CPW’s Kristin Bryan joins two of Squire Patton Boggs’ policy experts – Beth Goldstein and Jeffrey Turner – to discuss one of the most critical pieces of privacy legislation in years, the American Data Privacy and Protection Act (ADPPA), for Lexology’s Masterclass series. This game-changing privacy legislation not only has potential far-reaching impact, but it could also be in effect within the next year. Join us for an insightful look at what this legislation means for businesses and consumers.

Wednesday, December 7, 2022

11 a.m. ET

Key topics:

  • Current policy and political landscape in Congress and in state capitals
  • Main provisions of the ADPPA
  • Recent state legislative developments driving Congressional action
  • Limitations on the Federal Trade Commission’s power to regulate privacy in the absence of federal legislation
  • Ongoing litigation and future risks
  • Sovereigns vs. corporate distinctions

We hope you can join us on December 7!

Several developments this week underscored the continued importance of a bill that has been introduced to implement uniform federal privacy standards.

The California Consumer Privacy Act (CCPA) currently has limited carve-outs for personal information (PI) collected from a job applicant, employee, owner, director, officer, medical staff member, or independent contractor of a business acting in such capacity (including, without limitation, communications, emergency contact and benefits PI) (HR data). An even broader exception applies to B-to-B communications and related PI (e.g., vendor, supplier and business customer contacts and communications) (B-to-B data). As a result, businesses subject to the CCPA are not currently required to honor CCPA rights requests received from persons concerning HR data and B-to-B data. These carve-outs are set to sunset on January 1, 2023, when the California Privacy Rights Act (CPRA), which substantially amends the CCPA, goes into full effect, at which point HR data and B-to-B data will be fully subject to all of the requirements of the CCPA/CPRA. Many business administrators had hoped that either the California legislature would extend the HR data exceptions (or maybe even make them permanent), or a federal law that limited data subject rights to traditional consumers would pass and preempt CCPA/CPRA. It is now clear that the former is impossible and the latter is highly unlikely. Accordingly, many companies have a lot to do by year-end to prepare to stand up a CCPA/CPRA program for HR data and B-to-B data.

On Thursday, House Speaker Nancy Pelosi expressed concerns with certain features of the American Data Privacy and Protection Act (“ADPPA”) and its broad preemption provision, which as currently drafted would override the California Consumer Privacy Act (“CCPA”) and its subsequent voter-approved amendments. The ADPPA was favorably reported by the House Committee on Energy and Commerce in July by a vote of 53-2. The bill has not yet been scheduled for a vote on the House floor. Speaker Pelosi “commended” the Energy and Commerce Committee for its efforts, while also praising California Democrats for having “won the right for consumers for the first time to be able to seek damages in court for violations of their privacy rights.” Speaker Pelosi noted that California leads the nation in protecting consumer privacy and it was “imperative that California continues offering and enforcing the nation’s strongest privacy rights.” Speaker Pelosi stated that she and others would be working with Chairman Frank Pallone (D-NJ) to address concerns related to preserving California privacy laws. Although Speaker Pelosi’s comments cast doubt on the future of the ADPPA, we continue to believe that it will clear the House. We anticipate only modest tweaks to the preemption provision, which must be acceptable to the Republican leadership of the committee for the bill to move forward. As Speaker Pelosi noted, the bill contains a private right of action for consumers—the single most important provision to Republicans in return for strong preemption language. After more than a decade of effort, the Democratic leadership of the House will be hard pressed to let the perfect be the enemy of the really good.

On August 24, 2022, California Attorney General Rob Bonta issued a press release announcing the first public settlement by the Office of the Attorney General (OAG) involving alleged violations of the CCPA. The settlement involves a judicial judgment, civil penalties and ongoing monitoring and reporting. The use of noncompliance letters to cajole companies into compliance over many months now appears to be a closed chapter in the CCPA saga. Season 2 promises more drama, more action and more money. Entertaining unless you are the next target!

Section 222 of the Communications Act and the Federal Communications Commission’s (FCC) implementing regulations impose on “every telecommunications carrier…a [general] duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers.”

This duty includes customer proprietary network information “relating to the ‘quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier’ and that is ‘made available to the carrier by the customer solely by virtue of the carrier-customer relationship.’”

In 2020, the FCC proposed over $200 million in fines “against the nation’s four largest wireless carriers for apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.”

In the last two months, the FCC has renewed its regulatory focus on wireless carriers’ data privacy practices.

In July, FCC Chairwoman Jessica Rosenworcel personally wrote the top fifteen mobile providers requesting information about their data retention and data privacy practices.

The initial inquiries asked about their “policies around geolocation data, such as how long … [such] data is retained and why and what the current safeguards are to protect this sensitive information.” In addition, the Chairwoman sought information about the carriers’ “processes for sharing subscriber geolocation data with law enforcement and other third parties’ data sharing agreements.” Finally, the inquiries sought information on “how consumers are notified when their geolocation information is shared with third parties.”

At the time, the FCC Chair observed that “mobile internet service providers are uniquely situated to capture a trove of data about their own subscribers, including the subscriber’s actual identity and personal characteristics, geolocation data, app usage and web browsing data and habits.”

She added that “the highly sensitive nature of this data – especially when location data is combined with other types of data – and the ways in which this data is stored and shared with third parties is of utmost importance to consumer safety and privacy.”

Then, on August 25, the FCC released to the public each of those carriers’ responses to the inquiries. In doing so, the Chairwoman announced that she has asked the agency’s “Enforcement Bureau to launch a new investigation into mobile carriers’ compliance with FCC rules that require carriers to fully disclose to customers how they are using and sharing geolocation data.”

Finally, consumers will be able to directly file “privacy complaints or share concerns about how providers are handling their information on the FCC’s website”. Chairwoman Rosenworcel observed that “if you, as a consumer, have concerns or complaints about how your provider is handling your private data, the FCC is making it easier for you to file complaints and make your concerns known – so we can take action under the law.”

The FCC’s actions come at a time when the U.S. House of Representatives is considering Federal privacy legislation that would reportedly “remove the agency’s authority to enforce its privacy regulations for common carriers”.

SPB Partner Beth Goldstein also contributed to this post.

With the powerful Committee on Energy and Commerce having approved a comprehensive, bipartisan privacy bill by a vote of 53-2, the US House of Representatives is one step closer to approving historic privacy legislation after over a decade of debate. Before formally reporting the legislation to the full House, the Committee adopted a substitute amendment that addressed concerns that had been raised in Subcommittee a few weeks ago. Among other provisions, the substitute amendment included the following changes:

  • The amended ADPPA provides an explicit right for the California Privacy Protection Agency (“CPPA”) to enforce the law. This is likely in response to calls by California Governor Newsom and the CPPA itself this week to eliminate the bill’s would-be preemption of the California Consumer Privacy Act (including as amended by the California Privacy Rights Act) (“CCPA”). Notably, however, preemption of the CCPA remains.
  • The definition of “third party” has been amended to provide that affiliated companies are considered a single covered entity if consumers reasonably expect them to share information with one another.
  • The substitute amendment provides a number of additional changes with respect to targeted advertising, including:
    • The FTC has the authority to establish global privacy control or “unified opt-out mechanisms” to allow individuals to opt out from targeted advertising.
    • The ADPPA retains its ban on targeted ads to an individual under 17, and also still considers information relating to such individuals as sensitive covered data, but has introduced a tiered knowledge approach with respect to an individual’s age.
    • Internet browsing history over time and across third party websites or online services is now considered sensitive data.
  • Sensitive covered data has been further expanded to include race, color, ethnicity, religion, and union membership, and video data as a category of sensitive covered data has been clarified to include information showing the video content requested or selected by users of consumer generated media.

The leadership of the Committee appears to have found the sweet spot on the two major issues that have bedeviled legislators for years—how and to what extent to preempt state law and the extent to which consumers can vindicate their rights through a private right of action. The substitute amendment, for example, shortened from four years to two years after the date of enactment the date by which consumers can sue over alleged privacy violations. In addition, the substitute amendment limited forced arbitration agreements with respect to claims made by individuals facing domestic violence. With preemption and the private right of action now largely resolved, only a few additional minor issues, plus further changes to the arbitration provision, appear to stand in the way of likely House passage of the bill in September, if not before the August recess begins, on a bipartisan basis.

As we previously reported on the CPW blog, the leadership of the House Energy and Commerce Committee and the Ranking Member of the Senate Commerce Committee released a discussion draft of proposed federal privacy legislation, the American Data Privacy and Protection Act (“ADPPA”), on June 3, 2022. Signaling potential differences amongst key members of the Senate Committee on Commerce, Science, and Transportation, Chair Maria Cantwell (D-WA) withheld her support. Staking out her own position, Cantwell is reportedly floating an updated version of the Consumer Online Privacy Rights Act (“COPRA”), originally proposed in 2019.

Early Stakeholder Disagreement

As soon as a discussion draft of the ADPPA was published, privacy rights organizations, civil liberty groups, and businesses entered the fray, drawing up sides for and against the bill. The ACLU came out as an early critic of the legislation. In an open letter to Congress sent June 10, the group urged caution, arguing that both the ADPPA and COPRA contain “very problematic provisions.” According to the group, more time is required to develop truly meaningful privacy legislation, as evidenced by “ACLU state affiliates who have been unable to stop harmful or effectively useless state privacy bills from being pushed quickly to enactment with enormous lobbying and advertising support of sectors of the technology industry that resist changing a business model that depends on consumers not having protections against privacy invasions and discrimination.” To avoid this fate, the ACLU urges Congress to “bolster enforcement provisions, including providing a strong private right of action, and allow the states to continue to respond to new technologies and new privacy challenges with state privacy laws.”

On June 13, a trio of trade groups representing some of the largest tech companies sent their open letter to Congress, supporting passage of a federal privacy law, but ultimately opposing the ADPPA. Contrary to the position taken by the ACLU, the industry groups worry that the bill’s inclusion of a private right of action with the potential to recover attorneys’ fees will lead to litigation abuse. The groups took issue with other provisions as well, such as the legislation’s restrictions on the use of data derived from publicly-available sources and the “duty of loyalty” to individuals whose covered data is processed.

Industry groups and consumer protection organizations had the opportunity to voice their opinions regarding the ADPPA in a public hearing on June 14. Video of the proceedings and prepared testimony of the witnesses are available here. Two common themes arose in the witnesses’ testimony: (1) general support for federal privacy legislation; and (2) opposition to discrete aspects of the bill. As has been the case for the better part of a decade in which Congress has sought to draft a federal privacy bill, two fundamental issues continue to drive the debate and must be resolved in order for the legislation to become law: the private right of action to enforce the law and preemption of state laws or portions of them. While civil rights and privacy advocacy groups maintain that the private right of action does not go far enough and that federal privacy legislation should not preempt state law, industry groups argue that a private right of action should not be permitted and that state privacy laws should be broadly preempted.

The Path Forward

The Subcommittee on Consumer Protection and Commerce of the House Energy and Commerce Committee is expected to mark up the draft bill the week of June 20. We expect the subcommittee to approve the draft bill with little or no changes. The full Energy and Commerce Committee should complete work on the bill before the August recess. Given the broad bipartisan support for the legislation in the House, we anticipate that the legislation, with minor tweaks, is likely to be approved by the House, setting up a showdown with the Senate after a decade of debate.

With the legislative session rapidly drawing to a close, the prospects for the ADPPA’s passage remain unclear. Intense disagreement remains amongst key constituency groups regarding important aspects of the proposed legislation. Yet, in spite of the differences, a review of the public comments to date regarding the ADPPA reveals one nearly unanimous opinion: the United States needs federal privacy legislation. In light of the fact that most interested parties agree that the U.S. would benefit from federal privacy legislation, Congress has more incentive than ever to reach compromise regarding one of the proposed privacy bills.