ADPPA vs. CPRA
ADPPA is marginally stronger than the CPRA.
Many California-based or affiliated proponents of the “California Privacy Rights Act” (Proposition 24) (CPRA) have argued that the “American Data Privacy and Protection Act” (ADPPA) (H.R. 8152) is weaker and would leave Californians with diminished privacy rights. There has been pushback from national civil liberties and privacy groups that have argued the contrary. Hence, this edition of the Wavelength will compare and contrast the two bills to see which side has the better case.
Even before the House Energy and Commerce Committee marked up and reported out an amended version of the “American Data Privacy and Protection Act” (ADPPA) (H.R. 8152), proponents of California’s data privacy laws have been claiming the latter regime provides better protection for residents of California. These claims have been part of overt and covert efforts to press California Members, especially those in the House, to oppose ADPPA unless and until language is added softening the language preempting state privacy laws or ideally exempting California’s state privacy law. When the committee considered the bill, only the eight California Democrats on the committee voted for an amendment to carve out California.
Thereafter, ADPPA hit a considerable roadblock named Speaker of the House Nancy Pelosi (D-CA). It is not news that Pelosi has been iffy on any data privacy law that would preempt California’s laws. In 2019, Pelosi said “[w]e in California are not going to say, ‘You pass a law that weakens what we did in California.’…[t]hat won’t happen.” In a recent statement, Pelosi asserted that “Governor Newsom, the California Privacy Protection Agency and top state leaders have pointed out the American Data Privacy and Protection Act does not guarantee the same essential consumer protections as California’s existing privacy laws.” It is interesting that Pelosi herself is not making the claims that ADPPA falls short; rather, she is quoting Newsom, the CPPA, and state officials. This could give Pelosi the wriggle room she needs to permit the House to pass something short of what California state officials want. Moreover, their claims that ADPPA is weaker than California’s privacy laws, the soon-to-be moot “California Consumer Privacy Act” (AB 375) (CCPA) and soon-to-be operative “California Privacy Rights Act” (Proposition 24) (CPRA), are debatable.
Pelosi’s refusal to bring ADPPA to the floor without major changes has endangered the quid pro quo that gave us the bill. For years, Democrats have resisted preemption of state privacy laws when California had the only data privacy law in the U.S. Republicans and many industry stakeholders demanded one national data privacy standard because they claimed businesses would not be able to navigate many different state privacy laws. And yet, U.S. businesses have managed to navigate different data breach laws in every state and territory, but I digress. However, after extensive negotiation and the passage of weaker state laws, key Congressional stakeholders came to an agreement. The bargain they struck would preempt almost all state privacy laws in exchange for one of the strongest data privacy laws that has ever received serious legislative consideration. If Pelosi prevails in rolling back the preemption provisions, Republicans would lose a significant incentive to support the bill, probably leading to the collapse of the effort to pass data privacy legislation in this Congress.
Given how crucial preemption of state laws is to the bargain struck on U.S. data privacy legislation, if Pelosi and California Democrats insist on something less than full preemption, the effort to pass ADPPA could fall apart before coming to a vote in the House. In any event, Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell (D-WA) opposes ADPPA for different reasons, making passage of the bill all but impossible at present.
As all this was occurring, some stakeholders were making their views public on which bill is better. In early July, the CPPA sent Pelosi a memorandum on how ADPPA “could remove protections from Californians, likely including nearly all of the authority for the CPPA, the independent agency that implements regulations and will provide administrative enforcement of the law; California’s unique privacy floor that prevents protections from being weakened in the future; could preclude the California legislature (and the public through the ballot initiative) from adding new, stronger protections; and compromise additional existing protections.” In mid-August, the CPPA wrote Pelosi and House Minority Leader Kevin McCarthy (R-CA) arguing that “ADPPA’s sweeping preemption seeks to remove important protections and significantly weaken the privacy Californians currently enjoy under the CCPA…[and] could nearly eliminate the ability of the California Privacy Protection Agency, the first data protection authority in the United States, to fulfill its responsibility to protect Californians’ privacy rights.” The Californians for Consumer Privacy (CCP), the organization behind enactment of the CPPA and CPRA, claimed the CPRA is stronger than ADPPA and wrote Pelosi making their case for the CPRA earlier this month.
A number of advocacy organizations think ADPPA is stronger and are urging lawmakers to pass the bill. In response to the mid-July CPPA memorandum, the Center for Democracy and Technology (CDT), Electronic Privacy Information Center (EPIC) and the Lawyers' Committee for Civil Rights Under Law made available a side-by-side comparison of ADPPA and the CPRA and found the former to be much stronger. In late August, “48 civil rights, privacy, and consumer organizations” wrote Pelosi urging her “to expeditiously move H.R. 8152, the American Data Privacy and Protection Act (ADPPA), to a vote by the full House of Representatives.”