Protecting personal information is important to all Americans. In the absence of a comprehensive federal privacy law (the US is one of the few remaining countries without one), states are stepping up. Five states have adopted comprehensive privacy legislation: California, Colorado, Connecticut, Virginia and Utah. And more than half of the country’s state legislatures have considered such measures over the past year.
Even with this emerging patchwork of state laws, the prospect of a comprehensive federal privacy law seemed a remote possibility until recently. Less than a month after Connecticut’s Governor signed An Act Concerning Personal Data Privacy and Online Monitoring[i] (CTDPA)[ii], a discussion draft of the proposed federal American Data Privacy and Protection Act (ADPPA) surfaced on June 3, 2022. It took many (including me) by surprise. Lawmakers formally introduced the bill in the House of Representatives on June 21, 2022.[iii]
I had not expected any push for federal privacy legislation this year, and I certainly did not expect a bipartisan proposal. Not only does the ADPPA have bipartisan support, but it is vastly different from the state laws. And it would preempt most of them, including the recently enacted CTDPA, scheduled to take effect on July 1, 2023.
A Bipartisan/Bicameral Attempt
The ADPPA is the first proposed federal data privacy bill with bipartisan and bicameral support (Representatives Frank Pallone Jr. (D-N.J.), Cathy McMorris Rodgers (R-Wash.), and Senator Roger Wicker (R-Miss.)). Notably absent from support is Senator Maria Cantwell (D-Wash.), a leader in the Senate who has previously proposed data privacy legislation and has expressed concern that the ADPPA does not provide enough protection.
Despite the lack of support from Senator Cantwell, after a mark-up session, the House Committee on Energy & Commerce voted 53-2 to send the bill to the House floor. All sides made concessions to create legislation that could succeed and resolved to not let perfect be the enemy of good.
Federal lawmakers found common ground on the most contentious issues: preemption and a private right of action. Generally, Republican lawmakers want preemption and not a private right of action, and the reverse is true for their Democratic counterparts. The ADPPA splits the baby. It preempts most state laws and allows for a private right of action. More on both below.
The House is not in session again until September and given the proximity of the mid-term elections, many question whether the ADPPA will receive consideration this year. Even if it does not, we likely will see this bill again in one form or another.
The ADPPA Is Different and More Protective Than State Privacy Laws
While the ADPPA provides consumer rights and imposes basic business obligations similar to those in the five states, it offers greater overall privacy protections than any of the state laws. The ADPPA is also structured differently. Transparency and consent are the focus in the state laws. On the other hand, the ADPPA recognizes that bombarding consumers with notices that most will never read does not protect information. Rather, the ADPPA does not permit the collection or processing of data except as necessary to provide a product or service or as otherwise permitted under the ADPPA.[iv]
This approach is more like Europe’s GDPR. It is more protective of consumers because it provides clearly defined boundaries.
Critically important is the fact that the ADPPA is broader in scope than the state laws, which all offer significant exemptions. The ADPPA recognizes only a few entity-level exemptions including governmental entities and entities Congress designates to protect victims, families and children.[v] The ADPPA would apply broadly to businesses, nonprofits and common carriers regardless of size or complexity of operations.[vi]
While size will not exempt an entity, it certainly will impact compliance requirements. The ADPPA would hold massive data holders and social media giants to a higher standard than smaller companies.[vii] It also requires data brokers to register with the Federal Trade Commission (FTC) and provide special notices to consumers.[viii]
Further, the ADPPA would more aggressively protect minors.[ix] The bill prohibits targeted advertising to a minor under 17 years of age. It also prohibits data transfers relating to a minor under 17 years old without affirmative express consent. While the bill requires that the covered entity have knowledge that the minor is under 17, it defines knowledge differently for large data holders and social media giants than for others.
The ADPPA Would Preempt Most State Privacy Laws
Generally, the ADPPA would preempt any state law that addresses issues covered by the ADPPA or its regulations.[x] The bill carves out 16 categories of exceptions to the preemption rule, including data breach notification laws, Illinois’ Biometric Information Privacy Act and California’s private right of action for data breach victims. Further, the bill specifically recognizes the California Privacy Protection Agency, established under California’s privacy law, and empowers it to enforce the ADPPA in the same manner it would have enforced the California law.
Preemption is a divisive issue. Those in favor of preemption generally want a single federal standard to govern privacy instead of a patchwork of state laws, which can make compliance difficult. For that reason, the business community strongly supports preemption.
Those opposed to preemption are concerned that a federal law cannot remain nimble enough to keep up with changes in technology and believe that a federal law should serve merely as a floor for protection, not a ceiling. They believe that states are in the best position to quickly pass legislation needed to address unanticipated changes and new developments in technology. Recently, 10 State Attorneys General, including Connecticut’s Attorney General Tong, wrote to Congressional leaders emphasizing this point.[xi]
Enforcement of the ADPPA Would Be a Team Effort
The ADPPA envisions a three-pronged enforcement strategy: (1) the Federal Trade Commission through a newly created Bureau of Privacy; (2) State Attorneys General; and (3) individuals through a private right of action, which will not be available until two years after the ADPPA’s effective date.[xii] Violations of the ADPPA would be deemed an unfair or deceptive act or practice under the Federal Trade Commission Act (FTCA).
A commonly cited ADPPA concern relates to resources for enforcement. Given the breadth of the bill and the lack of current structure and sufficient resources within the FTC to handle enforcement, weak enforcement could take the bite out of the ADPPA.
Additionally, many point to the ramp-up time for the FTC, the time-consuming rulemaking process and the two-year delay of the private right of action as creating a problematic gap in enforcement. Notably, state privacy laws would be preempted six months after the ADPPA is signed into law, leaving a sizable gap in any effective privacy law enforcement efforts at the state or federal level.
Small Business Protections
Entities with annual gross revenues of less than $41 million in the last three years may be eligible for some exemptions to certain ADPPA requirements if they meet two additional requirements.[xiii] First, the entity must not collect or process the data of more than 200,000 individuals for a purpose beyond processing payment. Second, the entity cannot receive more than 50% of its revenue from transferring covered data.
If those criteria are met, then the qualifying entity would have more flexibility with respect to certain consumer rights and less onerous data security, privacy impact assessment and other obligations.
Importantly, smaller entities with annual gross revenues under $25 million that collect the data of fewer than 50,000 individuals and derive less than 50% of revenue from transferring data would be exempt from the private right of action altogether.[xiv]
Unique or Notable Aspects of the ADPPA
Civil Rights
Unlike any state law, the ADPPA would prohibit the use of consumers’ data in a way that discriminates based on race, color, religion, national origin, sex or disability.[xv] Large data holders using computerized decision making that could pose “a consequential risk of harm” would be required to perform an algorithm impact assessment annually to assess disparate impact. Other entities that engage in similar computerized decision-making processes would have to perform a less prescriptive algorithm design evaluation prior to deploying the algorithm.
Corporate Accountability
Similar in concept to the Sarbanes-Oxley Act and unlike the state laws, the ADPPA requires corporate accountability for compliance.[xvi] Large data holders would be required to submit annually a certificate of compliance, signed by an executive. Entities with more than 15 employees would have to appoint a privacy and data security officer. Further, there would be a privacy impact assessment requirement, the breadth of which depends on the size of the entity.
Transparency: China, Russia, Iran and North Korea
Privacy notice or privacy policy requirements are commonplace in privacy laws. The ADPPA is no exception. Unlike other laws, however, the ADPPA also mandates that the privacy policy disclose whether data is transferred to, processed in, stored in or otherwise accessible to China, Russia, Iran or North Korea.[xvii]
Conclusion
The enactment of a comprehensive federal privacy law would be a game-changer in every state and, based on the current version of the federal bill, across every industry. In light of the federal bipartisan effort, we may see fewer states considering privacy measures in upcoming legislative sessions out of concern that their work may be in vain. As for the five states with laws that have not yet become effective[xviii], they are left in limbo wondering if their laws will ever take effect.
[i] Public Act 22-15; https://www.cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF.
[ii] Privacy professionals agreed that “CTPDPOMA” was simply not an acceptable acronym, so we use the shorter acronym of “CTDPA,” which stands for the Connecticut Data Privacy Act, as we have lovingly renamed it.
[iii] H.R. 8152; https://docs.house.gov/meetings/IF/IF00/20220720/115041/BILLS-117-8152-P000034-Amdt-1.pdf.
[iv] Id. at §§ 101 and 102.
[v] Id. at § 2(9).
[vi] Id.
[vii] Id. at Titles II and III.
[viii] Id. at § 206.
[ix] Id. at § 205.
[x] Id. at § 404.
[xi] https://oag.ca.gov/system/files/attachments/press-docs/Letter to Congress re Federal Privacy.pdf
[xii] Id. at §§ 401-403.
[xiii] Id. at § 209.
[xiv] Id. at § 403(e).
[xv] Id. at § 207.
[xvi] Id. at § 301 et seq.
[xvii] Id. at § 201(b).
[xviii] California’s Consumer Privacy Act took effect in 2020. Substantial changes to that law, known as the California Privacy Rights Act, are scheduled to take effect on January 1, 2023. The other state laws take effect between July 1 and December 31, 2023.