On June 14, the House Energy and Commerce Committee convened a hearing on the proposed American Data Privacy and Protection Act (ADPPA), representing the first major bipartisan effort by Congress to provide nationwide data protections. Although the draft legislation delivers on the demand for greater privacy regulations, the financial burdens placed on small and medium-sized enterprises (SMEs) could force firms to raise prices for consumers or leave the market entirely, leaving much to be desired for the American consumer. Moreover, despite learning from some of the shortcomings of the EU’s General Data Protection Regulation (GDPR), the bill simultaneously fails to include some of the GDPR’s best features which actively protect SMEs and consumers.
The ADPPA includes several popular provisions that would force companies to give their customers greater ownership over the content, usage, and distribution of their private data. For America’s large corporations, many of these proposed changes in the ADPPA would not require much operational adjustment. This is because, since the enactment of the GDPR, all firms seeking to do business in Europe must comply with similar data protection regulations.
Most affected by ADPPA would be SMEs that lack the resources and IT infrastructure to comply with the requirements. The good news for small businesses is that the ADPPA, unlike the GDPR, contains far more scalable provisions for SMEs. For example, while the GDPR forces all firms to comply with user requests to edit how their personal data is represented, the ADPPA allows smaller firms to delete rather than correct users’ data while larger firms must comply with the request.
In general, the ADPPA dramatically improves upon the GDPR with regard to safeguarding the interests of SMEs, but problems remain when it comes to preemption. For small businesses, navigating differences between state and federal laws can be costly; a federal law should therefore supersede state regulation to increase simplicity.
One of the principal benefits of the GDPR is its universal application throughout the European Economic Area which provides companies with clear and consistent guidelines. Although there are some differences in how GDPR is enforced between member states, the data protection law virtually creates a universal standard throughout Europe, greatly reducing businesses’ administrative costs.
In the absence of an existing federal law in the United States, state governments have taken the initiative to enact data privacy regulations, with some, such as California, having robust protections while others, like Alabama, have weaker restrictions. This approach has forced firms to navigate a complex patchwork of regulations between states, resulting in higher operational costs to meet compliance. As noted by the Washington Legal Foundation, this ZIP code lottery has created “operational inefficiencies” that only “drive up costs, imposing a drag on economic actors who shift resources to compliance” instead of hiring, innovating, or developing new products.
The ADPPA would provide a national floor of data privacy regulations but only represents a partial preemption of state laws. Under the current draft proposal, any state regulation that is not explicitly covered in the ADPPA, such as the California Consumer Privacy Act’s (CCPA) data portability requirements, could still be enforced. In effect, SMEs would have to pay more in costs to adhere to the new national regulations while still having to operate under the patchwork of laws that provide additional challenges for small businesses.
This continuation of a balkanized system of data protections provides a massive disadvantage for SMEs compared to larger firms that can better weather compliance costs. According to the Information Technology and Innovation Foundation, SMEs would have to spend an estimated $20-23 billion annually provided there was no federal legislation that would replace state laws.
The other major flaw of ADPPA comes from its enforcement mechanism. Under the current draft, ADPPA would allow private citizens to sue for alleged violations. Given the well-established American culture of legal challenges by trial lawyers, it is not improbable to imagine small companies getting bogged down in litigation which would give large firms a significant advantage.
This phenomenon can be seen when California’s CCPA created a limited private right of action. Since its introduction in 2018, the amount of litigation increased 44.1% between 2020 and 2021. Given the expanded scope of the ADPPA’s private right of action, it is reasonable to assume that litigation would be even higher and faced by more companies, which would stifle innovation, depress investment, and increase consumer prices.
After nearly five years of seeing the effect of the GDPR play out in Europe, the ADPPA must learn from both the failings and successes of the European regulation model. In providing more scalable regulations that adjust based on the size of the firm, the draft legislation is already learning from the EU’s failures by moving away from a one-size-fits-all approach. Given the continuation of the balkanized data protections system and the enforceability through private right of action, however, the ADPPA still has much to learn from the EU’s successes. Responsible lawmakers in Congress must enact legislation that builds from GDPR’s success and corrects for its failures.
Dylan Shepard is a Policy Intern at the American Consumer Institute, a nonprofit educational and research organization. For more information about the Institute, visit www.TheAmericanConsumer.org or follow us on Twitter @ConsumerPal.