Last week, Representatives Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA) and Senator Roger Wicker (R-MS) released a draft federal privacy proposal titled the American Data Privacy and Protection Act (ADPPA). ADPPA is Congress’s latest effort to pass a comprehensive privacy law, loosely analogous to the already-effective California Consumer Privacy Act (CCPA) and the privacy laws going into effect next year in Utah, Colorado, Virginia, and Connecticut. However, ADPPA also goes beyond what is required under these state laws and would create relatively robust enforcement mechanisms (including a limited private right of action). The bipartisan and bicameral nature of the proposal also indicates that it has the potential to gain traction in Congress, though it is still lacking support from some key stakeholders, particularly Senator Maria Cantwell (D-WA), Chair of the Senate Commerce Committee.
ADPPA addresses many of the same topics as the CCPA and other recently passed privacy legislation at the state level. The law’s passage would create certain data privacy rights for consumers (including the right to access, delete, and correct their personal information) and additional protections for more “sensitive” data. ADPPA also mandates certain privacy by design and data security standards for businesses. Like the state laws, ADPPA exempts from its scope information that is already regulated under certain federal laws, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).
However, as noted earlier, ADPPA would also impose additional obligations on businesses that are not required under current state laws. For one, ADPPA would require businesses to be subject to a “duty of loyalty,” which would create limitations on what information a business could process and for what purposes. Businesses would also have specific obligations related to corporate accountability for privacy, including requirements to designate privacy and data security officers and conduct annual certifications regarding their compliance with the law (for businesses that meet a certain revenue or data processing threshold). ADPPA would also create obligations related to the use of algorithms, including a requirement for businesses of a certain size to conduct algorithm impact assessments.
Perhaps the most notable development in ADPPA (and why it may gain traction compared to previous privacy proposals) is that it reaches compromise positions on preemption and a private right of action. These issues have been the primary sticking points between Republican and Democrat privacy proposals in the past. Republican proposals generally included broad preemption provisions and no private right of action, while Democratic proposals tended to take the opposite stance.
ADPPA reaches a compromise on both issues. The proposal preempts many state privacy laws, including comprehensive privacy laws such as the CCPA, but leaves in place other state laws aimed at regulating specific categories of information that may fall outside of ADPPA (such as employment data, the state breach notification laws, and the Biometric Information Privacy Act in Illinois). Notably, ADPPA would also leave intact the CCPA’s private right of action provision. On a private right of action, the law would allow private litigants to bring lawsuits under the law but only in federal court and only after the FTC or a relevant state attorney general refused to conduct their own investigation. The private right of action provision would also only go into effect four years after the law’s effective date.
The House Energy and Commerce Committee (chaired by Congressman Pallone) announced that a hearing is scheduled for ADPPA on June 14. The quick timing of this hearing (after the draft bill was released just last week) indicates that there is some appetite in Congress to potentially address this issue before the midterms. However, while promising, ADPPA still faces significant challenges on its way to becoming law. Notably, Senator Cantwell has yet to sign on to the bill and has expressed her displeasure with the private right of action provision. And, although the ADPPA has bipartisan support in the House, it lacks support from a Senate Democrat. Lawmakers also face a time constraint, with the August recess and the midterms looming. If the bill were to be enacted, the current draft lists the effective date as 180 days after enactment, though this may be subject to change.
Below are the key highlights of the ADPPA. We will continue to provide updates on major developments of federal privacy law. To stay updated with our writings on this topic, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.
Key Highlights
- Covered Entities. ADPPA applies to entities that collect, process, or transfer covered data and are either: (1) subject to the Federal Trade Commission Act; (2) common carriers subject to the Communications Act of 1934 title II; or (3) not organized to carry on business for their own profit or that of their members. This broad definition of a Covered Entity means that ADPPA will apply to most for-profit businesses, as well as non-profits (which are currently exempt from all comprehensive state privacy laws, except the Colorado Privacy Act).
- Exemptions. Like the state laws, ADPPA exempts information that is governed under relevant federal laws, including the GLBA and HIPAA. Notably, this exemption is narrower than how some of these exemptions are framed under the relevant state laws. Based on its text, ADPPA does not create entity-wide exemptions for businesses subject to the GLBA or HIPAA. It applies “solely and exclusively to data subject” to such laws.
- Duty of Loyalty. The concept of a “duty of loyalty” in privacy law has appeared elsewhere, such as in academic literature, the New York Privacy Act, and in other federal privacy bills. While other bills have defined the duty as forbidding controllers from engaging in unfair or deceptive practices, ADPPA’s duty of loyalty imposes more specific data minimization requirements, loyalty duties, and privacy by design principles. Under ADPPA, entities should only collect, process, or transfer data that is reasonably necessary, proportionate, and limited to a set of purposes allowed by the law. ADPPA also establishes loyalty duties, restricting entities from collecting, processing, or transferring certain kinds of information (e.g., social security numbers, biometric, and genetic information) absent a permitted purpose. With respect to privacy by design, entities are guided to implement reasonable policies, practices, and procedures regarding their collection, processing, and transfer of “covered data.”
- Preemption. ADPPA preempts many state privacy laws, including comprehensive privacy laws like the CCPA. However, exceptions are provided for a number of different laws, such as consumer protection laws of general applicability (i.e., state unfair and deceptive acts and practices laws), civil rights laws, laws governing the privacy of employees and students, data breach notification laws, laws that solely address facial recognition technologies and electronic surveillance, among others. Moreover, the ADPPA specifically states that it does not prevent two Illinois laws (the Biometric Information Privacy Act and the Genetic Information Privacy Act), as well as the security breach section of the California Privacy Rights Act (CPRA).
- The exemption for employment privacy laws is particularly notable because the CPRA ends the CCPA’s exemption for employment data, which means that (based on how ADPPA currently reads), it would not preempt the CPRA to the extent that it would apply to employment data.
- This section may be subject to further modifications because it is likely to be a hot button issue for both Democrats and Republicans.
- Private Right of Action. The private right of action would not take effect until four years after the bill’s enactment. Persons can bring civil actions against entities in Federal court, if they have suffered an injury that can be addressed by the bill. Courts can award plaintiffs the following: (a) compensatory damages; (b) injunctive or declaratory relief; and (c) reasonable attorney’s fees and litigation costs. While the private right of action appears at first glance to be broad, ADPPA imposes various requirements on potential plaintiffs. Prior to filing, persons must notify the FTC and their state attorney general of their desire to exercise their right. Within sixty days, the FTC and the state attorney general should determine whether they will independently take action and notify the person accordingly. If a plaintiff requests a monetary payment from an entity in writing, either (a) prior to a sixty-day expiration (starting from when the state attorney general or the FTC receives notice) or (b) after the FTC or the state attorney general determine they would independently seek civil action, then the person’s request will be considered to be in bad faith and unlawful. Any demand letters to covered entities requesting monetary payment should also include specific language noted in the bill, along with a hyperlink. If the disclosure is not included, the person or class must forfeit their right to bring an action.
- Consumer Data Rights. Like the state comprehensive privacy laws, ADPPA provides consumers with numerous data rights. Under ADPPA, consumers have the right to access, the right to correct, the right to delete, and the right to export covered data. Consumers also have the right to consent with respect to the collection, processing, and transfer of their sensitive covered data. Covered entities must give consumers the opportunity to opt out of covered data transfers, and to opt out of targeted advertising. Covered entities are also required to obtain consumer consent prior to collecting or transferring “sensitive” covered data.
- Corporate Accountability. The draft bill imposes corporate accountability requirements, an area that is gaining prominence in privacy legislation. Notably, ADPPA’s provisions are broader than what has been required for businesses at the state level thus far. The relevant requirements include the designation of privacy and data security officers. Large data holders (that meet a certain data processing or revenue threshold) also face additional requirements, including biennial privacy impact assessments and annual certifications (by the CEO, privacy officers, and data security officers) that their entity maintains: (1) reasonable internal controls to comply with ADPPA; and (2) reporting structures that allow those certifying to be a part of the decisions that dictate compliance.
- Data Security. ADPPA requires that covered entities establish, implement, and maintain reasonable data security practices and procedures. At a minimum, the practices should: (a) assess vulnerabilities in the security of the system; (b) take preventive and corrective action to mitigate risks, including the use of safeguards; (c) evaluate and adjust the safeguards implemented; (d) conduct appropriate data retention and disposal; (e) train employees on data safeguards; and (f) designate an employee to maintain the practices.
- Unified Opt-Out Data Mechanisms. Several states, including California, have begun to address unified opt-out mechanisms, and this appears to be an area of priority for federal legislation as well. ADPPA mandates the FTC to conduct a study on whether a privacy protective, centralized mechanism can exist, whereby individuals can exercise their right to opt-out in one interface. If this interface is feasible, then the FTC must conduct rulemaking to designate an opt-out mechanism that entities should adopt.
- Civil Rights and Algorithms. Although algorithm use is not strictly a privacy issue, regulators are beginning to take on a more holistic approach to data protection, including to address how these tools affect marginalized communities. ADPPA requires large data holders that use algorithms to collect, process, or transfer covered data to conduct an algorithm impact assessment and to evaluate the design of their algorithms. The assessment should outline the steps the entity takes to mitigate harms, such as harms related to minors; to advertising for housing, education, employment; and to disparate impact on the basis of a protected class. ADPPA also states that, absent some narrow exceptions, entities cannot collect, process, or transfer covered data in a discriminatory way.
- Enforcement. In addition to the private right of action, ADPPA gives the FTC and state attorneys general the authority to enforce the law. The FTC would also need to establish a new bureau within a year of the law’s enactment to exercise the Commission’s authority under ADPPA. Given the fact that the FTC recently reached full strength, it may welcome this new authority and enforcement resources.