On July 28, 2022, the California Privacy Protection Agency (the “Agency”) held a special meeting (the “Meeting”) to discuss and act on the proposed federal privacy legislation, the American Data Protection and Privacy Act (the “ADPPA”) (H.R. 8152) (see our blog on this topic).
In one go, the Agency unanimously moved to oppose (a) the ADPPA as it is currently drafted, (b) any federal bill that seeks to broadly preempt the California Consumer Privacy Act (“CCPA”), (c) any bill that seeks to prevent the Agency from modifying the law based on technological changes, or (d) any bill that compromises the Agency’s authority to mandate on behalf of California. This move was supported by a distinctly high number of public comment speakers, including Alastair Mactaggart, privacy activist and founder of Californians for Consumer Privacy, spearheading support for the CCPA since 2016.
Notably, the Agency’s decision and the call for this special meeting serve to highlight that California, and potentially other states with existing privacy laws, believes the ADPPA would impose substantial hardships. Additional states, such as Colorado, Connecticut, Virginia, Utah and Nevada, may, as a result, follow California’s lead in its opposition to any federal privacy law that preempts provisions of existing state privacy laws.
Though the Agency commended the ADPPA in its approach to extend privacy protections in states where privacy laws do not currently exist, the Agency ultimately concluded that the broad preemption language in the ADPPA would adversely affect California in a number of ways. The Agency argues that the ADPPA:
- Removes the unique “floor” of the California Privacy Rights Act (“CPRA”). The CPRA, an update to the CCPA, states that “[t]he provisions of this Act may be amended after its approval by the voters by a statute that is passed by a vote of a majority of the members of each house of the Legislature and signed by the Governor, provided that such amendments are consistent with and further the purpose and intent of this Act...” (CPRA, Section 25(a)). This provision sets a “floor” for privacy protections. In the Meeting, the Agency noted that in the event that Congress potentially weakens privacy protections in the future by weakening the ADPPA, California’s unique “floor” to privacy protections as set forth in the CPRA would be preempted.
- Sets a ceiling on privacy protections. In addition to removing the “floor” on privacy protections, the Agency notes that Californians would be prevented from strengthening privacy laws in the future, which is particularly important in light of rapid technological change. The Agency underscored that technological innovation moves quickly and that the states must be able to continue to act and respond nimbly on behalf of their citizens to adjust to new technologies.
- Minimizes the Agency’s mandate. In passing the CPRA, Californians created the Agency and imbued it with the responsibility to implement and enforce the CCPA. The Agency responded that preempting most of the substantive provisions of the law would eliminate the Agency’s mandate. Further, the Agency notes that the ADPPA does not allow California to recover the monetary penalties associated with its enforcement of the federal law, whereas the CCPA currently allows recovery of significant penalties for violations of the CCPA (with the same applying under the CPRA). The Agency commented that “it is the Agency’s role and responsibility to act as an independent watchdog” and that “[unlike the Agency,] federal law may not have the attention or resources to pay attention to [the need of] California.” (emphasis added.)
- Weakens existing privacy protections. The Agency argues that the ADPPA as it stands provides fewer protections for California residents in a number of key areas:
  - The ADPPA removes the opt-out option of automatic decision-making;
  - The ADPPA narrows the definition of “personal information” as defined in the CCPA because the ADPPA’s “Covered Data” “may include derived data and unique identifiers” (emphasis added.) This definition is narrower than that of the CCPA, which, in contrast, includes “inferences drawn from any of the information identified.” Moreover, the CCPA includes obligations for a broader set of service providers that are not mirrored in the ADPPA; and
  - The ADPPA removes the mechanism for global opt-out requests. Under the CCPA, businesses must honor global privacy controls for opt-outs such that consumers seeking to opt out do not have to initiate opt-outs for hundreds of sites. Under the ADPPA, consumers will be required to unsubscribe one service at a time.
- Changes the scope of privacy and security obligations for businesses whose data processing creates consumer risk. Finally, whereas the ADPPA creates obligations for cybersecurity audits and data protection impact assessments (“DPIAs”) on “large data holders” or entities that meet a certain data processing or revenue threshold, the CCPA imposes such obligations on “businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security.” Thus, the ADPPA would effectively narrow the need for DPIAs in comparison to the CCPA.
The Agency would like Congress to adopt a federal privacy law that serves as a baseline, while continuing to allow states to make decisions about additional protections for consumers residing in their jurisdictions. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) models the Agency’s preferred approach by providing a national floor for privacy protections for individuals’ individually identifiable health information, while giving State Attorneys General concurrent enforcement authority and only preempting state laws that are “contrary.” (45 C.F.R. § 160.203.)
We will continue to provide updates on major federal privacy law developments. To stay updated with our writing on this topic, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.