{"id":4047,"date":"2022-08-09T22:39:00","date_gmt":"2022-08-09T22:39:00","guid":{"rendered":"https:\/\/2024.thenexus.today\/index.php\/2022\/08\/09\/one-out-of-six-aint-good\/"},"modified":"2022-08-09T22:39:00","modified_gmt":"2022-08-09T22:39:00","slug":"one-out-of-six-aint-good","status":"publish","type":"post","link":"https:\/\/2024.thenexus.today\/index.php\/2022\/08\/09\/one-out-of-six-aint-good\/","title":{"rendered":"One out of six ain&#8217;t good: Five ways the American Data Privacy and Protection Act falls short"},"content":{"rendered":"<blockquote class=\"kg-blockquote-alt\"><p><em>F<strong>IND OUT MORE<\/strong>: Prof. Daniel Solove moderated an excellent webinar on ADPPA Wednesday, August 10. <a href=\"https:\/\/twitter.com\/NexusOfPrivacy\/status\/1557431010077224960\"> Here&#8217;s our live-tweeting<\/a> \u2013 or, if you prefer, <a href=\"https:\/\/threadreaderapp.com\/thread\/1557426453779689472.html\">in a single threadreaderapp page<\/a>. \u00a0<\/em><\/p><\/blockquote>\n<p>A lot of the discussion of the proposed American Data Privacy and Protection Act (ADPPA) has focused on comparing it to California&#8217;s privacy law, generally viewed as the strongest of the handful of existing state privacy laws. \u00a0 In <a href=\"https:\/\/www.caprivacy.org\/californians-for-consumer-privacy-announce-opposition-to-adppa\/\">Californians for Consumer Privacy Announce Opposition to ADPPA<\/a>, the group responsible for California&#8217;s privacy law says that for Californians, ADPPA &#8220;would weaken existing privacy laws in far-reaching and vital ways.&#8221; \u00a0But not everybody sees it that way. <\/p>\n<p>Here&#8217;s how Alan Butler and Caitriona Fitzgerald of EPIC Privacy frame it in <a href=\"https:\/\/techpolicy.press\/evaluating-the-american-data-privacy-and-protection-act\">Evaluating the American Data Privacy and Protection Act<\/a>:<\/p>\n<blockquote><p>We believe that the ADPPA is stronger in several key areas then California\u2019s CCPA, that it would provide roughly equivalent protections in most circumstances, and that the few areas where the CCPA is stronger could be addressed through minor amendments to the ADPPA.<\/p><\/blockquote>\n<p>The <a href=\"https:\/\/www.documentcloud.org\/documents\/22087567-advocates-memo-comparing-federal-privacy-bill-with-california-lawhttps:\/\/techpolicy.press\/wp-content\/uploads\/2022\/08\/EPIC-ADPPAvCCPA-07292022.pdfhttps:\/\/techpolicy.press\/wp-content\/uploads\/2022\/08\/EPIC-ADPPAvCCPA-07292022.pdf\">nicely-designed side-by-side<\/a> from EPIC, CDT and Lawyers Committee makes their case in more detail.* \u00a0<strong>UPDATE, August 12<\/strong>: <a href=\"https:\/\/www.caprivacy.org\/analysis-shows-cpra-is-significantly-stronger-than-adppa\/\">Californians for Consumer Privacy&#8217;s side by-side responds<\/a>. \u00a0 They disagree. \u00a0<strong>UPDATE, September 7: <\/strong><a href=\"https:\/\/www.caprivacy.org\/californians-for-consumer-privacy-announce-opposition-to-adppa\/\">a new analysis from Californians for Consumer privacy<\/a> spotlights 20 ways in which CPRA is stronger.<\/p>\n<p>Taking a step back &#8230; as Omer Tene of Goodwin Procter points out <a href=\"https:\/\/twitter.com\/omertene\/status\/1552317950429986929\">on Twitter<\/a>, when California&#8217;s current privacy law was on the ballot as Prop. 24 in 2020, ACLU of Northern California opposed it, arguing it was catering to big tech interests and harmful to marginalized communities.** \u00a0Color of Change, Dolores Huerta, and many immigrant rights groups opposed it for similar reasons. \u00a0<\/p>\n<p>With all the weaknesses these groups identified in California&#8217;s law, \u00a0&#8220;roughly equivalent protections in most circumstances&#8221; doesn&#8217;t necessarily translate to strong protection. \u00a0<\/p>\n<p>So let&#8217;s build on Tene&#8217;s point and take a different approach to the comparison. <\/p>\n<h2 id=\"how-many-of-prop-24s-weaknesses-does-adppa-address\">How many of Prop 24&#8217;s weaknesses does ADPPA address?<\/h2>\n<p>Prop. 24, also known as the California Privacy Rights Act (CPRA), amended the 2018 California Consumer Privacy Act (CCPA). \u00a0As significant as Prop 24 was, it was also a missed opportunity to do even better \u2013 as the groups who critiqued it pointed out. \u00a0So I went through the three highest-profile criticisms of Prop 24 from 2020. \u00a0<\/p>\n<ul>\n<li>The <a href=\"https:\/\/consumercal.org\/wp-content\/uploads\/2020\/07\/No-on-Proposition-24-ballot-argument-for-CFC-website.pdf\">ballot argument against Prop 24<\/a>, signed by Dolores Huerta along with Richard Holober of Consumer Federation of California and Tracy Rosenberg of Californians for Privacy Now<\/li>\n<li>The <a href=\"https:\/\/consumercal.org\/wp-content\/uploads\/2020\/07\/No-on-Proposition-24-Rebuttal-Argument.pdf\">ballot rebuttal argument<\/a>, signed by Kevin Baker of \u00a0ACLU of California, Nan Brasmer of \u00a0California Alliance for Retired Americans, John Mathias of Color of Change, and Mark Toney of TURN)<\/li>\n<li>ACLU of Northern California&#8217;s <a href=\"https:\/\/www.aclunc.org\/blog\/californians-should-vote-no-prop-24\">Californians Should Vote No on Prop 24<\/a>.<\/li>\n<\/ul>\n<p>Here are the problems they highlighted, along with opinions about how well these issues are addressed in ADPPA. \u00a0<\/p>\n<h3 id=\"pay-for-privacy-%E2%80%93-substantially-worse-in-adppa\">Pay for privacy \u2013 substantially worse in ADPPA<\/h3>\n<blockquote><p>Proposition 24 asks you to approve an Internet \u201cpay for privacy\u201d scheme. Those who don\u2019t pay more could get inferior service \u2013 bad connections, slower downloads and more pop up ads. It\u2019s an electronic version of freeway express lanes for the wealthy and traffic jams for everyone else.<\/p>\n<p>\u2013 from the <a href=\"https:\/\/consumercal.org\/wp-content\/uploads\/2020\/07\/No-on-Proposition-24-ballot-argument-for-CFC-website.pdf\">ballot argument against Prop 24<\/a><\/p><\/blockquote>\n<p>This criticism of Prop 24 may have been overstated \u2013 language in the bill, combined with CPPA&#8217;s rulemaking authority, goes a long way to limit pay for privacy schemes. \u00a0However, the key langauge is missing from ADPPA \u2013 as even supporters like Butler and Fitzgerald agree.<\/p>\n<blockquote><p>ADPPA would remove the CCPA\u2019s requirement that financial incentives practices with respect to exercising privacy rights not be \u201cunjust, unreasonable, coercive, or usurious in nature.\u201d This is an important backstop to prevent exploitative practices.<\/p>\n<p>&#8211; <a href=\"https:\/\/cppa.ca.gov\/meetings\/materials\/20220728_item2_cppa_staff_memo_hr8152.pdf\">CPPA July 26 bill analysis<\/a>, on the latest draft of ADPPA<\/p><\/blockquote>\n<blockquote><p>CPRA states that if businesses wish to incent consumers to share\/sell their data, \u201c[the] business shall not use financial incentive practices that are <strong><em>unjust, unreasonable, coercive, or usurious in nature<\/em><\/strong>.\u201d [\u00a71798.140(b)(4)]<\/p>\n<p>ADPPA\u2019s section covering retaliation, \u00a7104, is <strong>missing <\/strong>this critical consumer protection, which is terrible for consumers. We\u2019ve all been in the situation where the item is 30% or 50% more expensive in the grocery store if you\u2019re not a member of the store\u2019s loyalty program. So if your choice is to pay 50% more for the cereal box or be forced into a loyalty program that gets you the discount but allows the store to sell your data\u2014how is that a <em>choice? <\/em>It\u2019s coercive on the part of the business, and CPRA stops it.<\/p>\n<p>&#8211; <a href=\"https:\/\/www.caprivacy.org\/californians-for-consumer-privacy-announce-opposition-to-adppa\/\">Californians for Consumer Privacy Announce Opposition to ADPPA<\/a><\/p><\/blockquote>\n<blockquote><p>In <a href=\"https:\/\/techpolicy.press\/wp-content\/uploads\/2022\/08\/EPIC-ADPPAvCCPA-07292022.pdf\">our chart comparing the bills<\/a>, which is below, we summarize these provisions and highlight a few areas where the California law is stronger or where we feel the ADPPA needs to be tightened to avoid loopholes. These include the \u201cguardrails\u201d set for differential prices charged to individuals who chose to delete their data or decline to participate in a loyalty program<\/p>\n<p>&#8211; <a href=\"https:\/\/techpolicy.press\/evaluating-the-american-data-privacy-and-protection-act\/\">Evaluating the American Data Privacy and Protection Act<\/a>, Alan Butler and Caitriona Fitzgerald of EPIC Privacy<\/p><\/blockquote>\n<h3 id=\"no-protection-for-employee-data-%E2%80%93-also-a-problem-in-adppa-and-getting-worse\">No protection for employee data \u2013 also a problem in ADPPA, and getting worse<\/h3>\n<blockquote><p>Currently, employers can obtain all kinds of personal information about their workers and even job applicants, including things like using a pregnancy tracking app, where you go to worship or if you attend a political protest. Proposition 24 allows employers to continue secretly gathering this information for more years to come, overriding a new law that lets workers know what sensitive private information their bosses have beginning January 1, 2021.<\/p>\n<p>\u2013 from the <a href=\"https:\/\/consumercal.org\/wp-content\/uploads\/2020\/07\/No-on-Proposition-24-ballot-argument-for-CFC-website.pdf\">ballot argument against Prop 24<\/a><\/p><\/blockquote>\n<p>Employers collect all kinds of data about job applicants and employees from a myriad of places: job applications, background checks, HR and benefits forms, social media. \u00a0The original CCPA, passed in 2018, covered employee data. Businesses pushed back, and in 2019 the California legislature passed a bill which largely exempted employers for a year. \u00a0Prop 24 pushed the deadline back a couple more years.<\/p>\n<p>In ADDPA, by contrast:<\/p>\n<blockquote><p>You might have also noticed from the definition above that the bill explicitly doesn\u2019t apply to \u201cemployee data&#8230;.\u201d \u00a0The bill also notes that the term \u201cemployee\u201d can be defined as \u201c employee, director, officer, staff member, trainee, volunteer, or intern of an employer,\u201d regardless of whether they\u2019re unpaid or a temp worker. It\u2019s not just \u201cemployees\u201d that are being targeted here, but volunteers and interns, too.<\/p>\n<p>&#8211; Shoshana Wodinsky, in <a href=\"https:\/\/gizmodo.com\/american-data-privacy-and-protection-act-improvements-1849022612\">Close the Loopholes in the American Data Privacy &amp; Protection Act<\/a> on Gizmodo<\/p><\/blockquote>\n<blockquote><p>The definition of &#8220;employee data&#8221;, which is exempt from ADPPA, has been broadened to include &#8220;information processed by an employer relating to an employee who is acting in a professional capacity for the employer, provided that such information is collected, processed, or transferred solely for purposes related to such employee\u2019s professional activities on behalf of the employer.&#8221; \u00a0(Sec. 2(8)(C)(ii))<\/p>\n<p>&#8211; me, in <a href=\"__GHOST_URL__\/what-about-the-elephant\/\">But What About the Elephant?<\/a> on ADPPA&#8217;s latest draft<\/p><\/blockquote>\n<h3 id=\"global-opt-out-%E2%80%93-a-major-loophole-in-adppa\">Global opt-out \u2013 a major loophole in ADPPA<\/h3>\n<blockquote><p>You can set web browsers and cell phones to send a signal to each website you visit and app you use to stop selling your personal data, so you don\u2019t have to think about it each time. Proposition 24 would allow companies to disregard those instructions and shift the burden to you to notify each and every website and app individually to protect your data.<\/p>\n<p>\u2013 from the <a href=\"https:\/\/consumercal.org\/wp-content\/uploads\/2020\/07\/No-on-Proposition-24-ballot-argument-for-CFC-website.pdf\">ballot argument against Prop 24<\/a><\/p><\/blockquote>\n<p>This is another area where, despite concerns about the Prop 24&#8217;s language, California&#8217;s rulemaking has led to an approach that seems fairly workable &#8230; but ADPPA takes a step backwards.<\/p>\n<blockquote><p>So here is where federal bill (ADPPA) will have a massive fail if not fixed. The latest amended bill suddenly has new language allowing a company to require an authentication process before honoring the global opt-out signal&#8230;. \u00a0If this specific language becomes law &#8211; then consumers who turn on GPC (global opt-out) &#8211; will have to authenticate each and every site\/app in order to visit. More likely they&#8217;ll just turn it off and lobby will then argue to FTC users don&#8217;t want it. Poof go your new rights.<\/p>\n<p>&#8211; <a href=\"https:\/\/twitter.com\/jason_kint\/status\/1552419839284764673\">Jason Kint on Twitter<\/a>, also citing <a href=\"https:\/\/cppa.ca.gov\/meetings\/materials\/20220728_item2_cppa_staff_memo_hr8152.pdf\">the CPPA bill analysi<\/a>s<\/p><\/blockquote>\n<h3 id=\"restricting-people-from-enforcing-their-privacy-rights-in-court-%E2%80%93-also-a-problem-in-adppa\">Restricting people from enforcing their privacy rights in court \u2013 \u00a0 also a problem in ADPPA<\/h3>\n<blockquote><p>Proposition 24 restricts Californians from enforcing your own privacy rights in court. <\/p>\n<p>\u2013 from the <a href=\"https:\/\/consumercal.org\/wp-content\/uploads\/2020\/07\/No-on-Proposition-24-Rebuttal-Argument.pdf\">ballot rebuttal argument<\/a><\/p><\/blockquote>\n<blockquote><p>Although the ADPPA does contain a private right of action, with the possibility of pursuing monetary damages as well as injunctive relief, that right of action is otherwise deficient in a wide range of respects. These deficiencies are significant enough that the private right of action is unlikely to serve either as an effective vehicle for rights enforcement or as a motivator to comply with the law in order to avoid the risk of liability.<\/p>\n<p>&#8211; <a href=\"https:\/\/www.aclu.org\/letter\/aclu-letter-house-energy-and-commerce-committee-american-data-privacy-protection-act\">ACLU July 18 letter on ADPPA<\/a><\/p><\/blockquote>\n<blockquote><p>[T]he American Data Privacy and Protection Act \u201cmakes it harder for women to seek redress when their sensitive health data has been used against them\u201d and would force women to \u201cjump through arbitrary, drawn-out hoops\u201d to sue over privacy violations. <\/p>\n<p>&#8211; Senate Commerce committe staffers, quoted in Cristiano Lima&#8217;s <a href=\"https:\/\/www.washingtonpost.com\/politics\/2022\/06\/27\/abortion-ruling-could-scramble-data-privacy-talks\/\">Abortion ruling could scramble data privacy talks<\/a>, June 27<\/p><\/blockquote>\n<blockquote><p>[A]lthough a covered entity or service provider may have technically violated a provision of the ADPPA, plaintiffs may be unable to bring a claim in federal court absent a showing of concrete injury. Proving damages for privacy violations has often proved difficult for plaintiffs. Given that the ADPPA limits cases to federal (and not state) courts, this limitation could be determinative in many lawsuits.<\/p>\n<p>&#8211; <a href=\"https:\/\/bytebacklaw.com\/2022\/08\/analyzing-the-american-data-privacy-and-protection-acts-private-right-of-action\">Analyzing the American Data Privacy and Protection Act\u2019s Private Right of Action<\/a>, Shelby Dolen and David Stauss<\/p><\/blockquote>\n<blockquote><p>Forced arbitration is no longer enforceable on claims related to gender or partner-based violence or physical harm (Sec. 403(b)). \u00a0However, companies can still impose forced arbitration on adults in all other cases. During the markup, Rep. Donald McEachin of Virginia said that the bill as currently written wouldn&#8217;t have his support on the floor because of forced arbitration, and Senate Commerce Chair Maria Cantwell has flagged this as an issue that needs to be fixed.<\/p>\n<p>&#8211; me, in <a href=\"__GHOST_URL__\/what-about-the-elephant\/\">But What About the Elephant?<\/a> on ADPPA&#8217;s latest draft<\/p><\/blockquote>\n<blockquote><p>\u2022 \u00a7403(b) only prevents pre-dispute arbitration agreements for minors (who cannot legally enter contracts in any event, so this is just gratuitous), or gender or partner-based violence\/physical harm<\/p>\n<p>\u2022 1798.192 prevents forced arbitration clauses for any rights contained in CPRA<\/p>\n<p><a href=\"https:\/\/www.caprivacy.org\/californians-for-consumer-privacy-announce-opposition-to-adppa\/\">Californians for Consumer Privacy Announce Opposition to ADPPA<\/a><\/p><\/blockquote>\n<h3 id=\"privacy-loopholes-%E2%80%93-also-a-problem-with-adppa\">Privacy Loopholes \u2013 also a problem with ADPPA<\/h3>\n<blockquote><p>Prop 24 introduces numerous other exceptions and loopholes that will further weaken privacy protections for Californians. \u00a0<\/p>\n<p>&#8211; ACLU of Northern California&#8217;s <a href=\"https:\/\/www.aclunc.org\/blog\/californians-should-vote-no-prop-24\">Californians Should Vote No on Prop 24<\/a><\/p><\/blockquote>\n<p>The post lists several example loopholes \u2013 some of which are addressed in the ADPPA, some of which aren&#8217;t. \u00a0For example, ACLU discusses how CPRA allows police to tell companies not to delete data; ADPPA similarly says companies have to ignore deletion requests if they &#8220;reasonably&#8221; believe the request was to &#8220;support criminal activity.&#8221; ADPPA actually has an even bigger loophole here: companies are allowed to ignore deletion requests that interfere with &#8220;investigations&#8221; as well as \u00a0&#8220;reasonable efforts&#8221; to guard against, detect, prevent, or investigate fraudulent, malicious, or unlawful activity. <\/p>\n<p>And ADPPA&#8217;s got plenty of loopholes that weren&#8217;t on the ACLU of Northern California&#8217;s shortlist of Prop. 24 problems.<\/p>\n<blockquote><p>\u201cThe bill before us has a major loophole that could allow law enforcement to access private data to go after women. For example, under this bill, a sinister prosecutor in a state that criminalizes abortion could use against women their intimate data from search histories or from reproductive health apps. That loophole must be addressed.\u201d<\/p>\n<p>Rep. Anna Eshoo, D-California, quoted in <a href=\"https:\/\/cyberscoop.com\/privacy-data-brokers-house-ftc-commerce\">Federal privacy legislation progresses, but concerns about data brokers loom<\/a><\/p><\/blockquote>\n<p><a href=\"https:\/\/arstechnica.com\/tech-policy\/2022\/08\/teens-jailing-shows-exactly-how-facebook-will-help-anti-abortion-states\/\">Teen\u2019s jailing shows exactly how Facebook will help anti-abortion states<\/a>, <a href=\"https:\/\/time.com\/6189528\/anti-abortion-pregnancy-centers-collect-data-investigation\/\">Anti-Abortion Centers\u2019 Databases Could Be Weaponized Post-Roe<\/a> and <a href=\"https:\/\/arstechnica.com\/tech-policy\/2022\/08\/teens-jailing-shows-exactly-how-facebook-will-help-anti-abortion-states\/\">Teen\u2019s jailing shows exactly how Facebook will help anti-abortion states<\/a> highlight the stakes of loopholes like this.<\/p>\n<blockquote><p>\u201c[T]his loophole could allow data brokers to sell location data to the government about visits to reproductive health facilities, for example, or other private information that is trivially easy to connect to individuals. \u00a0[Senator Ron Wyden (D-Oregon) strongly believes this must be fixed before any legislation becomes law.&#8221;<\/p>\n<p>&#8211; \u00a0a Wyden aide quoted in <a href=\"https:\/\/cyberscoop.com\/privacy-data-brokers-house-ftc-commerce\">Federal privacy legislation progresses, but concerns about data brokers loom<\/a><\/p><\/blockquote>\n<blockquote><p>[T]he ADPPA includes a substantial loophole that my office opposed in state legislation. Section 209 includes the following exemption: \u201cA covered entity may collect, process, or transfer covered data for any of the following purposes . . . [to] conduct internal research or analytics to improve products and services.\u201d This broad exemption directly conflicts with the ADPPA\u2019s data minimization language and may be used by technology companies to maintain all data indefinitely. <\/p>\n<p>&#8211; Washington Attorney General Bob Ferguson, in <a href=\"https:\/\/www.documentcloud.org\/documents\/22111995-ferguson-privacy-letter-to-4-corners_6-24-2022\">a June 24 letter<\/a><\/p><\/blockquote>\n<blockquote><p>We are also concerned about newly accepted amendments to the bill that address data flows between companies such as <a href=\"https:\/\/www.eff.org\/deeplinks\/2022\/02\/victory-another-lawsuit-proceeds-against-clearviews-face-surveillance\">Clearview AI<\/a> or <a href=\"https:\/\/www.eff.org\/deeplinks\/2022\/02\/victory-irs-wont-require-facial-recognition-idme\">ID.me<\/a> and the government. Specifically, the bill may treat these companies as \u201cservice providers\u201d\u2014defined in the ADPPA as companies that collect or process information for government entities\u2014and gives these companies much more leeway than it should. <\/p>\n<p>&#8211; EFF, in <a href=\"https:\/\/www.eff.org\/deeplinks\/2022\/07\/americans-deserve-more-current-american-data-privacy-protection-act\">Americans Deserve More Than The Current American Data Privacy Protection Act<\/a><\/p><\/blockquote>\n<h3 id=\"applies-outside-of-california-%E2%80%93-addressed-in-the-adppa-although-many-protections-are-lower-both-outside-and-inside-california\">Applies outside of California \u2013 \u00a0addressed in the ADPPA, although many protections are lower both outside and inside California<\/h3>\n<blockquote><p>Under California law, your privacy rights follow you wherever you go. But with Proposition 24, the minute you travel out of state with a phone, wearable device, or computer, big tech companies are allowed to capture the health, financial, and other confidential information you stored on your device.<\/p>\n<p>\u2013 from the <a href=\"https:\/\/consumercal.org\/wp-content\/uploads\/2020\/07\/No-on-Proposition-24-ballot-argument-for-CFC-website.pdf\">ballot argument against Prop 24<\/a><\/p><\/blockquote>\n<p>ADPPA applies to the whole country, so clearly addresses this. \u00a0<\/p>\n<p>However, as <a href=\"https:\/\/www.caprivacy.org\/analysis-shows-cpra-is-significantly-stronger-than-adppa\/\">Californians for Consumer Privacy&#8217;s side by-side<\/a> highights (and some of the earlier discussion here reinforces), in many ways ADPPA&#8217;s protections are lower than CPRA&#8217;s. \u00a0So Californians are being asked to give up some important protections (and not be able to get them back) in exchange for not letting anybody else getting those protections. \u00a0You can certainly see why they wouldn&#8217;t like that trade. <\/p>\n<h2 id=\"one-out-of-six-aint-good\">One out of six ain&#8217;t good<\/h2>\n<p>So of the six areas these groups highlighted, only one is addressed in ADPPA \u2013 and in a couple, ADPPA is arguably <em>worse <\/em>than California&#8217;s a existing law. \u00a0Combine this with the critiques in <a href=\"https:\/\/www.caprivacy.org\/californians-for-consumer-privacy-announce-opposition-to-adppa\/\">Californians for Consumer Privacy Announce Opposition to ADPPA<\/a> and it&#8217;s clear that there are a lot of ways ADPPA falls short.<\/p>\n<p>Of course, there&#8217;s no question that ADPPA also has areas where it improves on California&#8217;s privacy law. Explicitly including civil rights protections with anti-discrimination language that includes disparate impact (as well as intentional discrimination) is a very big deal. \u00a0ADPPA also incorporates some important new ideas, such as a duty of loyalty. \u00a0Californians for Consumer Privacy analysis also highlights several areas where ADPPA improves on CPRA. \u00a0These all point to improvements that might well be helpful in California \u2013 and other states as well, since privacy laws in Virginia and Utah are much weaker than California&#8217;s. <\/p>\n<p>Then again, the analysis here also points to a lot of ways ADPPA falls short. \u00a0And these aren&#8217;t the only areas of ADPPA that need work \u2013 there&#8217;s also the unnecessary interference with state Attorney General enforcement ability,*** <a href=\"https:\/\/www.cyberscoop.com\/adppa-fcc-privacy-ftc-congress-telecom\/\">stripping FTC oversight of telecom data abuse<\/a>, potential <a href=\"__GHOST_URL__\/is-there-an-elephant-in-the-zoom-room\/#does-adppa-protect-unhoused-people\">threats to unhoused people<\/a>, and more. \u00a0 <\/p>\n<p>Butler and Fitzgerald point to the possibilities of amendments to ADPPA to address some of its weaknesses. \u00a0At least so far, the trend isn&#8217;t encouraging. \u00a0<a href=\"https:\/\/protocol.com\/newsletters\/policy\/cloud-enterprise-privacy\">Microsoft, IBM and the Business Software Alliance have been big winners<\/a>. Many of <a href=\"__GHOST_URL__\/what-about-the-elephant\/#changes-since-the-subcommittee-version\">the changes in the most recent version of ADPPA<\/a> actually weakened its protections. \u00a0Still, if Congress decides they really <em>do<\/em> want to protect people&#8217;s privacy, they&#8217;ve got a good roadmap for improvements to ADPPA. \u00a0<\/p>\n<p>As it is right now, though, comparing ADPPA to California&#8217;s privacy law just highlights how much improvement is still needed.<\/p>\n<hr>\n<p><em>Image credit: <\/em>JessicaRodriguezRivas, via <a href=\"https:\/\/commons.wikimedia.org\/wiki\/File:Home_of_the_US_Congress.jpg\">Wikipedia Commons<\/a>. \u00a0licensed under the <a href=\"https:\/\/en.wikipedia.org\/wiki\/en:Creative_Commons\">Creative Commons<\/a><a href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/4.0\/deed.en\" rel=\"nofollow\">Attribution-Share Alike 4.0 International<\/a> license.<\/p>\n<p>* Although the previous version of the side-by-side (linked from a Washington Post article) claimed that ADPPA was stronger in some additional ways that turned out to be inaccurate, so this one may still be overstating the case. \u00a0<\/p>\n<p><strong>UPDATE: <\/strong>Californians for Consumer Privacy&#8217;s comparison makes it ADPPA 3, CPRA 22 (or something like that). \u00a0So even if the truth is somewhere in between, EPIC&#8217;s spreadsheet was indeed still overstating the case. <\/p>\n<p>** Gilad Edelman&#8217;s <a href=\"https:\/\/www.wired.com\/story\/california-prop-24-fight-over-privacy-future\/\">The Fight Over the Fight Over California\u2019s Privacy Future<\/a> on <em>Wired <\/em>has some of the fascinating backstory.<\/p>\n<p><!--kg-card-begin: html--><span id=\"no-per-se\"><\/span><!--kg-card-end: html--><\/p>\n<p>*** Specifically, ADPPA 404(c)&#8217;s language: \u201ca violation of this Act shall not be pleaded as an element of any such cause of action.&#8221; \u00a0As the AG&#8217;s letter says:<\/p>\n<blockquote><p>In many states, the Attorney General\u2019s office uses civil investigative demands under its consumer protection authority to demand documents or information from entities when we believe there could have been a violation of a law. Ordinarily, a violation of a federal law or standard could also be a violation of state consumer protection law. But Section 404 would act as a bar to investigate violations of the federal law, because it prohibits them from forming the basis for state consumer protection claims. This language unnecessarily interferes with robust enforcement capabilities.<\/p><\/blockquote>\n<p>The 2020 version of the Bad Washington Privacy Act had a similar problem, and Attorney General Ferguson said it made the bill &#8220;unenforceable.&#8221; \u00a0Meanwhile, Microsoft it as &#8220;raising the bar on privacy in the United States&#8221; because of its &#8220;strong enforcement.&#8221; Good times!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>FIND OUT MORE: Prof. Daniel Solove moderated an excellent webinar on ADPPA Wednesday, August 10. Here&#8217;s our live-tweeting \u2013 or, if you prefer, in a single threadreaderapp page. \u00a0 A lot of the discussion of the proposed American Data Privacy and Protection Act (ADPPA) has focused on comparing it to California&#8217;s privacy law, generally viewed [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[458,61],"class_list":["post-4047","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-adppa","tag-california"],"_links":{"self":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/4047","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/comments?post=4047"}],"version-history":[{"count":0,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/4047\/revisions"}],"wp:attachment":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/media?parent=4047"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/categories?post=4047"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/tags?post=4047"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}