There's a lot of discussion right now about how a federal privacy bill, the American Data Privacy Protection Act (H.R.8152), will affect state privacy laws. EFF has a clear position on this: federal privacy laws should not roll back state privacy protections. The ADPPA, as currently written, would override a broad swath of existing state laws and prevent states from future action on those areas, a structure called "preemption." We have expressed disappointment and called on Congress to do better.
The debate around the ADPPA's preemption provisions has centered largely on whether it is stronger than current state privacy laws or would instead lower the bar for the country right now. But that's only part of the issue: we must also look to the future. So the ADPPA's current preemption language is bad for everyone in the country, not only those who happen to live in one of the states that have passed data privacy statutes.
Flattening Many Existing Privacy Laws
At least five states have enacted comprehensive consumer data privacy statutes in the past few years: Connecticut, Utah, Colorado, Virginia, and California. Like ADPPA, these laws govern how companies can collect, use, store, or share data, and they allow people to access, delete, or stop sale of their data. EFF wanted more from these laws, but they nonetheless demonstrate the ongoing commitment of state legislators to protect their residents’ data privacy. Some provisions of these state laws are stronger than parallel features of ADPPA. But the ADPPA would preempt them all.
Of course, current state and local protection of data privacy extends far beyond these recent comprehensive statutes. For example, ADPPA would roll back rights to data privacy that states have enshrined in their state constitutions. Based on the text of the current bill, ADPPA also endangers state privacy rules that address just some types of businesses, such as broadband providers or data brokers.
This stops states from acting on areas where we have seen some recent gains. State legislation often moves in waves: a strong statute in one state will inspire lawmakers in other states to follow suit. For example, Illinois' Biometric Information Privacy Act, passed in 2008, prompted Texas, Washington, and New York City to pass laws addressing biometric privacy (though Illinois' is by far the strongest). And, as concern about biometric data collection and use has grown in recent years, lawmakers in Maine, Maryland, and Montana, wishing to see those protections for their own communities, have stepped up to try to replicate this gold-standard law.
Under ADPPA’s preemption, Illinois will get to keep its biometric privacy law, but no other state or city will be able to keep or pass similar, or even identical, legislation to protect their own constituents. Furthermore, the ADPPA doesn't grant equivalent protection to the rest of the country: Illinois requires opt-in consent to collect or transfer biometrics, and provides a strong private right of action, while ADPPA does not. Illinois keeps its law, but everyone else loses out.
There's strong precedent for federal privacy laws to serve as a floor but not a ceiling. For example, while every person in the United States enjoys the medical privacy protections of the federal Health Information Portability and Accountability Act (HIPAA), states can keep their existing, stronger laws and retain the ability to make protections stronger. Several have done so, including New York, Texas, Washington, and Louisiana, giving their residents additional needed protections. States have been able to react more quickly than Congress to emergent problems. Many other federal privacy laws, such as the Fair Credit Reporting Act, also take this approach.
Some states don't currently have data privacy laws, and their residents would benefit from a federal baseline. But there must be room for states to build on that federal foundation. We can't just do the minimum and call it a day. The ADPPA alone doesn't fix all the problems we face right now.
Freezing Further Action
Today’s ADPPA also does not fix all the currently unknown problems we are sure to face in the future. Congress is not nimble and often does not react to privacy concerns in a timely way. The last comparable chance to pass federal privacy legislation was in 2011, eleven years ago. That's the year Uber launched nationally. It's the year before Facebook went public. It predates the Apple Watch, consumer augmented reality, and products from companies such as TikTok, Slack, and Zoom.
Each of those developments has changed the privacy landscape, introducing new wrinkles and angles to consider when it comes to the legislation of privacy. Policymakers have to be able to react to changes. When it comes to privacy in the United States in the past decade, we've seen states lead the conversation—in many cases, acting as the impetus to address these issues at the federal level.
Big technology firms have fought tooth-and-nail to stop strong privacy laws at every level. They have only recently begun expressing some openness to federal legislation because of activity in the states. While working to stop states from passing strong legislation, they have also advocated for federal preemption to stop this so-called "patchwork" of state laws—because they are working.
The ability to pass bills at the state and local level is one of the strongest points of leverage that people have in the fight for data privacy. It is exciting that, at long last, there is bipartisan and bicameral agreement that there must be a federal privacy law to protect consumers. We ask that, in crafting that law, Congress does not compromise our privacy rights by undercutting the very state-level action that got us to this point in the first place.