Revised ADPPA: The Top 10 Takeaways

August 24, 2022

The U.S. Legislature has proposed the first bipartisan comprehensive consumer data protection law, the American Data Privacy and Protection Act (ADPPA). If enacted, the United States would join over 100 countries and several U.S. states that have enacted comprehensive consumer privacy legislation. The House Committee on Energy and Commerce passed an amended version of the ADPPA on July 20, 2022, and it is now ready for a full House vote.

Here, we have outlined the top ten key takeaways from the revised ADPPA.

1. The ADPPA Would Apply Broadly

The ADPPA would define “covered entities” broadly as entities subject to the Federal Trade Commission (FTC) Act, common carriers under the Communications Act of 1934, or nonprofit organizations that determine the purposes and means of collecting, processing, or transferring covered data, as well as entities that control, are controlled by, or are under common control with a covered entity. The Act would create additional obligations for so-called “large data holders” and would impose reduced obligations on “small data holders.”

In line with other consumer privacy laws like the California Consumer Privacy Act (CCPA), the Act would define “covered data” broadly as “information that identifies or is linked or reasonably linkable to an individual or a device,” which includes “derived data” and “unique identifiers,” which would include persistent digital markers such as cookies and IP addresses. The definition excludes de-identified data, employee data, publicly available information, and inferences made “exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.”

The Act would also impose additional obligations on “third-party collecting entities,” which are covered entities whose principal source of revenue is derived from processing or transferring data that the entity did not directly collect. In addition to the requirements imposed on covered entities, third-party collecting entities would be required to: (i) register with the FTC; (ii) place additional notice on their website to inform consumers of their role as a third-party collecting entity; and (iii) respect signals from the “Do Not Collect” registry.

2. Covered Entity Obligations Largely Mirror State Privacy Laws, with Some Exceptions

Many of the covered entity obligations under the ADPPA largely mirror state privacy laws, and companies may be able to leverage existing state privacy law compliance programs should the ADPPA go into effect. For example, the ADPPA would require covered entities to provide a privacy notice describing their data collection, processing, and transfer activities, and to follow data minimization and privacy-by-design principles. On the security side, the ADPPA would require covered entities to establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition.

The Act does contain some key differences from the state privacy laws:

  • Algorithm Design Evaluations: Covered entities would be required to evaluate the design of any algorithm knowingly developed to collect, process, or transfer covered data to reduce the risk of potential harms, and submit such evaluation to the FTC.
  • Restrictions on Use of Children’s Data: A covered entity would be prohibited from engaging in targeted advertising to any individual under the age of 17 if the covered entity knows that the individual is under the age of 17. Moreover, a covered entity would be prohibited from transferring the covered data of an individual to a third party without affirmative express consent from the individual or the individual’s parent or guardian if the covered entity knows that the individual is under 17 years of age.
  • Loyalty Duties: Covered entities would be prohibited from engaging in certain practices unless an enumerated exception applies. Prohibited practices include collecting, processing, or transferring social security numbers; collecting or processing sensitive covered data; transferring sensitive covered data to a third party; or, in the case of certain video programming services, transferring to third parties covered data that reveals the video content or services requested or selected by the individual from such service.
  • Civil Rights Protections: Covered entities may not collect, process, or transfer covered data in a manner that discriminates or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, or disability.

3. Service Provider Obligations are Similar to Terms in State Privacy Laws

Similar to state consumer privacy laws, the Act would define “service providers” as entities that collect, process, or transfer “covered data on behalf of, and at the direction of, a covered entity and which receive covered data from or on behalf of a covered entity pursuant to a written contract” that meets the requirements outlined in the Act. The ADPPA would also prohibit service providers from transferring data without affirmative express consent unless the data is transferred to another service provider.

4. Large Data Holders Have Additional Obligations

The ADPPA would include additional obligations for large data holders. Large data holders are entities that, with some exceptions, either: (i) had annual gross revenues of $250 million or more in the most recent calendar year; or (ii) collected, processed, or transferred the covered data of more than 5 million individuals or linked/linkable devices; or (iii) collected, processed, or transferred the sensitive covered data of more than 200,000 individuals or linked/linkable devices.

In addition to the general requirements applicable to covered entities, large data holders would be required to:

  • Short-Form Notice: Provide a short-form notice of its covered data practices.
  • Privacy Impact Assessment: Conduct a privacy impact assessment biennially that weighs the benefits of the covered data collecting, processing, and transferring practices against the potential externalities of such practices.
  • Algorithm Impact Assessment: Conduct an annual impact assessment of any algorithm used to collect, process or transfer covered data, and submit such assessment to the FTC.
  • Annual Certification: An executive officer of a large data holder must certify annually to the FTC that the entity maintains (i) reasonable internal controls to comply with the Act, and (ii) reporting structures to ensure certifying officers are involved in, and responsible for, decisions that impact the entity’s compliance with the Act.

5. Compliance Burden is Eased on Small Data Holders

The ADPPA would include certain exemptions for small data holders. Small data holders are covered entities or service providers that: (i) had an average adjusted gross revenue of less than $41 million over the last 3 years; (ii) collect or process data for fewer than 200,000 individuals annually; and (iii) generate less than 50% of their revenue from transferring data.

The reduced obligations on small data holders would include:

  • Correction Requests: Small data holders would be exempt from the requirement to correct covered data at the individual’s request. Instead, small data holders may delete data in response to a correction request.
  • Data Security: Small data holders would be exempt from most data security requirements. However, small data holders must delete data that is no longer necessary.

6. Individual Rights

In line with other privacy laws, the ADPPA would afford individuals certain rights. Specifically, under the ADPPA, individuals would have the right to request: (1) access to covered data collected on the individual’s behalf; (2) correction of any inaccuracies in the individual’s covered data; (3) deletion of covered data obtained about the individual and notification to any third party or covered entity to which such data was transferred of the deletion request; (4) data portability; (5) to withdraw affirmative express consent that was previously provided; and (6) to opt out of transfers of covered data and targeted advertising.

While most covered entities would be required to respond to individual requests within 60 days of verification, the requirement differs for small and large data holders. Large data holders would be required to respond within 45 days of verification, while small data holders would be required to respond within 90 days of verification.

7. Consent for Sensitive Covered Data

Under the ADPPA, a covered entity would be required to obtain an individual’s affirmative express consent prior to the collection, processing, or transfer of the individual’s sensitive covered data. Under the ADPPA, “affirmative express consent” requires a specific, informed, unambiguous authorization for an act or practice by the covered entity. The request for consent must meet certain content requirements outlined in the Act.

8. Most State Privacy Laws Would be Preempted

The Act would broadly preempt consumer-focused laws like the CCPA and the legislation in Colorado, Connecticut, Utah, and Virginia. However, the Act would preserve the private right of action for security violations under the unaffected CCPA regulations. The Act also expressly excludes from preemption state laws addressing “health information, medical information, medical records, HIV status, or HIV testing.”

9. Private Right of Action

The ADPPA would be enforced by a new FTC bureau and state attorneys general (AG) or, in the case of California, the California Privacy Protection Agency. State AGs would be required to notify the FTC prior to initiating a civil action so the FTC may intervene.

Significantly, the Act would include a delayed private right of action, which would go into effect two years after the ADPPA is enacted. The Act would permit any person or class of persons to seek compensatory damages, injunctive or declaratory relief, and reasonable attorneys’ fees for certain violations of the Act in federal court.

Individuals would be required to notify the FTC and state AGs of their intent to bring action. The FTC or state AGs would have 60 days to decide whether to intervene in the suit. Prior to filing suit against small data holders or for injunctive relief, an individual must provide the covered entity with 45 days’ written notice identifying the alleged violations. Covered entities would be provided with 45 days to cure the alleged violation.

Individuals would not be permitted to bring an action against a covered entity that: has less than $25 million in annual revenue; collects, processes, or transfers the covered data of fewer than 50,000 individuals; or derives less than 50% of its revenue from transferring covered data.

10. The Act has a Long Way to Go Before Becoming Law

While the ADPPA has made it out of committee, the path forward is uncertain. The House is in recess for the month of August. Even if the ADPPA does pass when the House returns, it faces an uphill battle in the Senate. While the ADPPA has bipartisan support in the House, Senator Maria Cantwell (D-WA), chair of the Senate Commerce Committee, opposes the Act due to concerns about enforcement gaps. Senator Cantwell has repeatedly indicated that she would not support the Act in its current form.