The virtues of preemption — why we should welcome harmonization in the ADPPA


Since the American Data Privacy and Protection Act (ADPPA) passed through the House Committee on Energy and Commerce on a vote of 53-3, we've seen aggressive attacks emerge focused on the bill’s preemption provisions.

The new California Privacy Protection Agency (CPPA) is up in arms. The California Congressional delegation and some state politicians are close behind. Professor Daniel Solove recently joined the debate, questioning whether preemption is a Faustian bargain we would be better off without. This led to an interesting back-and-forth between Solove and Omer Tene of Goodwin Procter, in which Solove ultimately acknowledged that he is only “ambivalent” about the ADPPA and “not vehemently opposed” to it, but remains wary of preemption for several reasons, including that the ADPPA lacks accountability and a rigorous enforcement mechanism and that preemption will handcuff our ability to address unanticipated future privacy harms.

I’ll address these other concerns below, but first want to focus on an important piece missing from the larger ADPPA debate. In most of what you read about the ADPPA, whether for or against, preemption is presented as a necessary evil—its only virtue is its value as a bargaining chip to get Republicans to the table as part of the grand bargain that exchanges preemption for national legislation and a private right of action. This is partly true. Preemption is a necessary part of a federal privacy bill; stripping it out will almost certainly upset the delicate bargain that got us where we are today, killing the bill’s viability.

But it would be a mistake to view preemption this way. What’s missing from the debate is a full-throated defense of preemption’s other virtues—an argument for why we should want preemption in the federal law, beyond simply needing it to pass the bill. Some will want to frame preemption as “industry’s” attempt to cabin stronger privacy legislation, but while industry surely wants it, that’s not really what’s happening here. As many others have already noted (e.g., here and here), the ADPPA is largely equal to or more protective than currently enacted state laws. When we talk about preemption, we’re really talking about harmonization and consistency, both of which we sorely need. I offer several reasons we should welcome this consistency and argue that a harmonized approach will ultimately lead to greater protection for individuals across the country (yes, including in California) because consistency leads to better compliance programs and more clarity for individuals interested in exercising their rights.

Why we need harmonization and consistency

Preemption is a necessary ingredient to ensure that privacy law in the U.S. is harmonized and consistent across the states. We should want this because harmonization reduces unnecessary burden and simplifies compliance, which frees companies to focus resources on strategic improvements instead of technical minutiae. Harmonization also improves clarity and transparency for individuals, regardless of where they live, work, or travel in the country. All of this translates to better privacy outcomes for individuals.

Harmonization is a primary goal of the EU’s GDPR — let’s learn from those who went before us

Federal and state lawmakers in the U.S. have relied heavily on the GDPR and the EU experience in drafting U.S. data protection legislation. And rightly so. Between the Data Protection Directive and the GDPR, the EU has decades of experience to share. We should not ignore the EU’s experience with harmonization. One primary goal of the original Data Protection Directive was to harmonize data protection legislation across the EU’s member states. When the DPD failed to achieve the desired harmonization, the EU identified further harmonization as a central promise of the GDPR towards a single digital market. Some may point out that the GDPR allows for a significant number of member-state derogations, but many see this as one of the GDPR’s flaws (itself a necessary evil to secure the legislation), not a virtue. The European Commission’s two-year review of the GDPR in 2020 emphasized the need for greater harmonization in both implementation and enforcement, not less (“[T]here is still a degree of fragmentation.... For the effective functioning of the internal market and to avoid unnecessary burden on companies, it is also essential that national legislation does not go beyond the margins set by the GDPR or introduces additional requirements when there is no margin”).

Like the EU, we don’t need 50 (or even five) versions of a rule about, for example, what elements go in a privacy notice, what links must be in the footer of a website, or how organizations should respond to data subject requests. We don’t need competing definitions of sensitive data and whether the use of that data requires an opt in or opt out. And organizations operating with nationwide affiliates or franchises can’t tolerate competing definitions of what it means to fall under a common corporate umbrella. There are plenty of other examples. We should, like the EU, move toward a more unified approach, not toward a confusing patchwork that increases burden and reduces transparency. Asking businesses to analyze and attempt to harmonize these often conflicting rules is a time-consuming exercise that sows confusion and benefits no one but privacy lawyers and consultants (and, perhaps, local regulators). Asking small- and medium-sized businesses to do it is inexcusable. This problem will only grow as rulemaking continues and enforcement actions begin in state courts across the country. We can nip this uncertainty in the bud, and we should.

Some argue the ADPPA should be a floor, not a ceiling, in part because that’s what we’ve done in other sectoral federal privacy laws. But these comparisons are unpersuasive when you scratch below the surface. The examples given (e.g., HIPAA and GLBA) are sector-specific and affect only a fraction of organizations across the country, most of which are already used to heavy regulatory burdens (and, notably, these sector-specific preemption carveouts remain under the ADPPA). Regardless of whether the floor-not-ceiling approach makes sense in the sectoral cases cited, it doesn’t make sense in the case of a general privacy law, where the benefits of harmonization and consistency outweigh the costs. We should learn from the EU’s experience here and aim toward more harmonization, not less.

Harmonization improves privacy compliance programs by allowing privacy offices to focus on strategic goals instead of technical minutiae

The desire for consistency isn’t just about reducing compliance burdens. Consistency will also improve organizations’ privacy programs. Most organizations have competing priorities and limited resources—this may increase as we head into a coming recession. Our goal should be to help organizations focus their resources on the most important activities that actually advance strategic privacy goals. A patchwork of overlapping and inconsistent requirements detracts from this goal and ultimately harms privacy rights.

I work closely with organizations developing privacy programs and they spend a lot of time and money parsing what the law says before they can even think about how to implement it—time and money that we all wish we could spend focusing on strategic privacy goals. California’s approach, in particular, is notoriously counterproductive. The CCPA was poorly drafted, full of oddly defined terms and internal inconsistencies. Its regulations were behind schedule and equally confusing, forcing businesses to rush out compliance programs with virtually no guidance. The CPRA and its new privacy protection agency are repeating this drill. The CPRA again includes definitions that make little sense (as just one example, no average consumer will have a clue what “sharing” actually means) and its regulations are, again, woefully behind schedule, with many important regulations not even started. While we should all celebrate California’s first-in-the-nation privacy law and be grateful to those that helped get us to the debate we’re having today, we shouldn’t remain shackled to the law when its costs begin to exceed its benefits. California’s imperfect start and the coming patchwork of conflicting laws will not advance strategic privacy goals across the country, and the problem will only grow as more states look to enact and implement their variations on a theme. Solove suggests that we shouldn’t fear state laws because the HIPAA experience did not result in a “tsunami” of state legislation on health privacy. But anyone who has tried to read and harmonize the state laws and regulations we already have knows the tsunami is already here. Unlike the speculative concerns Solove raised in his recent articles, the costs imposed by a lack of preemption are already upon us.

Beyond misdirecting time and resources, a patchwork of hyper-technical privacy laws detracts from privacy advocates’ ability to implement strategic privacy initiatives throughout an organization. When done well, privacy is not a legal compliance exercise, but rather an organizational imperative that protects customers and aligns with a business’s goals. Forcing privacy advocates to parse through, harmonize, and continually update business requirements based on minute variations turns privacy initiatives from strategic exercises into tactical, box-checking exercises to avoid the inevitable gotcha from the local regulator focused solely on its rules. As more rules and variations pile on (and keep in mind the international variations many organizations must contend with as well), important allies in marketing, development, and executive divisions will also begin to see privacy as the box-checking exercise it has become, instead of the strategic enterprise issue it should be. A single, comprehensive approach will help avoid this fate and allow privacy advocates to focus on the important issues. These internal privacy advocates are, in my experience, dedicated professionals trying to do the right thing for their customers and their organizations. The law should help them in their roles, not make things more difficult.

Harmonization improves clarity for individuals, who will benefit from a standard approach across the country

Organizations are already struggling to accommodate variations in state laws without confusing individuals who wish to understand and exercise their rights. As already noted, the few laws already enacted contain material inconsistencies in definitions and processes, some of which simply can’t be squared. California, in particular, wants its specific language and icons (both of which are already confusing), which must then coexist with other state laws that use different language. And there’s more to come—California has barely started its rulemaking process and Colorado is just ramping up its rulemaking. Despite the regulators’ claims that they want their rules to be harmonized and interoperable, we’ve seen no evidence yet of this happening in practice. If we want harmonization, we have the best mechanism to do it sitting before us with the ADPPA.

Why preemption concerns are overstated and, at best, speculative

Even considering preemption’s virtues, you may have lingering concerns about preemption’s long-term effects. In this final section, I address two of these lingering concerns, related to the ossification of further privacy development and to enforcement mechanisms. We should not allow either of these concerns to scuttle what is otherwise a necessary and valuable part of federal legislation.

The ADPPA’s preemption provisions will not ossify privacy development in the U.S.

Solove argues that the ADPPA may become outdated over time, leaving us with weakened privacy protections. But as Tene points out, it may be easier to update existing federal legislation than it will be to start from scratch. Tene is right, and we shouldn’t abandon our best chance at a federal law based on speculative fears about what a future Congress might fail to do 20, 50, or 100 years from now. Planning is good. But we shouldn’t let over-analysis paralyze us. Also, although none of us would accuse Congress of moving too quickly on anything, it’s unfair to suggest that it will inevitably take a 50-year hiatus on further privacy legislation. Recall, for example, that Congress updated HIPAA in 2009 through the HITECH Act, which strengthened the 1996 law’s privacy and security provisions and added the Breach Notification Rule. Thirteen years is not fast, but it’s not 50 years.

Nor should we assume that the ADPPA will be in dire need of immediate repair. Lawmakers drafted the ADPPA leveraging decades of experience from other data protection laws, most notably the GDPR. So we should not view the ADPPA as a nascent experiment that will quickly become outdated, but instead as the product of decades of experience in data protection law tailored to U.S. values.

Solove’s related concern, that preemption will ossify future privacy law development, is also overstated. Solove bases his argument on the assumption that dynamism and the ability to grow can originate only in the states. But we know this is not the case. Privacy and data protection is (or at least should be) a global exercise. The five enacted U.S. state laws and the ADPPA draw heavily from the GDPR and the European experience, and we can expect global dynamism to continue at a fast pace. The UN Conference on Trade and Development reports that 137 of 194 countries have some form of legislation in place to secure the protection of data and privacy. We should continue to view the world’s nations as privacy laboratories.

Moreover, the ADPPA doesn’t preempt everything. While it preempts and harmonizes critical pieces to achieve the benefits I’ve outlined above, it preserves quite a bit. It preserves states’ general consumer protection laws, civil rights laws, criminal laws, laws related to the privacy of employees or students, and provisions related to facial recognition, electronic surveillance, wiretapping, or telephone monitoring. Some remain concerned that the carve-outs in fact leave too many doors open for state action.

Finally, where some flexibility is needed, the ADPPA already includes a rulemaking mechanism to address future concerns with no need for Congress to act. Take, for example, the ADPPA’s definition of sensitive covered data. Following the lengthy list of data elements that qualify as sensitive data in subsection (A) (again, incorporating heavily from other jurisdictions’ data protection experience), subsection (B) provides that the FTC may promulgate rules to include in the definition of “sensitive covered data” any other type of covered data “as a result of any new method of collecting, processing, or transferring covered data.” So the ADPPA has room to be “nimble,” as Solove suggests it needs.

The ADPPA’s enforcement and accountability mechanisms are strong and will benefit all individuals in the United States

The ADPPA leverages three enforcement mechanisms: FTC enforcement, state agency enforcement, and a private right of action. Taking these in reverse order, Solove first argues that the federal standing doctrine may render the private right of action meaningless. It’s of course true that the Supreme Court has limited privacy actions based on technical rule violations where the plaintiff has been unable to allege a concrete harm from the violation. But it’s going too far to say that the standing doctrine will make the ADPPA’s private right of action a hollow promise. Even today, the standing doctrine as articulated in Ramirez has not stopped a wave of data breach and privacy class actions from proceeding past the pleading stage as plaintiffs adjust their tactics to plead sufficient claims.

Regarding state agency enforcement, Solove argues that certain agencies, in states that don’t care about privacy, will not enforce the law. That’s probably true, but at worst it puts residents of those states in no worse a position than they’re in today. At best, I am far more confident than Solove that the ADPPA will help residents of those states in ways that no law does today, and at a time of great need. Residents of these non-enforcement states will benefit from FTC enforcement where a state regulator fails to act and can bring a private action to right concrete harms. The ADPPA also includes a Privacy and Security Victims Relief Fund to provide “redress, payment, compensation, or other monetary relief” to individuals—I assume the FTC would distribute this relief to victims across the nation as it does today. In short, I wouldn’t be so dismissive of the significant benefits residents of these non-enforcement states will enjoy, even if they might not all have the CPPA in their corner. Solove rightly notes the widening divisions in our country and suggests that residents of these states might need to just “move to a different state.” That’s of course easier said than done for most, and especially for the most vulnerable in our society, and I would rather see us roll out comprehensive privacy legislation to these residents that includes federal and private enforcement options, even if their state agencies will fail to act. And, of course, for states that do have a strong privacy agency, like the CPPA, the ADPPA allows state agency enforcement coextensive with the FTC so that individual states may fund additional oversight and enforcement as they see fit.

Finally, a few words on FTC enforcement. Solove dismisses FTC enforcement in a single line noting that the FTC needs more power, money, and personnel. But the ADPPA would give the FTC all three. Here are a few examples: It authorizes the FTC to issue rules, regulations, guidance, and awareness material on a wide range of issues. It mandates the creation of a new Bureau of Privacy and a Youth Privacy and Marketing Division, with a new director and staff. It requires third-party collectors (i.e., data brokers) to register with the FTC and authorizes it to enforce a Do Not Collect program. It directs large data holders to file reports on algorithmic impacts and compliance certifications with the FTC. And it authorizes appropriations to the FTC that may be necessary to carry out the ADPPA. More will be needed, but I’m not prepared to dismiss the FTC as a meaningless enforcement mechanism under the law.

* * *

The debate about preemption is worth having, but the benefits of consistency and harmonization, which are real and immediate, outweigh the perceived costs, most of which are speculative or overstated. Most important, we should stop viewing preemption as a necessary evil whose only virtue is getting the ADPPA passed. While I have several reservations with the ADPPA more generally that I hope Congress will address, strong preemption is not one of them—we should welcome it as a key component to strengthen privacy and data protection across the U.S.


More articles by Andreas Kaltsounis
