A federal comprehensive privacy law in the United States? Can it really be true? Could this finally be the time it happens?
Eventually, maybe the lion really will lie down the lamb. Maybe the Loch Ness Monster will be located. Maybe Congress will finally join 150+ other countries around the world and pass a comprehensive privacy law. Maybe, just maybe . . .
The United States recently inched closer to this occurrence. I see hope breaking out all over the Twitterverse. The American Data Privacy and Protection Act (ADPPA) advanced out of Committee. This is still an early round in the Squid Game of making a law in this country, but this law might have what it takes. It could go all the way.
I’ve learned not to put too much faith in Congress. I am not going to be Charlie Brown with the football. Back around 2005, after the ChoicePoint data breach, as states all started eyeing California’s breach notification law with envy and started to craft laws of their own, I thought for sure Congress would pass a federal data breach notification law.
But I was wrong. Congress failed. Breach notification was an easy issue for Congress to address – far easier than a comprehensive privacy law which is swamped with a multitude of complicated issues. But maybe this is the time. After all, in the movies the hapless underdog somehow finds a way to win. Sometimes, life imitates the movies, and we all need a feel-good story during these dark summer days.
Grading the ADPPA: Is it Any Good?
The ADPPA bill itself isn’t too bad. In my view, Congress is generally a D student when writing laws, and the ADPPA is a B+.
The ADPPA has a lot of the standard elements of privacy laws, and it advances the ball. It even has a private right of action . . . something that I’m surprised managed to survive this long. A private right of action is a very important enforcement mechanism, as Professor Lauren Scholz persuasively argues in her recent article. Perhaps it remains in there because the U.S. Supreme Court has severely limited private rights of action in privacy laws in Spokeo v. Robins and TransUnion v. Ramirez. Cynically, I wonder whether some in Congress are okay with the private right of action because they know courts will make it disappear when people actually try to use it.
The ADPPA has many things that are found in modern comprehensive privacy laws:
- privacy impact assessments
- sensitive data
- a person designated to handle privacy at the organization
- training (I love this, but I’m biased!)
- policies and procedures
- compliance audits
- data minimization
- privacy by design
- rights to access and correction
- right to delete
- right to data portability
- data security program
The ADPPA also has a duty of loyalty, which is something different and encouraging. Woodrow Hartzog and Neil Richards are especially excited about this, since they’ve written about the important role a duty of loyalty could play in privacy laws. Additionally, the law also attempts to regulate algorithms, including requiring algorithmic impact assessments.
Although the ADPPA contains many key components of comprehensive privacy laws, it’s not a breathtaking advancement, and it could be stronger in parts. It’s a respectable law, and it stands up fairly well alongside other comprehensive privacy laws. I thus give it a B+, which is actually quite good since it is far above Congress’s average.
The Troubling Cost: Preemption
But when looking at the big picture, I wonder: Is this law really good for privacy?
I’m not so sure. My biggest concern is the preemption of state laws. Preemption involves when a federal law will trump state or local laws that address the subject matter of the law.
Preemption seems to be the Faustian bargain behind any federal privacy law today. After resisting a federal privacy law for years, industry now wants one because it fears that the innovations being concocted in the various state legislative laboratories.
The sand grains spawning the federal pearl are the recent state consumer privacy laws. Starting in 2018, California passed the California Consumer Privacy Act (CCPA). Other states that followed suit, such as Virginia, Colorado, Connecticut, and Utah. These laws aren’t that great in my opinion, with California being by far the best of a rather mediocre bunch. But the states are moving rapidly. And these laws can grow and evolve. The CCPA was amended several times, most notably by a ballot initiative that significantly strengthened the law.
It’s not clear that these state laws will have much impact on global companies, which already are complying with the GDPR, but the possibility of 50 state laws, some of which might be stricter, causes anxiety among corporations. And such corporate anxiety is akin to a circus fatality – it’s time to send in the lobbyists! The lobbyists promptly raise the hue and cry for preemption.
But with preemption comes a big risk of ossification. I worry that the ADPPA will fossilize the standard privacy protections of today’s time for decades to come.
A Thought Experiment: Suppose Congress Passed a Federal Privacy Law in 2000
Consider the following thought experiment: Suppose that back in 2000, during the early days of talk of a federal privacy law, Congress had passed a federal comprehensive privacy law. What would that law have looked like?
A federal comprehensive privacy law circa 2000 would have been a rather weak law compared to today’s standards. Back in 2000, there would have been no prayer that the law would have contained rights to data deletion or data portability. There would likely have been no sensitive data, privacy impact assessments, privacy by design, a duty of loyalty, or algorithmic accountability. It’s unlikely the law would have adopted the EU-style definition of personal data that includes reasonably linkable data. The law would have probably been a warmed-over version of notice and choice.
But now, in 2022, many of these things are no brainers. They are readily included in the law and aren’t even that controversial. But if a law had been passed in 2000, it’s very likely it wouldn’t have been updated, and we’d be decrying its lameness year after year.
The ADPPA might look good now because it compares well to many comprehensive privacy laws around the world. But the standard is evolving. A law that is adequate today will likely not be adequate in the future.
Waiting for Godot: Congress Rarely Updates Privacy Laws
Congress is notoriously bad at updating laws. If Congress were a landlord, it would be a slumlord, because Congress hardly ever updates privacy laws even when they scream for an update. The Electronic Communications Privacy Act (ECPA) is closing in on being 40 years old. It was passed in 1986. If you were alive back in 1986, recall email, computers and the Internet back then. This was the digital stone age. Despite urging from all sides (law enforcement and privacy advocates) to update ECPA, has Congress done anything? Nope. There have been countless bills that have suffered the same fate as the ark in Raiders of the Lost Ark.
The Family Educational Rights and Privacy Act (FERPA) has a similar story. It’s woefully out of date and has countless shortcomings. It’s about 50 years old. I guess that’s young when so many people in Congress are in their late 70s, but for a privacy law, it is long overdue for an overhaul. As with ECPA, there have been bills, so many bills, but most bills wither on the vine.
I think we have to accept that if Congress were to pass the ADPPA, it could be left untouched, without being updated, for the next 50 or 100 years or even infinity. In about 10 or 20 years, the ADPPA will start looking quite old. Privacy laws age quickly; they often have the functional life span of a dog, yet Congress will hold onto them long after their corpses have started to rot.
Is Preemption Really Needed?
Preemption is the prize most desired by industry lobbyists. A common argument for federal preemption of state laws is that without preemption, the states will continue to pass privacy laws in a frenzy. Complying with a jumble of inconsistent laws will be difficult.
But many other privacy laws didn’t preempt stronger state laws, and the world keeps turning.
For example, HIPAA did not preempt state laws, and a tsunami of state health privacy laws did not follow. The reason is that HIPAA is a strong privacy law, so there is less desire to fix something that is not broken. Not only can HIPAA be enforced by the federal HHS but also state attorneys general can enforce it. The incentives for state legislation are lesser because HIPAA generally satiates the hunger for privacy protections.
The bottom line is this: If a privacy law is good enough, states won’t be incentivized to pass new laws. Why bother when they could enforce a perfectly good law?
As Paul Schwartz aptly observes in his great piece, Preemption and Privacy, 118 Yale L.J. 902 (2008), state “laboratories” of privacy regulation have contributed many legal innovations such as data breach notification law, requirements to provide people with free credit reports, requirements to allow people to freeze their credit, and more.
Even more valuable than the specific innovations of state law is the possibility of new state laws if a federal law grows old and stale. The states can step in when a federal law is no longer getting the job done, and this provides protection against a federal law that Congress neglects. The possibility of state legislative action also provides an incentive for Congress to tend to its laws and keep them healthy. Indeed, the state consumer privacy laws that will be preempted by the ADPPA are the impetus for Congress’s action on the ADPPA. Ironically, with preemption, the ADPPA would be killing its muse.
One possible compromise: The ADPPA could contain a preemption provision that would sunset after 5 to 10 years unless Congress would amend the law to renew the preemption term for another 5 to 10 years. This would force Congress to revisit the law in order to renew the preemption for another period.
The ADPPA is a good start. Without the preemption, it would be a winner. With preemption, I’m not so sure. In the short term, it might be good, but in the long term, Mephistopheles might come to collect his due.
UPDATE: I have a follow up post with further thoughts in response to a thoughtful discussion on Twitter with Omer Tene (Goodwin Procter, LLP): Further Thoughts on ADPPA, the Federal Comprehensive Privacy Bill.
Daniel J. Solove is John Marshall Harlan Research Professor of Law at George Washington University Law School. He is the founder of TeachPrivacy, a company that provides computer-based privacy and data security training. His most recent book is Breached! Why Data Security Law Fails and How to Improve It, published by Oxford University Press 2022.