A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 30 September 2022
Although American consumer privacy legislation has been left in the hands of individual States, Federal consumer privacy legislation has been deliberated for decades. However, it seems that Congress has finally made progress with the American Data Privacy Protection Act (“ADPPA”) having been proposed as landmark U.S. Federal privacy legislation, following in the footsteps of the GDPR.
The House Committee on Energy and Commerce approved ADPPA on July 20, 2022 and the Bill will be sent to the full U.S. House of Representatives for vote. However, voting may be delayed due to 2022 mid-term elections. If the Bill is passed by a full House, then it would go to the Senate, and the U.S. could have an enacted Federal data privacy law in the near future.
Though ADPPA is a bipartisan effort, there is tension between Federal and State privacy rights and enforcement. With a growing number of States enacting their own privacy laws, such as California, Virginia, Colorado, Connecticut, and Utah, ADPPA would largely pre-empt state privacy laws. Enforcement of the ADPPA would be by Federal and State Regulators, such as Federal Trade Commission (“FTC”) and State Attorney Generals (“AG”).
ADPPA applies to data controllers and data processors. The legislative intent is to reign in abuses of “Big Tech” companies and restrict their consumer data collection, and the use and transfer of their consumer data. It ultimately becomes a consumer “Bill of Rights,” providing greater transparency in the collection, use, and sale of consumer data. The law would provide minimum safeguards for data protection and require management oversight of data privacy and security.
Though ADPPA would define a covered entity broadly, there are three specific groups of entities subject to compliance with ADPPA:
Furthermore, government agencies are exempt and are not subject to compliance with ADPPA.
ADPPA would define covered data as personal information, which is generally any information linked to an identifiable individual. Exemptions to this definition are de-identifiable data, employee data, and publicly available information.
Though ADPPA will define covered data broadly, the importance of ADPPA is covering sensitive personal information. Sensitive personal information includes government-issued identification (including social security, driver’s license number, and passport number), health condition, treatment, diagnosis, financial account information, debit or credit card number, income level, bank balance, biometric or genetic information, precise geolocation information, account logins, passwords, access codes, sexual orientation, and minors’ data.
Entities are required to disclose to individuals that personal information is being collected and their use of the individual’s personal information. Entities must disclose the collection and use of personal information in a clear and conspicuous privacy notice that includes:
The entities will also be required to have a clear and conspicuous link on their Internet homepage in the manner of: “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information.” ADPPA also provides limitations on the use of personal information and provides consumers the right to opt-out of the sale or sharing of their personal information. In addition, consumers who are minors will require consent by parent or guardian to opt-in.
ADPPA will be primarily enforced by the FTC, allowing the FTC to institute a civil action for violation of the ADPPA. Additionally, no State AG may file its own suit on behalf of a nationwide class of consumers, however, an AG of any implicated State may choose to interview in the FTC action. The ADPPA will also require the FTC to create a new Bureau of Privacy and a separate fund in the U.S. Treasury called the Privacy and Security Victims’ Relief Fund. Moreover, violations of the ADPPA constitute “deceptive practices” under the FTC Act and will require recovery of damages, civil penalties, restitution, attorney’s fee and costs.
A State AG may also enforce ADPPA violations that impact a number of State residents by bringing a civil action in the name of the State or its residents. Any such AG action must be filed in the appropriate Federal Court. Prior to bringing an action, the State AG should notify the FTC in writing and provide a copy of the complaint before filing. Furthermore, the amendments to the proposed legislation expressly authorize the California Privacy Protection Agency (“CPPA”) to enforce the ADPPA “in the same manner” the CPPA “would otherwise enforce the CCPA,” overriding State’s right issue.
In line with many other privacy laws, the ADPPA would provide individuals certain rights. Specifically, individuals will have the right to access personal information that’s collected, processed or transferred (within the past 24 months), the right to correction or deletion of any of their covered data, the right to data portability (if technically feasible), and the right to opt-out of data transfer or targeted advertising.
Furthermore, entities are required to respond to consumer requests. The requirement for response differs for small and large data holders. For larger data holders, the entity must respond in writing by 45 days; and 60 days, if not considered a large data holder. Smaller covered entities are required to respond within 90 days. The response period for any entity is subject to one 45-day extension with notice. The entity shall provide these rights free of charge to a consumer, twice in any 12 month period, but the entity can charge a reasonable amount for subsequent requests.
Consumers will also have their right of action, however, before an individual or class of individuals can file suit, they must provide notice to the FTC and State AG, in which the individual resides. In their notice, the consumer will outline their desire to commence a civil action for violation of the ADPPA. The FTC and/or the State AG shall decide within 60 days whether they will independently seeks to intervene in such action. A private right of action will be allowed starting 2 years after the effective date of ADPPA and may be brought in only Federal Court. Moreover, a private civil litigant may seek actual damages, injunctive or declaratory relief, and attorney fees and costs.
As you may gather, lawmakers have compromised on many of their divisive proposals that had hampered previous efforts. Though the House Committee on Energy and Commerce has progressed ADPPA to the House and the House Committee has already proposed changes, the ADPPA will likely remain in a standstill. The time to consider is limited due to elections, but ADPPA will likely be a priority issue once a new Congress assembles.
London - Walbrook
+44 (0)20 7894 6930
+44 (0) 20 7894 6925
Hans Allnutt, Astrid Hardy
Patrick Hill, Sonali Malhotra
Julian Miller, Clare Hughes-Williams
Patrick Hill, Camilla Elliot
Hans Allnutt, Camilla Elliot
Hans Allnutt, Stuart Hunt
Astrid Hardy, Hans Allnutt
Julian Miller, Tom Evans
Jade Kowalski, Astrid Hardy
Louise Gallagher, Katie Anderson