California Privacy Protection Agency Unanimously Opposes the American Data Privacy and Protection Act

The new California privacy regulatory body, the California Privacy Protection Agency (CPPA), has loudly voiced its opposition to the proposed federal American Data Privacy and Protection Act (ADPPA). The bottom line for the unanimous opposition: the ADPPA would preempt California’s privacy laws – both the California Consumer Privacy Act and the California Privacy Rights Act effective as of 1/1/23 – and establish a ceiling on privacy regulation by states. To provide some context, the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes a floor for protection of health information covered by the statute. State laws that are “contrary” to the HIPAA Privacy Rule are preempted, unless a specific exception applies. The ADPPA preemption provision is broad and, according to all members of the CPPA, creates a potential future limitation on California’s ability (whether via state legislature, voter ballot, or regulatory rulemaking) to react to new privacy concerns and develop new legal requirements.

In public comment, most commenters agreed with the CPPA and strongly opposed full federal preemption, and urged the board to engage in public awareness of the ADPPA and its effects and to collaborate with other states with existing or pending privacy laws that would be preempted by the ADPPA to engage in public awareness campaigns. One exception was the former chair of the Federal Trade Commission (FTC). In remarks to the CPPA, Jon Leibowitz urged the agency to help improve the ADPPA rather than oppose it, and said that he believed the ADPPA is “much stronger than the current California law” because it includes broader protections for children and civil rights. Further, Leibowitz pointed out that the ADPPA’s private right of action is broader than that in California law: the private right of action in the CCPA/CPRA is limited only to security breaches.

The CPPA unanimously voted (1) to approve the staff recommendation to oppose the ADPPA as currently drafted; (2) to approve the staff recommendation to oppose any federal bill that in CPPA staff judgment seeks to (i) preempt California privacy laws, (ii) substantially weaken privacy protections in California, or (iii) prevent the CPPA, the California legislature, or California voters through ballot initiative, from strengthening privacy rights in the future or responding to future changes in data privacy/security, or that limits the CPPA’s ability to fulfill all responsibilities and mandates; and (3) to authorize the CPPA staff to support any federal bill that in the CPPA’s judgment either (i) does not broadly preempt California privacy laws, or (ii) in general, creates a “true” floor for privacy protections.

One of CPPA Chair Jennifer Urban’s closing remarks sums all of this up: “We support privacy for all Americans, we just cannot support it at the expense of Californians.”

Watch this space.


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.

Kevin Hiraki