Stress-testing privacy legislation with a queer lens

It turned out to be a very interesting process!

Stress-testing privacy legislation with a queer lens
Redlined version of changes to the American Data Privacy and Protection Act (ADPPA) by the House Energy and Commerce committee. The words "sexual orientation" are struck out.

Last updated: September 8.  See Updates at the end for a change log.

The best way for any federal or state legislature to assure all consumers’ privacy is protected online is to stress-test their laws against the harsh and worsening realities of queer experiences. If a law can protect queer interests, it will ensure that all consumers are maximally protected.

Hiding OUT: A Case for Queer Experiences Informing Data Privacy Laws, Antoine Prince Albert III on Public Knowledge

Civil rights groups and privacy advocates are very justifiably excited about the inclusion of civil rights protections in the proposed American Data Privacy and Protection Act (ADPPA).  Getting strong bipartisan support for the principle that privacy rights are civil rights is hugely important – and the fact that privacy legislation with a civil rights focus has advanced from committee (on a 53-2 vote!) is a significant milestone.

But as Professor Daniel Solove says in  Further Thoughts on ADPPA, the Federal Comprehensive Privacy Bill,  "many parts of privacy laws have pretty-sounding rhetoric but ultimately are not any deeper."  How deep are the protections in the current version of the ADPPA?

So I decided to take Antoine Prince Albert III's excellent suggestion and stress-test ADPPA through a queer lens.  It turned out to be a very interesting exercise.

Ten stress tests

Here are ten stress tests of how well ADPPA protects the interests of LGBTAIQ2S+ people.*  The first seven come from Hiding OUT's "Queering Ya Privacy" section, with some minor restructuring and wording changes; the last three focus on some specific hot spots in the ADPPA debate so far.

This isn't meant to be definitive; there are a lot of other possible stress tests, and I'd love to hear what others come up with.   But I haven't seen much other discussion of this, and it's an important topic, so hopefully this will spark additional discussion.

Each test is phrased as questions. I’ve included a emoji to reflect how I think the current version of ADPPA responds to the questions.

yes! ADPPA passes the test
I’m not sure or it's complex
no.  ADPPA does not currently pass the test  

  1. Does ADPPA protect private media, personal correspondence, informational data, and metadata by default?
  2. ❌ Does ADPPA protect sensitive data like a romantic video, an emotional voice note, or an online private message threads?
  3. ❌ Does ADPPA protect information about people’s communications patterns?
  4. ✅ Does ADPPA contain heightened protection of individuals’ account or device log-in credentials, activities over time and across third-party websites or services?
  5. ❓ Does ADPPA contain heightened protection information about television, cable or streaming service subscriptions, preferences, and usage?
  6. ❓ Does ADPPA tightly secure health and genetic information?
  7. ❓ Does ADPPA include intentionally inclusive civil rights protections?
  8. ❌ Does ADPPA tightly secure location data that could put LGBTAIQ2S+ people at risk?
  9. ❌ Does ADPPA protect pregnant LGBTAIQ2S+ people in states that have criminalized abortion?
  10. ❌ Does ADPPA allow pro-LGBTAIQ2S+ cities and states to protect residents by passing stronger protections?

If your first thought is "yikes, this is not good, we should do something about it," feel free to skip ahead to Time for an Intervention.

Otherwise, read on for the details.  

Does ADPPA protect private media, personal correspondence, informational data, and metadata by default?

This is an easy and unambiguous one: no.  ADPPA only protects sensitive data by default. Data that reveals sexual orientation, gender identity or experession, or sex is not considered sensitive – so isn’t protected by default.  As Albert says, “Safeguarding data that facially connects people to nontraditional sexual orientations or activities is paramount.”

❌ Does ADPPA protect sensitive data like a romantic video, an emotional voice note, or an online private message threads?

The previous version of ADPPA would have been a yes on this.  Videos, voice notes, private message threads are all considered sensitive data in ADPPA.  So are Albert’s other examples including background data and metadata like calendar events, address book contacts and contact notes, and phone logs.

Unfortunately, the latest version added a major exception: much of this information is not considered sensitive if it’s on employer-issued machines.  Work-related discussions may include very sensitive data; and many queer people blur the boundaries between work machines and personal business.

❌ Does ADPPA protect information about people’s communications patterns?

No.  For one thing, communications patterns employer-issued machines are not protected.  And as EFF noted in their June comments on the discussion draft, ADPPA’s definition of sensitive data should be expanded to include familial and social relationships.

✅ Does ADPPA contain heightened protection of individuals’ account or device log-in credentials, activities over time and across third-party websites or services?

Yes, ADPPA treats these all as sensitive data.

Does ADPPA contain heightened protection information about television, cable or streaming service subscriptions, preferences, and usage?

I think so but the language just changed in the last version and I haven ‘t seen any analyses of it yet so am not sure.

Does ADPPA tightly secure health and genetic information?

ADPPA considers both health and genetic information as sensitive data but there are some significant exceptions so the answer here is not straightforward.

One big potential loophole is that "de-identified" data is completely exempted from the ADPPA.  I put air quotes around “de-identified” because it is almost always easy to re-identify people.  Indeed, as HIPAA and the Leak of “Deidentified” EHR Data in the New England Medical Journal discusses, HIPAA's exception for "de-identified" health data has allowed "massive troves of digital health data to traverse the medical–industrial complex unmonitored and unregulated."  There’s been a lot of discussion of “de-identified” location data under ADPPA (and we’ll mention it too in the next section), but as far as I know there hasn’t been any discussion of “de-identified” health data as a potential loophole.

Also, ADPPA’s data minimization rules have exceptions allowing data to be used without consent for internal research and public interest research.  A bipartisan amendment in the latest version, described in terms of making it easier to do clinical research, changed the public interest research language. I haven’t yet seen a discussion of whether it opened up some loopholes but it seems worth looking at.

❓ Does ADPPA include intentionally inclusive civil rights protections?

At first it seems like this is a clear "no". The list of protected classes in ADPPA's anti-discrimination language (§207(c)) does not mention sexual orientation, gender identity, or gender expression.

But it's more complex than that.  The Supreme Court's 2020 Bostock ruling found that "on the basis of sex" includes discrimination on the basis of sexual orientation or gender identity, meaning that they're implied by the current language in ADPPA as well.  Then again, just last month, a judge in Tennessee issued an injuction blocking the Department of Education from Title IX protections to transgender and gay employees/students.  So the law is potentially unsettled.  

On the one hand, as Albert says, queer people cannot rely on “interpretive generosity.”  On the other hand, I don't know the political landscape around this issue; it could be that there's some reason that it's actually better to rely on the current language.  So I'm going to leave this as a ❓ for now in hopes until it's clear what LGBTAIQ2S+ organizations and activists think is the right answer.

❌ Does ADPPA tightly secure location data that could put LGBTAIQ2S+ people at risk?

"Precise geolocation data" (§2(24)) is considered sensitive data under ADPPA so it seems like the answer to this should be yes.  But there’s a big caveat here: a lot of data that you and I might think of as precise location data isn't considered "precise geolocation data" under ADPPA.

For example, Californians for Consumer Privacy notes that location data inferred from a surveillance camera or a photo taken in a gay bar aren’t considered sensitive data – meaning it can be shared without consent.

And remember just last year when “de-identified” data from gay dating app data Grindr was apparently sold off and linked to a Catholic priest, who then resigned from his job?  ADPPA completely exempts “de-identified” data.  Sen. Ron Wyden, who’s usually right about stuff like this, has flagged this as a major loophole.

❌ Does ADPPA protect pregnant LGBTAIQ2S+ people in states that have criminalized abortion?

Probably not.

  • Rep. Anna Eshoo has said ADPPA has a loophole that leaves pregnant people at risk of having their data shared with"sinister prosecutors" in states that have criminalized abortion
  • Sen. Wyden says the de-identified data loophole lets companies sell location data to the government about visits to reproductive health facilities
  • Senate Commerce Committee staffers warn that the bill "makes it harder for people to seek redress when their sensitive health data has been used against them” and would force people to “jump through arbitrary, drawn-out hoops” to sue over privacy violations.
  • Kim Clark of Legal Voice says “This bill, at least from the perspective of pregnant people, it really doesn’t do much”

❌ Does ADPPA allow pro-LGBTAIQ2S+ cities and states to protect residents by passing stronger protections?

No. ADPPA preempts most existing and future state and local privacy laws.  Daniel Solove's A Faustian Bargain: Is Preemption Too High a Price for a Federal Privacy Law? looks at the tradeoffs around preemption in general.  From an LGBTAIQ2S+ perspective, this means that if a city like Seattle or a state like Washington wants to better protect its LGBTAIQ2S+ residents by addressing some these problems ... we can't.

Important: This generalizes to other lenses

There is nothing uniquely powerful about the LGBTAIQ2S+ lens.  Other targeted and marginalized communities also have harsh and worsening realities.  Stress-testing legislation from the perspectives pregnant people and potentially-pregnant people, immingrants, disabled people, Native American and Indigenous people, people without their own devices and/or access to a network, seniors ... all of those lenses can yield insights – and highlight issues that aren't getting attention in the broader conversation.

For example, over two dozen disability rights groups have written to Speaker Pelosi which includes a good description of the harsh realities of how disabled people are at particular risk from the misuse of data, including unscrupulous, exploitative, risky, or even dangerous uses of data.  It also describes three important stress tests for ADPPA

defining health and disability data as sensitive and thus given extra protection, defining disability as a protected class, and requiring that covered entities make their policies and consent mechanisms accessible to people with disabilities

They also ask Pelosi (and the legislators from both parties they CC'ed) to retain and improve the protections.  Stress tests from a disability perspective can identify specific improvements. It's good that ADPPA defines health and disability data as sensitive; however, employee data is exempt, so what about disability-related HR and benefits information?  Is purchasing behavior involving books about long Covid sensitive?   Do companies need consent to use "non-sensitive" data to target ads for those books?  And so on ...  

There are plenty of other disability stress tests to consider it as well.  The groups who have written the letter, as well as other disability advocates, have the clearest picture of what they want to see in legislation, so are likely to come up with the most relevant tests.  And the same is true for other stress tests.  Who best knows the privacy and surveillance threats to immigrants?  Immigrants!

Time for an intervention

Based on this set of stress tests, ADPPA needs a lot of improvement to get to the point where it provides strong protections for queer people.  The good news is that there's still time to improve it.  The more pressure there is for strengthening LGBTAIQ2S+ protections, the more likely it is that there will be some improvement. 267 House members voted in favor of marriage equality, including 47 Republicans, so some progress may be possible.  

So if you care about protecting LGBTAIQ2S+ people's privacy, now's a good time to get involved.  Here are a few things you can do:

  • Call your representative, or leave them a message through their web form.  It doesn't have to be fancy – just "make sure the ADPPA consumer privacy bill is strengthened to protect LGBTAIQ2S+ people."  Congress.gov lets you look up your representative based on your address – or here's a directory if you know their name or what congressional district you live in.
  • If you work at a company that positions itself as LGBTQ-friendly, and it's safe for you to speak up, press them to take a stand in support of protecting LGBTAIQ2S+ people in privacy legislation. This is especially important if you're at a big tech company, data broker, or other industry that's lobbying on the bill . If your company has an executive sponsor for LGBTQ employees, consider contacting them; if you've got an LGBTQ+-focused employee resource groups, this is also a good time for collective action.  Ask them to make a public statement, use their lobbying influence, and ask trade associations they're part of to do the same.  
  • If you're a privacy professional at a company that positions itself as LGBTQ-friendly, let your management chain and the government affairs organization know that this is a problem.
  • Get the word out.  The more people contact legislators and companies, the more likely they are to support improvements.

It's certainly worth pushing for improvements. Even if Congress doesn't pass ADPPA this session, big tech lobbyists are likely to use it as the basis for state legislation in 2023 – and right now that legislation would be based on a very anti-LGBTAIQ2S+ template.  

If Congress decides to go ahead with ADPPA, we’re likely to see a new version of ADPPA sometime in the next couple of weeks.    How wil it look through a queer lens?  

What about all those other lenses?  

Stay tuned - and get involved!!


* I'm using  LGBTAIQ2S+ as a shorthand for lesbian, gay, gender non-conforming, genderqueer, bi, trans, asexual, agender, intersex, queer, questioning, two-sprit, and others who are not straight, cis, or heteronormative.  Julia Serrano's trans, gender, sexuality, and activism glossary has definitions for most of terms, although resources like OACAS Library Guides' Two-spirit identities page to into a lot more detail. Serrano also discusses the tensions between ever-growing and always incomplete acronyms and more abstract terms like "gender and sexual minorities". For this particular essay, the specific perspectives matter in the section highlighting why sex, sexual orientation, and gender identity all need to be treated as sensitive data, so I decided to go with the acronym despite its problems.

Ontario Human Rights Commission's page on Gender identity and gender expression is a good short reference on the distinctions between gender identity, gender expression, sexual orientation, and sex.

Updates

September 8:

  • Added new "Important: This generalize to other lenses" section.
  • Changed the title; it was originally "Stress-testing ADPPA with a queer lens" but other than hard-core privacy people nobody knows what ADPPA is.