Overview of Looming Federal Data Privacy Legislation

The American Data Privacy and Protection Act (ADPPA), H.R. 8152

Executive Summary

The ADPPA would prohibit covered entities from engaging in at least eight practices:

  • Collecting, processing, or transferring social security numbers, except when necessary;

  • Transferring precise geolocation information to a third party;

  • Collecting, processing, or transferring biometric information;

  • Transferring any password, except to a designated password manager or where the transfer is solely for the purpose of identifying passwords that are being reused;

  • Collecting, processing, or transferring known nonconsensual intimate images;

  • Collecting, processing, or transferring genetic information;

  • Transferring an individual’s aggregated internet search or browsing history; and

  • Transferring an individual’s physical activity information collected from a smartphone or wearable device.

Most of these restrictions can be waived through the affirmative express consent of the consumer. The bill appears to have bipartisan support, yet it was unable to pass in 2022. With a divided Congress coming, passage may be even less likely in 2023. Yet, hope springs eternal. Many businesses believe that federal legislation would make navigating U.S. privacy law significantly less complex, while also protecting consumers more effectively.

Background

On July 20, 2022, the House Energy and Commerce Committee voted 53-2 to advance the American Data Privacy and Protection Act (ADPPA), H.R. 8152, to the full House of Representatives. The ADPPA would create a comprehensive federal consumer privacy framework. Some commentators have noted the bill’s novel compromises on two issues that have impeded previous attempts to create a national privacy framework: whether to preempt state privacy laws and whether to create a private right of action. Both of these issues remain hotly contested as the bill moves forward.

Highlights

Covered Entities. The bill would apply to most entities, including nonprofits and common carriers. Some entities, such as those defined as large data holders that meet certain thresholds and service providers that use data on behalf of other entities (including covered entities, government entities, and other service providers), would face different or additional requirements. 

Covered Data. The bill would apply to information that “identifies or is linked or reasonably linkable” to an individual. 

  • “Sensitive” Covered Data. The ADPPA would also provide special treatment to “sensitive” covered data, which includes information such as government-issued ID numbers (e.g., SSNs), private communications, information relating to individuals under age seventeen, and several other categories. The ADPPA would also impose several requirements applicable only to “large data holders” (defined by revenues or by the volume of collection/processing activity). General exceptions exist under the ADPPA for certain types of collection, processing, and transfer, as well as for certain smaller entities (again defined by revenues or collection/processing activity).

  • Excluded data. “Covered data” under the proposed ADPPA does not include de-identified data, employee data, or publicly available information. This is significant, especially if federal preemption remains in the bill, as it would render unenforceable all employee-related requirements in the CCPA except for the obligation to maintain reasonable security measures and the private right of action for data breaches. 

Duties of Loyalty. The bill would prohibit covered entities from collecting, using, or transferring covered data beyond what is reasonably necessary and proportionate to provide a service requested by the individual, unless the collection, use, or disclosure would fall under one of seventeen permissible purposes. It also would create special protections for certain types of sensitive covered data, defined as covering sixteen different categories of data. Among other things, the bill would require covered entities to get a consumer’s affirmative, express consent before transferring their sensitive covered data to a third party, unless a specific exception applies. 

Transparency. The bill would require covered entities to disclose, among other things, the type of data they collect, what they use it for, how long they retain it, and whether they make the data accessible to the People’s Republic of China, Russia, Iran, or North Korea. 

Consumer Control and Consent. The bill would give consumers various rights over covered data, including the right to access, correct, and delete their data held by a particular covered entity. It would further require covered entities to give consumers an opportunity to object before the entity transfers their data to a third party or targets advertising toward them. 

Youth Protections. The bill would create additional data protections for individuals under age seventeen, including a prohibition on targeted advertising, and would establish a Youth Privacy and Marketing Division at the Federal Trade Commission (FTC). These additional protections would only apply when the covered entity knows the individual in question is under age seventeen, though certain social media companies or large data holders would be deemed to “know” an individual’s age in more circumstances. 

Third-Party Collecting Entities. The bill would create specific obligations for third-party collecting entities, which are entities whose main source of revenue comes from processing or transferring data that they do not directly collect from consumers (e.g., data brokers). These entities would have to comply with FTC auditing regulations and, if they collect data above the threshold amount of individuals or devices, would have to register with the FTC. The FTC would establish a searchable registry of third-party collecting entities and a “Do Not Collect” mechanism by which individuals could request that all registered entities refrain from collecting covered data relating to the individual. 

Civil Rights and Algorithms. The bill would prohibit most covered entities from using covered data in a way that discriminates on the basis of protected characteristics (such as race, gender, or sexual orientation). It would also require large data holders to conduct algorithm impact assessments. These assessments would need to describe the entity’s steps to mitigate potential harms resulting from its algorithms, among other requirements. The bill would require large data holders to submit these assessments to the FTC and make them available to Congress on request. 

Data Security. The bill would require a covered entity to establish, implement, and maintain data security practices and procedures that are reasonable in light of the entity’s size and activities and the sensitivity of the data it handles. It enumerates the areas those practices must address, including assessing vulnerabilities, taking preventive and corrective action, data retention and disposal, employee training, designating a responsible officer, and incident response, and it would authorize the FTC to issue regulations elaborating on these requirements.

Small- and Medium-size Businesses. The requirements the bill would impose are significantly reduced for entities that fit certain criteria under what could be considered the “small business exception.” Businesses fall under the ADPPA’s small business exception if, for each of the prior three calendar years, they met all of the following:

  • average annual gross revenues did not exceed $41 million;

  • they did not collect or process the covered data of more than 100,000 individuals on average annually; and

  • they did not derive more than 50% of their revenue from transferring covered data.

This would exempt the business from having to respond to any consumer request (such as a request to produce a copy of the consumer’s data) and from having to hire a data security officer or data privacy compliance officer, as well as from other requirements. The proposed bill leaves room for the FTC to issue regulations providing more clarity on the full scope of this exception. 

Enforcement. The bill would be enforceable by the FTC, under the agency’s existing enforcement authorities, and by state attorneys general and state privacy authorities in civil actions. The bill also would give the California Privacy Protection Agency authority to enforce the ADPPA in the “same manner it would otherwise enforce” California’s privacy law, the California Consumer Privacy Act (CCPA). 

Private right of action. The bill would create a delayed private right of action starting two years after the law’s enactment, giving covered entities lead time to comply. Once the two-year period has elapsed, injured individuals, or classes of individuals, would be able to sue covered entities in federal court for damages, injunctions, litigation costs, and attorneys’ fees. Individuals would have to notify the FTC or their state attorney general before bringing suit. Before bringing a suit for injunctive relief, or any suit against a small- or medium-size business, individuals would be required to give the violator an opportunity to address the violation. The bill also would render pre-dispute arbitration agreements and joint-action waivers with individuals under the age of eighteen unenforceable in disputes arising under the ADPPA.

Preemption. The bill would generally preempt any state laws that are “covered by the provisions” of the ADPPA or its regulations, although it would expressly preserve sixteen different categories of state laws, including consumer protection laws of general applicability and data breach notification laws. It would also preserve several specific state laws, such as Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act and California’s private right of action for victims of data breaches. 
