California Privacy Protection Agency Holds Special Meeting To Discuss The ADPPA – Privacy Protection


On July 28, 2022, the California Privacy Protection Agency (the
“Agency”) held a special meeting (the
“Meeting”) to discuss and act on the proposed federal
privacy legislation, the American Data Protection
and Privacy Act
(the “ADPPA”) (H.R. 8152)(see our blog on this

In one go, the Agency unanimously moved to oppose (a) the ADPPA
as it is currently drafted, (b) any federal bill that seeks to
broadly preempt the California Consumer Privacy Act
(“CCPA”), (c) any bill that seeks to prevent the Agency
from modifying the law based on technological changes, or (d) any
bill that compromises the Agency’s authority to mandate on
behalf of California. This move was supported by a distinctly high
number of public comment speakers, including Alastair
Mactaggart, privacy activist and founder of Californians for
Consumer Privacy, spearheading support for the CCPA since 2016.

Notably, the Agency’s decision and the call for this special
meeting serve to highlight that California, and potentially other
states with existing privacy laws, believe the ADPPA would impose
substantial hardships. Additional states, such as Colorado,
Connecticut, Virginia, Utah and Nevada, may, as a result, follow
California’s lead in opposing any federal privacy law
that preempts provisions of existing state privacy laws.

Though the Agency commended the ADPPA in its approach to extend
privacy protections in states where privacy laws do not currently
exist, the Agency ultimately concluded that the broad preemption
language in the ADPPA would adversely affect California in a number
of ways. The Agency argues that the ADPPA:

  • Removes the unique “floor” of the California
    Privacy Rights Act (“CPRA”).
    The CPRA, an update
    to the CCPA, states that “[t]he provisions of this Act may be
    amended after its approval by the voters by a statute that is
    passed by a vote of a majority of the members of each house of the
    Legislature and signed by the Governor, provided that such
    amendments are consistent with and further the purpose and intent
    of this Act…” (CPRA, Section 25(a)) This provision sets a
    “floor” for privacy protections. In the Meeting, the
    Agency noted that in the event that Congress potentially weakens
    privacy protections in the future by weakening the ADPPA,
    California’s unique “floor” to privacy protections as
    set forth in the CPRA would be preempted.

  • Sets a ceiling on privacy protections. In
    addition to removing the “floor” on privacy protections,
    the Agency notes that Californians would be prevented from
    strengthening privacy laws in the future, which is particularly
    important in light of rapid technological change. The Agency
    underscored that technological innovation moves quickly and that
    the states must be able to continue to act and respond nimbly on
    behalf of their citizens to adjust to new technologies.

  • Minimizes the Agency’s mandate. In passing
    the CPRA, Californians created the Agency and imbued it with the
    responsibility to implement and enforce the CCPA. The Agency
    responded that preempting most of the substantive provisions of the
    law would eliminate the Agency’s mandate. Further, the Agency
    notes that the ADPPA does not allow California to recover the
    monetary penalties associated with its enforcement of the federal
    law, whereas the CCPA currently allows recovery of significant
    penalties for the violations of the CCPA (with the same applying
    under the CPRA). The Agency commented that “it is the
    Agency’s role and responsibility to act as an independent
    watchdog” and that “[unlike the Agency,] federal law may
    not have the attention or resources to pay attention to [the need
    of] California.” (emphasis added.)

  • Weakens existing privacy protections. The
    Agency argues that the ADPPA as it stands provides fewer
    protections for California residents in a number of key areas:

      • The ADPPA removes the opt-out option of automatic

      • ADPPA narrows the definition of “personal
        information” as defined in the CCPA because the ADPPA’s
        “Covered Data” “may include derived data and unique
        identifiers” (emphasis added.) This definition is narrower
        than that of the CCPA, which in contrast, includes “inferences
        drawn from any of the information identified.” Moreover, the
        CCPA includes obligations for a broader set of service providers
        that are not mirrored in ADPPA; and

      • The ADPPA removes the mechanism for global opt-out requests.
        Under CCPA, businesses must honor global privacy controls for opt
        outs such that consumers seeking to opt out do not have to initiate
        opt-outs for hundreds of sites. Under the ADPPA, consumers will be
        required to unsubscribe one service at a time.

  • Changes the scope of privacy and security obligations
    for businesses whose data processing creates consumer
    Finally, whereas the ADPPA creates obligations for
    cybersecurity audits and data protection impact assessments
    (“DPIAs”) on “large data holders” or entities
    that meet a certain data processing or revenue threshold, the CCPA
    imposes such obligations on “businesses whose processing of
    consumers’ personal information presents significant risk to
    consumers’ privacy or security.” Thus, the ADPPA would
    effectively narrow the need for DPIAs in comparison to the

The Agency would like Congress to adopt a federal privacy law
that serves as a baseline, while continuing to allow states to make
decisions about additional protections for consumers residing in
their jurisdictions. The Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”) models the
Agency’s preferred approach by providing a national floor for
privacy protections for individuals’ individually identifiable
health information, while giving State Attorneys General concurrent
enforcement authority and only preempting state laws that are
“contrary.” (45 C.F.R. § 160.203.)

We will continue to provide updates on major federal privacy law

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
