On June 21, the U.S. House of Representatives introduced a draft federal privacy bill named the American Data Privacy and Protection Act (ADPPA). This bill, if enacted, would bring more transparency and baseline data privacy protections to U.S. residents. Although the ADPPA is already facing challenges from industry groups and members of Congress, its introduction demonstrates the bipartisan interest in enacting a federal data privacy law.
This article provides a brief overview of what businesses are covered by the ADPPA, their obligations under the law, certain exceptions to the law, the proposed enforcement mechanisms, and what rights are provided to individuals.
Who Must Comply with the ADPPA?
The ADPPA would apply to all persons engaged in commerce, non-profit organizations, and telecommunications carriers that collect, process, or transfer certain data classified as “covered data.” The law would also apply to their subsidiaries or affiliates. Together, these organizations and persons would become the “covered entities.” A covered entity may be a person running a business, a corporation, or a non-profit, so long as it collects, processes, or transfers “covered data.” This leads to the next question: what is covered data?
Covered data is information that identifies or is reasonably linkable to an individual. It also covers “derived data” and “unique identifiers.” Derived data may be assumptions and conclusions reached about an individual from other sources of information, and unique identifiers may be technical identifiers like Internet Protocol (IP) addresses and cookies. Covered data, however, would not include employee data (regardless of whether the employee is paid), de-identified data, or publicly available information.
What Are the Obligations of a Covered Entity?
The ADPPA would obligate covered entities to establish certain data security practices and organizational measures. Covered entities would be required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition. As a related requirement, covered entities would have to exercise due diligence in selecting their service providers and in deciding to transfer covered data to a third party.
For organizational measures, covered entities would be required to designate one or more qualified employees as privacy officers and data security officers. These officers would then implement a data privacy program and data security program and facilitate the covered entity’s ongoing compliance with the ADPPA. If enacted, this federal privacy law would require appointing a data privacy officer similar to the European Union’s current General Data Protection Regulation (GDPR) requirements.
What Are Large Data Holders?
The ADPPA establishes a new category of covered entities called large data holders that would have to comply with additional requirements. Of course, not all covered entities would be classified as large data holders. The ADPPA adopts a framework similar to the California Consumer Privacy Act’s “business” definition to define the scope of a large data holder. A large data holder is a covered entity that:
- had annual gross revenue of $250,000,000 or more; and
- collected, processed or transferred—
  - the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals; or
  - the sensitive covered data of more than 100,000 individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals, excluding any instance where the covered entity would qualify as a large data holder solely on account of processing—
    - personal email addresses;
    - personal telephone numbers;
    - log-in information of an individual or device to allow the individual or device to log in to an account administered by the covered entity.
The large data holder threshold turns in part on the collection, processing, and transfer of “sensitive covered data,” which is a special category of personal data defined in the ADPPA. In contrast to the GDPR, sensitive covered data would cover:
- government-issued identifiers such as a Social Security number
- any information that reveals the health information of an individual
- financial information and the security or access information for such accounts
- biometric information
- genetic information
- precise geolocation that is reasonably linkable to an individual
- an individual’s private communications
- account or device log-in information
- information revealing an individual’s race, ethnicity, national origin, religion, or union membership or non-union status
- information identifying the sexual orientation or sexual behavior of an individual
- information identifying online activities over time across websites
- information stored on an individual’s device for private use
- visual media that shows the naked or undergarment-clad private area of an individual
- information identifying or revealing the extent or content of any individual’s access, viewing, or other use of a television service, cable service, or streaming service
- information of an individual under the age of 17
- any other covered data collected, processed, or transferred for the purpose of identifying the data types listed above (items (1)-(16) in the bill’s definition)
The large data holder definition exempts covered entities that use email addresses or cell phone numbers as part of the account login information from becoming a large data holder.
What Are the Additional Obligations of Large Data Holders?
The ADPPA places a number of requirements on covered entities classified as large data holders. These additional requirements range from disclosure and reporting obligations to performing privacy impact assessments.
For their disclosure obligations, large data holders would be required to provide a short notice of their covered data practices that is readily accessible to an individual. Large data holders would also be required to annually certify that they have reasonable internal controls to comply with the ADPPA and reporting structures in place to ensure that privacy and security officers would be involved in the decision making to comply with the ADPPA.
Large data holders would also be required to provide additional authority to their privacy officers and/or data security officers. Specifically, a large data holder would be required to designate one of these officers as a privacy protection officer with the authority to report directly to the highest official of the large data holder. The privacy protection officer would be tasked with performing periodic reviews of privacy policies, conducting regular and comprehensive audits, developing training programs, maintaining clear compliance records, and serving as a contact point between the large data holder and enforcement authorities.
Under the ADPPA, large data holders would also be required to conduct a privacy impact assessment biannually. This assessment would weigh the benefits of the large data holder’s covered data collecting practices against the potential adverse consequences to individual privacy. Furthermore, any large data holder that uses an algorithm to collect or transfer covered data must conduct an algorithm impact assessment. The algorithm impact assessment would describe the steps the large data holder has taken or plans to take to mitigate potential harms to an individual, especially in the areas of race, religion, national origin, gender, sexual orientation, or disability.
Are There Exceptions for Certain Industries to Comply with the ADPPA?
The ADPPA provides exceptions to entities in an industry that must already comply with the privacy rules of certain laws. For example, a covered entity that is required to comply with title V of the Gramm-Leach-Bliley Act (GLBA), the Health Information Technology for Economic and Clinical Health Act (HITECH), part C of title XI of the Social Security Act (SSA), the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) would be deemed to be in compliance with the ADPPA’s related privacy requirements. Similarly, covered entities that comply with the GLBA, HITECH, the SSA, and HIPAA would be deemed to be in compliance with the ADPPA’s data security practices requirements for data already subject to those regulations.
Enforcement of the Act
The ADPPA would provide the Federal Trade Commission (FTC) and the state attorneys general with the authority to enforce compliance against covered entities.
The ADPPA also would provide a private right of action to individuals. However, the ADPPA would require specific procedures for individuals to follow before filing suit, making it a difficult option to pursue. For example, individuals must first notify the state attorney general of their intent to file suit, and the state attorney general will then have 60 days to determine whether to independently seek action. In addition, any communication for monetary payment that is sent to the covered entity is deemed to have been made in bad faith if (a) the communication is sent before the 60-day determination period by the state attorney general or (b) the attorney general made the determination to independently seek action. Even if the attorney general does not seek action, an individual must notify the covered entity, at which point the covered entity is provided 45 days to cure its violation under the ADPPA.
What Rights Are Provided to Consumers?
The ADPPA would also afford certain access rights to individuals. Similar to state data privacy laws, these include the right to: (1) access the covered data collected about the consumer, (2) correct any inaccuracies in the consumer’s personal data, (3) delete covered data obtained about the consumer, (4) have the covered entity notify any third party or covered entity to which it transferred such covered data of the individual’s deletion request, (5) opt out of covered data transfers and targeted advertising, and (6) require express consent before a covered entity collects, processes, or transfers the individual’s sensitive covered data.
Covered entities would be required to respond to individuals’ requests within 60 days of verification. Large data holders would have a shorter deadline: they must respond to these requests within 30 days of the request being verified.
The long-awaited, bipartisan federal privacy bill has received mixed reception from different industries and from certain members of Congress. For example, the U.S. Chamber of Commerce has opposed the bill for the inclusion of an individual’s private right of action. In Congress, Senator Maria Cantwell (D-WA) also expressed her opposition to the bill, noting “major enforcement loopholes.” We will continue to follow any developments concerning this bill.