The American Data Privacy and Protection Act (the “ADPPA”), a bill that would establish a comprehensive federal data privacy framework in the U.S., was formally introduced in the U.S. House of Representatives on June 21, 2022. Should the ADPPA become law, the United States will join the European Union and a handful of other countries such as Canada, Brazil, and New Zealand, in having a comprehensive data protection framework on a national level.
Applicability and Definitions
The ADPPA applies to any “covered entity”, which means any entity or person (other than an individual acting in a non-commercial context) that determines the purposes and means of collecting, processing or transferring covered data and:
(i) is subject to the Federal Trade Commission Act;
(ii) is a common carrier subject to the Communications Act of 1934; or
(iii) is an organization not organized to carry on business for their own profit or that of their members.
The term “covered entity” does not include a governmental entity or political subdivision of the Federal, State or local government, or any person or entity that is collecting, processing or transferring covered data on behalf of a Federal, State, Tribal, territorial or local government entity.
The ADPPA protects “covered data” which means information that identifies or is linked or “reasonably linkable” (alone or in combination with other information) to an individual or a device that identifies or is linked or “reasonably linkable” to an individual. This may include derived data and unique identifiers, but excludes de-identified data, employee data, publicly available information, and inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.
General Provisions in the ADPPA
While the ADPPA is far from its final form, some key provisions of the current version of the bill are detailed below:
The ADPPA’s data minimization provision requires covered entities to limit the collection, processing and transferring of covered data to what is “reasonably necessary and proportionate” to (i) provide or maintain a product or service requested by the individual, (ii) deliver a communication that is reasonably anticipated by the recipient, or (iii) effect a purpose expressly permitted under the ADPPA (g., completing a transaction or fulfilling an order requested by the individual, authentication, preventing or responding to a security incident, etc.).
- Additional restrictions are imposed on the collection, processing and transfer of specific types of data (g., social security numbers, sensitive covered data, aggregated internet search or browsing history).
- Covered entities and service providers must establish, implement and maintain reasonable policies, practices and procedures regarding the collection, processing and transfer of covered data. These policies, practices and procedures should take into account (among other things): (i) the size of the covered entity or service provider; (ii) the nature, scope and complexity of the activities; (iii) the sensitivity of the covered data collected, processed or transferred; and (iv) the cost of implementing such policies, practices and procedures in relation to the risks and nature of the covered data.
- The ADPPA provides for certain individual data rights, including the right to (i) access covered data, (ii) correct any material inaccuracy or incomplete information, (iii) delete covered data, and (iv) export data. Entities must fulfill verified requests to exercise rights free of charge the first two times in a 12-month period and for a reasonable fee for any request after.
- Covered entities must make a privacy policy publicly available in a “clear, conspicuous, not misleading and readily accessible manner”. Like the California Consumer Privacy Act (the “CCPA”), the privacy policy must disclose (among other things) the categories of covered data collected, the processing purposes for each category, and a description of how an individual can exercise any applicable data rights.
- Covered entities must provide opt-out options for the transfer of covered data and for targeted advertising as well as provide an easy to execute means to withdraw consent with respect to the processing of covered data.
- Covered entities may not generally condition services or pricing on an individual’s agreement to waive any privacy right guaranteed by the ADPPA or regulations promulgated under it.
- The ADPPA includes provisions related to civil rights and algorithms that prohibit covered entities from collecting, processing, or transferring data in a discriminatory way or in a manner that makes the equal enjoyment of goods or services unavailable based on race, color, religion, national origin, gender, sexual orientation, or disability.
- The ADPPA imposes additional restrictions on service providers and third-party collecting entities. Service providers, for example, may only collect, process, or transfer data to the extent strictly necessary to provide services requested by the covered entity. Third-party collecting entities must provide privacy notices using language developed by the FTC and (if collecting data regarding more than 5,000 people) must also register with the FTC.
- The ADPPA would generally preempt state laws. However, there are enumerated exceptions, including for consumer protection laws, civil rights laws, laws that govern privacy rights or other protections of employees or students or their information, data breach notification laws, Illinois’ Biometric Information Privacy Act and the Genetic Information Privacy Act, and Section 1798.150 of the California Civil Code.
Enforcement of the ADPPA & Private Right of Action
The ADPPA would be enforced by the FTC, which may promulgate regulations and guidance pursuant to the ADPPA. In order to assist the FTC in exercising its authority under the ADPPA, the FTC must establish both a new “Bureau of Privacy” and a “Youth Privacy and Marketing Division”. The ADPPA may also be enforced by State Attorneys General, who may bring civil actions to enjoin practices, enforce compliance with the ADPPA or obtain damages or civil penalties. However, the relevant Attorney General must first notify the FTC before initiating a civil action so that the FTC can choose to intervene.
Individuals who suffer an injury can also bring a civil action against an entity for violation of the ADPPA. However, the individual must first notify both the FTC and the relevant Attorney General, who may choose to take action, superseding the individual’s action. This private right of action would not go into effect until 4 years after the enactment of the ADPPA.
Any civil penalties obtained by the FTC or an Attorney General in enforcing the ADPPA must be deposited into the “Privacy and Security Victims Relief Fund”, which would be established in the U.S. Treasury. The fund can be used to compensate individuals affected by an act or practice for which relief has been obtained, to conduct technological research the FTC considers necessary to enforce the ADPPA, and to fund the activities of the Office of Business Mentorship, which will be established by the new Bureau of Privacy to provide guidance and consultation to entities regarding compliance with the ADPPA.
Points of Contention and Current Status
Two major points of contention in the ADPPA that will need to be resolved before it moves forward are (1) the private right of action and (2) the preemption provisions. In particular, some believe that a private right of action is unnecessary given the other enforcement methods that the ADPPA provides. Others, however, not only believe the private right of action is necessary but that it is not strong enough given that it will not become effective until 4 years after the law goes into effect. Similarly, the California Privacy Protection Agency opposes the current preemption provision, stating that the ADPPA is weaker than the CCPA, and that the ADPPA’s preemption provision would essentially “lower the bar on privacy protections for Californians”.
The bill underwent markup on June 23, 2022, in the Consumer Protection and Commerce Subcommittee and was then referred to the full House Committee on Energy and Commerce. If it is passed by the full Committee, it would then be considered by the full House of Representatives and later by the Senate.
While there are still several hurdles for the ADPPA to overcome before it becomes the law of the land, this is the first federal privacy legislation in the U.S. to make it this far, which gives proponents of a comprehensive federal privacy law a glimmer of hope.
Anvi is a Moore & Van Allen summer associate and a rising third year law student at Vanderbilt Law School. Her professional interests include data privacy, cybersecurity, and intellectual property matters.
About Data Points: Privacy & Data Security Blog
The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.