Even before June’s Supreme Court decision ending Roe, Congress was under a lot of pressure to act on privacy – a recent poll says 80% of Americans want them to act, thanks to a steady stream of reporting on data abuse by government agencies, ed tech companies exploiting kids personal data, sleazy surveillance-industrial companies like Clearview AI and ID.me, Facebook and its ilk. Now, criminalized abortion and vigilante bounty hunters highlight the stakes and put a spotlight on privacy risks.
So it’s a great opportunity to pass strong privacy protections. Can privacy, civil rights, and civil liberties organiations capitalize on it?
It’s certainly possible. The House and the Senate both made progress on privacy bills in the four short weeks between their July recess and August recess:
- The Fourth Amendment is Not For Sale Act had strong bipartisan support at its House Judiciary hearing. This bill prohibits data brokers from selling data to law enforcement and intelligence agencies without a court order. With Judiciary Chair Jerry Nadler, Ranking Member Jim Jordan, and former Chair Bob Goodlatte all strong supporters, hopefully they’ll schedule it for a Judiciary Committee markup in September.
- The Children and Teens Online Privacy Protection Act (CTOPPA) got through the Senate Commerce Committee on a party-line vote. This bill strengthens and updates COPPA, and even though they voted against it, several Republicans expressed a desire to keep working on it. However, Senate Commerce Ranking Member Roger Wicker wants Congress to focus on a broad consumer privacy bill that also has some privacy protections for children and teens. So CTOPPA’s fate is bound up with …
- The American Protection and Privacy Act (ADPPA) consumer privacy bill, which the the House Energy & Commerce (E&C) advanced 53-2. It’s the first time a consumer privacy bill has made it through committee this century, and ADPPA sets an important precedent by including civil rights protections prohibiting discrimination. However, it faces daunting roadblocks. For one thing, California’s Privacy Protection Agency opposes ADPPA in its current form because it preempts Californina’s privacy law. Also, as I’ll discuss later in the post, there’s an elephant in the room.
And even though they haven’t gotten hearings yet, two other bills are still in the mix:
- The Health and Location Data Protection Act (HLDPA), whose sponsors include Senators Elizabeth Warren and Patty Murray, also focuses on data brokers, prohibiting companies from selling health or location data – to government or anybody else.
- The My Body, My Data Act, sponsored by Representative Sara Jacobs and Senators Wyden and Hirono, protects reproductive health data.
Then again, industry lobbyists will try to take advantage of the situation to get weak legislation passed (so Congress can say they’ve done something) while blocking and weakening anything stronger. With midterms looming, and a lot of other important issues to deal, there’s not a lot of legislating time left this year. So it’s hard to know what will happen.
The Fourth Amendment Is Not For Sale Act probably has the best chance to pass this session. Dozens of consumer-advocacy, media-justice and privacy-rights groups (including the the Brennan Center for Justice, Surveillance Technology Oversight Project, Kairos Action, Demand Progress, Free Press Action, EFF, and ACLU) support it. However, DC-based privacy organizations EPIC Privacy, Future of Privacy Forum (FPF), and Center for Democracy and Technology (CDT) are putting most of their energy into ADPPA.
The ADPPA and the Elephant
Margaret Harding McGill’s framing in Online privacy bill faces daunting roadblocks (on Axios) reflects the conventional wisdom. She describes ADPPA as “still a long shot to become law.”
That’s thanks to lobbying by companies over details they don’t like, disagreements over whether the law should pre-empt state rules, and tensions between the House and the Senate.
Other recent media coverage explores some of these issues in more detail*:
- What Microsoft, IBM and others won as the privacy bill evolved (Ben Brody and Hirsh Chitraka on Protocol)
- Privacy bill strips FCC oversight of telecom data abuse, worrying consumer advocates (Tonya Riley on CyberScoop)
- Corporate lobbying could imperil sweeping data privacy bill (Karl Evers-Hillstrom and Rebecca Klar on The Hill)
- Speaker Pelosi should bring the privacy bill to a vote (Washington Post editorial Board)
- Evaluating the American Data Privacy and Protection Act (Alan Butler and Caitriona Fitzgerald of EPIC Privacy on Tech Politcy Press)
But y’know what none of these articles discuss? That’s right, the elephant in the room.
Will ADPPA protect against post-Roe privacy threats to pregnant people and abortion providers?
But what about the elephant? highlights the red flags that Sen. Ron Wyden, Rep. Anna Eshoo, Senate Commerce Committee staffers, gender-justice nonprofit Ultraviolet, and Seattle-based Legal Voice have raised about this. Kim Clark of Legal Voice, for example, says
“This bill, at least from the perspective of pregnant people, it really doesn’t do much.”
To be fair, ADPPA’s supporters don’t see it that way.** And it’s not yet clear what reproductive justice advocates think of ADPPA’s protections – as I mentioned in How broad is the “consensus” that ADPPA provides “strong privacy protections”?, we haven’t heard much from their perspective. Maybe they’re not concerned with leaving pregnant people’s data accessible to law enforcement and vigilantes in states that criminalize abortion, or making it harder for pregnant people to sue when their sensitive health data has been used against them. More likely, though, they’re just incredibly busy with other short-term priorities, so haven’t had time to look at ADPPA in any detail yet.
I can certainly see why ADPPA’s supporters don’t want to talk about the elephant. Right now, the media will keep focusing on the messaging from groups like Future of Privacy Forum (whose funders include Microsoft, Amazon, Google, Verizon, and the Chan-Zuckerberg Initiative) that the ADPPA has “strong privacy protections.” By contrast, the more discussion of loopholes in ADPPA leaving pregnant people at risk, the more challenging it’ll be for most Democrats to support the bill – and the more questions there will be about how effectively it protects others’ data.
Stay tuned
There’ll be a lot of behind-the-scenes discussions during recess. The Fourth Amdnement Is Not For Sale Act almost certainly has the votes … but will leadership prioritize it? Will Democrats decide to focus on protecting pregnant people and abortion providers? And how much energy will DC-based privacy organizations put into supporting bills other than ADPPA?
Meanwhile, ADPPA supporters will look for a way to get California on board, and industry will pushes to further weaken it. Perhaps there will be a “dramatic” “compromise” adding California’s privacy bill to the already-long list of other exceptions to preemption – in return for some other concessions to industry, of course. That could be enough to get California representatives on board, increase pressure on Cantwell to drop her resistance to preemption, and give media a whole set of new stories to cover instead of talking about the elephant.
If that doesn’t seem likely to happen, then House Democrats could decide to focus on privacy bills that do protect pregnant people – moving forward with My Body My Data and Health and Location Data Privacy Act, or adding their language to the ADPPA. True, there would likely be resistance in the Senate. But with the November election coming up, and Democrats looking to translate anger at the loss of Roe into increased enthusiasm and turnout, this could be very smart politics.
Even if nothing passes this year, we’ll continue to see coverage of privacy abuses, and pressure will mount to do something. If Democrats add some seats in the Senate and hold the House, the opportunity for strong federal consumer and health privacy bills may be even better in 2023. And states like California and Washington may well continue to move the ball forward as well – which is probably why industry-backed groups like FPF are so insistent about a preemptive federal bill is needed.
Stay tuned!
Image credit: Savanna elephant “Loxodonta africana” in Kruger National Park, South Africa, Felix Andrews, via Wikipedia, licensed under CC BY-SA 3.0,
* Also worth reading, if you want to get into the nitty-gritty of the bill: Privacy scholar Prof. Daniel Solove’s A Faustian Bargain: Is Preemption Too High a Price for a Federal Privacy Law? and Further Thoughts on ADPPA, the Federal Comprehensive Privacy Bill; and Analyzing the American Data Privacy and Protection Act’s Private Right of Action, by Shelby Dolen and David Stauss on Byte Back.
** Cameron Kerry’s How comprehensive privacy legislation can guard reproductive privacy, for example, suggests that the ADPPA would “accomplish the essence” of stronger bills like My Body My Data and the Health and Location Data Privacy Act, and be a big step forwards towards protecting pregnant people’s data.
Of course, Kerry’s article was written before the committee further weakened the bill. And he admits that ADPPA doesn’t address the loophole Eshoo’s identified, doesn’t discuss the loophole Wyden has focused on, ignores issues like the absence of whistleblower protections that Ultraviolet has highlighted, and downplays the enforcement concerns that Sen. Maria Cantwell and Commerce Committee staffers have raised.