HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

ADPPA’s Preemption of State Laws is A Major Sticking Point

The ADPPA is now awaiting a House vote but there are doubts about whether the federal data privacy and protection bill will pass that vote. While there is strong support for the ADPPA, that support is far from universal and several House members have stated that they would not vote in favor of the ADPPA in its current form and would require tweaks to be made before they would give their support.

One of the biggest sticking points is the preemption of state laws. The ADPPA would override state laws, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights and Enforcement Act (CPRA), which provide greater protection for state residents in some key areas. The Health Insurance Portability and Accountability Act (HIPAA) preempts state laws; however, it sets minimum standards for healthcare data privacy and security, but states are permitted to implement their own laws that go further than HIPAA. The ADPPA in its current form does not permit that and sets a floor and a ceiling for data privacy.

House Speaker Nancy Pelosi has recently criticized some provisions of the ADPPA, which has cast further doubt on the ADPPA passing a House vote. Pelosi praised the efforts of California in implementing tough data privacy laws and for giving consumers the right to take action against companies that violate their privacy and obtain damages. Pelosi said it is imperative that California continues to offer and enforce the nation’s strongest privacy rights and that she would be working with Chairman Frank Pallone (D-NJ) about retaining California’s privacy laws.

Several state Attorneys General have also taken issue with the preemption requirements and are calling for changes to the ADDPA to allow states to implement tougher restrictions, with California far from being convinced. Despite concessions being made for California, the California Privacy Protection Agency remains firmly opposed to the ADPPA in its current form due to the preemption of state laws, specifically the removal of the floor of the CPRA and the prevention of California setting more stringent privacy laws in the future. However, if those changes are made to the preemption, there is significant potential for the ADDPA to lose its bipartisan support.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The ADPPA gives U.S. consumers greater power over how their personal data is collected and used, including the right to opt out of the collection and sharing of their personal data. Thoe opt out provisions are a cause of concern for many companies whose business model heavily relies on collection and sharing of personal data, in particular, the collection of data indirectly from third parties.

There has been intense lobbying by data brokers that want a relaxation of the requirements. According to Politico, the spending of five prominent data brokers on lobbying increased by 11% in the second quarter of 2022 compared with the corresponding period in 2021, in response to the ADPPA. One data broker, RELX, claims that if the data sharing restrictions of the ADPPA are not eased it will hamper the investigations of crimes by law enforcement.

RELX collects and shares data with law enforcement agencies which supports law enforcement efforts to target money laundering, human trafficking, and fraud. If individuals are allowed to opt out of data sharing, criminals would be able to do so too and that would hamper the efforts of law enforcement to bring those individuals to justice. RELX says the data it collects is not used for advertising purposes and seeks an exemption to use third-party data for law enforcement purposes. Privacy advocates believe that while there is value in data collection and data sharing for this purpose, the amount of data being collected is excessive, and it currently amounts to extensive nationwide surveillance of the entire population of the United States.

Other data brokers are lobbying for permission to use third-party data for advertising purposes. Large data brokers will be among those most affected by the ADPPA, which to a large extent is why the legislation was drafted – to limit and control how large data holders can use consumers’ data without consent. Currently, they are free to use third-party data collected by companies, which is commonly collected on users that have no direct relationships with those companies. The data fuels a market that has been estimated to be worth $240 billion.

The ADPPA does permit the sharing of de-identified data, but while personally identifiable information can – and often is – stripped out of the data that is collected and shared by data brokers, there is considerable potential for data to be combined with other data sources that can allow individuals to be identified. Data brokers are also pressing to ensure that the preemption requirements stay in place to prohibit states from implementing more stringent privacy laws.

There have already been compromises by Republicans and Democrats to get the ADPPA to the point of a House vote. It is likely that several tweaks will need to be made to the ADPPA for it to be signed into law.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.