The Debate over Regulating Data Brokers
Introduction
The American Data Privacy and Protection Act (H.R. 8152) (ADPPA) is proposed federal consumer data protection legislation. This bill has been introduced each year for the past several years but has never received a vote from both Houses. In March of 2023 the bill was again reintroduced. For a description of the provisions of the Act, see https://termly.io/resources/articles/us-federal-data-privacy-law/
The ADPPA and Other Privacy Laws
The ADPPA's core components are analogous to those of the emerging state laws governing personal information, such as those of California, Colorado, Connecticut, Utah, and Virginia. ADPPA uses the term “covered data” and defines it as information that “identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or device that identifies or is linked or is reasonably linked to an individual, and may include derived data and unique persistent identifiers.” Notably, the ADPPA expressly includes IP addresses within its definition of persistent identifiers.
The similarities with other consumer data protection laws include requiring companies to provide notice to consumers prior to processing personal information and providing them the opportunity to opt out. The ADPPA also provides a number of now familiar rights to consumers. These include the right to access, correct, delete, and port personal information, and the right to object to the sharing of their personal information, as well as to processing it for targeted advertising. Like other consumer data protection laws, ADPPA also provides enhanced protections for what is classified as “sensitive” personal information.
Specific ADPPA Provisions
The ADPPA, like the emerging state laws, prohibits dark patterns in user interfaces that impede the consumer’s choice of their privacy preferences. The FTC has concluded that there is a sharp increase in sophisticated dark patterns. The Act also requires covered entities to provide a “centralized opt-out choice.” The ADPPA also contemplates the introduction of a “unified opt-out mechanism” that will allow consumers to globally opt out of entities processing their personal information.
Other notable features of the ADPPA include requiring third parties to register and allowing consumers to globally exercise their data subject rights with these third parties and opt out of the third parties processing their personal information.
Notably, the ADPPA in some ways may provide consumers stricter protections. For example, before a “large data holder” can collect and process data, the ADPPA expressly requires that the holder provide, in addition to the privacy policy, a digestible “short-form notice” that conveys prescribed information to consumers to help ensure that the consumer understands the holder’s processing activities.
The ADPPA is a tremendous advancement of consumer data protection rights that rivals and exceeds those offered by most state laws. And in some cases, particularly with respect to the requirements around third parties participating in a registry that is subject to global privacy controls, the ADPPA provides more practicable controls around managing third-party data brokers than even the General Data Protection Regulation found in the European Union.
Preemption
A critical feature of the ADPPA is its flexible approach to the issue of preemption. The ADPPA does not seek to override consumer data protection laws in all areas, and allows state laws to exceed the ADPPA protections in almost twenty areas. Furthermore, the ADPPA allows the newly formed California Privacy Protection Agency “to enforce” the ADPPA, “in the same manner it would otherwise enforce the California Consumer Privacy Act.”
The ADPPA thus robustly fills the vacuum of consumer data protection laws, extending the right to privacy to all Americans without undermining the enacted state laws.
The concern, of course, is the impact that it may have on the viability of data companies that employ thousands of Americans to support a digital ad industry that some value at over $450B. Having said that, the GDPR has not prevented the industry from continuing to flourish in Europe, and there is no reason why it cannot similarly flourish in the United States. The industry will just have to do so more responsibly.
Likelihood of Passage
Passage of the ADPPA is far from a foregone conclusion. Democrats in California have opposed the bill, arguing the preemption provisions are too broad and would dilute the protections offered by the existing privacy protection law passed in California. For more on the opposition to the bill, see https://iapp.org/news/a/pelosi-rejects-proposed-american-data-privacy-and-protection-act-seeks-new-compromise/. There are also competing privacy bills, the most recently filed being S.3337, the Data Privacy Act, filed in November of 2023. In any event, expect a tough road ahead for the ADPPA to pass the House and then the Senate and get signed into law.
Conclusion
I support passage of the ADPPA, and Congress has been irresponsible in not passing it, as examples of abuses of our personal data seem to occur almost on a weekly basis as data brokers compile and sell our data for their own commercial gain. We need federal legislation to ensure consistency and uniformity across the country so protections of one's personal data are not dependent on which state they happen to reside in.
This law seems to come at a bit of a tricky time. While I do agree with the regulation of data collection, and it would make more sense to give users more control over it, I do not think that it could be passed at this time. I think that the need for data to be regulated has to come at the cost of there being definitive evidence of data abuse and what it can lead to. I may be ignorant of any evidence that has come out now or sooner, but I think that companies need to either compete with others about allowing the user a more free look over their privacy concerns, or some form of data abuse must come out and be bad enough to warrant a substantial reaction from the public. Otherwise, I completely support the law, because of it making sure that the information is taken in a responsible manner.
I support the passage of this law because I believe that Americans should have the right to control their data. The fact that many people are not properly educated on how their data is collected and what it is used for warrants legislation, in my opinion. However, I do think that the law should be implemented slowly, perhaps in steps so that the users and creators of websites can get accustomed to the expectations. People have a reasonable expectation that their data will not be sold for commercial purposes, and the passage of this law will at least ensure that the user knows whether or not their data will be collected.
I believe that I support the law. This is because I think it is important for an American to realize where and when their data is being set and stored. I like the idea that people will have the right to access, correct, delete, and port personal information; and the right to object to the sharing of their personal information, as well as processing it for targeted advertising. One part I don't agree with is how the law bans deceptive patterns. I don't see how this can happen since the rules of dos and don'ts will never be specific enough to fully ban what is allowed and what's not.