US bi-partisan data protection push meets resistance from Nancy Pelosi as Sephora becomes the first big scalp under Californian law

Just when things seemed to be heading in the right direction on US federal data privacy legislation, House Speaker Nancy Pelosi has made a somewhat unhelpful intervention, expressing her concerns with certain aspects of the proposed American Data Privacy and Protection Act (ADPPA).

Specifically Pelosi is worried that the Act in its current form would override the California Consumer Privacy Act (CCPA) and other state-level regulation. She says that she’s being told by the likes of California Governor Gavin Newson that the ADPPA would not provide the same level of consumer protection as the California legislation.

The ADPPA was approved on a 53-2 vote by the House Energy & Commerce Committee in July with bi-partisan support, teeing it up for a potential vote on the House floor in the relatively near future. As diginomica noted last month, the Act is the closest we’ve got to date on the idea of workable nationwide US data protection after years of resistance and lobbying by vested interests.

Pelosi’s comments are unlikely to derail progress completely, but they may slow things down. In a statement, she said:

The Energy and Commerce Committee is to be commended for its work on federal data privacy legislation.  Importantly, Democrats won the right for consumers for the first time to be able to seek damages in court for violations of their privacy rights.

However, Governor Newsom, the California Privacy Protection Agency and top state leaders have pointed out the American Data Privacy and Protection Act does not guarantee the same essential consumer protections as California’s existing privacy laws. 

Proudly, California leads the nation not only in innovation, but also in consumer protection.  With so much innovation happening in our state, it is imperative that California continues offering and enforcing the nation’s strongest privacy rights.  California’s landmark privacy laws and the new kids age-appropriate design bill, both of which received unanimous and bipartisan support in both chambers, must continue to protect Californians — and states must be allowed to address rapid changes in technology. In the days ahead, we will continue to work with Chairman [Frank] Pallone to address California’s concerns.

Pelosi’s intervention was welcomed by the California Privacy Protection Agency (CPPA), which in July voted unanimously to oppose the ADPPA in its current form, arguing then that:

ADPPA seeks to prevent the states from strengthening privacy protections in the future. ADPPA is not only substantively weaker than the CCPA, but it would remove important protections that benefit not just Californians, but the rest of the country…Everyone in the United States should enjoy strong privacy protections. But those rights should not come at the expense of existing rights. This is particularly important in an era in which Roe v. Wade has been overruled. Today more than ever, it is important that states be able to build on their existing laws and allow their voters to seek out the additional protections they require.

CPPA Executive Director Ashkan Soltani said of Pelosi’s comments:

The California Privacy Protection Agency applauds Speaker Pelosi’s commitment to ensuring strong privacy protections, in California and across the country. We look forward to working with the Speaker and Chairman Pallone to ensure that any federal privacy legislation sets a true floor for privacy protections and preserves the key role of the states to innovate, particularly in response to rapidly evolving threats to privacy.

First scalp

The focus on the CCPA's clout comes shortly after the legislation claimed its first major scalp in the shape of cosmetic retail giant Sephora, which has settled a lawsuit alleging it sold customer information in breach of the terms of the Act. According to California state officials, Sephora failed to tell consumers that it was selling their personal data, failed to allow them to opt out of those sales, and didn’t fix the problem within 30 days after being informed of the violation.

The retailer has agreed to pay $1.2 million and to correct the breach. Specifically, Sephora must:

• Clarify its online disclosures and privacy policy to include an affirmative representation that it sells data.
• Provide mechanisms for consumers to opt out of the sale of personal information, including via the Global Privacy Control.
• Conform its service provider agreements to the CCPA’s requirements.
• Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control. 

California Attorney General Rob Bonta said of the settlement with Sephora:

I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

For its part, Sephora is clearly less enamoured of the supposed robustness of the CCPA. In a statement, the retailer said:

Sephora respects consumers’ privacy and strives to be transparent about how their personal information is used to improve their Sephora experience. It is important to note that Sephora uses data strictly for Sephora experiences. However, the California Consumer Privacy Act does not define ‘sale’ in the traditional sense of the term. ‘Sale’ includes common, industry-wide technology practices such as cookies, which allow us to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences and ads. Consumers have the opportunity to opt out of this personalized shopping experience by clicking the ‘CA – Do Not Sell My Personal Information’ link on the footer of the Sephora.com website or by using a browser that broadcasts the Global Privacy Control.

My take

I’m not entirely sure that Pelosi’s intervention is going to be at all helpful. The need for a Federal level approach to data privacy and protection in the US has been a long-running argument. Just as progress seems to be being made - and is desperately needed in light of the potential data privacy-related problems that might arise around the striking down of Roe v Wade - it’s bad timing to be putting any brakes on. The level of bi-partisan support for ADPPA has been strong. It would be foolish of the Democrat leadership to risk that now.