PRIVACY + SECURITY BLOG

News, Developments, and Insights


ADPPA - comprehensive federal privacy law

I recently wrote a post about my concerns about the American Data Privacy and Protection Act (ADPPA) (updated version after markup is here), a bill making its way through Congress that has progressed further than many other attempts at a comprehensive privacy law. Despite grading the law a B+, I was skeptical of the law because it would preempt state laws, a provision I believe to be a Faustian bargain. Here’s an updated version of the ADPPA after markup.

Omer Tene (Goodwin Procter LLP) has a series of tweets expressing puzzlement at my reaction to the law. He thinks I should be dancing in the streets. He writes that he is “genuinely puzzled by the logic here. Dan argues against passage of a good federal privacy law (he gives it a B+) bc it might be outdated in 20 years.” He argues that my concerns will be the same with every federal law because there won’t be a federal law without preemption. “[W]hat’s the alternative?” Omer asks. “Having no federal law to update in 20 years? How’s that any better?” He further argues that “if the preferred option is state by state, it’s a very poor option. Dan and others have rightfully criticized the weak tea brewed by the states. ADPPA blows every one of the state laws out of the water.” Omer contends that the “ADPPA is *far* stronger than CPRA. Even in California. Not to mention it would also apply in 49 other states.”

Omer makes compelling arguments, and I want to respond to clarify and expand upon some things in my original post to better explain my position. First, I agree with the following things that Omer says:

  1. The existing state laws are weak. California’s law, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), is by far the best of them, but it could go a lot further. The CCPA is obsessed with data sale and sharing and neglects many other issues with the collection and use of personal data. It was originally a narrow law that was expanded to incorporate more GDPR elements, but it never was fully re-architected.
  2. The ADPPA has many of the common elements of comprehensive privacy laws. It is much stronger than the state laws, especially Utah’s anemic law.
  3. A comprehensive federal privacy law would be a good thing.

This is where I agree with Omer. It would seem, from the above, that I should be celebrating ADPPA. Finally, we’d get a comprehensive privacy law. It’s an improvement upon the state laws so far. Am I being too picky here?  Waiting for Godot?  Omer thinks I am. For him, we should thank the heavens for the ADPPA and be grateful for our gifts. But I am worried that this gift might turn into a poison pill.


Despite agreeing to the points above, I have several concerns. There are some points that I didn’t make in my original post and some things to elaborate upon and clarify that will explain my position better.

Grading on a Curve: Why Even a State of the Art Law Today Isn’t Enough

First, I graded the ADPPA with a B+, but that was on a curve. I graded it relative to other comprehensive privacy laws. I graded it based on the state of privacy laws that currently exist. But this is not an objective grade based on my view of the ideal law. As I have argued extensively in my scholarship, I believe that existing privacy laws have some severe shortcomings and must be changed significantly to be up to the challenge of protecting privacy. Many laws will say lots of nice vague things like data minimization, but these provisions often lack rigor and are not enforced with any teeth. Many parts of privacy laws have pretty-sounding rhetoric but ultimately are not any deeper. Further, the ADPPA is being weakened as it winds its way through the federal legislative process, which has a knack for whittling away at the stronger elements of laws. I worry about whether the final version will be as strong as the earlier versions.

This means that any law passed today is really a start, not an end point. Unfortunately, as I pointed out in my first post, Congress isn’t good at keeping its laws updated. I fear that ADPPA could be the final word. It really should be just the opening statement.

Omer seems more content with the current state of privacy law. If one thinks that existing comprehensive privacy laws are really good and are getting the job done, then it certainly makes sense to be happy to accept and live with the ADPPA. The reason I’m not eager to live with the ADPPA for the next 10, 20, maybe even 50 or 100 years is that the state of privacy law today is rather young and needs a lot of development. I’m not ready to set anything into stone.

The Importance of Dynamism


Dynamism and the ability to grow and evolve is a key feature of privacy law. Preemption snuffs out the flame and stops a key engine for developing law in the United States. When privacy law ossifies, it weakens considerably. Consider what happened to the Warren and Brandeis torts, as I wrote about with Neil Richards in our article, Prosser’s Privacy Torts: A Mixed Legacy. In their pathbreaking article, The Right to Privacy, Samuel Warren and Louis Brandeis argued that tort law should evolve to better protect privacy. It took a decade for courts to respond, but during the 20th Century, courts did respond, developing several torts. Torts scholar William Prosser helped the process by writing about these developments, analyzing the cases, and identifying four torts. He put these in the Restatement (Second) of Torts. With this prominent acknowledgement, the process of recognizing the torts sped up, and now the vast majority of the states recognize several of the torts. But Prosser also ossified the law. After he pronounced the four torts, little further innovation occurred. Courts just stuck with the existing torts and didn’t create new ones. The result is that the privacy torts today largely are not well-positioned to address the privacy problems we face from large organizations collecting, using, and transferring personal data.

The current state of affairs with the privacy torts would certainly cause Brandeis to be sorely disappointed were he to be raised from the grave. Brandeis’ view about the importance of dynamism is expressed most eloquently in his dissent in Olmstead v. United States, 277 U.S. 438 (1928), where the U.S. Supreme Court used an antiquated approach to determine Fourth Amendment applicability. The Court held that a wiretap was not regulated by the Fourth Amendment because it could be installed outside of the home, and there must be a physical trespass for there to be a Fourth Amendment violation. Brandeis wrote:

But ‘time works changes, brings into existence new conditions and purposes.’ Subtler and more far-reaching means of invading privacy have become available to the government. Discovery and invention have made it possible for the government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet.

Moreover, ‘in the application of a Constitution, our contemplation cannot be only of what has been, but of what may be.’ The progress of science in furnishing the government with means of espionage is not likely to stop with wire tapping. Ways may some day be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. . . .

Brandeis’s key lesson was that the law must be nimble and evolve with the times. Rigidity is a fatal flaw, especially in laws that must address rapidly-changing technologies. The argument of Warren and Brandeis’s The Right to Privacy was for the law to grow and respond to threats to privacy from new technologies, not to create four specific torts and stop there. Continuous legal innovation is essential for the law to work well.

The Challenge of Enforcement

Omer argues that the ADPPA is great to protect people in states that lack privacy laws. It is true that a benefit of the ADPPA is that it applies to states where the light of privacy doesn’t shine, but there are severe concerns about the enforcement of the ADPPA. It relies on two enforcement mechanisms — private rights of action and state attorneys general. I am a fan of the private right of action as an enforcement mechanism. But if ADPPA preempts state privacy laws, then this forces people to use the private right of action in federal court, where people must deal with the dragon of standing. The U.S. Supreme Court has worked its typical mischief upon standing doctrine, altering it to shut out many valid cases involving clear violations of federal privacy statutes with causes of action. The Court has found ways to creatively interpret away statutory damages provisions (Doe v. Chao). And, more recently in its war against plaintiffs, the Court has allowed courts to throw out cases brought under private rights of action if courts don’t think that there’s a harm. Courts have struggled to recognize privacy harms.

So, while the private right of action appears on the surface to be a gift, it could prove to be hollow. The ability of states to create privacy laws with a private right of action would be preempted, leaving people with a federal private right of action that might exist in theory only. When they get to the courts, the doors might slam shut.

What about the state attorney general enforcement? If the virtue of the ADPPA is to protect privacy in all states, then state attorney general enforcement isn’t enough. The state attorneys general in states that don’t care about privacy won’t suddenly wake up and start caring. It’s not clear that they will do much. People in these states still won’t get protected. Their complaints will be ignored. It is increasingly the reality that in the United States, the particular states that one lives in really matter. We’re fracturing as a nation, and we have states with very different views about how to protect their residents, about freedom and democracy.

I am skeptical about whether the ADPPA will provide much help to individuals in states that don’t care. Their best bet might be to move to a different state.

FTC enforcement can help, but the FTC needs more power, money, and personnel to enforce.

The Value of New Ideas

I agree with Omer that generally state laws thus far are weaker than the ADPPA, but not all laws, and not all parts of laws. Certain state laws may generally be weak but might have certain parts that are strong. And certain more narrow state laws on particular issues are stronger. Consider the Illinois Biometric Information Privacy Act (BIPA). This law is a very powerful law, but it is narrowly focused on biometric information. It has a robust private right of action, and unlike federal courts, the Illinois state courts don’t force plaintiffs to prove harm. ADPPA has a carve out for the BIPA, but future laws on countless issues will be preempted. There might be no more BIPAs in the future. Will states have new ideas on regulating algorithms? What about the emerging regulation of dark patterns? What about other issues? Do we really want the ADPPA to be the final word?

The Generative Threat of the Power of the People

Even if state laws thus far aren’t as strong as the ADPPA, a key component of the law’s development is the threat of future legislation. The fear that legislatures will pass stricter laws drives up the strength of any potential federal privacy law. This fear makes some companies aim to stay ahead of the curve. In particular, in California, the referendum process gives a voice to the people. The ADPPA will snuff that out.

There wasn’t as much momentum for a comprehensive privacy law prior to the California Consumer Privacy Act (CCPA). The CCPA was rushed through the California legislature in the summer of 2018 to stave off a referendum. The referendum had widespread popular support, and its existence drove the legislative agenda. For years, there have been calls for a federal comprehensive privacy law, but Congress never responded. But the CCPA and the possibility of many state laws lit a fire in Congress and sparked the ADPPA. I doubt we’d be where we are with the ADPPA were it not for the CCPA.

The CCPA’s first referendum was pulled because the CCPA was passed, but a subsequent referendum strengthened the law in 2020.  Although the CCPA after the amendments is still not where I’d like it to be, the referendum process is quite valuable. Of course, there are problems with the referendum process, but a virtue is that it gives the people a say in the legislative agenda. The California referendums sent a loud message: People were concerned about privacy and didn’t think existing laws were adequate. No longer could legislatures bury their heads in the sand. No longer could the tech industry and Big Data industry coast on legislative inaction. The referendums sent a message. Even the initial referendum that got pulled still sent a powerful message: There had to be greater privacy protection in the law, or else there would be hell to pay. The second referendum also sent this message. Companies actually got off easy, because I think nearly anything would have passed in the referendums, and it was somewhat of a squandered opportunity. But nothing can stop more referendums in the future . . . . except for the ADPPA.  The ADPPA could shut the door on this.

Short-Term Benefit But Long Term Cost

After being passed, the ADPPA will provide a short-term benefit. The US will finally have a comprehensive privacy law, and that law might actually not be that bad. But over time, it will degrade. It can be weakened by courts bent on a different vision of society, one where individuals lack any power against big organizations. It can be weakened by poor interpretations of key terms and by weak state attorney general enforcement. As privacy law in the rest of the world evolves, there will be little incentive for Congress to revisit the ADPPA and keep it up to date. For a short-term fix, we’ll end up with an antiquated privacy law that will preempt a main engine for change — the possibility of state legislative action through legislatures and especially referendums.

Rethinking Preemption

Omer says that preemption must be the price for a federal privacy law. I hear many people saying this. It has become gospel. If this is true, I find it disappointing that the debate on preemption is over. Industry has surely pulled a major victory here because preemption wasn’t always a given. Many other federal privacy laws don’t preempt. Instead, they provide a floor of protections but leave it open to states to provide stricter protections. This is how the FERPA, HIPAA, TCPA, ECPA, GLBA, and Cable Communications Policy Act work. But today, preemption (in terms of a federal law being the ceiling) is taken as a given. As I argued in my earlier post, if a privacy law is strong, there is little incentive for states to pass new privacy laws. But if a law grows weaker, if gaps open up, if new issues emerge, then states can spring into action and address these problems.

There seems to be a big division among academics, advocates, and others about the ADPPA. Some support it as the best we can practically get; others take my position. I think a key to understanding these divided camps is how effective one thinks that existing standard comprehensive privacy laws are as well as how optimistic one is that Congress will keep updating and improving a law passed today. My view is that privacy law has a long way to go in its development to tackle the privacy problems we face and that Congress will let ADPPA rust.

Ultimately, I’d support the ADPPA if it didn’t preempt. I’d support it if Congress had a good record of keeping its laws updated and I had confidence that in the future, Congress would really care about addressing America’s problems. I’d even support it with a temporary preemption clause that would sunset and force Congress to revisit the law in order to renew another preemption term.

Otherwise, I think the ADPPA offers a short-term benefit that in the long run will become an albatross.

UPDATE: Omer has a further response to this post on Twitter. He argues that it might not be “harder to amend an existing law than to legislate one (that’s eluded us for the past 50 years) from scratch.” He says: “To be clear we got a lot. We got a law with a PRA. With civil rights. Executive responsibility. Algorithm assessments. Data minimization. Privacy by design. Applying in 50 states to all companies and non profits. Dan prefers to pass since in 20 years it might need an update.” Omer’s response is very thoughtful, and I definitely want to be clear that my position is one of ambivalence. I’m not vehemently opposed to the ADPPA. It does many good things, and it is a step forward for the US. If it passes, part of me will even be happy. But I won’t be dancing.

In particular, although the law has all the things that Omer lists, these things are not very rigorous and end up being more rhetorical than meaningful. The law requires privacy impact assessments and privacy by design, but without rigor, these things can be meaningless.  With rigor, they can be great.  For example, the CCPA has a great requirement that privacy impact assessments be submitted on a regular basis to the state privacy regulatory agency – the California Privacy Protection Agency. The ADPPA doesn’t have this kind of review and accountability.

I ultimately return to the thought experiment I posed in my earlier post.  Imagine if Congress had enacted a preemptive privacy law in 2000, when there was an early conversation about a federal comprehensive privacy law.  That law would have been far weaker than the ADPPA. Indeed, had Congress crafted the ADPPA about 5 years ago, it would have been far weaker than now. Privacy law is in its formative years. Each year, new strides are being made. Things that would have been controversial a year or two ago are now considered standard fare. I’m concerned that with preemption, we’ll take the bread out of the oven too soon.

As messy and problematic as US privacy law is, it has been dynamic and is growing rapidly. I don’t want the process to stop, because there are miles to go before we sleep. Of course, perhaps optimists like Omer might turn out to be right. Congress could pass the ADPPA and then that would be the start of a great journey. If things change and people want something stronger, Congress could hear the people’s concern and jump right on it and be responsive, thoughtful, and proactive. I would love for this to be true. It’s just not the Congress I’ve seen for most of my lifetime.

In sum, I am ambivalent about the ADPPA. It will do good things but also bad things. It will be a step forward for sure, but also could be something that holds the law back in the future. If it passes, I will celebrate and lament at the same time. I sure hope, though, that Congress would give serious thought to my compromise of a temporary preemption provision that would be renewable.

Daniel J. Solove is John Marshall Harlan Research Professor of Law at George Washington University Law School. He is the founder of TeachPrivacy, a company that provides computer-based privacy and data security training. His most recent book is Breached! Why Data Security Law Fails and How to Improve It, published by Oxford University Press 2022.
