A (2:40)

Sure, the we've had the variety of fits and starts with privacy legislation at the federal level going back decades, honestly, and But I'll just cover the last several years. In 2022, we had the American Data Privacy and Protection act, which is adpa, that was the first, first big push for comprehensive privacy legislation at the federal level after states had started passing comprehensive privacy legislation. So I think by then California, Connecticut, Virginia and a couple of others had passed legislation. And yeah, ADPA was the first big push. It was bipartisan, it got out of committee, and then ultimately never made it to the House floor. So it didn't move beyond that. And then in 2024, we had another opportunity with the American Privacy Rights act, or apra, that did not get as far as ADPA did. It had a bunch of newer thinking from, from the privacy space on, like advertising and a variety of other things, that it was a bit more specific and a bit more well thought out. But that bill also did not make it to a vote. It didn't even make it out of committee. So we have the third attempt now, although this one is not bipartisan like ADPA and APRA were before. This is just the sort of Republican salvo of here's what we can agree on as, as the Republican Party on a privacy platform, and that's what we have. That's what we got on Wednesday.

B (4:06)

So who is to blame for the failure to advance fundamental privacy regulation in the United States? How would you characterize why those prior bills have never made it past Go?

A (4:18)

Well, I think a lot of people have a lot of different interests in privacy. You hear a lot of people say, like, privacy means different things for different people. Some people want to include law enforcement, access to data in a privacy bill. Some people want to include cybersecurity provisions. Some people think the nuts and bolts of the privacy protections in the bill are not calibrated correctly. And I think it's really hard given how broad of an issue privacy is and how it affects pretty much every sector and every person in the country. It's really hard to get everyone to agree on the same vehicle. And so each vehicle in the past has had outspoken critics and they are just able to stop. It's much harder to stop something in Congress than it is to get it passed. So once a particular stakeholder or set of stakeholders decides this isn't the right thing, there are a lot of opportunities to basically sink the bill and make it so it can't progress any further.

B (5:17)

Well, things haven't sat still either way. There's been a lot of progress, as you mentioned, in the states, yet it still feels like to me, this is like fundamental issue that we have not addressed in the United States and that in the age of artificial intelligence this is really sneaking up on us. This is really becoming a major problem. I don't know, how would you characterize the challenge as it stands right now? How far behind are we?

A (5:41)

Well, AI is inherently a data issue. Regardless of what the purpose of the AI system is, it is generally trained on a wide swath of data. I think we're seeing this more and more with the consumer facing like Chatbots and chatgpt and these services that people are seeing now that sort of speak in natural language and can create images out of nowhere, et cetera, et cetera. And the way that they're able to do that is they are fed data and then they take correlations from that data and then make, then that's how they're able to make their outputs. The general wisdom so far has been that more data is necessary to make AI better. I don't actually think that's necessarily true, but we even saw an announcement recently from Meta that they're going to start tracking everyone's what they write on their keyboards and how they move their mouse around the screen to try to learn how to do the job of a Meta employee to help train AI that presumably will eventually replace those employees. So we see, and we've seen articles saying like, companies have already run out of data to train it on because they've already crawled the entire Internet, they've already bought all the data they can buy from data brokers and other companies and they fed it all in. I don't necessarily think it's totally true that more data means better outputs. I think if you're trying to get a particular type of quality output, then it actually might behoove companies to trade it on less, more accurate data. And we have problems with hallucinations, we have problems with non factual information coming out of AI systems. And that's at least in part a training data problem. So I think companies should be on the lookout for how to not just feed more unorganized data into an AI training data set, but actually trying to figure out how to create the best outputs from the system based on the training data sets they use.

B (7:30)

Okay, so we've got this new acronym, secure, which stands for Securing and Establishing Consumer Uniform Rights and Enforcement Over Data Act. In your piece for Tech Policy Press this week, you called it a major step backward. Why is it a step backwards?

A (7:48)

This bill essentially takes the industry friendly approach that many states have taken. And that meant that industry has gotten through the process in a lot of states and peels back even more from that. And so, like this is, I believe the reporting said that is, this is mostly based on the Kentucky law, but even the Kentucky law includes language around impact assessments. It includes Data from smart TVs as a form of sensitive data. Neither of those is in the Secure Data Act. There's a variety of other protections that states provide. Some define sensitive data as including financial data. Some define it as including health data. Beyond diagnosis, the definition of sensitive data in this bill is limited. The health data is limited to diagnosis and nothing else. So anything else that's not a diagnosis is somehow not sensitive data. Neural data, contents of communications. There's a variety of different things that are not covered. But I think the big thing, there are two big things here. One is that they've adopted the data minimization standard from most of the states, which is essentially status quo. Companies, as long as they disclose what they do in a privacy policy, they're allowed to keep doing it. That is not a meaningful change in privacy. That is basically just stating that whatever you're doing, you can continue to do. And now we can pretend that we actually protect your privacy when really we don't. I think the other thing is that there are very wide exemptions in this bill that basically allow companies to not have to comply with this bill at all. Some of those exemptions, which I talk about a little bit in the, in the op ed, is there's one about providing a service to a specific service to an individual. I think companies could very likely make an argument that a lot of the data that they collect is to provide service to an individual, and therefore they're essentially exempt from the bill. There's another one. There's another exemption that covers contracts. And some jurisdictions consider terms of service and privacy policies to be contracts. So the irony here is that if you write a privacy policy, you actually don't need to follow the privacy law at all. And then there is another exemption for internal research to improve and develop new products, services and technologies. And that, in my view, is basically the AI training data exemption. If you collect data for, to train an AI system, none of that data is subject to the law. This bill.

B (10:20)

Okay, so let's just break it down maybe in even more basic terms. So when it comes to data minimization, a company has to disclose to a consumer in a privacy policy, you know, here's the information we're collecting and here's how we're going to handle it. As I understand it right now, companies have to abide by whatever commitments they make. This is basically just making it the case that companies can set the rules.

A (10:48)

Yeah, I think that's pretty much right. I think that's how it's played out in the states that have the same standard. The, the, the one caveat here is that for sensitive data, which again is defined quite narrowly in this bill, you do have to get what's called opt in consent before you can collect or process that data. However, companies are highly incentivized to get people to opt into that data collection. So if a company wants, say, precise geolocation, which is defined as sensitive in the bill, they need to get the consumer's opt in consent for that if it's not service related. And there are no protections against what we call dark patterns, which is essentially designing an interface or making design choices that are, that incentivize consumers to give over more information than they otherwise would. So the most common one that we all see is when you see a cookie pop up banner, the accept all is like bright and blue and everyone. It's very obvious that it's there. And then the reject all, if there even is a reject all button, which is not required in the US is grayed out, dark, you can barely see it. Or another one is, it'll just say accept all and then there'll be another one that says more options. And then it requires you to go to another page to then decide which types of cookies you want to collect. So without a dark patterns protection, companies can just bombard customers over and over and over again to collect their sensitive data. And consumers are rightly going to just get annoyed and say, you know what, I'm sick of these pop ups. I'm just going to say yes. And then even though they wouldn't necessarily want to allow the company to collect location data, they end up being forced to do it. So it ends up being a very weak protection for sensitive data. And then for non sensitive data, there's essentially no protections at all.

B (12:32)

So another area you're concerned about is civil rights. I'll just point out it's not just. You saw a statement by Alejandra Montoya Boyer from the Leadership Conference's center for Civil Rights and Technology, basically saying that the bill falls short in protecting our civil rights in the digital economy, that privacy rights are civil rights, that we don't see the types of protections against bias and discrimination that we would like to see perhaps in a bill like this. I don't know. How would you characterize the challenge when it comes to civil rights.

A (13:05)

So one of the big challenges right now is that the administration is trying to undermine the enforcement of civil rights in general. They're trying to get rid of disparate impact as a form of civil rights protections at the federal level. They're basically making it very difficult to prove discrimination based on a protected class. So that's the overarching concern that we have now. Generally speaking, what we see with technology, and particularly with what we used to call, or still call automated decision making systems, but increasingly just call artificial intelligence generally, is that these systems can discriminate based on protected classes. And this gets back to the training data, at least in part. Like if you have training data that says white men are the most successful in these positions at my company, then when you ask the system to recommend people out of 10,000 resumes, chances are you're going to get mostly white men back. And that's not good. Arguably illegal, probably is illegal, and that's the kind of thing we're trying to get at. But because there's very little transparency, there's very little ability to go after these companies for civil rights violations. We've seen a couple of reports, and that's basically the extent that we have right now. The transparency around these systems is very limited. So it's hard to tell whether a company denied a person for a loan because they have some legitimate reason they denied them the loan or because they're black and that their automated decision system decided that black people are less likely to pay it back or whatever. And so that's the kind of discrimination that we're trying to address. And the protections that are included in this Cured Data act are basically not protections at all. It basically says whatever is already illegal is still illegal under, under federal civil rights laws. And that's that which, like we already know that's illegal. That's the. Whether it's illegal is not. Is not the problem. It's whether we can actually, we have the transparency and the knowledge to go after these companies to do it. And also whether disparate impact continues to be a cause of action at the federal level. And this administration, as I said, is going after that. I think the biggest problem with including this throwaway line on civil rights in the bill is that preemption, which is another thing I wrote about in the op ed cover basically says no state locality or a locality is allowed to enforce a law or a rule that relates to anything in the actual. They've included this one line about civil rights, which means state civil rights laws are probably going to get preempted if this passed, which is a huge problem because state civil rights laws are where we're going to get most of our civil rights enforcement, at least during this administration, and especially if this administration is not enforcing disparate impact liability.

B (16:04)

So let's tunnel into that just a bit. This is section 15 of the bill, this relationship to state laws. You write that it could wipe out every state civil rights law, Texas biometric privacy law, Illinois Biometric Information Privacy Act. These have been some of the laws out there that have had the most teeth. We've seen fairly large settlements and judgments against companies under these laws. I don't know how does that mechanism work? Why would it necessarily neuter those laws?

A (16:33)

There's a variety of different types of preemption, and they're all scoped in different ways. It goes from narrow to broad. Usually the narrowest is what we call conflict preemption, which is basically if a company, if a federal law and a state law directly conflict, like a company cannot comply with both at the same time, the federal law wins and the state law gets preempted. That is generally what we want in terms of privacy protections, because we want states to be able to go above and beyond and protect privacy in a more protective way. And then you get the other side, which is what's called field preemption, which is to say Congress has regulated this entire field. So privacy, civil rights, AI, algorithms, whatever you want to. And the scope of the field would also be subject to litigation. But that's the broadest. That's like, okay, nothing can touch AI, for instance, would be field preemption. They've included what's called relates to preemption, which is basically one step back from field preemption. Anything that relates to any provision in this bill would get preempted. So that's why I say putting in this line about civil rights. This means the federal government has addressed civil rights in this bill. Anything that relates to civil rights protections and data use at the state level would get preempted. The same thing with biometric data. Biometric data is protected as a sensitive category in this bill. It is therefore regulated by the federal government. And anything that regulates biometrics at the state level is going to get going to get preempted. And so, and so on and so forth throughout the entire bill. Anything that's related to the provisions in the bill, no state can enforce or pass any laws on those topics.

B (18:15)

Hey, let's talk about another sticking point, at least in Prior negotiations over privacy legislation, which has been the private right of action that seems to be completely abandoned here.

A (18:27)

Yes, there is unsurprisingly, no private right of action in this bill. The way that that has progressed in prior attempts at privacy legislation is that. So the Republicans tend to disfavor them for a variety of reasons, including like an overactive plaintiff's bar. And so they, they're generally more, more opposed to like statutory damages or like liquidated damages, which we see less and less of now because there's been a series of cases at the Supreme Court level that have made it difficult to enforce statutory damages on data related harms. And then on the other side, you generally have the Democrats who are pro private rights of action, pro allowing individuals to vindicate their rights in court. And what happened in ADPA and APRA Back in 2022 and 2024, that was there, there was a middle ground where he came to an agreement on a private right of action that was focused on injunctive and equitable relief. And that essentially means if a company is violating the law, you can't get damages from them necessarily, but you can get injunctive relief. So you can prevent them from engaging in the practice. And that particularly for civil rights protections, I think that is very important. But even for minimization purposes and other data practices that are subject to the law, it's important to have an ability to force the companies subject to this law to not be engaging in illegal activity. And one of the ways that we do that is through the private right of action. Because we love our FTC, we love our state AGs, they're chronically under resourced. They obviously cannot vindicate all the harms that the hundreds of millions of people in the United States experience based on these company practices. So we in generally am the default for most of the country. The time the country has been around is that we let people enforce their rights in court. And so for some reason privacy is an exception to that rule.

B (20:23)

And if you are reading this bill in one of the states that does have a strong privacy law, what do you think you're thinking right now if you're in Sacramento?

A (20:32)

Yeah. So if you're in one of the many states that has stronger privacy protections, California, Virginia, arguably Kentucky, Maryland in particular, which has a, has actually pretty decent minimization language, obviously you definitely don't want your stronger privacy law to be preempted by a weaker federal law, even though the, the law. So the bill allows state AGs to enforce it, but it only allows it to enforce it in federal law. States. State AGs like their state courts. They have state courts. They use them. They're most familiar with them. They don't necessarily want to be forced into federal court, which is what preempting their laws would do, and would force them into enforcing the Secure Data act in federal court. But I think in general, there are many states that have stronger protections than this bill has, and so they certainly should be making their case that their better state laws should not be preempted by a weaker federal standard.

B (21:35)

So what do you think are the prospects for this bill to move forward in. In this Congress? We've got a kind of fractured scenario. Folks are distracted by a war. There's a lot happening on Capitol Hill. How do you read the politics? Is this going to make it out of committee?

A (21:52)

I'm not a political expert. I will caveat that I think this year is particularly difficult to move something because of the election, because of the war, because of a variety of different things. ADPA and APRA came out around the same time of year as this, but they were already bipartisan at that point, and so it could move through the process faster. And I think either of those bills could have gone through the full process during those years. I think this one is further behind. And as Republicans have said many times, like this is a starting point. They do expect it to change, which I think is good, but I think it's just so fundamentally weak that it just. We really should be starting from the ADPA or APRA model rather than something like this.

B (22:36)

Okay, so we've talked about a lot of things, right? We've talked about the civil rights challenges. We've talked about the challenges to the state picture. We've talked about AI's privacy implications. Do you think in the near term, looking even beyond this bill, there are scenarios where we get meaningful federal privacy legislation in the United States?

A (23:01)

Predicting this has basically become an impossible task. I think there is, like, hope springs eternal. It is something that I would love to see happen in my lifetime. And I have a long life ahead of me, so hopefully it does happen. I do think that I do have some hope for the states. There have been some pretty close calls on passing good privacy legislation. Obviously, Maryland has a good privacy law. Maine got very close. Massachusetts is working on a good law. I think there's a lot of hope to be had there. At the federal level, it's a little harder to have hope, but I still do hope that we can come together. We have twice in the past And I think we can again in the future, whether it's using this as a base or using ADPA and APRA as a base, although I'd strongly prefer the latter. I don't think I can predict whether, whether or when it will happen. But I remain hopeful that something that we can get something out of Congress at some point because it would be great to not have just a small or some percentage of Americans have privacy protections. But everybody has privacy protections. And ideally the sort of world I'm envisioning in my head is people just go online, they buy things, they interact with people, they upload stuff, they just get to interact with people and hang out and do cool stuff and they just don't have to worry about their privacy because they know they have a strong federal privacy law protecting them. They know that if the the company is violated that there's going to be strong repercussions as a result. But right now we don't have that. We have cookie banners and companies that do not care at all about your privacy and will extract anything they can out of you to further train AI, to better target behavioral ads to you, etcetera, etcetera.

B (24:52)

And ultimately to sell it back to the government and law enforcement.

A (24:55)

Also that to anyone you know, they'll sell to a data broker. The data brokers will sell to any buyers that come along.

B (25:02)

So let me ask you about one last thing you're working on, which is in California, something called the BASED Act. What's this all about?

A (25:09)

So there's obviously been a big push recently to come up with new competition protections, new competition remedies. A lot of people feel that companies are getting too big, they're getting too powerful, there are monopolies, et cetera. I am not a competition expert. As I said at the beginning of this, CDT has lots of teams, competition is one of them. But I did work with my competition counterpart to put together a letter because the BASED act out of California is a law that would have forced. There's a lot of like not self preferencing these sorts of things that we see in a lot of different bills. But in particular there was a provision that required forced interoperability between essentially large, large platforms and then essentially any third party that sought to interoperate with those services. And often what you'll see in these bills is some form of privacy protection to allow for a company to say, oh, there's actually a privacy interest here that matters. And so we're actually not going to share data. And as long as that's not a false pretense to just hoard data. That's actually a good thing in general. But the based act doesn't have any privacy protections built into it. And so essentially what we said was there's a variety of different data related harms that could come out of forced interoperability. One of them is forced decryption of encrypted messages. Imessage is encrypted end to end by default. WhatsApp at least consumer to consumer is end to end encrypted by default. There's also many of the major companies have built in protections for when law enforcement comes seeking data they will challenge over broad subpoenas or warrants or whatever whatever to try to narrow them to protect the data that they collect from getting into the hands of law enforcement. None of those protections necessarily exist at any of the third parties that would be interoperating with these, with these companies. We already saw with the signal prior notifications being held in your phone memory being used to to check your even deleted messages were still there. Like that was just a small thing and that was just like by happenstance Apple happened to keep that data for some reason although I believe they've since fixed it. But here we're talking about like forced decryption to share with any third party that wants to interoperate with imessage or something like that. Like if you want to get a third party watch and you want your notifications sent to your watch, Apple would have to decrypt the message to send it to the tend to Watts Watch or WhatsApp would have to do the same thing. So there are serious privacy issues with with a competition bill like that and I think they can be balanced but in the based act we did not feel like they were properly balanced.

B (27:59)

Is that a problem that extends, you know, beyond our borders as we see that problem and potentially other interoperability measures?

A (28:07)

Yeah, so I think I'm not an expert on these areas of law but I do believe that Japan's law has a pretty decent privacy prot built into their competition law and I believe that the EU could be better although it still also does incorporate some privacy protections. So yeah, it's all over the place. But yeah, our view is if you want to, if you want expanded competition, we're all for it. We just want not to have serious unintended privacy consequences on the way.

B (28:39)

Eric Noll, I appreciate it very much, would recommend folks follow your work over at CDT and hope that we can have you both on the pages of Tech Policy Press back on the podcast again in future.

A (28:49)

Thank you very much. Appreciate it.

C (29:03)

That's it for this episode. I hope you send your feedback. You can write to me at Justin at TechPolicy Press. Thanks to my guest, thanks to my co founder, Brian Jones, and thank you for listening.

A (29:21)

Tech policy press.