American consumer privacy has been left in the hands of individual states, while federal consumer privacy legislation has been in deliberation for decades, but Congress has finally made progress.
The American Data Privacy and Protection Act (ADPPA) is a proposed landmark U.S. federal privacy legislation that follows in the footsteps of the European Union’s General Data Protection Regulation (GDPR). The House Committee on Energy and Commerce approved ADPPA on July 20, 2022, and H.R.8152 will be sent to the full U.S. House of Representatives for a vote. However, voting may be delayed due to 2022 mid-term elections. If the Bill is passed by the full House, then it would go to the Senate, and we could have an enacted federal data privacy law in the near future.
Though ADPPA is a bipartisan effort, there is tension between federal and state privacy rights and enforcement. With a growing number of states enacting their own privacy laws, such as California, Virginia, Colorado, Connecticut and Utah, ADPPA would largely preempt state privacy laws. Enforcement of the ADPPA would be by federal and state regulators, such as the Federal Trade Commission (FTC) and state attorneys general (AGs).
ADPPA applies to data controllers and data processors. The legislative intent is to reign in abuses of “Big Tech” companies and restrict their consumer data collection, and the use and transfer of that consumer data. It effectively becomes a consumer “Bill of Rights,” providing greater transparency in the collection, use and sale of consumer data. The law would provide minimum safeguards for data protection and require management oversight of data privacy and security.
Entities Subject to Compliance with ADPPA
Though ADPPA would define a covered entity broadly, there are three specific groups of entities subject to compliance with ADPPA:
- Data controllers, which are covered entities that decide the purpose and means of collecting, processing and/or transferring personal information of U.S. residents
- Service providers, such as data processors that collect, process and transfer personal information at the direction of a covered entity
- Large data holders that have an annual gross revenue of $250 million or more and collect or process data for five million persons (or devices) and the sensitive personal information is greater than 200,000 persons or devices.
Furthermore, government agencies are exempt and are not subject to compliance with ADPPA.
How ADPPA Defines Covered Data
ADPPA would define covered data as personal information, which is generally any information linked to an identifiable individual. Exemptions to this definition are de-identifiable data, employee data and publicly available information.
Though ADPPA will define covered data broadly, one of its primary impacts is to protect sensitive personal information. Sensitive personal information includes government-issued identification (including social security number, driver’s license number and passport number); health condition, treatment, diagnosis; financial account information, debit or credit card number, income level, bank balance; biometric or genetic information; precise geolocation information; account logins, passwords, access codes; sexual orientation; and minors’ data.
Entities are required to disclose to individuals that personal information is being collected and their use of the individuals’ personal information. Entities must disclose the collection and use of personal information in a clear and conspicuous privacy notice that includes:
- Categories of personal information collected and processed
- Purpose for which personal information is collected and processed
- Categories and names of third parties to whom personal information is transferred
- Purpose for which personal information is transferred to the third parties
- Retention time for sorting personal information
- How individuals can exercise their rights over their personal information
- General description of the organization’s data security practices
- Whether personal information is accessible to China, Russia, Iran or North Korea.
The entities also will be required to have a clear and conspicuous link on their internet homepage similar to: “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information.” ADPPA also provides limitations on the use of personal information and provides consumers the right to opt out of the sale or sharing of their personal information. In addition, consumers who are minors will require consent by a parent or guardian to opt in.
ADPPA will be enforced primarily by the FTC, allowing the FTC to institute a civil action for violation of the ADPPA. Additionally, no state AG may file its own suit on behalf of a nationwide class of consumers; however, an AG of any implicated state may choose to interview in the FTC action. The ADPPA also will require the FTC to create a new Bureau of Privacy and a separate fund in the U.S. Treasury called the Privacy and Security Victims’ Relief Fund. Moreover, violations of the ADPPA constitute “deceptive practices” under the FTC Act and will require recovery of damages, civil penalties, restitution, attorneys’ fees and costs.
In addition, a state AG may enforce ADPPA violations that impact a number of state residents by bringing a civil action in the name of the state or its residents. Any such AG action must be filed in the appropriate federal court. Prior to bringing an action, the state AG should notify the FTC in writing and provide a copy of the complaint before filing. Furthermore, the amendments to the proposed legislation expressly authorize the California Privacy Protection Agency (CPPA) to enforce the ADPPA “in the same manner” the CPPA “would otherwise enforce the CCPA [California Consumer Privacy Act],” overriding any states’ right issue.
Individual Consumer Rights
In line with many other privacy laws, the ADPPA would provide individuals certain rights. Specifically, individuals will have the right to access personal information that’s collected, processed or transferred (within the past 24 months), the right to correction or deletion of any of their covered data, the right to data portability (if technically feasible) and the right to opt out of data transfer or targeted advertising.
Furthermore, entities are required to respond to consumer requests as follows: While most covered entities would be required to respond to individual requests within 60 days of verification, the requirement differs for small and large data holders. Large data holders would be required to respond within 45 days of verification, while small data holders would be required to respond within 90 days of verification. The response period for any entity is subject to one 45-day extension with notice. The entity shall provide these rights free of charge to a consumer twice in any 12-month period, and the entity can charge a reasonable amount for subsequent requests.
Consumers will have a private right of action; however, before an individual or class of individuals may file suit, they must provide notice to the FTC and the AG of the state in which the individual resides. In the notice, the consumer will outline the desire to commence a civil action for violation of the ADPPA. The FTC and/or the state AG shall decide within 60 days whether they will independently seek to intervene in such action. A private right of action will be allowed starting two years after the effective date of ADPPA and may be brought only in federal court. Moreover, a private civil litigant may seek actual damages, injunctive or declaratory relief, and attorney fees and costs.
As you may gather, lawmakers have compromised on many of the divisive proposals that had hampered previous efforts. Although the House Committee on Energy and Commerce has progressed ADPPA to the House after it proposed changes, the Act probably will remain at a stand-still due to elections, but ADPPA likely will be a priority once a new Congress assembles.