{"id":4069,"date":"2022-08-31T05:44:44","date_gmt":"2022-08-31T05:44:44","guid":{"rendered":"https:\/\/2024.thenexus.today\/index.php\/2022\/08\/31\/adppa-data-minimization\/"},"modified":"2022-08-31T05:44:44","modified_gmt":"2022-08-31T05:44:44","slug":"adppa-data-minimization","status":"publish","type":"post","link":"https:\/\/2024.thenexus.today\/index.php\/2022\/08\/31\/adppa-data-minimization\/","title":{"rendered":"ADPPA&#8217;s data minimization and duty of loyalty: a deep dive"},"content":{"rendered":"<p>One of ADPPA&#8217;s strong points is its focus on <em>data minimization<\/em>. \u00a0This principle has been a bedrock of privacy law as one of the Fair Information Practices since the 1970s, and is also included in Europe\u2019s GDPR and California\u2019s CPRA.<\/p>\n<p>ADPPA complements data minimization with a \u201cduty of loyalty\u201d, a powerful and relatively-recent innovation in privacy law. \u00a0As privacy scholars Neil Richards and Woodrow Hartzog write in<a href=\"https:\/\/iapp.org\/news\/a\/were-so-close-to-getting-data-loyalty-right\/\"> We\u2019re so close to getting data loyalty right<\/a><\/p>\n<blockquote><p>Done correctly, duties of loyalty would change a company\u2019s business incentives away from manipulative and exploitative practices toward long-term, sustainable and mutually beneficial information relationships between people and companies<\/p><\/blockquote>\n<p>Of course, as widely-respected privacy scholar Prof. Daniel Solove says in \u00a0<a href=\"https:\/\/teachprivacy.com\/further-thoughts-on-adppa-the-federal-comprehensive-privacy-bill\/\">Further Thoughts on ADPPA, the Federal Comprehensive Privacy Bill<\/a>, &#8220;many parts of privacy laws have pretty-sounding rhetoric but ultimately are not any deeper\u201d. 
Virginia\u2019s and Utah\u2019s privacy laws \u2013 which even industry lobbyists describe as \u201cweak and loophole-ridden\u201d \u2013 are also based on data minimization principles, but the wording is so weak that there\u2019s virtually no protection.<\/p>\n<p>So let\u2019s dive more deeply into these relevant sections of ADPPA. \u00a0I\u2019ve included some of the key language from the current version of the bill, but if you want to follow along in the text, section numbers (\u00a7) refer to the<a href=\"https:\/\/docs.house.gov\/meetings\/IF\/IF00\/20220720\/115041\/BILLS-117-8152-P000034-Amdt-1.pdf\"> July 19 ADPPA version<\/a> as amended by the six<a href=\"https:\/\/docs.house.gov\/Committee\/Calendar\/ByEvent.aspx?EventID=115041\"> amendments<\/a> that passed.<a href=\"https:\/\/media-exp1.licdn.com\/dms\/document\/C4E1FAQG-kcljte035A\/feedshare-document-pdf-analyzed\/0\/1658364628458?e=1661990400&amp;v=beta&amp;t=rw5yxfubj0O4f0wUTkGNr1XoCc3eC0MtfVRIGhDNRkM\"> The redlined version from IAPP and Future of Privacy Forum<\/a>, including all the amendments and highlighting changes from the subcommittee&#8217;s version, is also very useful.<\/p>\n<h2 id=\"data-minimization-and-permissible-purposes\">Data minimization and permissible purposes<\/h2>\n<blockquote><p>A covered entity may not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to\u2014<\/p>\n<p>(1) provide, or maintain a specific product or service requested by the individual to whom the data pertains; or<\/p>\n<p>(2) effect a purpose expressly permitted under subsection (b).<\/p>\n<p>\u2013 American Data Privacy and Protection Act (ADPPA), \u00a7101(a):<\/p><\/blockquote>\n<p>ADPPA\u2019s data minimization rules 
apply to everything that the businesses and non-profits it regulates do to any data that it covers. There are actually some big exemptions hidden behind these definitions,* but put that to the side for now and focus on the entities and data that it does cover.<\/p>\n<p>Once a company collects data for a specific purpose, ADPPA&#8217;s data minimization rules say they can only process or transfer it for that purpose and for the other <em>permissible purposes<\/em> listed in \u00a7101(b). \u00a0<\/p>\n<p>Why have <em>any <\/em>permissible purposes beyond providing the individual with the product or service the individual requests? \u00a0Well, imagine if companies had to get consent from everybody before each time they analyze email to see whether it should go into a spam folder. \u00a0Spammers wouldn\u2019t give consent, so good luck with spam detection. \u00a0And for the rest of us, you can imagine how this would be even more annoying than cookie dialogs.<\/p>\n<p>We\u2019ll go through the specific permissible purposes below, but first let\u2019s talk about how the ADPPA\u2019s \u201cduty of loyalty\u201d interacts with the data minimization requirements.<\/p>\n<h2 id=\"%E2%80%9Cduty-of-loyalty%E2%80%9D\">\u201cDuty of loyalty\u201d<\/h2>\n<p>As Richards and Hartzog discuss, ADPPA\u2019s \u201cduty of loyalty\u201d (\u00a7102) only covers data minimization \u2013 <a href=\"https:\/\/iapp.org\/news\/a\/were-so-close-to-getting-data-loyalty-right\/\">just one piece of what a duty of loyalty really needs to cover<\/a>, and the reason I put air quotes around it. 
Still, it\u2019s certainly an important aspect, and ADPPA\u2019s \u00a0\u201cduty of loyalty\u201d adds some significant protections for <em>sensitive data <\/em>(defined in \u00a72(28))<\/p>\n<p>Sensitive data is a fairly broad category under ADPPA, including health data; biometric and genetic information; \u201cprecise geolocation information\u201d; credit card numbers and financial information; drivers license and passport numbers; photos, videos, and private communications including emails, voicemails and texts (unless they\u2019re on employer-issued machines); and quite a few other categories. There are some important exceptions; for example, sex, sexual orientation, and immigration status aren\u2019t considered sensitive data, and as <a href=\"https:\/\/www.caprivacy.org\/californians-for-consumer-privacy-announce-opposition-to-adppa\/\">Californians for Consumer Privacy discusses<\/a> the definition of \u201cprecise geolocation information\u201d (\u00a72(24)) excludes location information from surveillance cameras and photos people take. 
\u00a0Once again, though, let\u2019s put these aside for now.<\/p>\n<p>For sensitive data, ADPPA\u2019s \u201cduty of loyalty\u201d adds several important protections to the basic data minimization rules:<\/p>\n<ul>\n<li>Prohibiting transferring (selling or sharing) sensitive data to third parties** without consent, with a few exceptions (listed in \u00a7102(3))<\/li>\n<li>A heightened standard of <em>strictly <\/em>necessary and proportionate (as opposed to just <em>reasonably<\/em> necessary and proportionate)<\/li>\n<li>Prohibiting collecting and processing sensitive data for targeted advertising or as part of a merger or acquisition***<\/li>\n<li>Allowing individuals to sue under the private right of action if their sensitive data is misused****<\/li>\n<\/ul>\n<p>Looking at it differently, ADPPA\u2019s \u201cduty of loyalty\u201d says that businesses and non-profits can collect or process even sensitive data as long as it\u2019s strictly necessary for permissible purposes (1)-(15) without asking consent. \u00a0<\/p>\n<p>And it&#8217;s not just they don&#8217;t have to get your consent. \u00a0There\u2019s an exception to ADPPA\u2019s opt-out rights (\u00a7204(b)(2)) which says <em>you can\u2019t even opt out<\/em> of having your data collected, processed, and transferred for these purposes.<\/p>\n<h2 id=\"what-could-possibly-go-wrong\">What could possibly go wrong?<\/h2>\n<p>The example permissible purpose I talked about above, spam detection, seems innocuous enough. \u00a0Others, though, could potentially open up big loopholes. 
\u00a0For example, \u00a7101(b)(2)(C) allows companies to collect and process data \u201cto conduct internal research or analysis to improve a product or service for which such data was collected.\u201d \u00a0This also sounds innocuous, but here\u2019s what Washington\u2019s Attorney General Ferguson had to say<a href=\"https:\/\/www.documentcloud.org\/documents\/22111995-ferguson-privacy-letter-to-4-corners_6-24-2022\"> in June<\/a> about the effects of a slightly-differently-worded version of this in the June ADPPA discussion draft:<\/p>\n<blockquote><p>This broad exemption \u2026 may be used by technology companies to maintain all data indefinitely. For example, a company may deny all requests to delete biometric data or retain user photos (including of children) because the data is used to improve their photo tagging technology. Technology companies and their teams of corporate lawyers will defend their data processes, no matter how harmful, as internal research intended to improve the company\u2019s products or services. In short, if Congress passes legislation with this exemption, it will undermine the entire purpose of data privacy legislation.<\/p><\/blockquote>\n<p>And remember, opt-out doesn\u2019t apply. \u00a0So no matter why a company\u2019s collected your data, you can\u2019t stop them from using it without your consent for \u201cinternal research or analytics\u201d as long as they can claim the way they\u2019re using it is reasonably necessary and proportionate to improving their product or service. \u00a0If it\u2019s not sensitive data, they can transfer it to third parties without your consent as well.<\/p>\n<p>Ferguson\u2019s <a href=\"https:\/\/www.documentcloud.org\/documents\/22111995-ferguson-privacy-letter-to-4-corners_6-24-2022\">comments<\/a> were on an earlier draft of ADPPA and the current draft has a slightly narrower definition, but the lawyers I checked with didn&#8217;t think the changes had fully addressed this issue. 
\u00a0It\u2019s a good example of how an innocuous-sounding permissible purpose could open up a major loophole.<\/p>\n<h2 id=\"fraud-and-illegal-activity\">Fraud and illegal activity<\/h2>\n<p>With that as background, let\u2019s move on to a pair of permissible purposes that <em>EFF <\/em>expressed concern about in their <a href=\"https:\/\/www.eff.org\/deeplinks\/2022\/06\/eff-urges-congress-strengthen-american-data-privacy-and-protection-act\">June 14 letter <\/a>(which like AG Ferguson\u2019s letter applied to an earlier draft).<\/p>\n<p>\u00a7101(b)(6) allows collecting and processing data (without consent or the ability to opt out) to prevent, detect, protect against or respond to fraud. \u00a0 In<a href=\"https:\/\/www.politico.com\/news\/2022\/08\/28\/privacy-bill-triggers-lobbying-surge-by-data-brokers-00052958\"> Privacy bill triggers lobbying surge by data brokers<\/a>, Alfred Ng quotes a data broker\u2019s deputy general counsel as saying that their lobbying was to help \u201censure that fraud prevention products can continue providing meaningful consumer protections.\u201d \u00a0Ng also quoted staffers as saying the lobbying hasn&#8217;t had any effect, but I&#8217;m not so sure: the latest version added new exceptions for fraud in the \u201cduty of loyalty\u201d and several other places.*****<\/p>\n<p>Think about the kinds of companies that would want to take advantage of this exception. \u00a0Data broker<a href=\"https:\/\/apnews.com\/article\/chicago-lawsuits-georgia-immigration-635396b572cadf172c74b4a0000f52e8\"> LexisNexis is currently being sued by immigration advocates<\/a> for collecting, combining, and selling personal data without consent. 
Surveillance technology company Clearview AI was banned from selling facial recognition technology in the US after<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/05\/clearview-ai-banned-from-selling-facial-recognition-data-in-the-us\"> secretly taking facial recognition data from people without their consent<\/a> in May, and just two weeks later introduced the laughably-named<a href=\"https:\/\/www.clearview.ai\/clearview-ai-launches-clearview-consent-companys-first-consent-based-product-for-commercial-use\"> Clearview Consent<\/a> which &#8220;is all about making everyday consumers feel more secure in a world that is rife with crime and fraud.&#8221; \u00a0Facebook, Google, and other ad tech companies are concerned with advertising fraud. \u00a0Companies in the<a href=\"https:\/\/themarkup.org\/the-breakdown\/2022\/07\/27\/who-is-collecting-data-from-your-car\"> connected vehicle data ecosystem<\/a> focus on insurance fraud. \u00a0The list goes on.<\/p>\n<p>How much non-consensual data collection and processing will these companies be able to do as a result of this exception?<\/p>\n<p>\u00a7101(b)(6) also allows collecting and processing data \u00a0to \u00a0prevent, detect, protect against or respond to illegal activity, which is defined as a felony or misdemeanor that causes harm.<\/p>\n<p>In states which have criminalized abortion, does this mean that pregnant people&#8217;s data can be collected and processed (without consent or the ability to opt out) if it&#8217;s &#8220;strictly necessary&#8221; to prevent abortions?<\/p>\n<p>What about states which have criminalized gender-affirming health care?<\/p>\n<h2 id=\"trespass-and-public-safety-incidents\">Trespass and public safety incidents<\/h2>\n<p>\u00a7101(b)(5) allows collecting and processing data (without consent or the ability to opt out) to prevent, detect, protect against or respond to security incidents. 
In the latest version, <\/p>\n<ul>\n<li>the definition of security incident in \u00a7101(b)(5) was broadened to add trespass. <\/li>\n<li>a new permissible purpose \u00a7101(b)(15) was added, allowing government entities to require contractors to process to prevent, detect, protect against, or respond to public safety incidents, including trespass. \u00a0<\/li>\n<li>and a \u00a0new &#8220;duty of loyalty&#8221; exception 102(3)(D), allows government contractors to transfer an individual\u2019s sensitive data to third parties without consent if the transfer is necessary to prevent, detect, protect against or respond to a public safety incident including trespass, natural disaster, or national security incident<\/li>\n<\/ul>\n<p>What risk does this create in cities and states that use \u201ctrespass\u201d laws to target <a href=\"__GHOST_URL__\/is-there-an-elephant-in-the-zoom-room\/#does-adppa-protect-unhoused-people\">unhoused people<\/a>? \u00a0<\/p>\n<p>What about law enforcement agencies surveilling activists (who after all might cause a protest that escalates into a public safety incident)?<\/p>\n<h2 id=\"but-wait-there%E2%80%99s-more\">But wait, there\u2019s more!<\/h2>\n<p>This version of ADPPA has 17 permissible purposes, up from 12 in the previous version. \u00a0Most of them raise at least some questions. \u00a0For example:<\/p>\n<ul>\n<li>Does \u00a7101(b)(7) (which allows companies to use data without consent \u201cto investigate, establish, prepare for, exercise, or defend legal claims involving the covered entity or service provider\u201d) mean that Google can use whatever you\u2019ve got in your email and Google Docs to prepare for potential future legal claims against them?<\/li>\n<li>Anti-abortion \u201ccrisis pregnancy centers\u201d have a \u201cgood faith\u201d belief in imminent risk of serious harm caused by abortions. 
\u00a0Does \u00a7101(b)(8) allow them to process any data they\u2019ve obtained for other purposes to prevent or detect people who might be about to get an abortion \u2013 or health care providers who might be performing, or helping with, abortions? \u00a0What about gender-affirming care? Does the similarly-worded \u201cduty of loyalty\u201d exception \u00a7102(3)(C) allow transferring (sharing and selling) this data?<\/li>\n<li>How broad are the exceptions for \u201cpublic interest research\u201d (\u00a7101(b)(10)), especially after the latest amendment adding an exemption for research that\u2019s excluded from criteria of institutional review boards?<\/li>\n<li>\u00a7101(b)(13) lets companies transfer data in the context of mergers, acquisitions, and bankruptcies. \u00a0While they do have to provide notice and a \u201creasonable opportunity\u201d to request deletion, ADPPA&#8217;s deletion rights have significant exceptions \u2013 for example, companies can ignore requests that interfere with &#8220;investigations, or reasonable efforts to guard against, detect, prevent, or investigate fraudulent, malicious, or unlawful activity.&#8221; \u00a0(\u00a7203(e)(3)(A)(vii)). What kinds of loopholes does this open up?<\/li>\n<li>\u00a7101(b)(16) covers first-party advertising and marketing, and \u00a7101(b)(17) covers third-party targeted advertising. \u00a0Unlike the other permissible purposes, the \u201cduty of loyalty\u201d doesn\u2019t currently let companies or non-profits use sensitive data for these purposes. Still, because they&#8217;re permissible purposes, companies can use non-sensitive data for advertising without consent (although like CPRA, ADPPA does provide an opt-out for targeted advertising (204(c))). 
What are the implications?<\/li>\n<\/ul>\n<h2 id=\"cynicism-is-justified\">Cynicism is justified<\/h2>\n<p>Maybe I\u2019m just being cynical to think that industries that make money by exploiting people\u2019s data are trying to get loopholes into ADPPA that let them legally exploit as much data as possible without asking for consent. \u00a0Perhaps data brokers and surveillance-industrial complex companies won\u2019t try to take advantage of the exceptions for \u201cinternal research\u201d, \u201ctrespass,\u201d \u201cfraud,\u201d \u201cillegal activity\u201d and government contractors. \u00a0Or maybe ADPPA\u2019s standards of \u201cstrictly necessary\u201d for sensitive data, and \u201creasonably necessary\u201d for non-sensitive data are strong enough to prevent shenanigans.<\/p>\n<p>But then again, as<a href=\"https:\/\/www.protocol.com\/newsletters\/policy\/cloud-enterprise-privacy\"> What Microsoft, IBM and others won as the privacy bill evolved<\/a> and<a href=\"https:\/\/www.politico.com\/news\/2022\/08\/28\/privacy-bill-triggers-lobbying-surge-by-data-brokers-00052958\"> Privacy bill triggers lobbying surge by data brokers<\/a> discuss, there\u2019s been a heckuva lot of lobbying to weaken ADPPA since it was first introduced, with <a href=\"__GHOST_URL__\/what-about-the-elephant\/#weakening\">a fair amount of success<\/a> \u2013 and the next version of ADPPA may be even weaker. Especially if you look at the past behavior of the entities this bill is trying to regulate \u2013 and the way big tech has pushed weak privacy legislation across the country \u2013 it\u2019s clear that cynicism is justified.<\/p>\n<p>So it would be great to see some more detailed legal analysis of ADPPA\u2019s data minimization sections. If there are some issues, there\u2019s still time to amend ADPPA; there may well be existing language in other bills worth looking at. 
\u00a0For example, California\u2019s CPRA limits the \u201cserious harm\u201d exception to sharing data with law enforcement (as opposed to ADPPA which also allows sharing data to vigilantes), and puts in some process requirements for emergency requests. HIPAA similarly only allows sharing with law enforcement, and then only \u00a0if there\u2019s a warrant, subpoena, or summons. These all seem like potential \u00a0improvements to ADPPA\u2019s current protections.<\/p>\n<p>Of course there\u2019s also the political aspect: even if it turns out that improvements are needed to better protect people at risk, are the votes there? \u00a0It\u2019s hard to know. Stay tuned!<\/p>\n<hr>\n<p>* \u00a0For example, ADPPA exempts \u00a0\u201cde-identified\u201d data, employee data including benefits information, publicly available information, and inferences from publicly available information (\u00a72(9)). It also exempts government agencies, banks, airlines, and other businesses not regulated by the FTC Act (\u00a72(9)). \u00a0And, when a covered entity is collecting, processing, or transferring data on behalf of a government agency or another covered entity, they\u2019re not considered a covered entity; they\u2019re a <em>service provider<\/em> instead.<\/p>\n<p>** Note that ADPPA&#8217;s definition of &#8220;third party&#8221; specifically excludes affiliates. \u00a0Also, when a service provider collects, processes, or transfers data on behalf of a business, non-profit, or government agency, they\u2019re also not considered a third party. \u00a0These are both potential cans of worms on their own \u2013<a href=\"https:\/\/www.eff.org\/deeplinks\/2022\/07\/americans-deserve-more-current-american-data-privacy-protection-act\"> EFF has concerns<\/a> that an amendment to the latest version gives service providers much more leeway than it should. 
But this writeup is already long and complex enough that I\u2019ll save this discussion for a potential future post.<\/p>\n<p>*** the \u201cduty of loyalty\u201d only allows collection and processing for permissible purposes (1)-(12) and (14), so these other purposes are excluded<\/p>\n<p>**** The private right of action \u00a0<em>doesn&#8217;t<\/em> apply to violations of data minimization (\u00a7209(e)(1)), but does to the \u201cduty of loyalty\u201d<\/p>\n<p>***** \u00a7102(1), \u00a7203(E)(1)(e), \u00a7203(E)(3)(A)(vi), and \u00a7209(b)(2). \u00a0<a href=\"https:\/\/media-exp1.licdn.com\/dms\/document\/C4E1FAQG-kcljte035A\/feedshare-document-pdf-analyzed\/0\/1658364628458?e=1661990400&amp;v=beta&amp;t=rw5yxfubj0O4f0wUTkGNr1XoCc3eC0MtfVRIGhDNRkM\"> The redlined version from IAPP and Future of Privacy Forum<\/a> is very useful for looking at how the bill is changing over time!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of ADPPA&#8217;s strong points is its focus on data minimization. \u00a0This principle has been a bedrock of privacy law as one of the Fair Information Practices since the 1970s, and is also included in Europe\u2019s GDPR and California\u2019s CPRA. 
ADPPA complements data minimization with a \u201cduty of loyalty\u201d, a powerful and relatively-recent innovation in [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[458,459],"class_list":["post-4069","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-adppa","tag-federal-privacy-legislation"],"_links":{"self":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/4069","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/comments?post=4069"}],"version-history":[{"count":0,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/4069\/revisions"}],"wp:attachment":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/media?parent=4069"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/categories?post=4069"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/tags?post=4069"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}