When it comes to data protection laws, the United States has long lagged behind Europe, whose  General Data Protection Regulation (GDPR) came into effect in 2018 as the gold standard in data protection.

Also, in 2018, California passed the California Privacy Protection Act, further expanding it to the California Privacy Rights Act (CPRA) in 2020. In August 2022, a new federal bill — the American Data Privacy and Protection Act (ADPPA) — passed Congress with a landslide 53-2 vote. The proposed federal law is similar to the CPRA but contains a few key differences that have Californian data privacy advocates concerned.

What are the compliance implications for businesses with both state and federal data privacy laws running in tandem? Is ADPPA’s preemption of state privacy laws good for businesses and consumers? Read on to learn more about the two bills, their differences and what it would mean for businesses if federal law preempts state laws.

What do both the California and federal laws have in common?

Who is included

Businesses that handle consumer data must adhere to these laws. CPRA only pertains to businesses and consumers in California. The ADPPA — if passed — would cover businesses across the United States.

Collecting and sharing data

Both laws restrict how much personal data a business can collect from consumers and require that businesses collect only the data necessary to provide the service. Consumers can opt out of both unnecessary data collection and any data sharing or selling to third parties.

Plus, they have the right to:

  • Know when companies collect their data
  • Request their data from the past 12 months
  • Request that companies delete their data.

Sharing or selling data to third parties

Under both laws, consumers can opt out of having their data shared with or sold to third parties and request that organizations delete that data. Businesses must clearly indicate when they intend to share or sell that data to third parties.

Reasonable data security measures 

Both laws include provisions that require businesses to take reasonable steps toward data security. Neither bill specifies a minimum security threshold; both state that it is the responsibility of the business to make every effort to keep consumer data secure.

While both bills have much in common, some key differences concern data privacy advocates.


Contested differences between state and federal data privacy laws

When a federal law preempts a state law, the federal law takes precedence over the state law or “overrides” it.

Here are some of the most significant differences between CPRA and ADPPA that could pose a challenge.

Does the law consider governments to be covered entities?

According to the proposed federal law, “Federal, State, Tribal, territorial or local government entities” need not meet data privacy requirements. This means that consumers cannot opt out of businesses sharing data with government entities. In contrast, CPRA does include government entities, limiting the ability of the government to use personal data.

If ADPPA does pass into law, businesses will not be able to cite data protection laws as a reason for not sharing personal data with government entities.

Can the legislature amend these laws in the future? 

One of the more important discussions about the ADPPA versus CPRA is whether they can be amended. CPRA states that the law can only be amended to introduce more consumer protections; it cannot be amended to be weaker. On the other hand, there is no such protection for ADPPA. The past few years have illustrated that federal bills protecting rights can easily be reversed or amended to be less stringent.

Data privacy activists are concerned that Congress can amend ADPPA to be weaker. If a weaker federal law preempts the stronger state law, it can leave Californians with flawed data protections.

Are there loopholes to opting out of data collection? 

Proponents of CPRA have criticized ADPPA for a massive loophole in opting out of data collection and storage. ADPPA outlines specific exceptions to opting out of data collection. The contested exception says that consumers cannot opt out if the data collection is used “to develop, maintain, repair or enhance or improve a product or service for which such data was collected.”

Critics of the bill suggest this exception is too large of a loophole.

Private right of action 

Private right of action refers to a consumer’s ability to sue a business for noncompliance with data protection laws. This is especially relevant in the case of data breaches. Both tech leaders and the U.S. Chamber of Commerce were concerned that including a private right of action in the federal law could open the door to class action lawsuits.

While ADPPA does include a private right of action, critics point out that the consumer’s right to action is severely limited and excludes monetary compensation. Also contentious is that the weak private right of action provision severely weakens the incentive to meet data security requirements. Privacy advocates worry that if consumers cannot hold businesses accountable by suing when their data falls into the wrong hands, businesses will not be motivated to meet security requirements.

CPRA’s private right of action only applies to data breaches. Still, it gives a lot more power to consumers to sue for monetary compensation, even if they cannot prove direct damages due to the data breach.

What would it mean for businesses if ADPPA preempts state law?

Differences between the proposed federal law and CPRA affect businesses and consumers in California only if the federal law preempts the state law.

In the current language, ADPPA preempts all state laws — including California laws — except for some specific provisions.

For these exceptions, state law will still hold:

  • State laws governing the collection and use of biometric and genetic information
  • The security breach private right of action provisions of CPRA
  • State laws regarding the privacy rights of students and employees
  • Specific state laws about the collection and use of personal data related to crimes, public safety, medical or health information and marketing or spam.

If ADPPA passes into law, it will supersede California law in every way except for the private right of action. That means businesses will not need to adhere to stricter California laws if the legislature amends the federal bill to be weaker in the future. In addition, federal law would not restrict businesses from sharing personal consumer data with government entities.

The general wording of the data collection exception can allow businesses to forgo opt-out options if they can show they are collecting data to improve their products and services. In the age of personalized user experiences, this is a low bar to clear.

Legal security requirements expose businesses to significant potential liability if they fall prey to cyberattacks. Under CPRA, the company is more liable, and a data breach opens the business up to potential lawsuits. The proposed federal law gives fewer options for private right of action, which shields businesses from potentially having to offer monetary compensation. Unfortunately, the ADPPA does not preempt CPRA for this specific provision, so businesses operating in California should be aware of consumers’ comprehensive private right of action.

The future of data protection law

While ADPPA has passed in Congress, it still has a long way to go before being passed into law. Even if it never passes, the ADPPA is a comprehensive data protection law that can serve as an outline for businesses drafting their data protection compliance strategies.
