My Privacy & Security Brainiacs team has been tracking US federal bills proposed by Congress that mention privacy in some way. They are either wholly about privacy-related issues or include privacy protections, deprivations, or considerations as part of the bill. So far in 2022, through July 17, there have been at least 168 bills introduced by US federal lawmakers that in some way mention and impact privacy. Of these, only a few are what is generally considered “comprehensive,” meaning they regulate the collection, use and disclosure of personal information by businesses and explicitly establish a set of consumer/individual rights over collected data, such as the right to access, correct, and delete personal information collected by businesses.
The concept of establishing a comprehensive privacy (or “data protection” as with GDPR in the EU) regulation within the US has been a longtime hope for replacing the current huge and growing patchwork of state-level, industry-specific, and data-item-specific laws, regulations and standards with one simplified and harmonized US regulation. I’ve been discussing this possibility with others in the industry since way back in 2005, when more states started enacting their own breach notice laws after California SB 1386 was the first in the US to go into effect in 2003. Now there are literally hundreds of local, state and federal privacy and cybersecurity laws and regulations within the US. It certainly would make security, privacy, compliance and audit professionals’ lives much easier to have one overarching regulation applicable to all organizations, wouldn’t it? It would also help the general public to understand the obligations of all types of organizations to protect individuals’ personal data and privacy.
In addition to those US federal comprehensive privacy bills, there are also at least a couple of bipartisan groups drafting other comprehensive bills that have not been introduced officially yet. One that has made the news a lot lately is the draft American Data Privacy and Protection Act (ADPPA). This particular draft, unlike the other bills that have already been officially introduced, has garnered the attention of some business associations. This includes the world’s largest business association with over 65,000 members, the US Chamber of Commerce (Chamber), which recently wrote to object to the ADPPA. It singled out two specific proposed parts of the draft, which it said were “unworkable and should be rejected”:
- Preemption of state laws
- Rights of individuals to sue over violations
That the Chamber was concerned enough about these issues to write a formal letter indicates it believes that, even though the ADPPA is still a draft, there is a good likelihood it will become a bill that is eventually enacted into law. Let’s inspect these two topics within the draft ADPPA, see why there is such opposition, and consider what compliance, security, privacy and audit professionals should take from them.
Preemption of state laws
As currently drafted, states and “political subdivisions of a State” generally would not be able to establish, enforce or “continue in effect” any of their legal requirements that are covered in the provisions of the ADPPA, with exceptions. And there are many exceptions! The exceptions include the following types of legal requirements that would be allowed to continue to be enforced within states and localities, as summarized in the bipartisan discussion draft:
“generally applicable consumer protection laws; civil rights laws; employee and student privacy protections; data breach notification laws; contract and tort law; criminal laws regarding fraud, theft, identity theft, unauthorized access to electronic devices, and unauthorized use of personal information; laws on cyberstalking, cyberbullying, nonconsensual pornography, and sexual harassment; unrelated public sector and safety laws; laws addressing public records and criminal justice information; laws addressing bank, financial, and tax records, Social Security numbers, credit cards, credit reporting, credit repair, credit clinics, and check-cashing services; facial recognition, electronic surveillance, wiretapping, and telephone monitoring laws; the Illinois Biometric and Genetic Information Privacy Acts; laws addressing unsolicited email and phone calls; laws addressing medical information, records, and HIV status or testing; the confidentiality of library records; and Section 1798.150 of the California Civil Code, as amended. State common law rights or remedies and statutes creating remedies for civil relief are not preempted.”
This certainly is a long list! The only state laws specifically named as exceptions are Illinois’ biometric privacy protection act and a specific section of California’s data breach privacy law.
Organizations have long needed, and increasingly need, one comprehensive national privacy regulation. Given all these listed exceptions, however, the draft would provide yet another regulation with which all organizations would need to comply, in addition to all the other existing legal requirements applicable to each, with possibly a few specific exceptions. The ultimate effect would be that any type of entity holding information that could be associated with an individual, including organizations in any industry not currently covered by another US legal requirement, would now be bound to implement privacy and data security protections. So, in essence, it would be a widespread privacy protections gap filler.
The concept probably sounds ideal and quite beneficial to the lawmakers who participated in creating the draft. However, from a practitioner’s view, this would not create harmonization, which is what has been direly needed from both a consumer and a data risk management perspective. Instead, it would add yet another regulation, which would require another round of analysis to identify where it would apply and where it wouldn’t because other legal requirements are already in place and must continue to be followed.
While this may not be “unworkable” as the Chamber described it, it would certainly add more complexity and time to implement and then manage in addition to all those other privacy legal requirements—one more regulation and set of analyses to perform to make practitioners’ lives even more complicated than they are today. To truly make a new comprehensive privacy/data protection regulation effective and practical to implement throughout all types of organizations, it would need to, at a minimum, preempt state and local laws addressing the same issues.
Right of individuals to sue over violations
As currently drafted, the ADPPA includes a private right of action, giving individuals and classes of persons the ability to sue organizations for alleged violations of the requirements that caused some type of injury to them. Such private right of action would become enforceable four years after the bill becomes law. The draft lists three forms of relief a court could award a plaintiff who wins such a lawsuit:
- an amount equal to the sum of any compensatory damages;
- injunctive or declaratory relief; and
- reasonable attorney’s fees and litigation costs.
This type of right generally aligns with data protection regulations outside the US, under which individuals can bring actions against an organization for non-compliance with the rights the regulation establishes; here, the action could be brought “in any Federal court of competent jurisdiction” by someone who has suffered some type of injury as a result. While this would be a huge change, and in the view of many a great improvement for individuals’ privacy and cybersecurity rights in the US, it still has some conditions not found in many of the comprehensive data protection bills in other countries. For example, this draft requires that the action be brought by “any person or class of persons who suffers an injury that could” have been prevented if the accused entity had complied with the requirements of the regulation. Data protection regulations in some other countries allow such privacy actions simply for non-compliance, without demonstrating injury.
Providing such a right of civil action would bring some alignment with other countries’ data protection regulations, with which a growing number of US-based organizations must currently comply anyway. The need to demonstrate injury would likely limit, possibly significantly, the situations that “encourage abusive class action lawsuits,” as the Chamber put it in its letter opposing this part of the draft ADPPA. Overall, such a right could strengthen compliance efforts in organizations, which would in turn make such lawsuits less likely.
As a side note, I’m surprised the Chamber did not object to the concept of “data ownership” that is covered in Section 203.
A comprehensive US privacy regulation must be feasible and apply to real life
In general, key revisions to the ADPPA draft would make it more practical for practitioners to implement and then manage on an ongoing basis. At a minimum, these would include incorporating the common-denominator requirements of all those exempted existing laws into the text of the regulation and then removing most of the exemptions. This will take serious and thoughtful consideration by the groups drafting such a regulation, and it will require them to speak with actual practitioners to obtain experienced perspectives on how the proposed requirements would work in actual use across a wide range of organizations.
Lawmakers need to have the appetite for such learning and for applying real-life use cases to create what would truly be a harmonized and feasible comprehensive privacy regulation. It would also effectively provide privacy protections and give all US residents rights over how information about them is collected, processed, used, shared and retained.