By: Hayden McGuire

Data privacy is rightfully a growing concern among many Americans, and the federal regulation governing the area is patchworked and outdated.  The federal government finally seems to be attempting to ease these concerns, evident by the advancing of the American Data Privacy Protection Act (“ADPPA”).  The ADPPA is a popular data privacy bill, intended to create the comprehensive data privacy protection seen in state and foreign statutes.  But could inadequate federal involvement weaken consumer protection?  Concerns about the preemption clauses within the ADPPA has concerned experts working in the field.

The federal regulations that cover data privacy are spotty and not “comprehensive”.  The patchworked federal statutes have, among a variety of effects, caused many states to create their own schemes for protecting important data of its residents and consumers.  This includes data like personal information, where even those who use technology daily have little to no idea the scope of collection or how to protect themselves.  One area of data protection that the federal government has acted in a fairly substantial way is the Children’s Online Privacy Protection Act (“COPPA”), a statute that protects children under thirteen years old.  But, given the high level of technological integration into daily life, the status of federal regulation is insufficient and creating a clear body of federal laws governing data privacy is critical for consumer protection – a task other governments have started to address.

Recently the ADPPA, which has received bi-partisan support, has been working its way through committee.  The support within the committee for the ADPPA is overwhelming, particularly for such a partisan time.  It received fifty-three yeas and two nays, both nays from Californian representatives.  Those two representatives are not the only Californian voices opposing the ADPPA; the California Privacy Protection Agency (“CPPA”) is against passing the ADPPA in its current form.  The CPPA is an agency created by the California Consumer Privacy Act (“CCPA”) to enforce the regulations within the CCPA.  The concern they both raise is the ADPPA would preempt the CCPA and would shift enforcement powers of any data privacy regulations to the Federal Trade Commission (“FTC”).  Ashkan Soltani, the Executive Director of the CPPA, addressed a letter to Nancy Pelosi, Speaker of the House, and Kevin McCarthy, Minority Leader of the House.  In the letter, Soltani claims the ADPPA is “substantially weaker than the CCPA,” that its preemption clauses are an “anomaly for federal privacy legislation,” and that it erases the ability for a state to set a higher standard – granting the federal government total control over the world of data privacy law.

Currently, issues of data privacy preemption are being litigated in the Ninth Circuit Court of Appeals.  Google LLC and YouTube LLC are asserting that COPPA’s preemption clause limits a state’s ability to legislate on privacy rights of children under thirteen years old.  California’s data privacy laws allow the State and private plaintiffs to seek relief, while under COPPA – the federal statute – only the FTC and state attorney generals can make a claim.

Judge Freeman from the Northern District of California made the initial holding that state law was preempted by COPPA and that a private plaintiff cannot seek relief for violations of California law.  If on appeal the court agrees with the District Judge, there could be no remedy based on a state law for a parent and child when a company illegally collects personal information of that child.  However, Judge Gabriel P. Sanchez, one judge from the three-judge panel, seems skeptical of this sweeping preemption.  In an article written by Greg Lamm from Law360, Judge Sanchez is quoted as saying “I guess where I am falling short is why Congress also wanted to wipe away any sort of state law protections of any kind for children under the age of 13.”

Looking at the litigation concerning preemption of COPPA is somewhat valuable to understanding preemption of laws within the world of data privacy.  However, when attempting to predict what the level of state autonomy over data privacy protections would be like under the ADPPA, it becomes minimally instructive.  The ADPPA has a specific clause on preemption, while COPPA only preempts “inconsistent” state law.  Section 404(b)(1) of the ADPPA expressly says,

No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation, rule, standard, requirement, or other provision having the force and effect of law of any State, or political subdivision of a State, covered by the provisions of this Act, or a rule, regulation, or requirement promulgated under this Act.

This clause makes clear that all state laws that regulate types of conduct, or information, that the ADPPA regulates will become moot – even if consistent with the ADPPA.  This would mean that the CCPA and the CPPA would become preempted by the ADPPA, thereby making them unenforceable or obsolete.  This extends even to those provisions that would enhance consumer protection laws but regulate conduct or information subject to the ADPPA.  There may be hope to those skeptical of the sufficiency of the ADPPA, since Section 4 (b)(2) carves out some exceptions of areas that states may still act.  Some notable areas are: laws about the privacy rights of employees and students, health information and medical records, and consumer protection laws of “general applicability”.  Though, until there is some type of resolution of the current issue on COPPA’s preemption capabilities before the Ninth Circuit – a clause written to preempt only inconsistent state laws – it is unclear how the exceptions from Section 4(b)(2) may be utilized by states to enhance consumer protections.  But with how explicit the ADPPA preemption clause is, it seems unlikely that courts would accept an argument that Congress had any intention but to give the maximum level of federal deference and control over the field of data privacy regulation.  This opinion seems inevitable if the comparatively lenient preemption clause within COPPA stops even consistent regulations.

The future of data privacy regulation looks to be one of total federal control.  It is likely that states will be restricted in their ability to create greater protections for their citizens or further oversight on how companies can collect or maintain consumer information.  If the concerns of the officials from California are correct, the scheme that would be nationally established by the ADPPA may be insufficient and difficult to adjust if it remains in its current form.

 

Student Bio: Hayden McGuire is a 2L at Suffolk University Law School and a staffer for the Journal of High Technology Law.  He received a Bachelor of Arts Degree in Politics, Philosophy and Economics, from Suffolk University.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.