The American Data Privacy and Protection Act (ADPPA) has been formally introduced in the House of Representatives and seeks to introduce a comprehensive Federal consumer data privacy law.
This is not the first such privacy law to be proposed, but all other attempts to introduce a comprehensive Federal consumer data privacy law have failed. The bill (H.R. 8152), introduced by Reps. Frank Pallone (D-NJ), Cathy McMorris Rodgers (R-WA), Janice Schakowsky (D-IL), and Gus Bilirakis (R-FL), is bicameral and bipartisan and has considerable support, including the U.S. Federal Trade Commission and many civil rights organizations. The ADPPA is viewed by many as being the best opportunity to pass such a law in decades.
Currently, the United States has a patchwork of state-level data privacy laws, with only California, Colorado, Connecticut, Utah, and Virginia having passed comprehensive consumer data privacy and protection laws. A federal consumer privacy law is long overdue.
ADPPA Updated from Discussion Draft
A discussion draft of ADPPA was issued in early June that was co-authored by U.S. Senate Committee on Commerce, Science, and Transportation Ranking Member Roger Wicker (R-MS) and House Committee on Energy and Commerce members Frank Pallone, (D-NJ) and Cathy McMorris Rodgers (R-WA). The discussion draft introduced robust consumer data privacy rights with appropriate enforcement mechanisms.
The bill aims to restrict the uses and disclosures of the personal data of citizens without consent, will give consumers a host of new rights over their personal data, and there is also a private right of action, which will allow consumers to take legal action against entities that violate their privacy and misuse their personal data.
ADPPA Passes Committee Hearing
On June 23, 2022, the U.S. House Energy and Commerce Committee’s Subcommittee on Consumer Protection and Commerce hosted a hearing about ADPPA and discussed the importance of introducing federal privacy legislation. Over 3 hours the committee discussed elements that needed to be added and removed, ways to make such a law workable, and how to best strike a balance between providing important privacy protections for consumers while making those regulations practical for businesses. The formally introduced bill takes those discussions into account and attempts to restrict data uses without hampering data-driven innovation, while limiting the compliance burden for businesses.
According to Rep Pallone, “This legislation represents a fundamental shift in how data is collected, used, and transferred. It rejects the coercive ‘notice and consent’ system that has totally failed to protect Americans’ data privacy and security.”
Key Requirements of the ADPPA
APDDA has seen several amendments following the committee discussion, which received a unanimous voice vote by the full committee. The key requirements of the bill are detailed below.
ADPPA-covered entities are those that alone or jointly with others determine the purposes and means of collecting, processing, or transferring covered data; are subject to the Federal Trade Commission Act; are common carriers subject to the Communications Act of 1934; are organizations not organized to carry out business for their own profit or that of their members; and any entity or person that controls, is controlled by, or is under common control with another covered entity.
Government entities and persons or entities that collect, process, or transfer covered data on behalf of federal, state, tribal, territorial, or local government entities are exempt.
Large Data Holders
Large data holders are defined as entities with gross annual revenues of $250 million or more that collect, process, or transfer the data of more than 5 million individuals or devices, and the sensitive data of more than 200,000 individuals or devices.
ADPPA-covered data is any information that identifies or is linked or reasonably linkable – alone or in combination with other information – to an individual or device that identifies or is linked or reasonably linked to an individual and may include derived data and unique identifiers.
Covered data does not include de-identified data, employee data, publicly available information, and inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.
Sensitive Covered Data
Sensitive covered data has been defined by the ADPPA and limitations are placed on the collection and processing of these sensitive data types. Sensitive data is defined as:
Government-issued identifiers, such as a social security number, passport number, or driver’s license number; any information that describes past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual; financial information such as account number, debit/credit card number, income level/bank account balances; biometric data; genetic information; precise geolocation information; individuals’ private communications; account or device log-in credentials/access codes; sexual orientation; photos, films and videos of naked/undergarment-clad private areas of an individual; information about individuals under 17; and information that reveals the video content or services requested or selected by an individual from a provider of broadcast television service, cable service, satellite service, or streaming media service.
Requirement to Mitigate Privacy Risks
All entities covered by ADPPA are required to mitigate privacy risks, including the collection, processing, or transfer of covered data that could result in “any reasonably foreseeable material physical injury, economic injury, highly offensive intrusion into the reasonable privacy expectations of an individual under the circumstances, or discrimination on the basis of race, color, religion, national origin, sex, or disability.”
The ADPPA introduces data minimalization requirements, which limit the collection, processing, or transferring of covered data to what is reasonably necessary and proportionate to the purposes for which the data has been collected. The allowable purposes are to provide or maintain a specific product or service requested by the individual to whom the data relates, or to deliver a communication that is reasonably anticipated by the individual recipient within the context of the individual’s interactions with the covered entity.
Deceptive Marketing Provisions
ADPPA prohibits covered entities from engaging in deceptive advertising or marketing practices for products or services
Consumers are given the right to access, correct, and delete the covered data held, processed, or transferred by a covered entity, and have the right to data portability – have the information transferred to them in a human-readable and machine-readable format. Access requests will cover the 24 months preceding the request, errors in the data must be corrected on request, and covered entities must delete an individual’s data on request, including sending instructions to the third parties to whom the data has been transferred requesting they also delete the data. Covered entities have either 60 (or 90 days in some cases) to honor the requests. Large data holders have 45 days.
Covered entities must not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercising of any individual rights.
Civil Rights Protections
The ADPPA has several civil rights protections to prevent the use of collected data for the purpose of discrimination, including making unavailable equivalent enjoyment or goods or services on the basis of race, color, religion, national origin, sex, or disability.
Large data holders are required to conduct an impact assessment on any algorithms they use, to determine the potential for harm to an individual. They must provide a detailed description of the process and methodologies used by the algorithm, and the data used by the algorithm.
The FTC is required to set up a Bureau of Privacy which will be tasked with enforcing compliance. A victims’ relief fund must be established using funds from civil monetary penalties and settlements related to violations. State attorneys general will also have the authority to bring civil actions in the name of the state if state residents have been adversely affected by ADPPA violations.
Private Right of Action
There is a private right of action that allows any individual who suffers an injury as a result of a violation of the ADPPA to bring a civil action against the covered entity. Individuals may obtain damages, injunctive relief, and reasonable attorneys’ fees and litigation costs, although this provision will not come into force until 4 years after the effective date.
Potential Stumbling Blocks
While the bill has considerable support, two of the major sticking points are likely to be the preemption of state privacy laws and the private right of action. If the American Data Privacy and Protection Act is signed into law, it would take data privacy issues away from state legislatures and there is concern that even if the private right of action is restricted, it could easily result in a huge wave of lawsuits. There is also concern that restricting the uses of consumer data will be an impediment to data-driven innovation and that the compliance requirements could prove harmful to small businesses. Concern has also been raised by Senator Maria Cantwell (D-WA), chair of the Senate Commerce Committee, about the number of enforcement holes.
While there is strong support, there is still some way to go to get this bill over the line and signed into law, but there is hope that it could be achieved by year-end.