On July 20, the House Committee on Energy & Commerce held an open markup session on the American Data Privacy and Protection Act (ADPPA), which concluded in an affirmative vote (53-2) to send an amended version of the bill to the full House of Representatives. The next step for ADPPA is passage by the House (though no counterpart bill has yet been introduced in the Senate). Still, this is historic progress for a federal privacy proposal and indicates that there is bipartisan appetite in Congress to address this issue.
The latest version of ADPPA includes many substantive changes from the previous version of the bill. For one, the delay period on the bill’s private right of action is shortened from four years to two years. Additionally, the new bill explicitly provides the California Privacy Protection Agency (CPPA) with enforcement authority, addressing one of the agency’s main concerns regarding the federal privacy proposal. The new version also revises provisions related to the duty of loyalty, state law preemption, and federal law exemptions. We discuss key highlights from the revised version of the bill below.
For now, ADPPA lives to see another day.
Key Highlights
- Private right of action. The new draft bill changes the delay period for private right of action from 4 to 2 years. This addresses one of the major concerns that privacy advocates have regarding the enforceability of the law.
- CPPA enforcement authority. The new draft bill provides explicit enforcement authority for the CPPA, granting the CPPA the same enforcement authority that it would otherwise enjoy with respect to the California Privacy Rights Act (CPRA) (though ADPPA, if passed as stands, would still mostly preempt the substantive provisions of the CPRA).
- Expanded exemptions for federal laws. The new draft bill adds the Confidentiality of Alcohol and Drug Abuse Patient Records Act and Genetic Information Non-Discrimination Act to the list of federal laws that are exempted from the scope of ADPPA. Notably, ADPPA only exempts information covered by these federal laws (including the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA)) to the extent that a covered entity processes personal information that is protected under these laws. It does not create the entity-wide exemption that exists (for HIPAA and GLBA) under some of the state laws. The new draft bill also explicitly adds a savings clause for federal antitrust enforcement.
- Expanded state law preservation. The updated draft includes preservation of additional categories of state laws, including for laws relating to child pornography, public health activities (including reporting data), and encryption.
- Modified duty of loyalty provision. The duty of loyalty provision in the updated draft adds “permissible purposes” for businesses in terms of how they use covered data. Most notably, covered entities would be explicitly permitted to use covered data for first-party advertising purposes and to provide non-advertisement communications to individuals (if they were reasonably anticipated by the individual).
- Expanded requirements for unified opt-out mechanisms. The updated version of ADPPA requires the FTC to adhere to certain requirements relating to its rulemaking for unified opt-out mechanisms. For example, the FTC must require entities to inform individuals about the centralized opt-out choice, and must require that the mechanism be provided in a manner that is reasonably accessible and usable by individuals with disabilities.
- Large data holder metrics reporting requirement. The updated version of ADPPA requires “large data holders” (entities that meet a certain data processing or revenue threshold) to include certain disclosures in their privacy policy regarding how they respond to consumer requests. (This is similar to a requirement that currently exists for large businesses under the CCPA.)
- Modified definition of de-identified data. The updated draft revises the definition of “de-identified data” to a stricter standard. The new definition would require covered entities to take “reasonable technical measures to ensure that the information cannot, at any point, be used to re-identify an individual or device that identifies or is reasonably linkable to an individual.”
- Arbitration. The new draft bill adds a clause stating that no pre-dispute arbitration agreement is enforceable with regard to a dispute under the ADPPA when it concerns a claim related to gender or partner-based violence or physical harm.