momentum for further progress in the 118th Congress. The unity on display among the two E&C leaders as they prepare to swap roles in 2023 seems carefully crafted to send a single message: the change of party control will not upset the compromise that was reached in crafting ADPPA.”
I’ll discuss the implications for 2023, and the potential tough spot for EPIC et al, later on in the article.
But first, let’s talk a little more about the elephant.
Why would Congressional Democrats support a privacy bill that doesn’t protect pregnant people?
I wrote about the elephant at much greater length in How well does ADPPA protect against post-Roe threats?, where I evaluated the bill against several key post-Roe privacy threats … but it’s such an important point that it really bears repeating! Here’s the summary:
✅ yes! ADPPA passes the test
❓ I’m not sure or it’s complex
❌ no. ADPPA does not currently pass the test
- ❌ Does ADPPA prevent prosecutors and law enforcement in states that have criminalized abortion from buying location data and targeting people who visit reproductive health care centers?
- ❌ When people travel out of state to get abortions, does ADPPA protect their data?
- ❌ Does ADPPA allow pregnant people to force companies to delete data that might put them at risk?
- ❌ Does ADPPA protect pregnant people and abortion providers from risks of automated license plate readers (ALPRs)?
- ❓Does ADPPA prevent anti-abortion “crisis pregnancy centers” from sharing data with vigilantes and law enforcement?
- ❓Will ADPPA hold “crisis pregnancy centers” who break the law and violate people’s privacy accountable?
- ❌ Will ADPPA prevent law enforcement from accessing people’s private messages to investigate whether they got an abortion?
Like I said above, I can certainly see why Big Tech would want to get the current Democratic-controlled House to sign off on this. And I can certainly see why Republicans would go for it! But what’s in it for Democrats – especially after they did much better than expected in the midterms because so many voters are passionate about protecting reproductive freedom?
One possibility is that most Congressional Democrats don’t even realize how significant an issue this is with ADPPA. As far as I know, none of the public interest, privacy, and civil rights groups who have been pushing for a vote on ADPPA have done any detailed analysis of this. The most recent letter is typical: it mentions in the first paragraph that passing comprehensive privacy legislation “is even more vital in a post-Dobbs world” but doesn’t have any discussion at all whether or not the legislation would actually address post-Dobbs threats. But at least it acknowledges the existence of the elephant! Evaluating the American Data Privacy and Protection Act, by Alan Butler and Caitriona Fitzgerald of EPIC Privacy, doesn’t even mention Dobbs, Roe, reproductive health, or abortion.
So it could well be that a lot of Congressional Democrats are assuming that if groups like EPIC (which under their previous Executive Director Marc Rotenberg had a well-deserved reputation for being uncompromising on privacy issues) aren’t bringing the issue up, everything is copacetic.
Then again, maybe they actually do know the reality. Here in Washington state, supporters of the Bad Washington Privacy Act used the talking point of “perfect is the enemy of the good,” and I’m hearing the same thing from ADPPA supporters. It’s certainly true that there’s no such thing as perfect legislation, so Democrats may be tempted to advance ADPPA even if doesn’t protect pregnant people and hope that voters have forgotten about it by the time the next election rolls around.
Be careful what you wish for
The same ADPPA loopholes that fail to protect pregnant people also put many others at risk. Most obviously, similar threats apply to trans people and their families in states that have criminalized gender-affirming health care; ADPPA doesn’t protect them either. Or take the de-identified data loophole could allow data brokers to sell location data to the government about visits to reproductive health facilities, De-identified data has been used to out a gay Catholic priest. The military uses “de-identified data” to track Muslims. DHS uses de-identified data to help identify immigrants who were later arrested. Hey wait a second, I’m noticing a pattern here.
Maybe ADPPA will get strengthened to address these problems. Quite frankly, though, from everything I’ve heard from staffers and negotiators … that seems very unlikely. If not, and ADPPA goes forward in its current weak form – or gets further weakened – it leaves EPIC Privacy and all the other privacy, civil rights, and public interest groups who have been pushing for a vote on ADPPA in a real tough situation.
On the one hand, “perfect is the enemy of the good.”
On the other hand, the current version of ADPPA doesn’t protect the people most at risk from having their data abused – and history shows that once privacy legislation has been passed, it doesn’t get significantly strengthened.
So what message would it send if EPIC Privacy and all these other groups support a bill that protects cis, straight, Christian people born in the US who can’t get pregnant – and lets Facebook, Twitter, Palantir, ShotSpotter, data brokers, and other badly-behaving tech companies continue to exploit people’s data?
Laying the groundwork for 2023?
Keep in mind that Big Tech is playing a long game here. If Congress passes a weak preemptive ADPPA this year, they win. If not, they’ll go back to pushing states to pass weak privacy laws and watering down attempts at privacy regulation, one state at a time.
– “Tweaking” the “grand bargain” , September 12
As Zweifel-Keegan mentioned, it’s still possible that ADPPA will “miraculously” get attached to a must-pass bill. Otherwise, whether or not the House advances ADPPA in the lame duck, the battle will resume next year – in Congress and the states.**
As Keir Lamont says in Five Big Questions (and Zero Predictions) for the U.S. State Privacy Landscape in 2023, it’s possible that ADPPA will substantially drive the content of state privacy bills. If EPIC and all these other public interest, privacy, and civil rights groups are able to use their influence to get the House to advance a significantly strengthened version of the ADPPA that protects the people most at risk from data abuse, that’ll be good news.
If you look at ADPPA supporters’ talking points, they’re clearly trying to convince people that the only reason ADPPA hasn’t advanced is because selfish Californians who don’t want it to preempt their state laws are letting their ego get in the way. This is nonsense, of course; not only are there lots of other important issues (including the elephant), but people in other states and cities have opinions on preemption too. Still, it’s a useful narrative from Big Tech’s perspective. And if ADPPA hits the House floor without getting strengthened (or worse, in a further-weakened form), and groups who are pushing for a vote decide to support it, it reinforces the scenario I warned about in “Tweaking” the “grand bargain”
“EPIC’s and Lawyers’ Committee’s strong support for ADPPA is likely to make Big Tech’s path through the states a lot easier.”
We can probably overcome this in Washington state, where we’ve got a strong base of local privacy advocates – and other DC-based privacy organizations have undercut their credibility by supporting the Bad Washington Privacy Act. It’s hard to know about other states. Time will tell.
Shifting focus back to Congress … even if the House advances ADPPA, next year’s a new session and everything restarts. Still, if Republicans decide to prioritize a giveaway to Big Tech, Democrats advancing ADPPA now certainly makes their lives a lot easier – pressure will mount on Sen. Maria Cantwell to surrender and get on board.
Then again, Republicans will have a very thin majority in the House. If new House Minority Leader Hakeem Jeffries and the rest of Democratic leadership decide to fight to protect pregnant people, immigrants, Muslims and LGBTQ+ people, they certainly have a chance to block it. And Democrats will still control the Senate, meaning Sen. Cantwell will continue to chair the Senate Commerce Committee – and she may well try to take another try at privacy legsilation herself So no matter what happens over the next few weeks, ADPPA’s not a slam dunk next year.
Still, Big Tech’s prospects for 2023 are certainly a lot brighter if they can cajole Speaker Pelosi, the California delegation, and the rest of the House into advancing it without strengthening it. And privacy advocates’ prospects are a lot brighter if EPIC et al are able to strengthen the bill – or say no if the bill isn’t strengthened.
And who knows, there may still be some “miraculous” last-minute shenanigans. As we say in Washington state, it ain’t over ’til its over.
Stay tuned!
Notes
* Todd Feathers’ Big Tech Is Pushing States to Pass Privacy Laws, and Yes, You Should Be Suspicious, Feathers’ and Alfred Ng’s 2022 Tech Industry Groups Are Watering Down Attempts at Privacy Regulation, One State at a Time, and Ben Brody’s Quiet industry lobbyists are watering down state privacy laws have more on Big Tech’s strategy for pushing weak legislation at the state level. ]