As more U.S. states pass comprehensive data privacy legislation, there is a growing belief that a federal privacy bill could become law.
The American Data Privacy and Protection Act (ADPPA) looks to succeed where its predecessors failed and give the United States a wide-ranging data protection law on par with Europe’s GDPR.
Although many in the privacy industry remain skeptical that the ADPPA has enough bipartisan support to pass, the fact that we’re even talking about the possibility represents significant progress.
The ADPPA still has a narrow path forward that includes making compromises on several key issues. But enough optimism on a deal getting done exists that it’s worth a preliminary dive into the bill.
How we got here with the ADPPA
The current U.S. data privacy landscape is a patchwork of state and federal laws. Since the advent of the Internet and the proliferation of personal data generated by online activity, privacy advocates have pushed Congress to pass a national law that grants Americans basic privacy rights. In 2000, the Federal Trade Commission (FTC) called on Congress to pass such a law, and since then, it has been a series of fruitless legislative starts and stops, with bipartisan legislation failing to advance beyond committee level—until now.
On June 3, 2022, Congressional leaders from consumer protection and technology committees released a “discussion draft” of the ADPPA. The release of the draft represents a crucial milestone in the effort to produce a wide-ranging data privacy framework. Even more significant, in July 2022 the House Committee on Energy and Commerce voted overwhelmingly (53-2) to advance the bill to the House for a vote by all members of Congress. And should the ADPPA pass the House, it could then proceed to a Senate vote.
Some are pumping the brakes, citing past privacy legislation that showed promise, only to fizzle out. The ADPPA has made it further than its predecessors by finding a middle ground on two key issues: federal preemption of state privacy laws and a private right of action. But further compromise is needed on issues that conflict with a competing bill—the Consumer Online Privacy Rights Act (COPRA), advanced by Sen. Maria Cantwell (D-Wash.). Cantwell’s support is critical to the ADPPA passing the Senate if it gets that far, and she has been critical of the ADPPA.
Law firm Wilson Sonsini describes the overlap and similarities of the two bills and the sticking points between them that will need to be agreed on before the legislation can proceed further. Wilson Sonsini and others say that the significance of the sticking points, and the clock ticking on Congress to finalize a deal before new Republican leadership next year, are reasons to doubt the ADPPA passing.
Another inauspicious sign for the bill is that House Speaker Nancy Pelosi signaled in a September 1 statement that she will not support it. Pelosi’s comment that the ADPPA “does not guarantee the same essential consumer protections as California’s existing privacy laws” is telling. It indicates that California lawmakers will oppose any version of federal privacy legislation that does not meet or exceed the state’s existing privacy laws, which are among the strongest in the country.
The substance of the ADPPA
Any version of the ADPPA that reaches the Senate could look significantly different from the House bill due to ongoing negotiations and markups. However, even if the ADPPA fails to pass this year, language from the current draft is likely to appear in future drafts. With an eye toward requirements in the ADPPA and how it could impact regulated businesses, we describe some of the bill’s most important provisions. A section-by-section summary of the ADPPA is available from the U.S. Senate Committee on Commerce, Science, & Transportation.
Duty of Loyalty and Data Minimization
Data minimization figures heavily in the ADPPA, which only allows companies to collect and use personal information from users if the activity falls under one of 17 permitted purposes described in the bill. This includes activities such as authenticating a user’s ID, completing transactions, and preventing fraud.
Important for marketers, the bill does not ban targeted advertising altogether, but it does place restrictions on the practice and bans specific types of targeted ads, such as those targeting minors and ads based on “sensitive data” (things like biometric data, genetic data, government-issued identifiers, private communications, and information identifying a person’s race, ethnicity, national origin, and sexual orientation). Data subjects would have the right to opt out of targeted advertising as well.
“Duty of loyalty,” as defined in the bill, broadly encompasses principles of data minimization as well as privacy by design (defined in the bill as “reasonable policies, practices, and procedures”) in regard to data collection, processing, and transfer. But as IAPP explains, the term “duty of loyalty” is defined differently in the ADPPA than traditionally understood and is a potential sticking point in negotiations.
FTC Enforcement and Private Right of Action
The ADPPA gives the FTC authority to enforce violations of the law as unfair or deceptive trade practices under the FTC Act. FTC enforcement would be undertaken by a new bureau within the agency that is directed to hire “adequate staff.”
In addition, state attorneys general and individuals (or classes of individuals) also have the right to enforce violations. This private right of action is another sticking point and, as presently written, rather convoluted. For starters, the private right of action only takes effect four years after the law is enacted. Further, before an individual or class can file a lawsuit, they would first be required to notify the FTC and their state attorney general of their intention to commence a civil action. The FTC and AG would then have 60 days to respond and inform them whether “they will independently seek to take action.”
In a civil action, an individual/class could be awarded compensatory damages, injunctive or declaratory relief, attorneys’ fees, and litigation costs.
Data Subject Rights
It is a staple of data protection laws to contain a set of enumerated consumer rights, and the ADPPA is no different. Individuals would have the following rights under the ADPPA:
- The right to access, “in a human-readable format,” the data that a covered entity collects, processes, or transfers to a third party. A data subject also has the right to know who the information was transferred to and why.
- The right to correct inaccurate or incomplete information processed by a covered entity, which must notify third parties that received transferred data of the corrected information.
- The right to delete data collected by a covered entity and to have their deletion request passed along to other parties that the data was shared with.
- The right to obtain a portable copy of their covered data in an easy-to-read format that can be downloaded.
Data subjects could only exercise these rights over their “covered data.” This is defined in the bill as information that identifies, is linked to (or reasonably linkable to) an individual or an individual’s device. Exclusions are made for de-identified data, employee data, and publicly available information.
A handful of states have already passed data privacy legislation. The legal principle of federal preemption generally means that federal law trumps state law, but the ADPPA includes a few exemptions.
For example, while the ADPPA would preempt the CCPA/CPRA, the VCDPA, the UCPA, and other state privacy laws, it would not preempt the Illinois Biometric Information Privacy Act and similar laws that “solely regulate facial recognition.” The CCPA’s private right of action around data breaches also would not be preempted, nor would unfair and deceptive acts and practices laws at the state level.
Existing federal privacy laws, like HIPAA and the Children’s Online Privacy Protection Act, would remain in place. But passage of the ADPPA would put an end to most future state privacy lawmaking, says IAPP. This would likely be a sigh of relief for marketers, who would no longer have to navigate the obstacle course of different state privacy laws.
The initial version of the ADPPA defines a covered entity as any entity that collects, processes, or transfers covered data and is subject to the Federal Trade Commission Act.
The bill also has provisions that cover “service providers” processing data on behalf of another entity. But Brookings notes that covered entity obligations could be imposed on service providers in certain circumstances.
A separate classification is created for so-called “large data holders,” defined as entities with annual gross revenues of $250,000,000 or more that collect, process, or transfer the covered data of more than 5 million individuals or devices, or the sensitive covered data of more than 100,000 individuals/devices.
Government entities are excluded from the ADPPA, as are entities or persons that collect, process, or transfer covered data on behalf of a government entity (including federal, state, local, tribal, and territorial governments).
Preparing for new legislation
Whether the ADPPA makes it onto the books or goes the way of its predecessors and fizzles out in bipartisan bickering remains to be seen. But one thing that’s for sure is that the data privacy revolution is only going to keep spreading to new jurisdictions.
A national privacy law would spell relief for marketers that right now have to handle data differently depending on the states they’re operating in.
If the ADPPA or similar legislation fails to pass, states will continue to pass their own privacy laws. Regardless of what happens, companies shouldn’t be passively sitting back and waiting for the next shoe to drop. They should be tailoring their consent and preference management to comply with regulations worldwide.
Companies that view privacy as an opportunity and lean into a user-centric marketplace can future-proof their data strategy and create value with trust. With a compliance solution from Didomi, you are ready for whatever comes next.