On June 3, 2022, a bipartisan group of U.S. Representatives released a discussion draft of a comprehensive federal data privacy bill entitled the American Data Privacy and Protection Act (ADPPA). Though bipartisan compromise on federal privacy legislation has previously proven elusive, the release of the ADPPA should make stakeholders sit up and pay attention. The draft legislation is the first comprehensive privacy proposal to gain bipartisan, bicameral support.
Key Features of the ADPPA
The ADPPA applies broadly to organizations operating in the United States that collect, process, or transfer covered data and fall into one of the following categories:
- Subject to the Federal Trade Commission Act.*
- A nonprofit.
- A common carrier subject to title II of the Communications Act of 1934.
*Note that the Federal Trade Commission enforces various antitrust and consumer protection laws affecting virtually every area of commerce, with some exceptions concerning banks, loan institutions, federal credit unions, insurance companies, nonprofits, transportation and communications common carriers and air carriers. Additionally, the FTC does not have jurisdiction over governmental actions.
Comprehensive Data Privacy Framework
The ADPPA regulates information linked to an individual or an individual’s device. This framework requires Covered Entities to do the following:
- Minimize data collection and processing to what is reasonably necessary.
- Maintain public and internal privacy policies.
- Grant consumer rights, such as access, correction, deletion, and portability.
- Permit individuals to opt out of, or object to, transfers of covered data (e.g., targeted marketing).
- Collect affirmative consent before collecting or processing sensitive covered data, e.g., geolocation, genetic and biometric information and browsing histories.
- Maintain a Privacy Officer and Data Security Officer.
- Certify that it maintains reasonable controls.
Private Right of Action
Beginning four years after the ADPPA’s effective date, the bill provides a private right of action for consumers alleging violations. This private right of action is subject to certain procedural requirements, including giving notice to the Federal Trade Commission (FTC), the relevant state Attorney General, and the prospective defendant, who has a 45-day right to cure. Remedies include injunctive relief, compensatory damages and reasonable attorneys’ fees. Violations would be considered unfair or deceptive acts under the FTC Act, including penalties up to $10,000 per violation. Actions may also be brought by a new bureau within the FTC or by state Attorneys General.
The ADPPA requires data brokers to register with the FTC. Under the bill, the FTC will establish and maintain an online, searchable, central public registry of all registered data brokers, and a “Do Not Collect” registry, which will allow individuals to request that all data brokers delete their data within 30 days. The ADPPA will also enable third-party audits of how data brokers share information with others.
Under the ADPPA, entities may not collect, process or transfer covered data in a manner that discriminates based on race, color, religion, national origin, gender, sexual orientation or disability. Exceptions include:
- The collection, processing, or transfer of covered data for self-testing to prevent discrimination or to diversify an applicant or customer pool.
- Any private club or group not open to the public.
The ADPPA requires covered entities to establish, implement and maintain reasonable administrative, technical and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition. The bill sets out specific security requirements, including:
- Vulnerability assessments.
- Preventative and corrective actions to mitigate foreseeable risks.
- Information retention and disposal.
- Employee training.
- Designating a security officer to maintain and implement such practices.
Exemptions and Exclusions
The ADPPA does not apply to:
- Certain employment-related data.
- Data covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA) and Family Educational Rights and Privacy Act (FERPA).
Interestingly, Part 2 regulations (covering mental health and substance abuse facilities) are not expressly exempted.
Small businesses must comply with the ADPPA but are exempt from a few substantive provisions (including the right to export covered data and specific data security requirements, such as employee training and designating a dedicated security officer) under the draft bill’s “small data exception.” This exception applies to businesses that, for the prior three calendar years, met the following criteria:
- Had an annual revenue of less than $41 million.
- Did not collect or process the data of more than 100,000 individuals.
- Did not derive more than 50% of its revenue from transferring personal information.
Preemption of State Laws
The ADPPA would preempt recently enacted state privacy laws, including those of California, Virginia, Colorado, Utah, and Connecticut. However, the bill carves out sixteen exceptions, including specific statutes on civil rights, criminal codes, student and employee privacy, data breach notification requirements, facial recognition, and financial and health records.
Notably, the ADPPA explicitly does not preempt Illinois’s Biometric Information Privacy Act and Genetic Information Privacy Act, but it does explicitly preempt the California Consumer Privacy Act and California Privacy Rights Act, except for Section 1798.150 of the California Civil Code, which provides a private right of action for certain data breaches. It is not clear whether provisions of the California Privacy Rights Act covering employees would be preempted.
ADPPA Challenges Ahead
- Window of Opportunity. Privacy professionals predict that the opportunity to pass the ADPPA arguably ends at the 2022 midterm elections, given the likelihood that Democrats will lose control of either the House or Senate.
- Competing Proposals. Senator Maria Cantwell (D-Washington), Chair of the Senate Commerce Committee, intends to introduce her own competing privacy legislation. Senator Cantwell prefers a broader application of online user rights. Without her support, the ADPPA may stall.
- Critics. The U.S. Chamber of Commerce has come out against the ADPPA. In a draft letter to Congress, the chamber labeled the discussion draft as “unworkable at this time.” By contrast, the ADPPA has garnered some support in the world of Big Tech. Apple CEO Tim Cook said in a letter to Congress that lawmakers should advance the bill “as soon as possible,” and that “the areas of agreement appear to far outweigh the differences.”
What to Watch
- June 14, 2022: Subcommittee Hearing
The U.S. House Committee on Energy and Commerce’s Subcommittee on Consumer Protection and Commerce held a hearing on the ADPPA discussion draft. During her opening remarks, Rep. Cathy McMorris Rodgers said that “this is the best opportunity we’ve had to pass a federal data privacy law in decades.”
- August 1, 2022: August Recess
Privacy professionals predict that any realistic chance of a compromise on the ADPPA must be made before Congress’s August Recess.
- November 8, 2022: Midterm Elections
The legislation will likely stall if Democrats lose the House or Senate before a vote on the ADPPA.
Our team will continue to monitor the progression of the ADPPA this legislative session.