Here’s an endorsement of the recently proposed federal data privacy law, the American Privacy Rights Act (APRA):
“The privacy bill unveiled by Chairs Cantwell and McMorris Rodgers is a good deal. Their willingness to work across party lines on an issue of common cause has led to a bill that would give all consumers in the U.S. robust rights and protections.”
That’s a strong endorsement. But it is not coming from a privacy rights or consumer advocacy group. It’s coming from Microsoft, a tech company that collects a lot of data on people. The company’s endorsement of APRA should alone raise red flags about the nature of the legislation given Microsoft’s history of storing sensitive data through Office and LinkedIn, two major platforms consumers use all the time.
Meanwhile, Microsoft is a top campaign contributor to the bill’s co-sponsors, Sen. Maria Cantwell (D-WA) and Rep. Cathy McMorris Rodgers (R-WA), as are Meta, T-Mobile, AT&T, Alphabet (Google) and Amazon, other big hoovers of people’s data. Cantwell, a former tech executive at RealNetworks, has maintained a strong relationship with Microsoft dating back to her beginnings in Congress 30 years ago, when Microsoft was in her district (Amazon was as well). Over the course of her Congressional career, Microsoft has been Cantwell’s number one contributor, donating over half a million dollars to her campaigns. When software manufacturers like Microsoft wanted to relax controls on certain wiretapping technology exports in the mid-90s, Cantwell helped Microsoft by convincing the Clinton Administration to change its stance in favor of wiretapping deregulation. And when the Department of Justice decided not to break up Microsoft in 2001, Cantwell, who was a member of the Senate Judiciary Committee, struck a conciliatory tone toward the company. She has also hired Microsoft employees to fill roles in her office.
So it’s clear the bill’s author is firmly in Microsoft’s camp. A look at who else is supporting APRA raises eyebrows. CTIA, The Wireless Industry, also supports it. The Software and Information Industry Association supports it. Its members include Goldman Sachs and JP Morgan Chase. NetChoice, whose members include Waymo, X, TikTok, Meta, Google and Amazon, also supports it.
So why are all these very un-private companies supporting the bill? Because it isn’t very good for consumers. And by throwing their weight behind the APRA, large tech companies like Microsoft are hoping to invalidate a number of state privacy laws, including in California, that give stronger protections for our personal information. Because of preemption language in APRA, the bill will wipe away years of progress made in California.
For example, California’s own data privacy law, the California Consumer Privacy Act (CCPA), established a floor but not a ceiling on rights surrounding personal information. Since a ballot initiative amended CCPA, only voters can change it, and not legislators. But with APRA, Congress can weaken the law at any time.
APRA would also virtually eliminate the authority of the California Privacy Protection Agency (CPPA), which has been building up its privacy enforcement division over the past three years, and developed rules and regulations that are in effect right now.
“For example, the draft seeks to remove the California Privacy Protection Agency’s authority, overriding the will of California voters to create a new state data protection authority,” wrote CPPA Executive Director Ashkan Soltani in a letter to the House Energy & Commerce Committee.
Instead, the CPPA will be replaced with the Federal Trade Commission (FTC), which is in the middle of many important anti-trust battles and doesn’t have the extra resources. Per the bill, the FTC will have two years from when the law is enacted to draft regulations. That’s a lot of time for rogue algorithms to do damage. But California is taking action right now.
APRA would put a lid on progress, likely never to be opened again.
Even putting the preemption issue aside, let’s look at some of the provisions in the bill. While, yes, APRA would give Americans rights surrounding how companies use, share or sell their data, it only appears on the surface to give people more control over personal information trafficked by companies. In reality, the law would spring a thicket of notice and consent pop-ups that will likely do little to rein in the Google/Meta/Microsofts of the world.
Here are some other protections Californians would lose if APRA becomes law:
- Sensitive information, such as sexual orientation, union membership, and immigration status, is not protected under APRA because the bill does not include those categories in the definition of sensitive covered data. That information is protected under the CCPA.
- It hampers California rules surrounding artificial intelligence, including automated decisionmaking technology. The privacy agency is currently drafting rules surrounding a right to opt-out of the use of personal information with respect to training automated decisions.
- It will be harder to seek remedy in court, as a private right of action can only be brought in federal court, which is less friendly to plaintiffs.
- It exempts service providers who collect or provide data to a government entity from complying with the law, meaning Americans won’t be able to stop a company from sharing data with a local or federal agency.
- Other new California privacy laws such as the Delete Act, which will allow consumers to direct data brokers to delete their personal data in one step, will no longer be in effect.
Looking at the text of the bill, APRA contains many portions that are similar to the stalled American Data Privacy and Protection Act (ADPPA), which also was not a good bill. Californians voted for rights such as the California Privacy Rights Act, and they possess them now. Wiping away years of work for something worse will only give companies that abuse our data an easy out.