Congress mulls data privacy bill that would void California’s tougher protections

A key congressional committee is pushing a federal bill to bolster protections for consumers’ online data privacy, but California lawmakers have launched an aggressive bid to amend or block the legislation because it would unravel the state’s own tougher protections.

Speaker Nancy Pelosi (D-San Francisco) delivered a potential death knell for the American Data Privacy and Protection Act late last week when she said it should not be allowed to override California’s law.

“It is imperative that California continues offering and enforcing the nation’s strongest privacy rights,” Pelosi said, adding that she would work with Energy and Commerce Committee Chairman Frank Pallone (D-N.J.), the bill’s author, to address California’s concerns.

Pallone said in a statement that he’s “laser focused on building support for final legislation.” He had hoped to bring the bill to the floor this month. But neither he nor committee aides addressed what sort of compromise might resolve the conflict.

Pelosi’s public opposition, which echoes concerns from Gov. Gavin Newsom and the California Privacy Protection Agency, marks an escalation in the standoff between California lawmakers and a large bipartisan group of supporters.

The bill was approved by the committee in July, 53 to 2. The two votes in opposition came from Rep. Anna Eshoo (D-Menlo Park) and Nanette Barragan (D-San Pedro). Five other California lawmakers supported the bill in committee, although Rep. Doris Matsui (D-Sacramento) said she wouldn’t support the bill on the floor without changes.

At that time, Eshoo pitched an amendment that would set the federal law as a floor, allowing other states to enact more aggressive legislation. Pallone opposed that idea, saying it would undermine compromises already in the bill and risk losing the support of Republicans, who favor preempting the state laws.

“I had my head handed to me on a platter, but I don’t regret it because my concerns stand,” Eshoo said. “We absolutely need a federal umbrella, a federal privacy law. But as written, it comes at the cost of California.”

In an apparent attempt to appease the state, the bill was updated to grant the state privacy agency authority to enforce the federal law, but it is unclear whether Congress has the legal authority to grant a state agency such power.

The bill attempts to limit the ways in which tech companies can collect, share or sell consumers’ personal information, such as location tracking, health data and private messages.

The legislation is widely supported by the tech industry. But skeptics say industry leaders are trying to push the federal bill to block the California law before it takes full effect and prevent a patchwork of varying state standards. Enforcement of the state law begins in July.

The federal bill “is weaker than the California law,” said Ashkan Soltani, executive director of the California Privacy Protection Agency, created by the 2018 California Consumer Privacy Act and its accompanying 2020 proposition, to enforce the law. “This is a false choice. Congress does not need to preempt the California law in order to give the country effective privacy enforcement.”

He cited the California law’s ability to allow consumers to opt out of programs that use artificial intelligence to create a profile based on their personal data. That benefit would be lost if the federal law can preempt state law.

Under California law, a consumer can opt out of the sale of information that makes inferences about the consumer, such as location-tracking data that suggest a consumer may have visited an abortion clinic, Soltani said. A California consumer can delete that information, too. The federal law does not currently provide such protections.

The California preemption issue is not the only dispute over the bill.

Since the Supreme Court overruled the Roe vs. Wade decision, Democrats have grown increasingly worried about securing consumers’ privacy in terms of their reproductive health choices.

Critics of the Energy and Commerce bill say it has too broad of a loophole for law enforcement to demand data related to a state crime, something that could open the door to the disclosure of location-tracking information, period-tracking information or messages related to abortion access in states where the procedure is illegal. Another concern is whether third parties can access the information.

Rep. Sara Jacobs (D-San Diego) has pending legislation that would limit how much information personal health applications can collect, retain and disclose. It attempts to prevent period-tracking apps from being used by law enforcement or third parties against consumers who get an abortion. It would give consumers the right to delete that information if they choose to and create a private right of action against entities that violate the rules.