A comprehensive privacy bill has cleared a House committee for the first time, but its flaws on federal preemption and a private right of action may limit its prospects. The way the bill handles exceptions for existing laws is also concerning for higher education.
Earlier this summer, the chairperson and ranking member of the House Energy and Commerce Committee were joined by the ranking member of the Senate Commerce Committee in releasing a draft comprehensive federal privacy bill.[1] While comprehensive federal privacy legislation proposals have come and gone over the last several years, the sponsors of the current bill—the American Data Privacy and Protection Act (ADPPA)—stated that their legislation was different. They argued that it includes the first bipartisan deal on the issues of federal preemption of state privacy laws and a private right of action. (In legal terms, a "private right of action" means that an individual can sue to enforce his/her/their rights under a given law.) Those two issues have been the main barriers to the passage of a comprehensive federal privacy bill, so striking a deal that both parties and both chambers might accept would give the ADPPA a reasonable chance of becoming law.
Senate Commerce Committee Chair Maria Cantwell argues that the ADPPA would go too far in overriding state privacy laws and would provide an insufficient private right of action for individuals harmed by violations of their privacy rights.[3] From the perspective of colleges and universities, though, I would argue the opposite: the deal struck on federal preemption does not give institutions enough certainty about the privacy requirements they might face across the country to justify the eventual risk of individual lawsuits that the proposed private right of action would create.
A strong federal preemption requirement would provide institutions with a national framework for complying with individuals' privacy rights, significantly reducing compliance risks and increasing the efficiency with which they can be managed. That stands in contrast to the existing environment without federal preemption or a possible future environment with weak federal preemption that would require colleges and universities to continue to track and comply with the individual requirements of numerous states. While few states have implemented comprehensive privacy laws, most state legislatures are at least considering one, and some states are actively pursuing passage of their version of the California Consumer Privacy Act (CCPA) or the EU's General Data Protection Regulation (GDPR). A federal law that leaves the door open to multiple state privacy laws would offer institutions no relief from a potential multi-state compliance burden.
The ADPPA (as passed by the House Energy and Commerce Committee) would preempt state privacy laws. Unfortunately, the ADPPA also includes a long list of exceptions to that preemption, including state data breach notification laws, the CCPA, and Illinois' biometric and genetic data privacy laws.[4] While there are likely good and valid reasons for many of the proposed exceptions, they create a context in which the institutional overhead for tracking and fulfilling compliance requirements may remain high. Meanwhile, the exceptions for the specific laws of California and Illinois would invite other states that are drafting privacy laws, or think they might in the future, to seek exceptions for their laws as well. Thus, the price for passing the ADPPA in the first place might be the inclusion of additional exceptions for states that are close to implementing their own privacy laws, with the possibility that federal preemption under the law could be eroded even more over time as additional states pass their privacy laws. If an institution is looking for greater certainty in privacy compliance risks and requirements nationwide, the provision on federal preemption in the ADPPA may not start in a strong enough position or give sufficient assurance that it can maintain even the level of preemption it initially establishes.
The introduction of a private right of action also raises institutional concerns. The U.S. Chamber of Commerce and IT industry groups have warned of the potential for lawsuit abuse when a national, comprehensive privacy law pairs a private right of action with the recovery of attorney's fees, as the ADPPA does.[5] The bill's sponsors initially tried to allay those concerns by delaying the provision's effective date to four years after enactment. That long horizon appears to have cost the bill support among potential backers, because the version that ultimately passed the House Energy and Commerce Committee shortened the delay from four years to two.[6] The shorter timeframe, however, will likely only reinforce the concerns of organizations that would ultimately be subject to a private right of action under the ADPPA. Higher education institutions might reasonably accept the heightened accountability of a private right of action if a comprehensive federal privacy law also provided strong federal preemption, since that combination could streamline compliance and reduce its overhead. As discussed above, though, there is good reason to think that the ADPPA cannot uphold both ends of that bargain.
From a higher education perspective, Sections 404(a)(3) and 404(a)(4) of the proposed legislation deserve attention: they provide exceptions that treat compliance with the privacy and data security requirements of certain existing laws as compliance with the ADPPA. The bill draws that equivalence most cleanly in Section 404(a)(4), which covers data security. For laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), the bill states that "compliance with the information security requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the requirements of section 208 [ADPPA data security requirements], solely and exclusively with respect to data subject to the requirements of such regulations, part, title, or Act."[7] For colleges and universities, which are subject to the Federal Trade Commission's (FTC) Safeguards Rule issued under GLBA, this means that Safeguards Rule compliance would equate to ADPPA data security compliance for the "customer information" (as defined by the Safeguards Rule) that also qualifies as "covered data" (as defined by the ADPPA). Note the limit in the quoted text: the equivalence applies only to that overlapping data, so covered data that falls outside the Safeguards Rule's definition of customer information would still be subject to Section 208 directly. Unfortunately, the section goes on to give the FTC a year to develop regulations implementing these exceptions, which opens the door to some risk that the FTC might define the equivalence between preexisting laws and the ADPPA in problematic ways. Still, the section is straightforward enough that the grounds for concern seem reasonably limited.
The treatment of the privacy requirements of preexisting laws in Section 404(a)(3) of the ADPPA is more troubling from the standpoint of potential regulations. The good news for higher education is that the Family Educational Rights and Privacy Act (FERPA) appears in the list of relevant laws alongside GLBA and HIPAA. However, the equivalency language in this section is more qualified. It states that "compliance with the data privacy requirements of such regulations, part, title, or Act (as applicable), shall be deemed to be in compliance with the related requirements of this Act"[8] (emphasis on "related" added). Where the data security exception draws a straight line (compliance there equals compliance here), this text leaves open which requirements of FERPA would count toward compliance with which privacy requirements of the ADPPA. The bill again gives the FTC a year to produce implementing regulations, and given the latitude that the term "related requirements" would afford the agency, higher education could see a much more complicated environment emerge for student records privacy. The U.S. Department of Education would no longer be the sole regulatory arbiter of what student records privacy requires under FERPA; the FTC would be empowered to decide which FERPA requirements satisfy the ADPPA and which ADPPA privacy requirements still apply where the two laws overlap in relation to student records.
I do not want to overstate the potential for troubling regulatory outcomes from the possible work of the FTC at the intersection of the ADPPA and FERPA. The FTC could very well take the same approach to balancing the scales between FERPA and the ADPPA that it did in resolving the overlap between its Privacy Rule under GLBA and FERPA roughly twenty years ago. At that time, the agency established a straight equivalency between FERPA compliance and Privacy Rule compliance, which allowed institutions to maintain their focus on following FERPA from a privacy standpoint while complying with the Safeguards Rule from a data security standpoint. However, the FTC's recent and dramatic revision of the Safeguards Rule, which, at best, reflects very limited consideration of higher education's concerns,[9] leaves room for significant anxiety about what might emerge from an FTC rulemaking process regarding the "related requirements" of FERPA as they pertain to the ADPPA. We simply would not know how justified such anxiety would be until the FTC releases its initial proposal for new regulations at some point during the year following the passage of the ADPPA.
Given Democratic resistance to the proposed bill in the Senate, we are unlikely to have to worry about regulations stemming from the ADPPA any time soon, if ever. However, since future laws are often built on the bones of past bills, it is worth taking the time to understand the flaws of the ADPPA from a higher education perspective. We could very well see them again in future legislation that has a more certain path to becoming law. Should this happen, being prepared to argue in favor of stronger federal preemption and an exception for existing privacy requirements that won't greatly complicate FERPA compliance will come in handy. In the meantime, EDUCAUSE will continue to watch for further developments with the ADPPA and other comprehensive federal privacy legislation proposals. We will work with our members and association partners to encourage the adoption of privacy measures with which colleges and universities could reasonably comply.
1. House Committee on Energy and Commerce, U.S. House of Representatives, "House and Senate Leaders Release Bipartisan Discussion Draft of Comprehensive Data Privacy Bill," press release, June 3, 2022.
2. Cristiano Lima, "Top Senate Democrat Casts Doubt on Prospect of Major Data Privacy Bill," Washington Post, June 22, 2022.
3. Orion Donovan-Smith, "McMorris Rodgers, House Democrats Back Compromise to Pass Historic Privacy Bill. But Will Cantwell Let It Pass?" The Spokesman-Review, July 25, 2022.
4. House Energy and Commerce Committee, American Data Privacy and Protection Act (Amendment in the Nature of a Substitute to H.R. 8152), July 18, 2022, 126–129.
5. Elizabeth Nolan Brown, "Trade Associations, Chamber of Commerce Warn of Danger in Data Privacy Bill," Reason, June 15, 2022.
6. House Energy and Commerce Committee, American Data Privacy and Protection Act (Amendment in the Nature of a Substitute to H.R. 8152), 115.
7. Ibid., 126.
8. Ibid., 125.
9. Jarret Cummings, "Policy Analysis: Revised, Highly Prescriptive FTC Safeguards Rule," EDUCAUSE Review, December 2, 2021.
Jarret Cummings is Senior Advisor, Policy and Government Relations, at EDUCAUSE.
© 2022 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.