This week, the American Data Privacy and Protection Act (ADPPA), H.R. 8152, was formally introduced in the House by Representatives Frank Pallone (D-NJ), Cathy McMorris Rodgers (R-WA), Janice Schakowsky (D-IL), and Gus Bilirakis (R-FL). The introduced version makes some adjustments to the draft proposal circulated previously. The changes reflect, in part, discussions from the June 14 hearing on the bill in the U.S. House Committee on Energy and Commerce’s Subcommittee on Consumer Protection and Commerce.

The Consumer Protection and Commerce Subcommittee held an open markup session on ADPPA on June 23. The markup signaled how the preemption and private right of action provisions might continue to be a sticking point for legislators. The Subcommittee forwarded H.R. 8152 (as amended) to the full Committee by a unanimous voice vote. Although ADPPA is one step closer to potential passage, roadblocks remain. The Act has bipartisan support, but it continues to lack support from Senator Maria Cantwell (D-WA), chair of the Senate Commerce Committee, due to concerns that the bill has major enforcement holes, and she has indicated that (as of now) she would not support the bill.

The changes in the new version of the bill are both substantive and technical in nature. Perhaps the most notable change is that the new version creates specific obligations for entities that fall under the definition of a “service provider” (as opposed to regulating them as “covered entities”). The new version of the bill also adds further clarity on the data minimization, duty of loyalty, and algorithmic impact assessment provisions. Notably, the new version does not include substantive changes to the private right of action or preemption provisions.

Below are the key highlights of the changes to the draft bill. We will continue to provide updates on major developments of federal privacy law. To stay updated with our writings on this topic, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.

Key Highlights

  • Covered Data. “Covered data” was originally defined as excluding de-identified data, employee data, and publicly available information. The introduced bill creates a fourth exclusion for covered data: “inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.”
  • Covered Entity. Previously, a covered entity was defined as “any entity or person that collects, processes, or transfers covered data.” The new bill treats as covered entities those entities or persons “that alone or jointly with others” determine the purposes and means of “collecting, processing, or transferring covered data.”
  • Service Provider. The introduced bill more clearly differentiates between covered entities and service providers. The draft bill had defined service providers as a type of covered entity, whereas the new bill defines a service provider as an entity that “collects, processes or transfers data on behalf of, and at the direction of, a covered entity and which receives covered data from or on behalf of a covered entity pursuant to a written contract.” The introduced bill also more clearly specifies the responsibilities of service providers, including requirements to have a privacy policy, to comply with civil rights protections, to establish data security practices, and to follow certain corporate accountability requirements. In section 302, ADPPA also sets out additional requirements for service providers, including noting that they should only collect, process, and transfer service provider data to the extent “strictly necessary and proportionate” to provide the covered entity with a service.
  • Large Data Holder. This term is now defined to mean covered entities or service providers that, in the most recent calendar year, had annual gross revenues of $250 million or more and that collected, processed, or transferred (a) the covered data of more than 5 million individuals or devices and (b) the sensitive covered data of more than 200,000 individuals or devices.
  • Substantial Privacy Risk. ADPPA requires covered entities and service providers to mitigate privacy risks, including substantial privacy risks. The Act defines this risk as the collection, processing, or transfer of covered data in a way that could result in “any reasonably foreseeable material physical injury, economic injury, highly offensive intrusion into the reasonable privacy expectations of an individual under the circumstances, or discrimination on the basis of race, color, religion, national origin, sex, or disability.”
  • Data Minimization. The guidelines for data minimization were adjusted slightly. The draft bill had prohibited covered entities from dealing with covered data beyond what was reasonably “necessary, proportionate, and limited” to delineated purposes; whereas the new bill states that entities should not deal with covered data “unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate” to the delineated purposes. The new bill also adds a list of permissible purposes.
  • Loyalty Duties. The introduced bill imposes additional restrictions on the collection and processing of sensitive covered data, and the transfer of sensitive covered data to third parties.
  • Deceptive Marketing. ADPPA prohibits covered entities and service providers from engaging in deceptive advertising or marketing.
  • Right to Access. With respect to the right of access, covered entities do not have to provide access to covered data from back-up or archival systems. And, instead of having to provide the names of service providers (to whom an individual’s covered data was transferred), the covered entity now only needs to provide categories of the service providers.
  • Exceptions to Complying with Consumer Rights. ADPPA as introduced adds more permissive exceptions that allow covered entities to decline complying with a consumer request to exercise a right. The law also grants the FTC the ability to establish additional permissive exceptions.
  • Data Protections for Minors. Lawmakers changed the knowledge requirement for minors from “actual knowledge” to “knows.” This new knowledge standard will not require entities to collect or process an individual’s data or to implement an age gating regime. Determinations should be based on the covered data collected directly from an individual or a proxy that the covered entity would otherwise collect in the normal course of business.
  • Algorithmic Impact Assessment. The new bill provides more details on the scope of impact assessments. For example, the new version requires that entities provide a description of the data used by the algorithm and the outputs produced by the algorithm.