Data privacy bill is flawed, but necessary

A bipartisan data privacy bill that progressed out of a House committee in July has not been getting the attention it deserves in the news. The American Data Privacy and Protection Act (ADPPA), which advanced out of the House Energy and Commerce Committee by a 53-2 vote, is the most significant federal data protection law in the United States since the U.S. Privacy Act of 1974.

The bill isn’t perfect, and it has a few hurdles to clear before it can become law — but it takes a fairly comprehensive approach to protecting privacy, incorporating many of the policies of the European Union’s 2018 General Data Protection Regulation (GDPR), and represents a step forward in how the nation protects people’s rights — and their data.

What’s good about the bill

The bill makes some significant improvements over current policy. To start, it gives people greater control over the types of monitoring performed on their activities by requiring “affirmative express consent.” Rather than lumping permissions together under the familiar “accept all cookies” option, users must grant permissions for each type of monitoring a website wants to conduct.

The bill’s other improvements include:

• A requirement that data collectors must limit the data they collect to the minimum of what they need to support their operations.
• An extensive list of data that cannot be shared with third parties.
• A prohibition against a variety of activities, such as looking into what applications each person is using, without their explicit permission.
• Additional constraints on handling data for users under age 17, and for use of biometric data and any data that can be anonymized.
• A requirement to notify users if any data is stored in Russia, Iran, China or North Korea.

What’s not-so-good

The legislation falls short of ideal privacy protections, granting exemption to some organizations and protecting the practices of large data collectors, government agencies and the advertising industry.

Much of the bill’s data protection requirements focus on selling or sharing data with third parties, but first-party collections — organizations that gather data for their own needs — are given a lot of freedom in their collection, tracking and targeting practices as long as it’s for internal use and doesn’t otherwise violate the statute.

And there is a glaring gap in protections concerning social media. The bill covers “high-impact social media companies,” which it defines as those with more than $30 billion in annual revenue and more than 300 million active users over three months. According to annual reports on social media revenues and usage, that would cover Meta (formerly Facebook), YouTube, WhatsApp, Instagram and about 14 other platforms, eight of which are in China. There’s plenty more social media that falls outside that bucket. Smaller platforms leverage the success of the biggest players and can pose just as much risk to users. A bill intended to protect privacy should apply more broadly to social media.

Thorny issues ahead

Perhaps the biggest issue facing the bill’s passage is that, as currently written, it would weaken protections in certain states. The bill’s proposed nationwide standards would improve protections for people in most states, but it would undercut more restrictive laws in a handful of others.

That would be fine if ADPPA were presented as a national baseline of protections on which states could build, but in its current form it would supersede existing state laws. In states such as California, where the California Consumer Privacy Act of 2018 has had an impact on commercial companies’ privacy practices, the federal law would replace greater protections for consumers.

That provision will likely draw opposition as the House bill and a version that has been introduced in the Senate move forward. At this point, the bill is certainly not guaranteed to pass. But it must pass — and whichever version of it emerges must contain provisions as ambitious as those currently in the House bill.

The bill doesn’t go far enough. It is not — nor should it be — the final word on privacy protections. But despite its flaws and the obstacles it faces, the ADPPA would make significant progress, making some desperately needed improvements over woefully insufficient national laws that predate the existence of modern cyberspace.

If it takes another five years before more improvements are made, then that has already been too long. The ADPPA, at least, is a start toward real progress.

Alexander Applegate is a senior threat researcher at DNSFilter, a DNS threat protection solution that uses artificial intelligence to protect organizations from online security threats. He has previously worked at ZeroFox, LookingGlass Cyber Solutions, and CrowdStrike.