The highly anticipated text of the federal consumer privacy bill that has been in the works for months was released in early June. The American Data Privacy and Protection Act (ADPPA) – H.R. 8152 – is the product of months of negotiation, compromises and input from industry experts on all sides.
The newly introduced 120-page bill authored by Sen. Roger Wicker (R-MS), Rep. Frank Pallone (D-N.J.), Rep. Cathy McMorris Rodgers (R-WA), Rep. Bilirakis (R-FL), and Rep. Jan Schakowsky (D-IL), is historic as it is the first bipartisan, bicameral piece of legislation with a fighting chance of becoming law. We’ve gone through and pulled out a few points worth paying attention to as discussions get underway. You can also review our thoughts on why privacy legislation is important here.
*Note this does not include all sections listed in the bill.
What are the Politics at Play?
The politics at play might be just as important as the bill itself, as they have a direct impact on whether or not the bill passes. The bill authors include three of the “four corners” – Sen. Wicker, Rep. Pallone, Rep. McMorris Rodgers – otherwise known as the Chair and Ranking Member of the House and Senate committees that have jurisdiction over consumer privacy issues. Sen. Maria Cantwell (D-WA), the fourth corner, released her own privacy bill, the Consumer Online Privacy Act, late last year and is in the process of working on further updates to her draft. This is important to note because this is a large piece of legislation to pass, and will require bipartisan agreement from, at minimum, all four corners. Without it, getting the necessary committee votes needed to pass the bill into law becomes that much harder.
What does the ADPPA Do?
The ADPPA is an attempt to create a federal consumer privacy law in the United States. Similar to the European Union’s General Data Protection Regulation (GDPR), a federal consumer privacy law would outline the requirements and regulatory business practices for how personal information is collected, stored, transferred, managed, and deleted from everyday users and consumers in areas that are not covered by sectoral privacy laws like the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). It intends to provide consumers control over how personal information is shared, and would create new practices that allow individuals to be better informed on who has their information and access to it in a way that is easy to understand.
Who Will Need to Comply with ADPPA?
The short answer is most businesses and nonprofits. Both collect information from consumers as a part of their necessary business practices and legal obligations and are not currently covered by a sectoral privacy law. The bill does include certain limited exemptions for smaller businesses that are under a certain revenue or consumer data use threshold.
Some high level compliance points are outlined below:
- Covered Entities: A covered entity is defined as “any entity or person that collects, processes, or transfers covered data” (with some exceptions). The legislation expands FTC oversight on privacy from businesses to now include nonprofits and common carriers. Covered entities are required to adhere to a number of important practices, including:
  - Abiding by data minimization requirements so that businesses are only using data that is proportionate and reasonable to the purpose it is intended for;
  - Abiding by new requirements for processing sensitive personal information;
  - Incorporating transparency policies that are clear, conspicuous and easily accessible;
  - Establishing certain individual rights and obligations for consumers to access their data (Section 2(1)(9) of the ADPPA); and
  - Baking in privacy by design, to ensure that the technology and data used are proactively working to mitigate privacy risks.
In addition, the bill requires covered entities to develop responsible data security practices, create corporate accountability through the hiring of a chief privacy officer to oversee data privacy efforts, and bake in responsibilities for larger entities to establish impact assessments to balance and test any privacy benefits of new technologies using algorithms with their respective harms.
- Special Considerations for Children’s Data: Up until now, children’s data has largely been governed by the Children’s Online Privacy Protection Act (COPPA) and, in some cases, the Family Educational Rights and Privacy Act (FERPA). COPPA applies to companies with actual knowledge they are collecting information from children under the age of 13. The ADPPA would require companies to extend certain protections to children under a certain age, which is pertinent to companies whose data, products, and services are used by and impact minors. The legislation also bans targeted advertising to those under the age of 17.
The aim of the bill is clear: lawmakers want Americans to have broad privacy rights that they have not had prior to this legislation and more companies to be complying with a baseline standard for responsible data use.
Who Enforces the Law?
The bill outlines three main enforcers of the law. At the federal level, the Federal Trade Commission (FTC) would be the enforcing agency, and at the state level, the State Attorneys General would have the right to enforce. To help the FTC enforce this law in particular, a new agency would be established within the FTC and begin enforcing the Act within one year of becoming law. State Attorneys General can also enforce the law, but must first inform the FTC before taking any actions. There is also a proposed third enforcer of the law: individual consumers. The current version includes a private right of action – the ability for private individuals to pursue legal action – as a mechanism of enforcement as well. This would not take effect until four years after the ADPPA passes. Further, individuals would still need to notify the FTC before taking action to give them an opportunity to intervene.
What Action Has Happened on the Bill So Far?
The latest on the bill was a House Energy & Commerce subcommittee markup on June 23rd which resulted in a favorable subcommittee vote. A few of the key points raised focused on civil rights and preventing discrimination via algorithms, the guardrails for protecting sensitive data – especially the data of those under 17 – and the scope of the agency that would be in charge of enforcing the law. As indicated at the hearing, more changes are anticipated in the coming weeks.
Prior to the markup, the House Subcommittee on Consumer Protection and Commerce held a hearing on an earlier discussion draft of the bill on June 14th. Questions were raised on how to more clearly define who must comply with the law and what their obligations are to prevent mix-ups that would unnecessarily complicate daily functions across the digital ecosystem. The initial hearing led to the updated version which now also addresses the need for a business-to-government (B2G) exception, exclusions to the definition of biometric information, and a limitation on the requirement for algorithmic impact assessments.
So, what do we anticipate as next steps?
While encouraged by the progress that has been made, more clarity on the following is still anticipated:
- Protection of children’s personal information;
- Treatment of “inferences” and related data that can be derived from or combined with publicly available information;
- Clarification of the scope of data minimization for covered entities;
- Refinement on the algorithmic impact assessments;
- Refinement on the scope of sensitive covered data and impact on targeted ads;
- Limitations on the PRA provision;
- Strengthened preemption section.
Questions remain as to whether the Senate will introduce its own federal consumer privacy bill, or if the Senate Commerce Committee – the majority side that is led by Senator Cantwell – will back the House version of the legislation.
The ADPPA is a guidepost for what a comprehensive federal privacy law might look like if passed by Congress this year. Considering the large swaths of business that will be affected, this is only the beginning and there are sure to be rewrites and various iterations before the bill is in an agreeable form that would pass both chambers of Congress.
The most important thing to keep in mind is that whatever the final version of the bill, it will be a significant change in terms of newfound restrictions and rights on both the business and the consumer, especially across states that don’t have current consumer privacy laws on the books – which is all but five.