On Friday, June 3, 2022, a bipartisan group of lawmakers published a discussion draft for the proposed American Data Privacy and Protection Act (the “ADPPA”). The ADPPA is a draft bill that has yet to be introduced in the U.S. House or Senate, which means that any provision is subject to amendment. However, even in draft form, the ADPPA is a notable advance in the efforts for a federal privacy law with sponsorship from both democrats and republicans, as well as members of the U.S. House and Senate.

Who and what is covered by the ADPPA?

The ADPPA would apply broadly to organizations and businesses operating in the United States. The ADPPA defines a covered entity as one that “collects, processes, or transfers covered data and is subject to the Federal Trade Commission Act,” in addition to nonprofit organizations and common carriers. “Covered data” is defined as “information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals, including derived data and unique identifiers.” Importantly, employee data and publicly available data are excluded from “covered data.” Some “covered data” may be considered “sensitive covered data,” to include both government identifiers (such as Social Security numbers and driver’s license numbers) as well as traditionally sensitive material such as health, geolocation, financial, log-in, racial, and sexual information. Sensitive covered data may also include unconventional categories such as television viewing data, intimate images, and “information identifying an individual’s online activities over time or across third-party websites or online services.”

Although “covered entity” is broadly defined, the ADPPA identifies several different types of entities, each with additional obligations or exemptions. Covered entities are divided by impact (annual global revenue and number of data subjects affected by the entity’s operations) and are further divided by a relationship with the data subject (direct, third party, or service provider). For example, some covered entities may be considered “large data holder[s]”, which is an entity with gross annual revenues of at least $250 million “and” has collected covered data on more than 5 million individuals or devices “or” has collected “sensitive covered data” on more than 100,000 individuals or devices. Small and medium enterprises are still regulated by ADPPA, but are exempt from some substantive provisions under the “small data exception.” Small data exception entities must meet each of the following requirements: (1) annual gross revenue below $41 million for each of the prior three years; (2) do not process the data of more than 100,000 individuals; and (3) do not derive more than 50% of its revenue from transferring covered data.

What is required under the ADPPA?

Consent

All sensitive covered data is subject to “opt-in” consent by individuals. Accordingly, a covered entity may not “collect or process” sensitive covered data, nor transfer it to a third party, without receiving the individual’s “affirmative express consent.” Non-sensitive covered data, by contrast, is subject to “opt-out” rights. In addition, the ADPPA directs the Federal Trade Commission to examine the feasibility of a “unified opt-out mechanism,” which would allow “individuals to exercise all such [opt-out] rights through a single user interface.” An opt-out user interface may function similar to a “do not track” feature on a web browser.

Algorithmic Decision-Making

Section 207 of ADPPA prohibits the collection, processing, or transfer of covered data “in a manner that discriminates or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, gender, sexual orientation, or disability.” Further, large data holders are required to conduct annual “impact assessment[s]” on algorithms used “solely or in part, to collect, process or transfer covered data” The impact assessment must also “describe steps the large data holder has taken or will take to mitigate potential harms to an individual.” Examples of potential harm include (a) those that affect youth under 17; (b) advertising for various commercial activities; (c) public accommodations; and (d) any “disparate impact on the basis of an individual’s or class of individuals’ race, color, religion, national origin, gender, sexual orientation, or disability status.”

Duty of Loyalty

The ADPPA imposes data minimization requirements on covered entities by prohibiting such entities from collecting, processing, or transferring covered data that is “beyond what is reasonably necessary, proportionate, and limited to” a product or service provided by the covered entity. Specifically, the ADPPA prohibits, in some cases, transferring Social Security numbers, geolocation information, biometric data, and passwords. Covered entities would also need to implement “reasonable policies, practices, and procedures” regarding data collection, processing, and transfer addressing privacy risks related to “design, development, and implementation” of the entity’s products/services, as well as mitigation of privacy risks to children under the age of 17.

Separate from a duty of loyalty, but related to data subject empowerment over data, the ADPPA requires covered entities to provide individuals, upon a valid and verified request, with access, correction, deletion, and portability rights similar to those afforded under General Data Protection Regulation and California Consumer Protection Act.

Information Security

Covered entities are required to “establish, implement, and maintain reasonable administrative, technical, and physical data practices and procedures to protect and secure covered data against unauthorized access and acquisition.” Reasonable data practices are scalable depending on the size and nature of both the covered entity and the covered data. However, as a baseline, the ADPPA requires covered entities to conduct vulnerability assessments, maintain preventative and corrective action plans, develop data retention plans, conduct employee training and awareness relating to safeguarding data, and designate personnel responsible for implementing these policies.

How would ADPPA be enforced?

The ADPPA is designed to be enforced by the FTC, state attorneys general, and through a private right of action. The private right of action would allow an individual to file suit in federal court to seek compensatory damages, injunctive or declaratory relief, and reasonable attorneys’ fees and costs for ADPPA violations.

In addition, Section 404 of the ADPPA largely preempts the current and soon-to-be enacted state privacy laws in California, Virginia, Colorado, Utah, and Connecticut, as well as any similar state privacy laws currently considered at the legislative phase (e.g., Ohio and Indiana). Some exceptions to preemption exist, such as the Illinois Biometric Information Privacy Act any common law or statutory causes of action, and federal privacy laws, such as the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act.

At 64 pages, the ADPPA has a lot to digest and will become the subject of discussion and debate if and when it is formally introduced into Congress. The House Energy & Commerce Committee is scheduled to hold a full committee legislated hearing regarding ADPPA on June 14, 2022.