In the West, August is a slow month. Many are enduring the dog days by the pool, taking vacations, and otherwise enjoying the last bits of summer before children return to school. Congress is away. The news cycle slows down. Work grinds to a near halt for a few weeks. It’s one of the few moments during the year when you might be able to step back from the world and enjoy the little things in life. As a child, August always reminded me of this quaint, bucolic Country Time Lemonade commercial from the 90s. You can just taste the wholesomeness of the overly sweet, powdery Country Time Lemonade mix in the commercial (or screenshot above). This August is different.
Have you ever seen the rain?
This year, summer is a rip roaring shit show for the ages that began with the Supreme Court overturning 50 years of well-established precedent - a hard rain after years of relative calm. In June, the conservative super-majority of the Supreme Court gutted Roe in the infamous Dobbs v. Jackson Women’s Health Organization decision, and thus, women found their status as free persons with the right to make decisions about their bodies and welfare regressing to the 1950s - a time when husbands could legally rape their wives in many states.
Not only were women left reeling, Dobbs rejected the entire concept of a constitutional privacy right found in the penumbras of the Bill of Rights and put other marginalized groups at risk. This privacy right, originally established in 1965’s Griswold v. Connecticut, underpins additional rights. Justice Clarence Thomas, chief troller for the conservative super-majority, petulantly threatened additional marginalized groups by attacking other substantive due process rights in his concurring opinion when he stated: “we should reconsider all of this Court’s substantive due process precedents” including the right to contraception (Griswold), same-sex intercourse (Lawrence), and same-sex marriage (Obergefell) as highlighted in the passage below.
America’s entire constitutional privacy framework had just been gutted with women and reproductive freedom absorbing the first blow in what appears to be the opening salvo against numerous marginalized groups and a pluralistic society. Privacy rights may be statutorily found under HIPAA (healthcare), GLBA (financial), FERPA (education), and other federal laws, but the idea of an implicit fundamental constitutional privacy right appears to have been shattered by this Supreme Court as it upended over 50 years of jurisprudence - stare decisis be damned! However, Congress has provided some hope.
Up Around the Bend
After years of hope, numerous state privacy laws, and aggressive moves by California to regulate the digital ecosystem, Congress - foreshadowing a potential glimmer of hope up around the bend - released a bipartisan federal privacy bill to provide Americans with clear rights in our digital age just as the Supreme Court gutted Roe. While the American Data Privacy Protection Act (ADPPA) does little to address reproductive freedom, it does present a comprehensive regulatory regime with clearly demarcated rights including data minimization (§ 101), data access (§ 203), algorithmic non-discrimination (§ 207), and a private right of action for all Americans (§ 403). Further, ADPPA requires appointment of a data protection officer with annual certification (§ 301) and creation of a Bureau of Privacy within the FTC (§ 401). In exchange, ADPPA would preempt state privacy laws including the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) (§ 404). ADPPA represents a ceiling - not a floor - that preempts states from continuing to legislate. Thus, privacy law would remain static until Congress chooses to act again - a clear concern in our era of political gridlock.
While not a bad bill, the privacy community remains split due to a few provisions. In the pro camp: EPIC, members of Future of Privacy Forum (here and here), other privacy experts (Omer Tene, Cameron Kerry), and many in Congress. In the con camp: EFF, ACLU, Daniel Solove, the California Privacy Protection Agency, and Alistair McTaggart/Californians for Consumer Privacy. Much of the disagreement stems from the strength of the private right of action, federal preemption, auditing, opt-out rights, and definitional provisions. In light of the current state of politics, those in favor of ADPPA believe this is a strong bill reflecting bipartisan compromise that would provide rights to all Americans - that we should not let the perfect be the enemy of the good. Those against ADPPA believe this amounts to a huge win for Big Tech/Big Data because it preempts states from legislating while establishing a uniform privacy framework across the nation that insufficiently protects Americans’ privacy.
Despite bipartisan congressional support and significant support within the privacy community, Senator Maria Cantwell, a key vote, remains steadfast in her opposition because of insufficient enforcement measures. If the Supreme Court’s decision and the fight over ADPPA were not enough turmoil in the privacy world, the FTC - not wanting to be left out of the mix - decided to throw its hat into the ring in grand fashion.
It Came Out of the Sky
On August 11, 2022, Chair Lina Khan, along with other FTC commissioners, held a press conference to announce the FTC’s Advance Notice of Proposed Rulemaking (ANPR) regarding commercial surveillance and lax data security practices. Proceeding under its Magnuson-Moss (Mag-Moss) rulemaking authority, the FTC seeks comment on a sweeping 95 questions that are incredibly broad and far-reaching, leaving many FTC watchers stunned - like it came out of the sky and hit the ground with a thud.
Chair Khan’s views on Big Tech and Big Data are no secret. Before being appointed to the FTC, Khan had been a vocal advocate for greater privacy controls and had condemned Tech’s business model that relies on invading individual privacy. Thus, it should come as no surprise that the FTC’s ANPR on privacy strongly conveys its intent to aggressively regulate what it calls commercial surveillance. Chair Khan’s approach appears to be heavily informed by Shoshana Zuboff’s The Age of Surveillance Capitalism, which raises serious concerns about our current connected digital age where corporations seek to maximize profit by controlling/predicting individual behavior.
However, FTC watchers (often former FTC staff or enforcers) remain unsure if this is a serious effort at privacy rulemaking. Concerns (described here and here) include the length of time to a final rule given the broad ANPR, lack of legwork to establish prevalent unfair or deceptive practices in the market, failure to discuss beneficial uses of consumer data, and possible lack of authority under the Supreme Court’s recent decision in West Virginia v. EPA. In the past, the Mag-Moss rulemaking process has taken at least 5 years and averages around 7 years.
Given that the FTC’s ANPR seeks to aggressively regulate broad areas of commercial data use, needed legwork to establish bases for regulation, and recent court precedent suggesting the FTC may not have authority here, it seems any such privacy rules are a long way off and potentially theoretical. Nonetheless, the FTC has staked out an approach that is aggressively in favor of consumer privacy - potentially more so than ADPPA. Alternatively, the FTC is engaged in the sort of investigating and fact-finding that may serve its rulemaking process pursuant to potential Congressional authority. Nonetheless, the FTC is daring Congress to act while it can.
Bad Moon Rising
Despite retaining Trump, an electoral loser, as the de facto head of their party and outlawing abortion in many states contrary to popular support, Republicans appear poised to secure the House of Representatives in this year’s midterm elections - foreshadowing a bad moon rising that will bring legislative action to a grinding halt. After years of corruption and general malevolence, the former President finds the walls closing in on him after enabling Senator Mitch McConnell to secure a Federalist Society-influenced conservative super-majority on the Supreme Court. This same Court shattered our implicit constitutional right to privacy.
In the past few weeks, the FBI raided Trump’s Mar-a-Lago estate for refusing to return government documents including those containing nuclear secrets, Trump took the 5th Amendment in front of a grand jury investigating his business practices, and the January 6th Committee has spent the entire summer broadcasting its findings regarding Trump’s failed insurrection. Despite the Committee’s efforts involving mainstream conservatives like Liz Cheney, the Republican party has decried it as a witch hunt and Cheney has lost her primary to a January 6th denier. Political cooperation with Democrats, on any matter, is seen as heresy.
Republicans continue their fealty to Trump as his nominees to the Supreme Court have successfully overturned Roe and permitted a slew of state legislation outlawing/limiting abortion in numerous states. While the dog finally caught the car, it appears that Republicans will now campaign at the state level to enact further limits to reproductive freedom where a total ban is not in place despite polling indicating that Americans favor reasonable abortion rights.
Nonetheless, Republicans appear near certain to take back the House during this November’s midterm elections as of August 19, 2022. A new Republican House is unlikely to collaborate with Democrats to pass any further legislation. A Republican majority in the House appears likely to launch investigations into the Biden Administration and otherwise do everything it can to prevent Biden’s reelection. Thus, Congress’ window to pass bipartisan legislation closes at year’s end.
Proud Mary . . . er . . . Maria
Senator Maria Cantwell (D-Washington), Chair of the Commerce Committee, remains a key holdout despite ADPPA’s current bipartisan support because she believes the bill does not contain sufficient enforcement measures - Proud Maria keeps on rollin’ without worrying about what might have been. Because the current window to enact the ADPPA likely expires at the end of the year, the FTC has moved to enact aggressive rules regarding commercial surveillance, and California, with support from those against ADPPA, continues to enact additional aggressive privacy laws to Big Tech’s/Big Data’s chagrin, Cantwell is holding all the cards and likely seeks to extract further concessions for the People.
What concessions could Cantwell seek in exchange for her support? While this is not an exclusive list, it seems that Cantwell may ask for the following:
1. limits on forced arbitration / class action waivers (likely)
2. stronger privacy right of action - eliminating prior notice requirements (unlikely)
3. limits on federal preemption of state law - a floor, not a ceiling; or carve-outs for California or other states (unlikely)
4. whistleblower protections (most likely)
5. protecting abortion rights - further prohibiting or limiting collection of health-related data in order to stymie state laws criminalizing abortion (extremely unlikely)
As a preliminary matter, 5 (protecting abortion rights) seems very unlikely. Republicans would appear to balk at anything that enables or protects abortion given their public support for overturning Roe and newfound campaign to eliminate abortion at the state level or otherwise criminalize those who seek abortion elsewhere.
Similarly, 3 (limits on federal preemption) seems unlikely too. During the bill’s mark up in committee, ADPPA was amended to give CPPA express enforcement authority (§ 404(b)(3)) as a compromise to the California delegation. It seems unlikely there is further room to negotiate here. Federal preemption, especially of California, appears to be a fundamental basis for bipartisan support. Otherwise, businesses will have to continue complying with a multiplicity of state laws and regulations.
Any change in favor of 2 (stronger privacy right of action) may be perfunctory and only serve as a bargaining chip. During the bill’s mark up, the private right of action provision was modified to reduce the delay period by half to two years and permit individuals to file suit for claims related to collecting/processing sensitive data without affirmative consent (§ 102), service or price discrimination for exercising rights under ADPPA (§ 104), insufficient privacy policy (§ 202), data access rights (§ 203), opt-out rights (§ 204), children’s data (§ 205(a)-(b)), “Do Not Collect” registry violations (§ 206(b)(3)(C)), algorithmic discrimination (§ 207(a)), data security practices (§ 208(a)), and service providers/third parties (§ 302).
In light of ADPPA’s reasonably extensive bases for individual lawsuits, Cantwell could ask for eliminating the requisite notices to the FTC and State attorney general (§ 403(a)(3)). However, prior notice requirements to state agencies are not without precedent including in California’s Private Attorneys General Act (PAGA). Most government agencies have limited resources and therefore are unlikely to expend resources where private parties are pursuing the matter. Thus, this requirement seems perfunctory and eliminating it of no major consequence.
Possibly, Cantwell could ask for a statutory damages provision. Statutory damages expressly state a dollar amount per violation and therefore overcome issues of standing related to injury that are often the case with data privacy/security claims. This would strengthen the viability of any such claims legally and financially but risk bipartisan support and pushback from Big Tech/Big Data. While powerful, it may be difficult to achieve.
Additional provisions regarding 1 (forced arbitration/class waivers) may be possible, or even likely. In response to prior concerns by Cantwell, ADPPA was amended to eliminate forced arbitration agreements for children and gender/partner-based harm while class action waivers were prohibited for children (§ 403(b)). While these amendments are notable, mandatory arbitrations and class waivers do a disservice to the consumer and the public as a whole. Arbitrations are usually private and substantially less favorable to consumers. Thus, businesses favor arbitrations because they lower their financial and reputational risks. Further, class action waivers prohibit plaintiffs from pursuing their claims on behalf of all harmed class members - a far more efficient method to redress corporate misconduct. As a result, each harmed individual must find an attorney and file their claim privately in arbitration before the statute of limitations has run. Because of the private nature of arbitration and any potential settlement, the public - journalists, academics, researchers, regulators, and politicians - may never learn about the depth and breadth of corporate wrongdoing and therefore may never seek additional solutions to prevent such harms. Thus, Cantwell could seek to exclude further categories of claims from this provision or otherwise eliminate it altogether.
Finally, 4 (whistleblower protections) seems like an obvious provision that needs inclusion. Without past whistleblowers like Frances Haugen, we may never have learned of Big Tech’s/Big Data’s misdeeds. Whistleblowers are often responsible for shedding light on illegal or deeply troubling government or private sector conduct including spying, discrimination, and fraud. Hopefully, Cantwell seeks very strong whistleblower protections, including stiff awards and penalties, that protect individual whistleblowers who often face professional and financial ruin. Because of the opacity of these algorithms and complex nature of data collection, these whistleblowers are more important than ever for uncovering Big Tech’s/Big Data’s misdeeds.
The stars have aligned to provide Senator Cantwell a window of opportunity to seek additional protections for the American People. Due to U.S. politics, there is potential for bipartisan data privacy legislation that both parties believe is needed, but a short window to get it passed. Big Tech/Big Data face a fragmented regulatory ecosystem led by state privacy laws, especially California, that increase compliance costs. The FTC has staked an aggressive regulatory posture that indicates it would potentially enforce far more aggressively if left to its own devices. Here’s hoping Proud Maria obtains serious whistleblower protections and further limits on forced arbitration/class waivers. Anything else is gravy.