[ad_1]
To print this article, all you need is to be registered or login on Mondaq.com.
On July 28, 2022, the California Privacy Protection Agency (the
“Agency”) held a special meeting (the
“Meeting”) to discuss and act on the proposed federal
privacy legislation, the American Data Protection
and Privacy Act (the “ADPPA”) (H.R. 8152)(see our blog on this
topic).
In one go, the Agency unanimously moved to oppose (a) the ADPPA
as it is currently drafted, (b) any federal bill that seeks to
broadly preempt the California Consumer Privacy Act
(“CCPA”), (c) any bill that, seeks to prevent the Agency
from modifying the law based on technological changes, or (d) any
bill that compromises the Agency’s authority to mandate on
behalf of California. This move was supported by a distinctly high
number of public comment speakers including that of Alastair
Mactaggart, privacy activist and founder of Californians for
Consumer Privacy spearheading support for CCPA since 2016.
Notably, the Agency’s decision and the call for this special
meeting serves to highlight that California, and potentially other
states with existing privacy laws, believes the ADPPA would impose
substantial hardships. Additional states such as Colorado,
Connecticut, Virginia, Utah and Nevada, may, as a result, follow
California’s lead in its opposition of any federal privacy law
that preempts provisions from existing privacy state laws.
Though the Agency commended the ADPPA in its approach to extend
privacy protections in states where privacy laws do not currently
exist, the Agency ultimately concluded that the broad preemption
language in the ADPPA would adversely affect California in a number
of ways. The Agency argues that the ADPPA:
- Removes the unique “floor” of the California
Privacy Rights Act (“CPRA”). The CPRA, an update
to the CCPA, states that “[t]he provisions of this Act may be
amended after its approval by the voters by a statute that is
passed by a vote of a majority of the members of each house of the
Legislature and signed by the Governor, provided that such
amendments are consistent with and further the purpose and intent
of this Act…” (CPRA, Section 25(a)) This provision sets a
“floor” for privacy protections. In the Meeting, the
Agency noted that in the event that Congress potentially weakens
privacy protections in the future by weaking the ADPPA,
California’s unique “floor” to privacy protections as
set forth in the CPRA would be preempted. - Sets a ceiling on privacy protections. In
addition to removing the “floor” on privacy protections,
the Agency notes that Californians would be prevented from
strengthening privacy laws in the future, which is particularly
important in light of rapid technological change. The Agency
underscored that technological innovation moves quickly and that
the states must be able to continue to act and respond nimbly on
behalf of its citizens to adjust to new technologies. - Minimizes the Agency’s mandate. In passing
of the CPRA, Californians created the Agency and imbued it with the
responsibility to implement and enforce the CCPA. The Agency
responded that preempting most of the substantive provisions of the
law would eliminate the Agency’s mandate. Further, the Agency
notes that the ADPPA does not allow California to recover the
monetary penalties associated with its enforcement of the federal
law, whereas the CCPA currently allows recovery of significant
penalties for the violations of the CCPA (with the same applying
under the CPRA). The Agency commented that “it is the
Agency’s role and responsibility to act as an independent
watchdog” and that “[unlike the Agency,] federal law may
not have the attention or resources to pay attention to [the need
of] California.” (emphasis added.) - Weakens existing privacy protections. The
Agency argues that the ADPPA as it stands provides fewer
protections for California residents in a number of key areas:
- The ADPPA removes the opt-out option of automatic
decision-making; - ADPPA narrows the definition of “personal
information” as defined in the CCPA because the ADPPA’s
“Covered Data” “may include derived data and unique
identifiers” (emphasis added.) This definition is narrower
than that of the CCPA, which in contrast, includes “inferences
drawn from any of the information identified.” Moreover, the
CCPA includes obligations for a broader set of service providers
that are not mirrored in ADPPA; and - The ADPPA removes the mechanism for global opt-out requests.
Under CCPA, businesses must honor global privacy controls for opt
outs such that consumers seeking to opt out do not have to initiate
opt-outs for hundreds of sites. Under the ADPPA, consumers will be
required to unsubscribe one service at a time.
- Changes the scope of privacy and security obligations
for businesses whose data processing creates consumer
risk. Finally, whereas the ADPPA creates obligations for
cybersecurity audits and data protection impact assessments
(“DPIAs”) on “large data holders” or entities
that meet a certain data processing or revenue threshold, the CCPA
imposes such obligations on “businesses whose processing of
consumers’ personal information presents significant risk to
consumers’ privacy or security.” Thus, the ADPPA would
effectively narrow the need of DPIAs in comparison to the
CCPA.
The Agency would like Congress to adopt a federal privacy law
that serves as a baseline, while continuing to allow states to make
decisions about additional protections for consumers residing in
their jurisdictions. The Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”) models the
Agency’s preferred approach by providing a national floor for
privacy protections for individuals’ individually identifiable
health information, while giving State Attorneys General concurrent
enforcement authority and only preempting state laws that are
“contrary.” (45 C.F.R. § 160.203.)
We will continue to provide updates on major federal privacy law
developments.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Privacy from United States
[ad_2]
Source link