Why the CPPA opposes the American Privacy Rights Act
Posted: May 3, 2024
The California Privacy Protection Agency (CPPA) has written to lawmakers expressing its opposition to the new US federal privacy bill, the American Privacy Rights Act (APRA).
With bicameral and bipartisan support, early agreement on some contentious provisions, and strong obligations on covered businesses, the APRA represents the second serious attempt at a federal privacy law in the US.
However, California’s regulator says the states should be allowed to regulate privacy for themselves.
Preemption of state laws
The APRA, if enacted, would “preempt” state laws. This means that, in several states, the new-found rights that consumers have under their state privacy laws would be replaced by the rights granted under the APRA.
While this might represent a net gain in privacy rights for millions of consumers, others would lose out if their state has enacted stronger or more broadly applicable privacy legislation.
“For years, California and other states have typically been the first to step in to address new threats to consumer privacy,” the letter states.
“In this era of rapid technological innovation, (APRA’s) approach is short-sighted.”
Removal of state authority
The APRA would hand enforcement powers to the Federal Trade Commission (FTC) and remove them from state authorities like Attorneys General and, of course, the CPPA.
As the first dedicated privacy regulator in the US, the CPPA is unhappy that its enforcement powers would be snatched away in favor of the FTC.
“The draft seeks to remove the California Privacy Protection Agency’s authority, overriding the will of California voters to create a new state data protection authority.”
Alleged weaknesses in enforcement
Although the FTC is a highly active regulator, having brought several privacy-related actions this year alone, the CPPA argues that the APRA gives businesses an easy ride when it comes to enforcement.
“Though the APRA seeks to vest the Federal Trade Commission (FTC) with new responsibilities, it also prevents the FTC from bringing robust enforcement in certain scenarios by granting compliance safe harbors to businesses.”
Technological advancements and regulatory flexibility
Building on the above arguments, the letter states that the APRA would remove the ability of the CPPA and other regulators to adapt to technological advancements and regulate dynamically.
“The (CPPA’s) rulemaking authority also permits it to update regulations in response to changes over time, to keep pace with evolving technology,” the CPPA notes.
“But as written, the APRA would lock the country into a standard that stymies California’s rulemaking innovation.”
Treatment of data brokers
California recently enacted the Delete Act, which enables consumers to erase personal information held by data brokers via a centralized online portal.
The APRA also regulates data brokers. But rather than providing individuals with the right to delete the information data brokers hold, the APRA provides a “Do Not Collect” mechanism that prohibits data brokers from collecting further information.
“APRA seeks to weaken protections with respect to data brokers. The California Delete Act… gives consumers the right to request that their personal information held by all registered data brokers be deleted, in a single step,” the CPPA explains.
“Instead, APRA provides for a global data broker ‘Do Not Collect’ request, which would still allow data brokers to retain and sell consumers’ information.”
Gaps in sensitive data protections
The APRA requires covered entities to treat “sensitive data” differently than other types of data in some respects. But the APRA’s “sensitive data” definition doesn’t include all the types of information covered by the California Consumer Privacy Act (CCPA)’s “sensitive personal information” definition.
“APRA lacks critical protections with respect to sexual orientation, union membership, and immigration status. Not including these categories in the definition of sensitive covered data leaves crucial gaps in protections,” the CPPA’s letter states.
Potential for diverse and confusing standards
A common argument in favor of state law preemption is that having such a broad variety of state privacy laws creates confusion among businesses. A federal privacy law that preempts state rules should create uniform standards across the entire country.
But the CPPA argues that the APRA might fail to achieve this uniformity even with its preemption provisions.
“Requiring the FTC to bless compliance plans developed by different businesses could lead to a proliferation of procedures for exercising access, deletion, correction, and opt-out rights. This would shift the burden of compliance to consumers.”
The last serious attempt to pass a federal privacy law, the American Data Privacy and Protection Act (ADPPA), failed after states objected to the law’s preemption rules.
The APRA takes a slightly softer preemption approach than the ADPPA, carving out state-specific exceptions including for the CCPA’s private right of action. But the CPPA’s letter suggests that this sticky issue is still likely to be the APRA’s biggest hurdle.
How to navigate these changes
Given the complexity of navigating varying privacy regulations across different states, and considering the concerns expressed by the CPPA regarding the APRA, deploying Cassie, our Consent and Preference Management Platform (CMP), emerges as a strategic asset. Cassie enables businesses to adapt swiftly to both existing state laws like California’s CCPA and potential new federal laws like the APRA. By using Cassie, companies can ensure they are managing consumer consents and preferences accurately across jurisdictions, thereby maintaining compliance with the specific requirements of each law.
Cassie’s dynamic framework is designed to adapt to legislative changes and differing standards, offering tools that can adjust to various definitions of sensitive data and manage rights related to access, correction, deletion, and opt-out processes. Cassie enhances consumer trust by giving consumers a transparent and user-friendly interface for managing their privacy preferences, aligning with the evolving expectations of privacy-conscious consumers.