🧵Here’s a story of how far we have come on privacy regulations – and how far we still have to go. Most countries have baseline privacy laws that set minimum standards for data use. We do not.

Most countries have data protection agencies that enforce privacy laws. We do not. /1

Ten years ago, the Obama Administration called for some fairly weak privacy standards in a Privacy Bill of Rights. But it satisfied neither industry or critics and was dead on arrival. /2

https://www.theatlantic.com/politics/archive/2015/02/obamas-privacy-bill-of-rights-gets-bashed-from-all-sides/456576/

In 2018, California passed the first baseline privacy legislation in the nation. And in 2020, California voters passed an even more privacy-protecting ballot initiative. /3

https://www.getrevue.co/profile/themarkup/issues/tech-on-the-ballot-286520

The California law established the nation’s first-ever data protection agency called the California Privacy Protection agency. It launched last year with guaranteed funding of $10 million a year. /4

https://www.nytimes.com/2022/03/15/technology/california-privacy-agency-ccpa-gdpr.html

The unique thing about the California privacy law is that because it was passed by ballot initiative, the California legislature cannot weaken the law or cut the agency’s funding. This is a unique situation that doesn’t exist anywhere else. /5

https://www.caprivacy.org/u-c-berkeley-constitutional-legal-scholar-says-prop-24-the-california-privacy-rights-act-unequivocally-strengthens-privacy-law/

Recently, other states have been rushing to pass privacy laws as well, many of them weaker than the California law and heavily influenced by the tech industry. /6

https://themarkup.org/privacy/2021/04/15/big-tech-is-pushing-states-to-pass-privacy-laws-and-yes-you-should-be-suspicious

All this action has created momentum for a federal privacy law– finally! This week, the House @energycommerce committee marked up a federal privacy bill known as #ADPPA. It is much stronger than anything the Obama Administration could have dreamed of. /7

In addition to baseline privacy requirements, it requires companies to assess whether their algorithms are discriminatory - and to fix them. It also allows individuals to sue companies directly for damages from privacy violations, with some limitations. /8
https://www.wired.com/story/american-data-privacy-protection-act-adppa/

But there’s a catch: ADPPA doesn’t set up or fund an agency to enforce the rules. It has no statutory fines and turns enforcement over to the FTC which is chronically underfunded and has limited fining authority.

And the biggest catch: ADPPA pre-empts nearly all state privacy laws including California's landmark law. (The author’s home state law - Illinois's Biometric privacy act, is carved out however). /9

https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=095-0994

Ten state attorneys general have asked Congress to make federal legislation a “floor, not a ceiling.” And California lawmakers voted against the bill yesterday after their amendment to retain California's law was defeated. /11

https://oag.ca.gov/news/press-releases/attorney-general-bonta-leads-coalition-calling-federal-privacy-protections
https://eshoo.house.gov/media/press-releases/citing-lack-protections-californians-eshoo-opposes-federal-privacy-bill

Apologies! I was incorrect in this tweet. California lawmakers voted for an amendment to retain the CA law, but most of them voted for final passage of the bill after their amendment was defeated.