Abstract

This paper provides two distinct perspectives on the adoption of the American Data Privacy and Protection Act (“ADPPA”). The first section examines the case for retaining current California privacy law, while in the second section, I move into an analysis of the case for applying the ADPPA protections.

Case Against ADPPA

§I Case Against Adoption of the “ADPPA”

While a federal privacy law may seem to offer the benefits of a comprehensive data protection plan without the challenges of developing one from scratch, there are two key issues that result from the preempting of state privacy laws (such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)), which is a major provision under the ADPPA [1]. The CPRA, which came after the CCPA, provides significant provisions for California constituents [1][2]. There are several issues that would arise if the ADPPA preempted these provisions.

I.1 California’s Legislative Edge

First, California sees technological innovation more readily than Washington, and is thus able to regulate it faster and more efficiently. Given the rate of advancement within the technology sector, rapid legislation is critical. California is uniquely qualified to write legislation governing technology because California policymakers have more direct exposure to the technology industry and, perhaps more importantly, exposure to the technology workforce. In fact, data provided in CompTIA’s Cyberstates 2021 report shows that California accounted for approximately 15.42% of the 2019 net tech employment in the entire United States, far higher than any other state [1]. Further, California 100 wrote that “the tech sector alone now accounts for nearly one-fifth of the economic value produced in the state” [3]. It is clear that California is central to the technology industry, and is often the first to see emerging technologies, unlike Washington, which accounted for only ~3.3% of net tech employment in 2019 [4]. Given this, it stands to reason that California policymakers are more qualified and incentivized to write effective legislation that relates to the data protection challenges resulting from emerging technologies.

In addition, California has more of a vested interest in data privacy and protection, given that so much of California’s economy is tied to the technology sector. Thus, California must carefully consider the economic ramifications of data regulation. Washington policymakers seek to balance individual data protection with the economic interests of the country as a whole. However, given the disproportionate share of the net technology workforce based in California, it is reasonable to assume that the interests of California policymakers will differ from those of federal legislators. In this regard, the preempting of state privacy laws under the ADPPA could have significant negative implications for California residents and the state’s economy overall.

I.2 Weaker Federal Provisions

Second, several of the provisions and restrictions outlined in the ADPPA are more lenient than those afforded under current California state privacy laws. One example of this can be found in the requirement to conduct privacy impact assessments. While businesses are required to conduct privacy impact assessments under both the CPRA and the ADPPA, the CPRA requires that businesses submit their assessments to the CCPA, while the ADPPA has minimal accountability for businesses and does not require that assessments be submitted to any form of governing entity. A cyber data company, Securiti, related these policies to GDPR requirements, reporting that the risk assessment requirements “are similar to the more popular and well-known Data Protection Impact Assessments (DPIAs) under Article 35 of the GDPR” [5].

CPRA vs. ADPPA: Privacy Impact Assessments

Under the CPRA, businesses must submit privacy impact assessments to the CCPA. Under the ADPPA, no submission to any governing entity is required. This gap in accountability represents a meaningful weakening of enforcement, one that mirrors the distinction between GDPR’s DPIAs under Article 35 and less stringent national equivalents.

There are several other restrictions that are more lenient under the ADPPA than under current California state regulation. As an example, according to Tech Policy Press, “CA offers a right to opt-out of automated decision making that ADPPA does not” [6]. With regard to pay-for-privacy policies, they also report that “CA law is slightly stronger as it places guardrails on financial incentives and discounts to ensure fairness” [7]. Ultimately, the restrictions on pay-for-privacy under California law could positively impact the economy, because if users must pay to prevent their data from being shared, many may decide to stop using the services altogether. Furthermore, the pay-for-privacy business model is detrimental to the goal of increasing or maintaining security for constituents, because it incentivizes companies to collect more personal data than they currently do, so that consumers become more concerned about providing their data and are thus pushed to pay for data protection.

The Pay-for-Privacy Problem

Pay-for-privacy models create a perverse incentive structure: companies are rewarded for collecting more data, since doing so increases consumer anxiety about their data exposure and makes paying for protection feel necessary. California’s guardrails on financial incentives partially counteract this dynamic; the ADPPA’s looser framework does not.

These key issues indicate that the adoption of the ADPPA may adversely affect both U.S. economic growth and the retention or improvement of overall privacy protections for constituents in California.

Case For ADPPA

§II Case For Adoption of the “ADPPA”

Although there are legitimate arguments against the adoption of the “ADPPA”, federal regulation offers several benefits for the nation as a whole. While there are many advantages to federal regulation over state regulation, there are two specific issues the ADPPA would address, which I would like to highlight.

II.1 Interstate Conflict and Regulatory Fragmentation

First, we must consider the challenges arising from states with different and potentially contradictory data privacy laws. Not only would the lack of federal regulation make data privacy compliance difficult and unnecessarily cumbersome for business owners, but it would also have the potential to create unhealthy competition between the states. If businesses in California view the California Privacy Rights Act as too restrictive, they may decide to begin moving their operations and customer base out of state. Differences in data privacy legislation between states would ultimately have two negative ramifications. First, as businesses began to leave the technology innovation hub in California, workplace staffing would become a growing challenge. Ultimately, this would lead to a stifling of innovation within emerging technologies. Second, smaller states with less emphasis on technology may not see data privacy as essential and may thus decide that regulation is unnecessary. In turn, states with more comprehensive policies, such as California, would be required to consider whether they are willing to lose business and constituents to states with more lenient privacy laws. If not, they must reduce the scope of regulations, ultimately leading to diminished data privacy protections for California constituents.

A Race to the Bottom?

Without federal uniformity, states with stronger privacy protections face structural pressure to weaken them. Businesses can simply relocate, or threaten to, giving less privacy-conscious states a competitive advantage. A federal floor prevents this dynamic from eroding the protections that states like California have worked to establish.

II.2 International Data Transfer and EU Adequacy

A second disadvantage presented by differences in data privacy legislation across state lines concerns the ability of the United States to receive data from other countries. The European Union is largely credited with having the most comprehensive data privacy protection laws in the world, which has led, in part, to 157 countries enacting codified data privacy laws as of 2022 [8]. The report goes on to say that “most of these laws are influenced substantially by the EU’s GDPR” [9]. Because the EU puts stipulations on data transfer outside of the EU, it is essential that comprehensive data privacy laws are deemed adequate by the EU. If each state enacted its own data privacy laws in the United States, data transfer from the EU to the U.S. could become quite complex, as the adequacy of data privacy laws as defined by the EU may vary between states. This complexity would ultimately have negative ramifications for the economy, as foreign countries may decide that it is easiest not to deal with data transfer to the United States. A federal data privacy law would make it much easier to receive transmitted data from the EU, and from the non-EU countries that have adopted some modified version of GDPR.

These disadvantages to state regulation, among others, serve to show the advantages of a federal data privacy regulation, as provided by the ADPPA.

References

  1. “Text - H.R.8152 - 117th Congress (2021-2022): American data privacy and …,” Congress. [Online]. Available: https://www.congress.gov/bill/117th-congress/house-bill/8152/text. [Accessed: 08-Feb-2023].
  2. “Text of the CPRA,” CA Privacy, 10-Mar-2021. [Online]. Available: https://www.caprivacy.org/cpra-text/. [Accessed: 08-Feb-2023].
  3. “2022 state of the Tech workforce by CompTIA | Cyberstates,” CyberStates. [Online]. Available: https://www.cyberstates.org/pdf/CompTIA_Cyberstates_2021.pdf. [Accessed: 08-Feb-2023].
  4. “The Future of Advanced Technology and basic research - california 100,” California 100, 2022. [Online]. Available: https://california100.org/app/uploads/2022/03/The-Future-of-Advanced-Technology-and-Basic-Research-ISSUE-REPORT-Single-pages-Round-3-2.pdf. [Accessed: 08-Feb-2023].
  5. S. A. Sultan, “The Ultimate Guide to Privacy Impact Assessments for CPRA,” Securiti, 24-Nov-2022. [Online]. Available: https://securiti.ai/blog/cpra-privacy-impact-assessment/. [Accessed: 08-Feb-2023].
  6. “Comparison of American Data Privacy and Protection Act vs. California Privacy Laws,” 28-Jul-2022. [Online]. Available: https://techpolicy.press/wp-content/uploads/2022/08/EPIC-ADPPAvCCPA-07292022.pdf. [Accessed: 08-Feb-2023].
  7. “Comparison of American Data Privacy and Protection Act vs. California Privacy Laws,” 28-Jul-2022. [Online]. Available: https://techpolicy.press/wp-content/uploads/2022/08/EPIC-ADPPAvCCPA-07292022.pdf. [Accessed: 08-Feb-2023].
  8. “Comparison of American Data Privacy and Protection Act vs. California Privacy Laws,” 28-Jul-2022. [Online]. Available: https://techpolicy.press/wp-content/uploads/2022/08/EPIC-ADPPAvCCPA-07292022.pdf. [Accessed: 08-Feb-2023].
  9. “Now 157 Countries: Twelve Data Privacy Laws in 2021/22,” 15-Mar-2022. [Online]. Available: https://ssrn.com/abstract=4137418. [Accessed: 08-Feb-2023].
