{"id":4123,"date":"2022-11-14T07:23:24","date_gmt":"2022-11-14T07:23:24","guid":{"rendered":"https:\/\/2024.thenexus.today\/index.php\/2022\/11\/14\/the-elephant-and-the-lame-duck\/"},"modified":"2022-11-14T07:23:24","modified_gmt":"2022-11-14T07:23:24","slug":"the-elephant-and-the-lame-duck","status":"publish","type":"post","link":"https:\/\/2024.thenexus.today\/index.php\/2022\/11\/14\/the-elephant-and-the-lame-duck\/","title":{"rendered":"The elephant and the lame duck: ADPPA after the midterms (a federal privacy legislation update)"},"content":{"rendered":"<blockquote><p>It could well be that [lobbyists] are just posturing, and the industry plan is to demand concessions on other fronts in return for a &#8220;compromise&#8221; on preemption.<\/p>\n<p>\u2013 me, in <a href=\"__GHOST_URL__\/a-fresh-wrench-and-two-hearings\/#what-next-on-preemption\">A &#8220;fresh wrench&#8221;, two hearings, and a busy week<\/a>, July 17<\/p><\/blockquote>\n<p>Congress heads back to DC this week for the lame duck session. The Democrats did much better than expected in the midterms because so many voters are passionate about protecting reproductive freedom after the Supreme Court&#8217;s decision ending Roe. Will Congressional Democrats show their appreciation by passing <a href=\"https:\/\/nexusofprivacy.net\/adppa-post-roe-threats\/\">a privacy bill that fails to protect against post-Roe threats<\/a>?<\/p>\n<p>It doesn&#8217;t seem like a very good idea to me &#8230; but it seems like they&#8217;re giving it a try.<\/p>\n<ul>\n<li>Alfred Ng&#8217;s \u00a0paywalled story today on Politico Pro <a href=\"https:\/\/subscriber.politicopro.com\/article\/2022\/11\/lawmakers-want-to-squeeze-in-privacy-bills-before-end-of-congress-00066730\">reports<\/a> that the sponsors of the American Data Privacy and Protection Act (ADPPA) are going to take one last try at getting it through.* <\/li>\n<li>As <a href=\"__GHOST_URL__\/adppa-post-roe-threats\/\">How well does ADPPA protect against post-Roe threats?<\/a> discusses, loopholes in the current version of ADPPA leave pregnant people and abortion care providers at risk. <\/li>\n<\/ul>\n<p>It&#8217;s quite possible that most Congressional Democrats don&#8217;t even know this is an issue with ADPPA. There&#8217;s been so little discussion about it that I call it the elephant in the room. Instead, most of the discussion has focused on how the current version preempts current and future California privacy laws.<\/p>\n<p>Speaker Pelosi and the California delegation have quite rightly said is a non-starter. \u00a0So unless there&#8217;s some kind of breakthrough in negotiations, ADPPA&#8217;s not going anywhere this session. But who knows, maybe the sponsors have a card up their sleeve &#8230; <\/p>\n<p>We&#8217;ll get back to preemption and ADPPA&#8217;s chances of passing below \u2013 along with some lessons from our experiences here in Washington state. But first, let&#8217;s talk about the elephant. \u00a0<\/p>\n<h2 id=\"does-adppa-protect-against-post-roe-privacy-threats\">Does ADPPA protect against post-Roe privacy threats?<\/h2>\n<blockquote><p>Sen. Ron Wyden, D-Ore., who has previously expressed he would not vote for the House version of the bill, has similar concerns about the exemption of de-identified data.<\/p>\n<p>\u201c[T]his loophole could allow data brokers to sell location data to the government about visits to reproductive health facilities, for example, or other private information that is trivially easy to connect to individuals,\u201d a Wyden aide wrote in an email to CyberScoop. \u201cHe strongly believes this must be fixed before any legislation becomes law.\u201d<\/p>\n<p>\u2013 Tonya Riley, <a href=\"https:\/\/cyberscoop.com\/privacy-data-brokers-house-ftc-commerce\">Federal privacy legislation progresses, but concerns about data brokers loom<\/a> on CyberScoop <\/p><\/blockquote>\n<p>Sen. Wyden&#8217;s usually right about stuff like that \u2013 and the de-identified data loophole is one only of the ways ADPPA falls short. <\/p>\n<p>Here are a \u00a0few more, from <a href=\"__GHOST_URL__\/adppa-post-roe-threats\/\">How well does ADPPA protect against post-Roe threats?<\/a>. \u00a0In the chart below, <strong>\u274c <\/strong>means &#8220;<em>no&#8221; <\/em>and <strong>\u2753 <\/strong>means<strong> &#8220;<\/strong><em>I\u2019m not sure or it&#8217;s complex&#8221;<\/em><\/p>\n<ul>\n<li>\u274c Does ADPPA prevent prosecutors and law enforcement in states that have criminalized abortion from buying location data and targeting people who visit reproductive health care centers? \u00a0<strong>NO.<\/strong><\/li>\n<li>\u274c When people travel out of state to get abortions, does ADPPA protect their data? \u00a0<strong>NO.<\/strong><\/li>\n<li>\u274c Does ADPPA allow pregnant people to force companies to delete data that might put them at risk? \u00a0<strong>NO.<\/strong><\/li>\n<li>\u274c Does ADPPA protect pregnant people and abortion providers from risks of automated license plate readers (ALPRs)? \u00a0<strong>NO.<\/strong><\/li>\n<li>\u2753Does ADPPA prevent anti-abortion \u201ccrisis pregnancy centers\u201d from sharing data with vigilantes and law enforcement? \u00a0Maybe, but there&#8217;s a potential looploe they could exploit.<\/li>\n<li>\u2753Will ADPPA hold \u201ccrisis pregnancy centers\u201d who break the law and violate people\u2019s privacy accountable? Maybe, but when you look at it closely it&#8217;s not clear.<\/li>\n<li>\u274c Will ADPPA prevent law enforcement from accessing people&#8217;s private messages to investigate whether they got an abortion? <strong>NO.<\/strong><\/li>\n<\/ul>\n<p><a href=\"__GHOST_URL__\/adppa-post-roe-threats\/\">The full post<\/a> goes into detail on all of these. \u00a0At a high level, though, this summary from Kim Clark of Seattle-based Legal Voices (quoted in Orion Donovan-Smith\u2019s Spokane <a href=\"https:\/\/www.spokesman.com\/stories\/2022\/jul\/25\/historic-data-privacy-law-could-be-within-reach-if\/\"><em>Spokesman-Revi<\/em>ew article<\/a>) nails it:<\/p>\n<blockquote><p>\u201cThis bill, at least from the perspective of pregnant people, it really doesn\u2019t do much\u201d<\/p><\/blockquote>\n<h2 id=\"but-wait-theres-more\">But wait, there&#8217;s more<\/h2>\n<p>ADPPA&#8217;s failure to protect against post-Roe threats is only one of the problems with the current version of the bill. \u00a0<\/p>\n<p>To start with, the de-identified data loophole Sen. Wyden warns about has a lot of other consequences too. \u00a0Joseph Cox&#8217; <a href=\"https:\/\/www.vice.com\/en\/article\/jgqm5x\/us-military-location-data-xmode-locate-x\">How the U.S. Military Buys Location Data from Ordinary Apps<\/a> on <em>VICE Motherboard<\/em> looks at how de-identified data was used to target Muslims. Sara Morrison&#8217;s <a href=\"https:\/\/www.vox.com\/recode\/22587248\/grindr-app-location-data-outed-priest-jeffrey-burrill-pillar-data-harvesting\">This outed priest\u2019s story is a warning for everyone about the need for data privacy laws<\/a> \u00a0on <em>Vox <\/em>highlights the potential impact on LGBTAIQ2S+ people. \u00a0As EFF&#8217;s Bennett Cyphers <a href=\"https:\/\/www.eff.org\/deeplinks\/2022\/08\/inside-fog-data-science-secretive-company-selling-mass-surveillance-local-police\">says<\/a>,<\/p>\n<blockquote><p>Academic researchers have shown <a href=\"https:\/\/www.osti.gov\/pages\/servlets\/purl\/1095747\">over<\/a> and <a href=\"https:\/\/link.springer.com\/chapter\/10.1007\/978-3-642-27576-0_3\">over again<\/a> that de-identified or \u201canonymized\u201d location data <a href=\"https:\/\/dl.acm.org\/doi\/10.1145\/2030613.2030630\">still poses privacy risks<\/a>.<\/p><\/blockquote>\n<p>But wait, there&#8217;s more:<\/p>\n<ul>\n<li><a href=\"https:\/\/thenexusofprivacy.net\/adppa-impact-assessments-and-civil-rights\/\"><strong>ADPPA\u2019s algorithmic impact assessments are too weak to make its civil rights protections against anti-discrimination real<\/strong><\/a>. \u00a0ADPPA lets companies like Facebook do their own analysis of whether their algorithms are discriminatory \u2013 and exempts government contractors from having to do <em>any <\/em>algorithimic impact<em> <\/em>assessments. What could possibly go wrong? <a href=\"https:\/\/thenexusofprivacy.net\/comments-for-ftc-public-forum-for-commercial-surveillance\/\">Automated Systems and Discrimination<\/a> goes into more detail on how ADPPA falls short of the standards the of the AI Bill of Rights recently released by the White House Office of Science and Technology Policy.<\/li>\n<li><strong>ADPPA puts up barriers to state Attorneys General enforcing the law<\/strong>.** AGs from states including Connecticut, Illinois, Maine, Massachusetts, Nevada, New Mexico, New Jersey, New York, and Washington warned in a July 19 letter that the current version of the bill appears to <a href=\"https:\/\/oag.ca.gov\/system\/files\/attachments\/press-docs\/Letter%20to%20Congress%20re%20Federal%20Privacy.pdf\">\u201csubstantially preempt many states\u2019 ability to investigate\u201d and \u201cunnecessarily interferes with robust enforcement capabilities.\u201d<\/a>\u200b\u200b<\/li>\n<li><strong>ADPPA doesn&#8217;t protect LGBTAIQ2S+ people \u2013 <\/strong>and the de-identified data loophole is only one of the many reasons why. <a href=\"https:\/\/thenexusofprivacy.net\/adppa-with-a-queer-lens\/\">Stress-testing ADPPA with a queer lens<\/a> discusses how ADPPA stacks up against threats to queer people Antoine Prince Albert III wrote about in <a href=\"https:\/\/publicknowledge.org\/hiding-out-a-case-for-queer-experiences-informing-data-privacy-laws\">Hiding OUT: A Case for Queer Experiences Informing Data Privacy Laws<\/a>.<\/li>\n<li><strong>ADPPA&#8217;s &#8220;internal research&#8221; exemption arguably undermines the entire purpose of privacy legislation \u2013 <\/strong>at least according to<strong> <\/strong>Washington Attorney General Ferguson&#8217;s <a href=\"https:\/\/www.documentcloud.org\/documents\/22111995-ferguson-privacy-letter-to-4-corners_6-24-2022\">June 24 letter<\/a> to Congress. \u00a0<a href=\"__GHOST_URL__\/adppa-data-minimization\/\">ADPPA\u2019s data minimization and duty of loyalty<\/a> goes into detail.<\/li>\n<\/ul>\n<p>The <a href=\"https:\/\/indipluswa.medium.com\/washington-indivisible-federal-privacy-one-pager-add67a8c1453\">Washington Indivisible federal privacy &#8220;one-pager<\/a>&#8220;, from a briefing with staffers I helped arrange in September, has a longer list of issues and links to more references.<\/p>\n<h2 id=\"how-grand-is-the-bargain\">How grand is the bargain?<\/h2>\n<p>Like I mentioned above, it&#8217;s quite possible that most Congressional Democrats many of them don&#8217;t realize that these are issues. \u00a0When I brought up the loopholes leaving pregnant people at risk in a meeting staffers had with local Indivsible activists in July, it was news to them \u2013 which probably means the Congressperson they work for didn&#8217;t know about it either.<\/p>\n<p>And one of the favorite talking points for ADPPA supporters is &#8220;perfect is the enemy of the good,&#8221; encouraging Democrats to view not protecting the people who voted for them as a necessary &#8220;compromise&#8221; that has to be made to get anything through Congress. Cameron Kerry&#8217;s description of ADPPA as a \u201c<a href=\"https:\/\/twitter.com\/privacypen\/status\/1549237595418365952https:\/\/www.brookings.edu\/blog\/techtank\/2022\/06\/22\/endgame-on-the-narrowing-path-ahead-for-privacy-legislation\/\">grand bargain<\/a>\u201d is a good example of this framing:<\/p>\n<ul>\n<li>People all over the country get some protections including anti-discrimination (that probably can&#8217;t be enforced) and a very weak &#8220;private right of action&#8221; allowing them to sue companies (as long as they go through enough hoops, and as long as companies don&#8217;t require arbitration, which ADPPA allows them to do)<\/li>\n<li>In return, states like California and Maine (and cities like Seattle) who have passed stronger protections for their residents have to give them up. \u00a0And states like Washington, where we&#8217;re on track to pass strong cosumer privacy legislatin next year, have to give up any possibility of better protecting residents in the future.<\/li>\n<\/ul>\n<p>Of course Kerry uses somewhat different language that makes the bargain seem more attractive \u2013 and he leaves out a few important things. Nowhere in his article does he mention the post-Roe threats that aren&#8217;t addressed, the lesser protection LGBTAIQ2S+ people get under ADPPA, the barriers to AGs and privacy agencies enforcing the law, the exemptions for government contractors and other service providers, and so on.<\/p>\n<p>Factor all of that in, and it doesn&#8217;t seem like such a grand bargain to me. Other Washington privacy advocates also don&#8217;t think it&#8217;s a good deal. <\/p>\n<p>Then again, opinions differ. My Congresswoman, Rep. Suzan DelBene, supports ADPPA in its current form. Of course as well as representing me, Rep. DelBene also represents Microsoft and other businesses headquartered in her district, and is an honorary chair of tech-funded think tank Information Technology and Innovation Foundation (ITIF). \u00a0So my guess is she probably spends a lot more time listening to industry lobbyists than she does to constituents like me.<\/p>\n<h2 id=\"lobbyists-are-very-good-at-what-they-do-%E2%80%93-and-weve-learned-to-recognize-some-of-their-favorite-tactics\">Lobbyists are very good at what they do \u2013 and we&#8217;ve learned to recognize some of their favorite tactics<\/h2>\n<p>Most legislators and staffers spend a lot of time listening to lobbyists. \u00a0This is a huge problem for groups like EPIC and Lawyers&#8217; Comittee, who are in a tough position here, trying to move ADPPA forward while defending against <a href=\"https:\/\/www.politico.com\/news\/2022\/08\/28\/privacy-bill-triggers-lobbying-surge-by-data-brokers-00052958\">lobbyists&#8217; attempts to further weaken it<\/a>. \u00a0At least so far, <a href=\"https:\/\/www.protocol.com\/newsletters\/policy\/cloud-enterprise-privacy\">the lobbyists are winning<\/a>. <\/p>\n<p>We&#8217;ve got a lot of experience with this here in <a href=\"__GHOST_URL__\/the-view-from-the-other-washington-federal-privacy-legislation-adppa-update-6-22\/\">the other Washington<\/a>, where tech lobbyists and <a href=\"https:\/\/fpf.org\/about\/supporters\/\">industry-funded privacy groups like Future of Privacy Forum (FPF)<\/a> have spent years trying to get the Bad Washington Privacy Act (Bad WPA) through our legislature. \u00a0Over the years, we&#8217;ve learned to recongize some of their favorite tactics. <\/p>\n<p>Back in 2020, for example, AG Ferguson said that the Bad WPA was literally unenforceable. Microsoft framed it as &#8220;<a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2020\/01\/24\/washington-privacy-act-protection\/\">raising the bar for privacy in the United States<\/a> &#8220;and lauded its strong enforcement. \u00a0FPF said passing the Bad Washington Privacy Act would be a &#8220;<a href=\"https:\/\/fpf.org\/blog\/a-new-model-for-privacy-in-a-new-era-evaluating-the-washington-privacy-act\/\">significant achievement<\/a>&#8220;; the chart in their analysis, which they also sent to legislators, inaccurately claimed that the AG could enforce the bill. \u00a0The <a href=\"https:\/\/docs.google.com\/document\/d\/1m5uh5-AJ7__klJmsDzKwisL9unwacntL\/edit#\">disinfomation analysis<\/a> I did of a &#8220;quick summary&#8221; document lobbyists shared with legislators in 2021, and the fact-checking and the <a href=\"https:\/\/wapeoplesprivacy.org\/correcting-misleading-claims-in-wtias-seattle-times-op-ed\/\">misleading claims in Washington Tech Industry Association &#8216;s 2022 op-ed <\/a>(fact-checked \u00a0<a href=\"https:\/\/www.aclu-wa.org\/story\/fact-check-was-leadership-privacy-legislation\">here<\/a> by Jennifer Lee of ACLU of Washington and Maya Morales of WA People&#8217;s Privacy), are two more good examples. \u00a0<\/p>\n<p>And these lobbying tactics work, too. Almost every Washington state legislator I&#8217;ve talked to over the years initially thought the Bad WPA was a lot stronger than it actually was. Fortunately we&#8217;ve been able to spend enough time with them that they&#8217;ve seen through the spin and our Legislature has rejected the Bad Washington Privacy Act four years in a row &#8230; but that&#8217;s a lot easier with state legislators than it is with Congress. \u00a0Other states haven&#8217;t been so successful. \u00a0<a href=\"https:\/\/www.reuters.com\/investigates\/special-report\/amazon-privacy-lobbying\/\">Virginia&#8217;s privacy law was drafted by Amazon<\/a>, and it whisked right through.***<\/p>\n<p>Lobbyists are taking a similar approach with ADPPA. ITIF, for example, <a href=\"https:\/\/itif.org\/publications\/2022\/06\/06\/american-data-privacy-and-protection-act-review-part-1-state-preemption-and-private-right-of-action\/\">described<\/a> the June draft of ADPPA as having &#8220;strong enforcement measures&#8221; even though it explicitly prevented California Privacy Policy Agency (CPPA, by far the strongest and largest state privacy regulator in the country) from enforcing it \u2013 and even though it would substantially preempt state AGs&#8217; ability to investigate and unnecessarily interfere with their robust enforcement capabilities. Hey wait a second, I&#8217;m noticing a pattern here!****<\/p>\n<p>Another game lobbyists are playing is to focus the discussion on comparisons between ADPPA and state legislation. \u00a0This tactic has been very effective at putting the privacy and civil liberties organizations who support ADPPA into a position where they&#8217;re mostly talking about the bill&#8217;s strengths rather than weaknesses.***** Even better, from lobbyists&#8217; perspective, the more people are comparing ADPPA to other bills, or arguing about preemption, the less attention the elephant gets.<\/p>\n<h2 id=\"okay-now-we-can-talk-about-preemption\">Okay, now we can talk about preemption<\/h2>\n<blockquote><p>It could well be that &#8230; the industry plan is to demand concessions on other fronts in return for a &#8220;compromise&#8221; on preemption: add California&#8217;s privacy law to the already-long list of preemption exceptions, give the California Privacy Protection Agency the authority they need, and hangs Maine, Washington, and all the other states that also don&#8217;t want to be preempted out to dry.<\/p>\n<p>\u2013 me, in <a href=\"__GHOST_URL__\/a-fresh-wrench-and-two-hearings\/#what-next-on-preemption\">A &#8220;fresh wrench&#8221;, two hearings, and a busy week<\/a>, July 17<\/p><\/blockquote>\n<p>Pelosi and California Democrats have made it clear <a href=\"https:\/\/www.politico.com\/story\/2019\/02\/21\/congress-data-privacy-california-1185943\">since 2019<\/a> that they wouldn&#8217;t accept a bill that preempts California&#8217;s law this position. \u00a0So why did everybody pretend to be so surprised with this &#8220;fresh wrench&#8221; cropped up again in July? <\/p>\n<p>My guess at the time was that lobbyists were trying to set things up so that they could announce a &#8220;dramatic&#8221; last-minute &#8220;compromise&#8221; on ADPPA. \u00a0And sure enough, starting in September, articles like the LA Times editorial <a href=\"https:\/\/www.latimes.com\/opinion\/story\/2022-09-12\/editorial-congress-fix-data-privacy-bill-preempt-california\">Congress must fix data privacy bill so it doesn\u2019t hurt Californians<\/a> have been suggesting a waiver for California \u2013 and perhaps allowing other states to choose to adopt California&#8217;s law as an alterntative to the federal law. \u00a0Who could have predicted?<\/p>\n<p>To be clear: giving California a waiver doesn&#8217;t address the preemption concerns of other states \u2013 or of cities and counties, in California or elsewhere. \u00a0All it does is maybe get California&#8217;s delegation on board, and make corporations&#8217; life easier. \u00a0As Maya Morales of WA People&#8217;s Privacy says, <a href=\"https:\/\/wapeoplesprivacy.org\/our-public-comment-in-historic-ccpa-meeting\/\">preemption privileges the needs of corporations over the needs of people<\/a>.<\/p>\n<p>Of course, industry will frame any &#8220;compromise&#8221; as a major concession, and so they&#8217;ll almost certainly demand other areas of ADPPA get further weakened. If we do see a new version, it wouldn&#8217;t surprise me if the algorithmic impact assessments are even weaker \u2013 or perhaps removed entirely. \u00a0And it&#8217;ll be very interesting to see what new loopholes and exemptions get put in.<\/p>\n<h2 id=\"reading-the-political-tea-leaves\">Reading the political tea leaves<\/h2>\n<p>If lobbyists play their cards right, and there really is an &#8220;unexpected breakthrough&#8221; on \u00a0preemption waiting in the wings, then maybe the possibility of actually being able to pass <em>something <\/em>will keep groups like EPIC Privacy and Lawyers&#8217; Committee on board despite the weaknesses they acknowledge in the bill. That in turn might give Democratic legislators cover to ignore the elephant and pass a bill that doesn&#8217;t protect against post-Roe threats (and gives lesser protections to LGBTAIQ2S+ people, allows companies like Facebook to self-assess whether their algorithms are discriminatory, puts up barriers to Democratic AGs to enforce it etc etc etc). \u00a0After all, &#8220;perfect is the enemy of the good&#8221; \u2013 and even though West Coast privacy organizations like EFF and WA People&#8217;s Privacy oppose ADPPA, Congress often pays more attention to DC-based groups. \u00a0<\/p>\n<p>The most likely way for ADPPA to move forward at this point is to attach it to the omnibus appropriations bill \u00a0(as Senators Blumenthal and Markey are reportedly trying to do with COPPA 2.0).****** From lobbyists&#8217; perspective, this has the advantage of minimizing how much scrutiny the bill gets \u2013 no need for a hearing or markup in the Senate, and the omnibus bill is so huge that there wouldn&#8217;t be time for any discussions about the elephant or anything else.<\/p>\n<p>Then again, there&#8217;s not a lot of time in the session, and there&#8217;s a lot of other stuff on Congress&#8217; plate. So it&#8217;s quite possible that ADPPA <em>won&#8217;t <\/em>actually move forward at all in the lame duck session.<\/p>\n<p>At this point, it seems to me that would be the best outcome. \u00a0The power balance in Congress next session is still up in the air as I write this, and they might well get deadlocked again on privacy. \u00a0But states aren&#8217;t waiting for Congress to act, and some of the new bills being considered are quite strong \u2013 for example, <a href=\"https:\/\/www.atg.wa.gov\/news\/news-releases\/ag-ferguson-rep-slatter-sen-dhingra-propose-legislation-protect-washingtonians\">Washington&#8217;s proposed health data privacy law completely bans sales of health data<\/a> and requires opt-in to collect or share it. \u00a0And that means the conversations in DC next session could be very different.<\/p>\n<p>Still, industry has enough to gain from passing a weak preemptive federal privacy bill that they won&#8217;t give up easily. \u00a0Late-session negotiations in Washington state have featured some spectacular shenanigans \u2013 like the time in 2021 when <a href=\"https:\/\/indipluswa.medium.com\/indivisibles-say-pass-hb-1277-to-mitigate-harm-on-vulnerable-communities-from-eviction-2956bc5db1c8\">Bad WPA sponsor Sen. Reuven Carlyle (D-Amazon) tried to hold funding for eviction protection hostage<\/a> to get his colleagues to pass his bill. \u00a0So we&#8217;ll see what happens. <\/p>\n<p>Maybe nothing! \u00a0<\/p>\n<p>But as we &#8216;ve learned time and again here in Washington state, <a href=\"https:\/\/wa-privacy.net\/it-aint-over-till-its-over\/\">it ain&#8217;t over &#8217;til its over<\/a>. <\/p>\n<hr>\n<p><em>Image credit: Savanna elephant in Kruger National Park, South Africa. By Felix Andrews (<a href=\"http:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\">CC-BY-SA-3.0<\/a>) via <a href=\"http:\/\/commons.wikimedia.org\/wiki\/File:Elephant_side-view_Kruger.jpg\">Wikimedia Commons<\/a>.<\/em><\/p>\n<h2 id=\"notes\">Notes<\/h2>\n<p>* In his Washington Post <a href=\"https:\/\/acrosstheaislesept29.splashthat.com\/\">Across the Aisle<\/a> discussion in September, ADPPA co-sponsor House Energy &amp; Commerce Chair Frank Pallone (D-NJ) had confidence that there was enough time to get the bill through in the lame duck session so this doesn&#8217;t come as a complete suprise.<\/p>\n<p>** \u00a7404(b)(2)(A): \u201ca violation of this Act shall not be pleaded as an element of any such cause of action.&#8221; \u00a0The AG&#8217;s letter says:<\/p>\n<blockquote><p>In many states, the Attorney General\u2019s office uses civil investigative demands under its consumer protection authority to demand documents or information from entities when we believe there could have been a violation of a law. Ordinarily, a violation of a federal law or standard could also be a violation of state consumer protection law. But Section 404 would act as a bar to investigate violations of the federal law, because it prohibits them from forming the basis for state consumer protection claims. This language unnecessarily interferes with robust enforcement capabilities.<\/p><\/blockquote>\n<p>We&#8217;re especially annoyed by this in Washington because after a big legislative battle over exactly this issue in 2020<em> (<\/em>which I&#8217;ll discuss later in the post), big tech conceded on this here in 2021! \u00a0So even though it&#8217;s not surprising, it&#8217;s still kind of annoying to discover that tech lobbyists&#8217; fingers were crossed. \u00a0<\/p>\n<p>*** There&#8217;s an interesting backstory here. An Amazon lobbyist gave a copy of the Bad Washington Privacy Act to a Virginia state legislator, and after weakening it they quickly passed the Even Worse Virginia Privacy Act. \u00a0So if the Virginia bill was drafted by Amazon, what does that say about the Washington bill? \u00a0For what it&#8217;s worth, Bad Washington Privacy Act sponsor Sen. Reuven Carlyle (now retired after going 0-for-4 trying to pass his signature legislation) represents Amazon\u2019s district and considers their lobbyist Guy Palumbo a <a href=\"https:\/\/twitter.com\/Reuvencarlyle\/status\/1131950017437163520\">treasured friend<\/a>. \u00a0But maybe that\u2019s all just a coincidence. <\/p>\n<p>**** \u00a0The current version is slightly better: It allows CPPA and other state privacy agencies to enforce the bill, which is good, although the barriers to AG enforcement may effect them as well. \u00a0But as discussed earlier, it still has the same barriers to AG enforcement.<\/p>\n<p>*****Jon Leibowitz (co-founder of the <a href=\"https:\/\/www.theatlantic.com\/politics\/archive\/2015\/05\/the-privacy-coalition-that-wants-to-trim-data-regulations-for-telecom-giants\/456477\/\">21st Century &#8220;Privacy&#8221; Coalition<\/a>, whose <a href=\"https:\/\/stopthecap.com\/2017\/07\/19\/californias-internet-privacy-legislation-undermined-industry-funded-privacy-group\/\">funders<\/a> include Comcast, AT&amp;T, Verizon, Time Warner Cable\/Charter Communications, and DirecTV and their respective trade associations) was very candid about this tactic in his <a href=\"__GHOST_URL__\/a-fresh-wrench-and-two-hearings\/#lobbyists-gonna-lobby\">February Wall Street Journal op-ed<\/a>. \u00a0 <\/p>\n<p>Cristiano Lima&#8217;s <a href=\"https:\/\/www.documentcloud.org\/documents\/22087567-advocates-memo-comparing-federal-privacy-bill-with-california-law\">Federal privacy bill trumps California\u2019s law, advocates say<\/a>, from mid-July in the Washington Post, is a high-profile example of how these techniques work together. It linked to a detailed <a href=\"https:\/\/www.documentcloud.org\/documents\/22087567-advocates-memo-comparing-federal-privacy-bill-with-california-law\">comparison<\/a> making a misleading claim that ADPPA was better than California&#8217;s laws in 13 of 15 areas. \u00a0The authors&#8217; <a href=\"https:\/\/www.documentcloud.org\/documents\/22087567-advocates-memo-comparing-federal-privacy-bill-with-california-law\">revised version<\/a> walking back several of these claims, but of course that didn&#8217;t get mentioned by the Washington Post. \u00a0Neither did Californians for Consumer Privacy&#8217;s later analysis, which came to the opposite conclusion: <a href=\"https:\/\/www.caprivacy.org\/analysis-shows-cpra-is-significantly-stronger-than-adppa\/\">California&#8217;s law is stronger than ADPPA in 23 of 25 areas<\/a>. \u00a0This is a fun game to play \u2013 One out of six ain&#8217;t good is my contribution \u2013 but also serves as a distraction from the elephant and other questions about whether ADPPA actually protects people. <\/p>\n<p>****** Technically there&#8217;s just enough time that it could go the normal route: the House passes it, the Senate Commerce Committee marks it up, the Senate passes it, and if necessary the chambers reconcile any differences. \u00a0But this could be challenging, both from a timing perspective and because Senate Commerce Committee Chair Maria Cantwell has been resolute about not supporting a preemptive bill that would preempt Washington state \u2013 so they&#8217;d either have to convince her that the &#8220;compromise&#8221; is good enough or drop preemption completely. \u00a0Unanimous consent, which lets them skip some steps of the process, can speed things up, but it requires consent of <em>all<\/em> members, so it&#8217;s even more unlikely to happen.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It could well be that [lobbyists] are just posturing, and the industry plan is to demand concessions on other fronts in return for a &#8220;compromise&#8221; on preemption. \u2013 me, in A &#8220;fresh wrench&#8221;, two hearings, and a busy week, July 17 Congress heads back to DC this week for the lame duck session. The Democrats [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[458],"class_list":["post-4123","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-adppa"],"_links":{"self":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/4123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/comments?post=4123"}],"version-history":[{"count":0,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/4123\/revisions"}],"wp:attachment":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/media?parent=4123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/categories?post=4123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/tags?post=4123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}