A Proposed Compromise: the State Data Privacy and Protection Act
February 22, 2023
America faces a data privacy crisis. For more than two decades, without any meaningful restrictions on their business practices, powerful technology companies have built systems that invade our private lives, spy on our families, and gather the most intimate details about us for profit. Through a vast, opaque system of databases and algorithms, we are profiled and sorted into winners and losers based on data about our health, finances, location, gender, race, and other personal characteristics and habits.
Last year, in a significant step towards changing these harmful business practices, bipartisan leaders on the House Energy & Commerce Committee and Senate Commerce Committee proposed the American Data Privacy and Protection Act (ADPPA). The bill went through extensive negotiations between members of Congress of both parties, industry, civil rights groups, and consumer protection and privacy groups. ADPPA received overwhelming bipartisan support in the House Energy & Commerce Committee, where it was favorably approved on a 53-2 vote.
Unfortunately, Congress failed to enact ADPPA last session, but state legislators can now take advantage of the outcome of those negotiations by modeling a state bill on the bipartisan consensus language in ADPPA. EPIC has crafted the State Data Privacy and Protection Act to provide that opportunity.
The fact is that many of the “privacy” bills being considered (or even enacted) by state legislatures in recent years were drafted by Amazon, Microsoft, and other industry players who benefit from harmful commercial surveillance. As investigative journalists at the Markup found:
And Reuters found that “[i]n recent years, Amazon.com Inc has killed or undermined privacy protections in more than three dozen bills across 25 states, as the e-commerce giant amassed a lucrative trove of personal data on millions of American consumers.” They did this not only by opposing strong privacy bills, but by pushing weak ones:
While industry complains to Congress of a “50 state patchwork” of state privacy laws, they are quietly pushing their version of what a “privacy” law should look like in an increasing number of states. These laws allow Big Tech to continue conducting business as usual – collecting endless amounts of personal data and using it in ways that defy consumers’ expectations. They simply allow individuals to access, correct, and delete personal data about them, or opt-out of certain uses of data – if they have the time and expertise to do so, which is not often the case. On their own, these aren’t real privacy protections.
By contrast, the ADPPA, and by extension the State Data Privacy and Protection Act, would impose data minimization obligations on companies that collect and use personal information – taking the burden off individuals to manage their privacy online and instead requiring entities to limit their data collection to better match consumer expectations. It would strictly regulate all uses of sensitive data, including health data, biometrics, and location data. The bill provides special protections for minors, prohibiting targeted advertising to kids under 17. It establishes strong civil rights safeguards online and reins in harmful algorithms. EPIC believes it is stronger than the strongest state privacy laws on the books today.
A version of the State Data Privacy and Protection Act has already been introduced in the Massachusetts House and Senate (SD745, HD2281), and we expect other states to introduce similar bills in the coming months.
Key provisions include:
- Data minimization: Establishes limits on the unfettered processing of personal data by setting a baseline requirement that entities only collect, use, and transfer data that is reasonably necessary and proportionate to provide or maintain a product or service requested by the individual (or pursuant to certain enumerated purposes).
- Strict restrictions on sensitive data collection and use: Sets heightened protections for collection and use of sensitive data (i.e., biometrics, geolocation, health data), which is only permitted when strictly necessary and not permitted for advertising purposes.
- Civil Rights: Extends civil rights to online spaces by prohibiting entities from processing data in a way that discriminates or otherwise makes unavailable the equal enjoyment of goods and services on the basis of race, color, religion, national origin, sex, or disability.
- Cross-context behavioral advertising prohibited: The collection, use, and transfer of information identifying an individual’s online activities over time and across third party websites and services is strictly limited and cannot be used for advertising.
- Protections for children and teens: Prohibits targeted advertising to minors under age 17. Covered entities may not transfer the personal data of a minor without the express affirmative consent of the minor or the minor’s parent. Personal data of minors is considered “sensitive data.”
- Algorithmic fairness and transparency: Requires covered entities (which are not small businesses) to conduct algorithmic impact assessments, which include mitigation measures to avoid potential harms from the algorithms. Entities must also conduct algorithm design evaluations prior to deployment in some instances.
- Service Providers: Establishes requirements for service providers handling personal data, including a prohibition on commingling data from multiple covered entities. Service providers can only collect, process, and transfer data to the extent necessary and proportionate to provide the service requested by the covered entity.
- Data Brokers: Data Brokers must register with the Attorney General. The AG will create a public registry of data brokers.
- Small business protections: Small businesses (as defined) are exempt from compliance with many provisions of the Act.
This is not intended to be a “model” bill from a privacy advocate’s perspective – it is not exactly what EPIC would write if we were crafting an ideal privacy bill from scratch. Rather, the State Data Privacy and Protection Act is meant to mirror that bipartisan compromise at the federal level.
That being said, there were some changes necessary to convert the bill from proposed federal law to state legislation. Some of the changes were made for clarity purposes, some to lessen the burden on state regulators who do not have the resources federal regulators do, and some were made to update language that was still being negotiated at the federal level. Those changes include:
- Biometric information definition: Makes a clarification to the biometric information definition to ensure that the use of face printing to identify demographics such as race and gender falls under the sensitive data protections, even if it is not used to identify a particular individual.
- Closes loopholes in permissible purposes for data collection and use: Clarifying language was added to the permissible purpose that allows covered entities to use covered data to prevent, detect, protect against, or respond to fraud or illegal activity – the change makes clear that collection for this purpose only applies if the fraud or illegal activity is targeted at the covered entity itself.
- Strengthens the non-retaliation and loyalty program language: The provisions permitting covered entities to operate bona fide loyalty programs were updated to ensure that such programs are not used to transfer vast amounts of personal data to data brokers. The language added is substantively equivalent to language negotiated between business groups in Washington State and consumer advocates in 2022. Language from the California Consumer Protection Act protecting individuals from differential pricing that is unjust, unreasonable, coercive, or usurious in nature was also added.
- “Do Not Collect” system requirements removed: To reduce the burden on state Attorneys General, the provisions requiring the creation of a “Do Not Collect” system where individuals can send a request to data brokers to opt out of collection by such entities were removed.
- Compliance programs that would be difficult to administer at state level removed: Provisions from ADPPA that would have required federal regulators to establish technical compliance programs and compliance guidelines, as well as to report on digital content forgeries, were removed to alleviate regulatory burdens on state regulators.
- Private Right of Action updated to exempt small businesses: Individuals may not bring suit against small businesses.
- Preemption language cut since not relevant at the state level: ADPPA would have preempted certain types of state laws covered by the provisions of the Act, but that is not relevant in a state bill and therefore those provisions were cut.
While we still hope that Congress will enact nationwide comprehensive privacy legislation, states should not wait for Congress to act. There are very real harms happening every minute of every day due to the lack of privacy protections in the U.S. It is time to change the business models that have led to today’s commercial surveillance systems. We do not need any more evidence that self-regulation does not work.
EPIC believes that the State Data Privacy and Protection Act presents a reasonable compromise that promotes innovation while going much further to protect consumers than the industry-drafted proposals that have been enacted in states like Virginia and Utah. It would force changes to the abusive data practices driving commercial surveillance and online discrimination, while allowing businesses to continue to innovate. EPIC is happy to be a resource to any state legislator or their staff considering this bill.