The U.S. Congress has proposed its first comprehensive, bipartisan consumer data protection law, the American Data Privacy and Protection Act (ADPPA). If enacted, the United States would join over 100 countries and several U.S. states that have passed comprehensive consumer privacy legislation. The House Committee on Energy and Commerce passed an amended version of the ADPPA on July 20, 2022, and the bill is now ready for a full House vote.
Here, we have outlined the top ten key takeaways from the revised ADPPA.
The ADPPA would define “covered entities” broadly as entities subject to the Federal Trade Commission (FTC) Act, common carriers under the Communications Act of 1934, or nonprofit organizations that determine the purposes and means of collecting, processing, or transferring covered data, as well as entities that control, are controlled by, or are under common control with a covered entity. The Act would create additional obligations for so-called “large data holders” and would impose reduced obligations on “small data holders.”
In line with other consumer privacy laws like the California Consumer Privacy Act (CCPA), the Act would define “covered data” broadly as “information that identifies or is linked or reasonably linkable to an individual or a device,” which includes “derived data” and “unique identifiers,” which would include persistent digital markers such as cookies and IP addresses. The definition excludes de-identified data, employee data, publicly available information, and inferences made “exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.”
The Act would also impose additional obligations on “third-party collecting entities,” which are covered entities whose principal source of revenue is derived from processing or transferring data that the entity did not directly collect. In addition to the requirements imposed on covered entities, third-party collecting entities would be required to: (i) register with the FTC; (ii) post an additional notice on their website informing consumers of their role as a third-party collecting entity; and (iii) respect signals from the “Do Not Collect” registry.
Many of the covered entity obligations under the ADPPA mirror state privacy laws, and companies may be able to leverage existing state privacy law compliance programs should the ADPPA go into effect. For example, the ADPPA would require covered entities to provide a privacy notice describing their data collection, processing, and transfer activities, and to follow data minimization and privacy-by-design principles. On the security side, the ADPPA would require covered entities to establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect covered data against unauthorized access and acquisition.
The Act does contain some key differences from the state privacy laws:
Similar to state consumer privacy laws, the Act would define “service providers” as entities that collect, process, or transfer “covered data on behalf of, and at the direction of, a covered entity and which receive covered data from or on behalf of a covered entity pursuant to a written contract” that meets the requirements outlined in the Act. The ADPPA would also prohibit service providers from transferring data without affirmative express consent unless the data is transferred to another service provider.
The ADPPA would include additional obligations for large data holders. Large data holders are entities that, in the most recent calendar year: (i) had annual gross revenues of $250 million or more; (ii) collected, processed, or transferred the covered data of more than 5 million individuals or linked/linkable devices; or (iii) collected, processed, or transferred the sensitive covered data of more than 200,000 individuals or linked/linkable devices, with some exceptions.
In addition to the general requirements applicable to covered entities, large data holders would be required to:
The ADPPA would include certain exemptions for small data holders. Small data holders are covered entities or service providers that: (i) had average adjusted gross revenue of less than $41 million over the last three years; (ii) collect or process the data of fewer than 200,000 individuals annually; and (iii) generate less than 50% of their revenue from transferring data.
The reduced obligations on small data holders would include:
In line with other privacy laws, the ADPPA would afford individuals certain rights. Specifically, under the ADPPA, individuals would have the right to request: (1) access to the covered data collected about them; (2) correction of any inaccuracies in their covered data; (3) deletion of covered data obtained about them, with notification of the deletion request to any third party or covered entity to which such data was transferred; (4) data portability; (5) withdrawal of affirmative express consent previously provided; and (6) an opt-out from transfers of covered data and from targeted advertising.
While most covered entities would be required to respond to individual requests within 60 days of verification, the requirement differs for small and large data holders. Large data holders would be required to respond within 45 days of verification, while small data holders would be required to respond within 90 days of verification.
Under the ADPPA, a covered entity would be required to obtain an individual’s affirmative express consent prior to the collection, processing, or transfer of the individual’s sensitive covered data. “Affirmative express consent” requires a specific, informed, unambiguous authorization of an act or practice by the covered entity, and the request for consent must meet certain content requirements outlined in the Act.
The Act would broadly preempt comprehensive state consumer privacy laws such as the CCPA and the legislation in Colorado, Connecticut, Utah, and Virginia. However, the Act would preserve the CCPA’s private right of action for data security violations. The Act also expressly excludes from preemption state laws addressing “health information, medical information, medical records, HIV status, or HIV testing.”
The ADPPA would be enforced by a new FTC bureau and state attorneys general (AG) or, in the case of California, the California Privacy Protection Agency. State AGs would be required to notify the FTC prior to initiating a civil action so the FTC may intervene.
Significantly, the Act would include a delayed private right of action, which would go into effect two years after the ADPPA is enacted. The Act would permit any person or class of persons to seek compensatory damages, injunctive or declaratory relief, and reasonable attorneys’ fees in federal court for certain violations of the Act.
Individuals would be required to notify the FTC and state AGs of their intent to bring an action, and the FTC or state AGs would have 60 days to decide whether to intervene in the suit. Prior to filing suit against a small data holder or seeking injunctive relief, an individual would have to provide the covered entity with 45 days’ written notice identifying the alleged violations, during which the covered entity would have the opportunity to cure them.
Individuals would not be permitted to bring an action against a covered entity that: has less than $25 million in annual revenue; collects, processes, or transfers the covered data of fewer than 50,000 individuals; or derives less than 50% of its revenue from transferring covered data.
While the ADPPA has made it out of committee, the path forward is uncertain. The House is in recess for the month of August, and even if the ADPPA passes when the House returns, it faces an uphill battle in the Senate. Although the ADPPA has bipartisan support in the House, Senator Maria Cantwell (D-WA), chair of the Senate Commerce Committee, opposes the Act due to concerns about enforcement gaps and has repeatedly indicated that she would not support it in its current form.