It's not clear that ADPPA will move forward. The current version preempts California's CCPA/CPRA legislation, and (big surprise) California doesn't like that. But, that's far from the only issue with it. Here's an update from a couple of weeks ago which discusses some of the problems, as well as potential next steps. https://thenexusofprivacy.net/adppa-new-compromise/

And, here's EFF's position: "Americans Deserve More Than The Current American Data Privacy Protection Act" https://www.eff.org/deeplinks/2022/07/americans-deserve-more...

You can also see which companies sent lobbyists to work on this bill.


I see they are also annoyed at cookie banners:

> SEC. 210. UNIFIED OPT-OUT MECHANISMS. For the rights established under sections 204(b) and (c), and section 206(c)(3)(D) not later than 18 months after the date of enactment of this Act, the Commission shall establish one or more acceptable privacy protective, centralized mechanisms, including global privacy signals such as browser or device privacy settings, for individuals to exercise all such rights through a single interface for a covered entity to utilize to allow an individual to make such opt out designations with respect to covered data related to such individual.

> (B) any time beyond the initial 2 times described in subparagraph (A), may allow the individual to exercise such right for a reasonable fee for each request.

Paying any sum of money to receive a copy of or request to delete my private data is unreasonable in nature.

Now if we could just get a bill that actually limited the government's ability to collect data on its citizens. I'm not really worried about targeted ads, I'm worried about targeted assassinations.

You talk to people and ask them why they are worried about companies collecting data, and a certain percentage will tell you they don't like that the government could get it with a court order. That'd be a HUGE improvement over the current situation where they don't have to, they just collect it directly.

The ADPPA seems like a great example of regulatory capture and gridlock of the federal government by rich corporations and individuals and how federalism (states' rights) is a crucial and increasingly fragile element in holding our economy and our society together. Privacy is a particularly fraught area. SCOTUS says it's not a constitutional right at all (unless it's your money, in which case it's speech), which means states will have to define not data privacy and the limits of the surveillance economy but abortion and marriage and contraception too.

because of the "war on drugs" was supposed to be about the health of Americans, which turned out to be a lie...

I think this is not about protecting the rights to data and privacy of American individual citizens...the other kind of American citizen, the American corporation, on the other hand, stands to gain a lot from this.

> To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.

Ah, so corporations can well-foundedly and meaningfully consume the data of 'consumers' (a euphemism for fuel) in a way such that the historic shadow suckers of everything's energy (banks) can continue to partake on the sucking down of everybody's data/information (with real time measurements, which is a novelty in this ancient system built around trade, commerce, insurance, and power-authority concentration).

For those following along at home:

So far five states have passed local Data Privacy laws (CA, VA, UT, CT, MA). They are all different. This situation makes it much more likely that federal data privacy legislation will happen: while companies wish they could have 0 laws, they would still much rather prefer 1 law rather than 5 (trending towards 50) different laws that contradict each other.

There's a whole buncha specifics about what data is covered and what companies are covered and bleh blah bluh. That's not the most important thing. There are two things which are more important than that. These two issues also happen to be the topics most hotly debated between Dems & Repubs.

1. Private Right of Action, aka "Can I, a private citizen, sue someone?"

Everyone violates GDPR a dozen ways to Sunday, and nothing happens. Why? Because no one can actually enforce the law except for the local regulators who are underfunded. By contrast, the ADA lets anyone sue over violations, and as a result companies care a lot about handicap accessibility.

To my understanding the current negotiations are trending towards a limited Private Right of Action. Meaning it will exist for some violations but not others. This is how CCPA works in California right now: private citizens can sue over data breaches, but any other violation can only be enforced by the Office of the Attorney General.

2. Pre-emption, aka "Does this repeal CCPA."

Can states give additional protections to their residents, or is the Federal government removing the ability of states to define additional requirements for businesses? Again, the current state of negotiations seems to trend towards partial, but not total, pre-emption.



  (e) Verification And Exceptions.—

  (1) REQUIRED EXCEPTIONS.—A covered entity shall not permit an individual to exercise a right described in subsection (a), in whole or in part, if the covered entity—

  (C) determines that the exercise of the right would require access to or correction of another individual’s sensitive covered data; or

Simple: store all your user data in an intermingled fashion, such that a read or update of any individual record necessarily involves a read or update of one or more unrelated records. Now you don't need to act on data access requests.

Can't read legalese much, and -judging by how these things tend to go- I bet it's butchered beyond recognition before it gets to a vote (if at all). Instead, we should consider a constitutional amendment that enshrines digital privacy as a fundamental human right.

Just a reminder any email you have online that is over six months old can be read without a warrant.

Ten years or so ago, I was participating in a small business roundtable discussion with one of our state senators. At the time, I ran a consumer research agency and would often have multinational projects involving consumer data collection in both the US and EU; this is before GDPR had become ratified, but Safe Harbor was failing and there was ambiguity about what the future state would look like.

Of the 15 or 20 business owners in the room, I was the only "pro privacy" voice. People were very focused on what would be the perceived additional cost of complying with any GDPR-style rules in the US, and weren't yet thinking about the negative effects of having different privacy rules in different markets. "Different markets have different rules all the time," in short.

I maintain that it would be less complicated, less expensive, and more human-friendly to use data privacy rules as globally universal as can be achieved. There will always be capitalism leeches that drain money through arbitrage between the policy gaps, yes, but it would help.

(Also: there is zero chance this gets through the current US Senate. Would never clear filibuster.)

The corporate captured government will only protect their privacy and profits. The quicker people realize this, the better.

Always good to see links to direct text of bills.

Reading the tea leaves a bit, Speaker Pelosi seems dead set against it and I don't think will allow it to be moved as is. She has publicly stated that "states must be allowed to address rapid changes in technology", i.e., the bill preempts too many state privacy regulations, esp. in California. But as a rule my default assumption for the "real reason" why Pelosi is against something is because she thinks it will harm chance of caucus holding majority in House.


Skeptical as I am of her motives / methods, I'm inclined to agree with her in this case. Act should be a floor not a ceiling.

If we can let lobbyists write bills, we should be able to let privacy advocates write bills. We can do better than this.

One of the logistical issues with a law like this, and with the CCPA, is verification of the user requesting things such as account deletion. How are people supposed to do that without providing KYC-level details to every service provider?

Will you guys get to click popups on every.single.site.? If so believe it’s annoying. There must be a better way.

Why on earth would we want MORE restrictions and government interference / intrusion in our affairs? Especially in this era of worldwide creeping authoritarianism?

The only way to implement these sorts of mandates is stomping all over a developer's right to freedom of expression. I'm a firm believer that code is speech and that limiting what a developer can do is infringing on his own right to free speech.

Could they have picked a better sounding acronym? Maybe APPA (American Privacy and Protection Act)?

Anyone know the gist of what tech companies will have to do in order to be compliant?

Maybe I'm too romantic, but I'd like to see an American GDPR (not saying that the EU name or the bill itself is better), and then an Asian and so on till we have one global GDPR protecting all consumer data.


Not sure what y'all are complaining about. The amount of privacy work that happens with governments at big tech companies is substantial. The language in this doc seems like a better, less oppressive version of GDPR.

2nd rate claptrap of a bill. Just make the CCPA national.

The effort put in is commendable but this doesn't yet reach the levels of GDPR and the US market is too large for it to be likely to pass. Maybe eventually ...

Worst administration in History.

This is the proverbial shaking of the tree, whereby elected officials will ask (threaten) tech lobbyists for campaign contributions in exchange for their vote against the act.

Lol.. gotta love when they propose acts before even understanding technology. Things like this need to be collectively written by some of the best privacy advocates. Not a bunch of interns that have no clue how technology works.