Calif. Privacy Agency Board Opposes US Bill for Preempting State
The California Privacy Protection Agency will oppose the American Data Privacy and Protection Act (ADPPA) as drafted, plus any other federal privacy bill that preempts California, CPPA board members decided unanimously Thursday. The board authorized staff at a virtual meeting to weigh in on HR-8152 and other federal privacy bills. Former FTC Chairman Jon Leibowitz (D) urged the board to compromise on preemption.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Congress’ bill has complicated CPPA’s rulemaking to implement the 2020 California Privacy Rights Act (CPRA). The CPPA is set to receive comments and hold a hearing on draft rules in late August (see 2207080034). The CPPA board met Thursday on two days’ notice, which is allowed only in special circumstances. Gov. Gavin Newsom (D) and other state leaders have also resisted federal preemption on privacy.
The CPPA board voted 5-0 on motions to oppose ADPPA as drafted and to allow staff to oppose any federal bill that preempts California’s privacy law, provides weaker protections than CPRA or prevents the state from strengthening protections in the future or responding to societal and technological changes, or which significantly compromises the state agency's authority. And the board unanimously supported authorizing staff to support any federal bill that doesn’t broadly preempt California’s law or that creates a floor for privacy protection that protects states' current rights and allows them to strengthen them in the future.
All Americans deserve privacy protections, but a federal law shouldn’t reduce California protections or prohibit states from building on it, said CPPA Board Chair Jennifer Urban: "Congress can set a very useful floor," but "states need to be responsive." Even if ADPPA were “the strongest possible law today, it could be weakened in the future,” she said. Congress carved out the Illinois Biometric Information Privacy Act, noted Urban: “California should be fully recognized, too.” Also, Urban said she worries “greatly about the breadth of preemption and how far it could end up reaching."
"We'll only have a robust federal law if everyone makes some sacrifices,” countered Leibowitz during public comments. He urged the state agency not to oppose the bill but instead help make it better. Congress might not be moving if not for California’s law, said Leibowitz: While not perfect, the House bill “is far stronger than existing California law,” including because it has better protections for children and civil rights and includes a broader private right of action.
ADPPA offers a “false choice,” said CPPA board member Chris Thompson. “The federal privacy is treating privacy rights as though they are in limited supply and the strong rights of Californians … have to be taken away in order to provide weaker rights federally.” Congress should instead follow the model of the Clean Air Act and set a federal floor that allows for state innovation, he said. “California has been active for years … while the federal government has just been putting its shoes on.”
Preemption can be necessary when laws' misalignment makes compliance impossible or confuses consumers, but that’s not the case here, said the CPPA board’s Lydia de la Torre. She called for a public awareness campaign to show what privacy protections Californians would be giving up. There is room for a federal law that preserves a role for states, said board member Angela Sierra. "The states are in the best position to really react and address changes in technology.” Also, Sierra raised concerns about causing enforcement uncertainty that might weaken the agency’s effectiveness.
Board member Vinhcent Le supports ADPPA "as a floor, not a ceiling for privacy rights,” he said. If preempted, Californians would no longer be able to opt out of automated decision-making, he said. Plus, CPRA covers more service providers and allows audits. While excited about having a national law, “it does not need to come at the expense” of California, he said.
CPRA author Alastair Mactaggart sees "a lot to like in ADPPA for much of America,” but it’s “giant step backwards for California in many really important areas, including government surveillance" and auditing, said the Californians for Consumer Privacy founder at the meeting. The Electronic Frontier Foundation doesn’t oppose ADPPA but has concerns about preempting stronger state laws and preventing states from building on the law, said Hayley Tsukayama, legislative activist. American Civil Liberties Union California Action strongly opposes broad preemption, said George Parampathu, legislative advocacy intern.
The CPPA is the only stand-alone state privacy agency in the U.S., “so obviously this is an issue of huge importance to them,” Electronic Privacy Information Center (EPIC) Deputy Director Caitriona Fitzgerald said in an interview before the agency’s meeting. The federal bill as currently drafted would maintain the state agency’s enforcement authority, but California would need to work out “whether they would be enforcing the federal or how that all would work.”
ADPPA is stronger than California privacy law, said Fitzgerald: EPIC released a comparison Thursday. “It has really strong limits on the ability for companies to collect and use our information” in its data minimization language, “whereas a lot of California law is more based on opting out of the use of your personal information.” While Fitzgerald isn’t “excited” about the bill preempting states from adding protections, she said it’s better to have a privacy law that covers all states. She noted that some states outside California passed “weak laws that really do almost nothing for privacy.”
“Privacy lawyers are in an impossible position” trying to guide business clients on compliance, with California and Colorado privacy law rulemakings happening at the same time as Congress considering a preemptive bill, Husch Blackwell attorney David Stauss told us after the CPPA meeting. “It’s impossible to drive full compliance until you actually know what you're going to have to comply with.”
The CPPA joins other California leaders in "trying to ratchet up the pressure" on House Speaker Nancy Pelosi (D), a fellow Californian, not to support broad preemption, said Stauss: But it’s hard to say if the agency's opposition will move the needle. Stauss, who worked on developing Connecticut’s privacy law, said federal legislation was always the goal. “The states were doing this because the federal government would not do it. If the end product of all the state work was a good federal privacy bill, then mission accomplished.”