On June 3, a bipartisan, bicameral group of House and Senate lawmakers released a discussion draft of the American Data Privacy and Protection Act (ADPPA). If enacted, it would be the nation’s first comprehensive federal data privacy law. Today, data privacy in the United States is governed by what has been called a “patchwork” of state privacy laws, a model widely regarded as lagging behind the comprehensive frameworks enacted elsewhere, such as China’s Personal Information Protection Law (PIPL), passed in 2021, and the European Union’s General Data Protection Regulation (GDPR), adopted in 2016.
According to the U.S. Senate Committee on Commerce, Science & Transportation, “The Act defines ‘covered entity’ to include any entity that collects, processes, or transfers covered data and is subject to the jurisdiction of the Federal Trade Commission (FTC), including nonprofits, and telecommunications common carriers.”
Meanwhile, “covered data” is defined as information identifying, linked, or reasonably linkable to an individual or device linkable to an individual. This includes derived data and unique identifiers, but does not include de-identified data, employee data, or publicly available information (each of which is separately defined).
The draft version of the ADPPA requires covered entities to comply with the following key provisions:
- Refrain from collecting, processing, or transferring covered data beyond what is reasonably necessary to provide a product or service the consumer requested, or to communicate with the consumer, “within the context of the relationship.” What counts as reasonably necessary is left to later guidance from the Federal Trade Commission (FTC).
- Refrain from collecting, processing, or transferring the following categories of information without first obtaining the consumer’s “affirmative express consent” through a clear and conspicuous standalone notice:
  - Social Security numbers;
  - Geolocation information;
  - Biometric information, except where necessary for legal matters;
  - Genetic information, unless required for medical purposes; and
  - Consumers’ internet browsing history.
- Establish and implement “reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data” that consider the requirements or factors outlined in the ADPPA;
- Refrain from denying services, charging different prices or rates, or conditioning the provision of goods or services on a consumer’s agreement to waive any rights granted under the ADPPA;
- Provide consumers with access to any of their covered data that has been collected, the name of any third party or service provider that received a copy of that data, and a description of the purpose of the transfer. In addition, consumers must be given the option to:
  - Correct any inaccurate or incomplete information about them, with the covered entity notifying any third parties and service providers that received the inaccurate or incomplete information of their obligation to correct it as well; and
  - Delete their covered data held by the covered entity, with the covered entity notifying any third parties and service providers that received that data of their obligation to delete it as well.
- Refrain from collecting, processing, or transferring “sensitive covered data” of a consumer, unless “affirmative express consent” has been given by the consumer;
- Provide consumers with a mechanism to opt out of transfers of their covered data to third parties and of targeted advertising;
- Refrain from serving “targeted advertising” to, or transferring the covered data of, individuals the covered entity actually knows to be under the age of 17. The draft also establishes a Youth Privacy and Marketing Division at the FTC to oversee these protections;
- Conduct an “impact assessment” of any algorithm the covered entity uses, evaluating it for discriminatory impact;
- Establish, implement, and maintain “reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition[,]” in accordance with the ADPPA’s requirements; and
- Establish executive responsibility for compliance with the ADPPA and, beginning one year after enactment, conduct impact assessments evaluating the effectiveness of the measures the Act imposes.
Chances for Passage
According to a joint statement by House Energy and Commerce Chair Frank Pallone (D-NJ), ranking member Cathy McMorris Rodgers (R-WA) and Sen. Roger Wicker (R-MS), “this bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone.”
Indeed, Politico notes that, legislators “have been attempting to pass a national privacy law since the 1970s,” and that the success of the proposed legislation will hinge largely on an “agreement between Republicans and Democrats on two key issues that have blocked previous efforts: whether a federal privacy law can preempt state laws and whether individuals should have the right to sue companies that illegally share their data or use it in ways the law prohibits.”
In that vein, the ADPPA, according to The Hill, “would for the most part preempt the state privacy laws that have been advanced in the absence of federal action, but would leave some exceptions for rules covering a list of topics including civil rights, data breach notifications and facial recognition technology.”
Industry players, including tech companies like Apple, and activists like David Brody, Managing Attorney of the Digital Justice Initiative at the Lawyers’ Committee for Civil Rights Under Law, are also in favor of the legislation. Brody released a statement in support of the Act’s ability to “curb the rampant data-driven discrimination that occurs due to a lack of privacy protections.”
The bill includes a four-year post-enactment moratorium on private lawsuits stemming from ADPPA violations. This provision has been met with some disfavor. For example, Senate Commerce Chair Maria Cantwell (D-WA) stated “[f]or American consumers to have meaningful privacy protection, we need a strong federal law that is not riddled with enforcement loopholes. Consumers deserve the ability to protect their rights on day one, not four years later.”
Additionally, Politico notes that the “U.S. Chamber of Commerce has strongly opposed any bill that includes a private right of action[,]” due to the “potential to generate class action lawsuits” via awards of attorney’s fees.
Given her dissatisfaction with the ADPPA and the controversy over a private right of action, Sen. Cantwell has reportedly circulated a revised version of the Consumer Online Privacy Rights Act (COPRA), which she originally introduced in 2019, as an alternative path to consumer protection. Cantwell says her bill differs from the ADPPA chiefly on the question of mandatory arbitration.
Because of the controversy surrounding the ADPPA, the short window before Congress’s August recess, and this year’s midterm elections, it is uncertain whether the Act, or any comprehensive privacy legislation, will pass this year. Businesses and consumers should nonetheless keep monitoring the bill’s progress so they remain in compliance and are prepared for a potential shift from state-based privacy protections to a federal standard.
ADCG will be monitoring and tracking this bill as it makes its way through the legislative process. We are in the process of creating a page dedicated to the ADPPA and will make an announcement once it is ready.