California Privacy Agency Implores House to Beef Up Protections in Proposed Federal Privacy Legislation

Earlier this week, California’s newly formed Privacy Protection Agency (CPPA) sent a letter to House Speaker Nancy Pelosi and Minority Leader Kevin McCarthy opposing the American Data Privacy and Protection Act (ADPPA), proposed legislation that would supplant California’s own data privacy bill with weaker protections and tie the agency’s hands.

The CPPA’s news release claims that the ADPPA, which was advanced by the House Committee on Energy & Commerce on July 20, would preempt the privacy laws of states like California, Colorado, and Connecticut, as well as Maine’s broadband privacy law, and data broker registry laws in California and Vermont. It would, however, provide “specific carveouts for some sectoral privacy laws, such as those relating to employee and student privacy, some specific laws such as Illinois’s Biometric Information Privacy Act (BIPA), and portions of certain laws, such as the negligent data breach private right of action in the CCPA,” a recent agency memo explained.

The California agency’s reaction comes after Golden Staters voted by referendum to enhance their online privacy protections in 2020. Presently, the state’s privacy protection act is administered by the CPPA, a first-of-its-kind agency tasked solely with protecting California residents’ privacy rights by issuing regulations, auditing businesses’ compliance, and enforcing the law.

California’s letter to the legislators explained that the ADPPA would preempt the California law’s most important provisions by removing safeguards and creating a privacy “ceiling” rather than a “floor.” The correspondence also alluded to Roe v. Wade’s overruling, explaining that “[t]oday more than ever, it is important that states be able to build on their existing laws and allow their voters to seek out the additional protections they require.”