By Patrick Hill & Hans Allnutt


Published 30 September 2022

Overview

Although American consumer privacy legislation has been left in the hands of individual States, Federal consumer privacy legislation has been deliberated for decades. However, it seems that Congress has finally made progress with the American Data Privacy Protection Act (“ADPPA”) having been proposed as landmark U.S. Federal privacy legislation, following in the footsteps of the GDPR.

The House Committee on Energy and Commerce approved ADPPA on July 20, 2022, and the Bill will be sent to the full U.S. House of Representatives for a vote. However, voting may be delayed due to the 2022 mid-term elections. If the Bill is passed by the full House, it would go to the Senate, and the U.S. could have an enacted Federal data privacy law in the near future.

Though ADPPA is a bipartisan effort, there is tension between Federal and State privacy rights and enforcement. With a growing number of States enacting their own privacy laws, such as California, Virginia, Colorado, Connecticut, and Utah, ADPPA would largely pre-empt State privacy laws. Enforcement of the ADPPA would be by Federal and State regulators, such as the Federal Trade Commission (“FTC”) and State Attorneys General (“AG”).

ADPPA applies to data controllers and data processors. The legislative intent is to rein in abuses by “Big Tech” companies and restrict their collection of consumer data and their use and transfer of that data. It ultimately becomes a consumer “Bill of Rights,” providing greater transparency in the collection, use, and sale of consumer data. The law would provide minimum safeguards for data protection and require management oversight of data privacy and security.


Entities Subject to Compliance with ADPPA

Though ADPPA would define a covered entity broadly, there are three specific groups of entities subject to compliance with ADPPA:

  1. Data controllers, covered entities that decide the purpose and means of collecting, processing, and/or transferring personal information of U.S. residents;
  2. Service providers, such as data processors that collect, process, and transfer personal information at the direction of a covered entity; and
  3. Large data holders that have an annual gross revenue of $250 million or more AND collect or process data for five million persons (or devices) AND collect or process sensitive personal information of more than 200,000 persons or devices.

Government agencies, however, are exempt and are not subject to compliance with ADPPA.


How ADPPA Defines Covered Data

ADPPA would define covered data as personal information, which is generally any information linked to an identifiable individual. Exemptions from this definition are de-identified data, employee data, and publicly available information.

Though ADPPA would define covered data broadly, a key feature of ADPPA is its treatment of sensitive personal information. Sensitive personal information includes government-issued identification (including social security, driver’s license, and passport numbers), health condition, treatment, and diagnosis, financial account information, debit or credit card numbers, income level, bank balance, biometric or genetic information, precise geolocation information, account logins, passwords, access codes, sexual orientation, and minors’ data.

Entities are required to disclose to individuals that personal information is being collected and how the individual’s personal information is used. Entities must disclose the collection and use of personal information in a clear and conspicuous privacy notice that includes:

  • Categories of personal information collected and processed,
  • Purpose for which personal information is collected and processed,
  • Categories and names of third parties to whom personal information is transferred,
  • Purpose for which personal information is transferred to the third parties,
  • Retention period for storing personal information,
  • How individuals can exercise their rights over their personal information,
  • General description of the organization’s data security practices, and
  • Whether personal information is accessible to China, Russia, Iran, or North Korea.

The entities will also be required to have clear and conspicuous links on their Internet homepage reading “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information.” ADPPA also places limitations on the use of personal information and provides consumers the right to opt out of the sale or sharing of their personal information. In addition, consumers who are minors will require the consent of a parent or guardian to opt in.


Regulatory Enforcement

ADPPA would be primarily enforced by the FTC, which may institute a civil action for a violation of the ADPPA. No State AG may file its own suit on behalf of a nationwide class of consumers; however, the AG of any implicated State may choose to intervene in the FTC action. The ADPPA would also require the FTC to create a new Bureau of Privacy and a separate fund in the U.S. Treasury called the Privacy and Security Victims’ Relief Fund. Moreover, violations of the ADPPA constitute “deceptive practices” under the FTC Act and would allow recovery of damages, civil penalties, restitution, and attorney’s fees and costs.

A State AG may also enforce ADPPA violations that impact a number of State residents by bringing a civil action in the name of the State or its residents. Any such AG action must be filed in the appropriate Federal Court. Before bringing an action, the State AG must notify the FTC in writing and provide a copy of the complaint before filing. Furthermore, the amendments to the proposed legislation expressly authorize the California Privacy Protection Agency (“CPPA”) to enforce the ADPPA “in the same manner” the CPPA “would otherwise enforce the CCPA,” addressing the States’ rights issue.


Individual Consumer Rights

In line with many other privacy laws, the ADPPA would provide individuals certain rights. Specifically, individuals would have the right to access personal information that has been collected, processed, or transferred (within the past 24 months), the right to correction or deletion of any of their covered data, the right to data portability (if technically feasible), and the right to opt out of data transfers or targeted advertising.

Furthermore, entities are required to respond to consumer requests, and the response deadline differs by the size of the entity. A large data holder must respond in writing within 45 days; an entity that is not a large data holder has 60 days; and smaller covered entities are required to respond within 90 days. The response period for any entity is subject to one 45-day extension with notice. The entity shall provide these rights free of charge to a consumer twice in any 12-month period, but may charge a reasonable amount for subsequent requests.

Consumers would also have a private right of action; however, before an individual or class of individuals can file suit, they must provide notice to the FTC and to the AG of the State in which the individual resides. In that notice, the consumer outlines their intent to commence a civil action for violation of the ADPPA. The FTC and/or the State AG shall decide within 60 days whether they will independently seek to intervene in such an action. The private right of action would be available starting 2 years after the effective date of ADPPA and may be brought only in Federal Court. A private civil litigant may seek actual damages, injunctive or declaratory relief, and attorney’s fees and costs.


Conclusion

As you may gather, lawmakers have compromised on many of the divisive proposals that hampered previous efforts. Though the House Committee on Energy and Commerce has progressed ADPPA to the House and has already proposed changes, the ADPPA will likely remain at a standstill for now. Time for consideration is limited because of the elections, but ADPPA will likely be a priority issue once a new Congress assembles.
