
House and Senate Leaders Confer Regarding Bipartisan Discussion Draft of Comprehensive Federal Data Privacy Framework

June 16, 2022
Client Alert

On June 14, the U.S. House of Representatives’ Subcommittee on Consumer Protection and Commerce met to discuss an ongoing bipartisan effort to bring data protection rights to all U.S. consumers by passing a national bill that aims to reform data collection practices, provide consumers with meaningful controls over their information and expand Federal resources to protect online privacy. The draft legislation, titled the American Data Privacy and Protection Act (ADPPA or the Act), aims to “provide consumers with foundational data privacy rights, create strong oversight mechanisms and establish meaningful enforcement.”[1]

ADPPA is the latest attempt at a national privacy bill to come out of Congress; however, it stands apart from its stymied predecessors as the first comprehensive framework to gain both bipartisan and bicameral support. The ADPPA would represent a shift from the “notice and consent” model of data privacy and security that predominates in today’s online environment, and would bring Federal regulation in line with the data privacy and cybersecurity regulatory innovation taking place at the state level and abroad. ADPPA aims to provide certainty to both consumers and businesses by forestalling the growing and increasingly unworkable patchwork of privacy legislation at various levels of government.[2]

The ADPPA, if passed, would require companies to limit their data collection practices to what is reasonably necessary to operate their businesses, to designate a privacy officer and a data security officer responsible for privacy and security compliance, and to implement security practices and procedures to prevent unauthorized access to or use of customer data. In addition, the ADPPA provides for a private right of action, whereby individuals could sue companies that misuse their data in violation of the Act. Though the Act places certain limitations on an individual’s right to sue, the ADPPA’s private right of action may serve to challenge many companies’ data privacy and cybersecurity compliance posture.

Notwithstanding the bipartisan support for the bill, an uphill battle remains for the proposal to be finalized prior to this year’s mid-term elections. In particular, it has failed to gain the support of U.S. Senator Maria Cantwell (D-Wash.), who chairs the Senate Commerce Committee. In a statement to the Washington Post, Senator Cantwell said that “any robust and comprehensive privacy law must protect consumers’ personal data with a clear requirement that companies are accountable for the use of that data and must act in consumers’ best interest.”

Key highlights of the ADPPA are summarized below. We will continue to keep you informed of any updates to the ADPPA and Federal privacy legislation.

Scope

Generally speaking, the ADPPA would broadly apply to entities conducting business in the United States and would cover many categories of data that are commonly collected and processed online.

  • “Covered Entity” means “any entity or person that collects, processes or transfers covered data and is subject to the jurisdiction of the Federal Trade Commission.” The Act would also apply to all entities controlled by a Covered Entity and to those with which a Covered Entity shares common branding. Departing from all but one (Colorado) of the comprehensive state privacy laws, the ADPPA explicitly includes not-for-profit organizations, which have traditionally been outside the scope of FTC regulation. Also included are common carriers subject to Title II of the Communications Act of 1934.
  • “Covered Data” means “information that identifies or is linked or reasonably linkable to one or more individuals, including derived data and unique identifiers.” “Covered Data” does not include de-identified data, employee data and publicly available information.
  • “Sensitive Covered Data” includes government-issued identifiers, such as Social Security and passport numbers; diagnostic or healthcare treatment information; financial account numbers; biometric and genetic information; precise geolocation data; private electronic correspondence; device log-in credentials; protected class information; cross-site tracking data; private photographs; and information relating to an individual’s use of any television or streaming service. Additionally, any Covered Data relating to an individual under the age of 17 is considered “Sensitive.” The Act also allows the FTC to define additional categories of data as “Sensitive” through subsequent rulemaking.

Small Data Exception

The ADPPA provides a “Small Data Exception,” which relieves a qualifying organization from compliance with certain portions of the Act. To qualify for this exception, for each of the three preceding calendar years, the Covered Entity must not have: (1) had annual revenue in excess of $41,000,000; (2) annually collected or processed the Covered Data of more than 100,000 individuals; or (3) derived more than 50% of its revenue from transferring Covered Data. All three conditions must be met.

Duty of Loyalty

The ADPPA imposes a duty of loyalty on all Covered Entities not to collect or use Covered Data beyond what is “reasonably necessary, proportionate and limited to” the operation of the organization’s business. This may cause significant upheaval for many organizations’ present data collection practices. The Act also restricts the collection and processing of certain sensitive information, such as precise location data and biometric and genetic information. Covered Entities are also broadly prohibited from denying services to, or charging a different price to, individuals based on whether they agree to waive any rights under the Act. Finally, organizations will be required to implement “privacy by design” internally, which includes establishing reasonable policies, procedures and practices for compliance with the ADPPA’s restrictions and limitations on the collection and use of customer data.

Consumer Data Rights

Tracking comprehensive state-level privacy law, the ADPPA would provide consumers with the rights to access, correct, delete and port their Covered Data. Similar to a requirement in the European Union’s General Data Protection Regulation, the ADPPA requires that an organization obtain the “affirmative express consent of an individual” prior to collecting or processing data that the Act defines as “sensitive,” and that it provide an “easy-to-execute” means to withdraw that consent in the future. The ADPPA also requires any organization that engages in targeted advertising to provide “a clear and conspicuous” opt-out. The Act further prohibits targeted advertising to any individual under the age of 17.

Civil Rights and Algorithms

In perhaps its largest departure from established U.S. privacy law precedent, the ADPPA seeks to prohibit Covered Entities from engaging in data practices that in any manner cause discrimination on the basis of a protected class. Specifically, the ADPPA would require Large Data Holders – Covered Entities that in the most recent calendar year had annual gross revenues of $250,000,000 or more and collected the Covered Data of more than 5,000,000 individuals or the Sensitive Covered Data of more than 100,000 individuals – to conduct an impact assessment of any algorithm used to collect or process Covered Data. The assessment is aimed at identifying potential harms on the basis of age, discrimination in advertising for housing, education, employment, healthcare, insurance or credit opportunities, and any other disparate impact on the basis of an individual’s race, color, religion, national origin, gender, sexual orientation or disability status. These assessments must be submitted to the FTC on an annual basis.

The FTC is required to transmit any information it obtains regarding potential discriminatory uses of Covered Data to the federal executive agencies with the authority to initiate proceedings related to such a violation.

Data Security and Protection of Covered Data

The ADPPA requires that Covered Entities establish and implement reasonable security practices and procedures to protect Covered Data from unauthorized access. At a minimum, reasonable security practices must include: risk assessments of each system that collects, processes or transfers Covered Data; preventive and corrective action against foreseeable vulnerabilities affecting Covered Data; reasonable adjustments to safeguards in light of material changes in technology; and the safe disposal of Covered Data. The Act also requires that Covered Entities train each employee on how to safeguard Covered Data. The FTC, through a future administrative process, will set up a mechanism for Covered Entities to submit technical compliance programs for approval. Those programs, once approved by the FTC, will be made publicly available to individuals whose data is processed by those Covered Entities.

Unified Opt-Out Mechanisms

The ADPPA requires the FTC to conduct a study on the feasibility of creating a privacy-protective, centralized mechanism for individuals to exercise their data rights through a single interface. In theory, a unified opt-out mechanism may function like the FTC’s National Do Not Call Registry, allowing consumers to communicate their preferences to all Covered Entities before their data is collected and processed. If the study determines that a centralized mechanism is feasible, the FTC shall promulgate rules establishing a unified opt-out procedure for Covered Entities to adopt.

Executive Responsibility

The ADPPA provides for expanded corporate accountability for Covered Entities’ data privacy and cybersecurity compliance that goes beyond what state privacy law has previously required. Specifically, the Act requires that a Covered Entity designate a privacy officer and a data security officer to implement internal governance that safeguards the privacy and security of Covered Data. Accountability for Large Data Holders goes further, requiring annual certification to the FTC that the organization maintains internal controls and reporting structures to comply with the Act. Large Data Holders are also required to conduct regular and comprehensive audits of their policies and practices and a biennial privacy impact assessment.

Enforcement

The ADPPA grants broad authority to enforce the Act to both the FTC and state attorneys general. The Act requires that the FTC establish a new bureau to assist in exercising the commission’s new authority under the ADPPA.

Private Right of Action

The ADPPA allows individuals to bring civil actions seeking compensatory damages and injunctive or declaratory relief against Covered Entities that collect or process their data in violation of the Act. The Act also allows litigants to recover the costs of suit, including attorneys’ fees. This private right of action is subject to certain limitations, however. First, the private right of action would not take effect until four years after the Act becomes law, giving Covered Entities time to comply before facing the risk of individual lawsuits. Additionally, an individual or class of individuals must first notify the FTC and the relevant state attorneys general of their intent to enforce provisions of the ADPPA through a civil action. Upon receipt of the notice, the FTC and the attorneys general will have 60 days to decide whether they wish to bring an independent enforcement action. During that 60-day period, any demand for monetary payment sent to a Covered Entity will be considered to have been made in bad faith. A demand letter sent after the expiration of the 60-day period must include specific language provided for in the Act reminding the Covered Entity of its rights relating to the letter, along with a hyperlink to an FTC website that will describe the provisions of the Act. Finally, the Act requires courts to consider a Covered Entity’s participation in an FTC-approved compliance program when assessing any claims brought against the Entity.

Any private action brought against a Covered Entity that qualifies under the “Small Data Exception,” or any action that seeks injunctive relief, would be subject to a 45-day notice and cure provision. Other Covered Entities are not afforded a statutory notice and cure opportunity, although the design of the 60-day period may in practice allow an opportunity to correct existing issues.

Limited Data Exemption

The ADPPA provides a limited exemption for Covered Entities that are already required to comply with other Federal data privacy and cybersecurity regulations, such as Title V of the Gramm-Leach-Bliley Act or the Privacy and Security Rules under the Health Insurance Portability and Accountability Act. This exemption is limited to Covered Data that is subject to such other Federal regulation, however, and applies only to Section 208 of the ADPPA, which relates to data security and protection.

State Law Preemption

Though the ADPPA would preempt state-level comprehensive privacy legislation such as the CCPA, the Act would leave many sources of data privacy and security obligations at the state level unaffected. Generally speaking, the Act would not preempt applicable consumer protection laws; employee and student privacy protections; data breach notification laws; criminal laws relating to fraud, identity theft, cyberstalking or unauthorized use of electronic devices; or Illinois’ Biometric and Genetic Information Privacy Act (and any similar acts enacted in the future). The Act’s preemption clause would also leave common law and statutory causes of action unaffected. Though the ADPPA’s middle-ground approach to preemption may satisfy lawmakers by leaving plenty of opportunities for the states to regulate the collection and use of consumers’ data, the breadth of state-level regulation left undisturbed by the Act may undercut the reduction in compliance costs that a broadly applicable Federal law would otherwise deliver.


[1] In advance of Tuesday’s meeting, U.S. Representatives Frank Pallone, Jr. (D-N.J.) and Cathy McMorris Rodgers (R-Wash.), Chairman and Ranking Member of the House Committee on Energy and Commerce (respectively), and U.S. Senator Roger Wicker (R-Miss.), Ranking Member of the Senate Committee on Commerce, Science, and Transportation, published a discussion draft of a comprehensive national data privacy and security framework.

[2] The passage of the ADPPA would largely preempt state comprehensive data privacy laws such as the California Consumer Privacy Act (CCPA) and similar legislation passed in Utah, Colorado, Virginia and Connecticut, which are set to go into effect in 2023. The Act, however, would also provide consumers with many of the same rights and protections as the preempted state privacy legislation. Specifically, the ADPPA would allow users to opt out of targeted advertising, require businesses to obtain affirmative consent prior to collecting an individual’s sensitive data, and give consumers the rights to access, correct, delete and port their data.

Information contained in this publication should not be construed as legal advice or opinion or as a substitute for the advice of counsel. The articles by these authors may have first appeared in other publications. The content provided is for educational and informational purposes for the use of clients and others who may be interested in the subject matter. We recommend that readers seek specific advice from counsel about particular matters of interest.

Copyright © 2022 Stradley Ronon Stevens & Young, LLP. All rights reserved.
