The American Data Privacy and Protection Act (ADPPA) is a long-awaited, comprehensive, federal privacy law that aims to restrict the collection, processing, and transfer of the personal data of Americans without consent, and gives U.S. citizens greater rights over their personal data. A federal privacy law covering the use of consumer data has been several years in the making, with previous attempts to introduce a nationwide privacy law failing to get the necessary support. The ADPPA could well be the bill that succeeds where others have not, and the early signs suggest it has a good chance of being enacted. The bill has strong support and the backing of the Federal Trade Commission and many human rights organizations.
ADPPA was released in draft form in early June and is a bipartisan bill that has gone through a bicameral development process. On June 23, 2022, the U.S. House Energy and Commerce Committee’s Subcommittee on Consumer Protection and Commerce discussed the bill and probed an 8-witness panel during a 3-hour session. After taking the discussions into account, ADPPA was formally introduced into the House of Representatives (H.R. 8152) by Reps. Frank Pallone (D-NJ), Cathy McMorris Rodgers (R-WA), Janice Schakowsky (D-IL), and Gus Bilirakis (R-FL).
Just getting to this stage has been a major achievement, as just a few years ago the idea of a federal consumer privacy law in the United States – akin to the EU General Data Protection Regulation (GDPR) – which preempts state laws seemed like a fantasy. Attitudes are changing and the importance of a federal privacy law is now widely appreciated by Democrats and Republicans alike. The current patchwork of state-level privacy laws could give way to a federal law that ensures that irrespective of where a consumer lives, they will have the same rights over their personal data. Based on the momentum ADPPA has gained, it could even be signed into law before the end of the year.
At present comprehensive consumer privacy laws have been introduced in California – The California Consumer Privacy Act and the soon-to-be-effective California Consumer Privacy Rights Act; Colorado – The Colorado Privacy Act which is part of the Colorado Consumer Protection Act; Connecticut – The Personal Data Privacy and Online Monitoring Act; Utah – The Utah Consumer Privacy Act; and Virginia – The Consumer Data Protection Act. Other states have enacted privacy laws that do not go as far, or are considering introducing legislation to improve privacy protections for state residents.
Then there are federal laws such as HIPAA, FCRA, FERPA, GLBA, ECPA, and COPPA that relate to different types of data but have limitations based on the entities that collect the data. Without a federal privacy law, there are considerable gaps, and many companies are able to collect and use consumer data with little to no restrictions. If ADPPA is signed into law, that will finally change.
“This legislation represents a fundamental shift in how data is collected, used, and transferred,” said Rep. Pallone. “It rejects the coercive ‘notice and consent’ system that has totally failed to protect Americans’ data privacy and security.”
Who Will ADPPA Apply To?
ADPPA will apply to entities or persons that, alone or jointly with others, collect, process, or transfer covered data, if they are a) subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.); b) a common carrier subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.); or c) an organization not organized to carry on business for its own profit or that of its members.
ADPPA will also apply to service providers, which are classed as an entity that “collects, processes or transfers data on behalf of, and at the direction of, a covered entity and which receives covered data from or on behalf of a covered entity pursuant to a written contract.”
What Data Will be Covered by ADPPA?
Covered data is “any information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual, and may include derived data and unique identifiers.”
Exclusions are de-identified data, employee data, publicly available information, and “inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.”
There is also a definition of sensitive covered data, which includes a wide range of data types, including government-issued identifiers such as Social Security numbers, health data, biometric data, financial information, and the information of individuals under the age of 17. Greater restrictions will apply to sensitive covered data, and the data of minors under 17 cannot be collected and processed if the covered entity is aware that the consumer is under 17.
How Will ADPPA Protect Consumer Data?
In addition to requiring informed consent, ADPPA requires all covered entities to implement reasonable data security practices. Entities covered by other federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act will be deemed to be compliant with the data security requirements of ADPPA provided they are compliant with those federal laws.
ADPPA has data minimization requirements, so covered entities will need to limit the amount of data collected to the minimum needed to achieve the purpose for which the data is being collected and they must adopt a privacy by design approach. Covered entities must also mitigate privacy risks – those which could result in “any reasonably foreseeable material physical injury, economic injury, highly offensive intrusion into the reasonable privacy expectations of an individual under the circumstances, or discrimination on the basis of race, color, religion, national origin, sex, or disability.” Covered entities will also be prohibited from engaging in deceptive advertising and marketing practices.
What Are the Rights for Consumers?
As under the GDPR, consumers will get several rights over their personal data. First, they must give their consent for their personal data to be processed, and they must be informed in clear and easy-to-understand language exactly what they are consenting to, what data will be collected, how it will be used, and to which categories of service providers the data will be transferred.
They will be given the right to access their data, to check for errors and have errors corrected, the right to stop the processing of their data by withdrawing consent, to request their data be deleted, and to be provided, as far as possible, with a human-readable and machine-readable copy of their data.
Who Will Enforce ADPPA Compliance?
The Federal Trade Commission (FTC) will be the main enforcer of ADPPA compliance, through a newly created FTC Bureau of Privacy. State Attorneys General will also have the power to bring civil suits over privacy violations that affect residents of their respective states.
Will it be Possible to Sue for an ADPPA Violation?
There is a private cause of action, although it does have limitations. For a start, the private right of action will not be introduced until 4 years after the bill takes effect, and even then the right of action is limited. Individuals could seek compensatory damages and injunctive relief against the holders of their personal data; however, they would first be required to notify their state attorney general and the FTC about their intention to file suit in order to prevent duplicative enforcement. If either the state Attorney General or FTC decides to pursue a civil action, the individual right of action would not apply. The private right of action may be one of the elements that need to be dropped to get the bill signed into law.
There are Still Some Hurdles to Overcome
Support for the bill is strong, but it is far from unanimous. Critics have voiced concern about several aspects of the bill, with some considering the requirements unworkable. There has been criticism of the preemption of state privacy laws, although there are carve-outs, and the private right of action is an issue due to the risk of a barrage of lawsuits, even though the private right of action is limited. The bill has also been criticized for the potential compliance burden that will be placed on businesses, although these concerns have been eased to some extent by not adopting a one-size-fits-all approach, which will make compliance easier for SMBs. As with any consumer privacy law, there is the potential to negatively impact data-driven innovation, although again, this has been considered and steps have been taken when drafting the bill to ensure that is not the case.
The American Data Privacy and Protection Act is far from perfect, but there cannot be a perfect federal privacy law that will appeal to everyone. Whether these sticking points can be adequately addressed remains to be seen, but in the words of Cathy McMorris, “This is the best opportunity we’ve had to pass a comprehensive privacy law in decades.”
ADPPA Compliance: FAQ
If passed, will ADPPA take priority over state laws?
Yes, ADPPA will preempt the majority of state laws. State laws vary in the level of protection that they grant consumers, leading to a patchwork of protections across the states. This means that consumers living on either side of a state boundary might have vastly different rights regarding the privacy of their data. ADPPA is a federal privacy law that will fill these gaps, evening out the consumer rights landscape. However, it also prevents states from passing laws that are “stronger” than the ADPPA.
How does ADPPA improve consumer rights?
There are a number of features of ADPPA that will improve consumer privacy and give consumers more autonomy over their data. ADPPA requires that data privacy is a feature “by design”, and that consumers should not be required to pay more for privacy. Consumers will also be able to access their data, correct any errors, or request that their data is deleted. They may also withdraw consent and opt out of targeted advertisements. There are also additional protections for minors (anyone under the age of 17).
What is an ADPPA covered entity?
ADPPA defines covered entities (CEs) as entities that determine the purpose and process of data collection, processing, and transfer. A CE must also be subject to the Federal Trade Commission Act, be a common carrier under the Communications Act of 1934, or be a non-profit.
What is a private cause of action?
A private cause of action means that individuals can sue if they believe that a business has violated ADPPA. However, the individual must notify the business and give them 45 days to correct the violation. After this, the private individual will need to inform their state’s attorney general or the Federal Trade Commission, who will then decide whether they will intervene in the case.