Skip to content

ADPPA and Twitter: eight questions and an elephant

Does the proposed consumer privacy bill prevent Twitter's data abuses?

Eight question marks, in different colors
Please share your perspectives in the Nexus of Privacy Dreamwidth community, on Mastodon at mastodon.social or on Twitter (unless we get suspended for having a Mastodon link in our profile 🤣)
"One effective tactic we've used to cut through the complexity of the legislation is to focus on real-world privacy abuses.  How effective will proposed legislation actually be at stopping them?  If it falls short, how can it be strengthened?"

– Three lessons from “the other Washington”, June 2022

With only a few days left before Congress wraps up for the year, it’s hard to know what’s up with the American Data Privacy and Protection Act (ADPPA) consumer privacy bill. The situation hasn't changed since ADPPA and a “coordinated effort” not to mention the elephant: ADPPA has no chance to go forward in the House unless the roadblock over its preemption of current and future state and local privacy laws is resolved.  Even if that happens, ADPPA still has a big problem in the Senate where Senators Maria Cantwell and Ron Wyden have criticized it as too weak. Still, ADPPA’s supporters continue to express confidence, and Big Tech has a track record of late-in-sessions shenanigans ... so we shall see. As we say here in "the other Washington", it ain’t over til it’s over.  

Even if ADPPA doesn’t move forward in the lame duck session it will be back next year – and as Laying the groundwork for 2023? discusses, it'll influence state legislation as well.  ADPPA’s supporters admit that it's a flawed bill, so whether it’s before a last-minute lame duck vote in Congress, or as starting the prep for next year, it's worth looking at where it falls short and should be strengthened.

Recent events at Twitter provide some clear examples of what’s at stake with real-world privacy-abuses to test how effective ADPPA is going to be in practice. For example, consider the issue Sara Morrison explored in What happens to your Twitter data when Elon takes over: Twitter doesn’t ever actually delete your private messages, even if you delete your account.[1]  This leads to some very concrete questions to evaluate how effective the bill is:

  • Does ADPPA give you the ability to force Twitter to delete your data?
  • If Twitter refuses to delete your data, does ADPPA allow you to sue them for damages?
  • If Twitter refuses to delete the data of any Washington state residents, can AG Ferguson (who  has a long track record of taking on Big Tech companies and winning) use his full investigative and enforcement powers to hold them accountable?
  • If there’s some data about you that you can’t make Twitter delete, does ADPPA at least give you the ability to prevent them from using your data to improve their product and service?

And the new Chief Twit is an anti-trans bigot who’s reinstatating accounts of anti-trans people suspended for hate speech, having chummy discussion with an anti-trans hate group …so it’s a good time to apply Antoine Prince Albert III’s suggestton in Hiding OUT: A Case for Queer Experiences Informing Data Privacy Laws: stress-test the law against the harsh and worsening realities of queer experiences. A couple of specific questions:

  • Does ADPPA prevent Twitter from sharing information about people’s sexual orientation, gender identity, and gender expression [2] without their consent?
  • Does ADPPA prevent Twitter from sharing queer people's location data with hate groups and law enforcement in states that have criminalized gender-affirming health care or passed “don’t say gay” bills?

And as well as the  queer lens, it’s important to look from the perspective of other groups facing harsh and worsening realities as well.  For example:

  • Does ADPPA protect the privacy of Twitter employees or contractors whose are engaging in worker activism?
  • Does ADPPA prevent Twitter selling or sharing pregnant people's data with anti-abortion “crisis pregnancy centers,” bounty hunters, or law enforcement in states that have criminalized abortion?  This is the elephant in the room that ADPPA supporters do their best to avoid talking about. As Kim Clark of Legal Voice says, “This bill, at least from the perspective of pregnant people, it really doesn’t do much.”

Some of these questions have fairly straightforward answers; others are tricky. Unsurprisingly, I have thoughts, and I'll do a follow-up post with my take on it ... but first, I'd love to hear what others have to say.

I've started up threads on Dreamwidth, Mastodon, and Twitter to discuss – links coming soon.  Please let us know what you think!

Notes

[1] Zack Whittaker originally reported this in Twitter doesn’t actually delete your direct messages when you try to delete them in 2019 on TechCrunch.  For those of you in the European Union, Michael Veale’s Deleting DMs from Twitter using the GDPR lets you file a request.

Worth mentioning: Twitter’s investors (including Larry Ellison, Andreessen-Horowitz, Saudi Prince Alaweed, and the Qatar investment Fund) all have undisclosed “special rights” to the data ... more good reasons to want to delete it!

[2] Ontario Human Rights Commission's page on Gender identity and gender expression is a good short reference on the distinctions between gender identity, gender expression, sexual orientation, and sex.


Image credit: from “Question Mark” by Hana Chramostova licensed under CC1.0 Universal Public Domain license, via PublicDomainPictures.net