The American Data Privacy and Protection Act (ADPPA): What’s happening?
The American Data Privacy and Protection Act (ADPPA) is making its way through the US legislative process. Unlike Australia, NZ, the UK and the EU, the U.S. has never had a comprehensive national law governing online privacy. But this might be about to change.
In July 2022, a key US House committee (the House Energy & Commerce Committee) approved a federal privacy bill, the bipartisan American Data Privacy and Protection Act (ADPPA). This is the furthest any federal privacy legislation has ever advanced, though it is still a long way from becoming law. The progress of the ADPPA is perhaps a response to a growing number of potentially conflicting US state laws, together with the emergence of strong international privacy laws, like the GDPR, Brazil’s LGPD and China’s new PIPL.
Given the importance of this potential new USA privacy law, it is worth taking note of some of its most important provisions… just in case it does become law.
What’s in the ADPPA?
The American Data Privacy and Protection Act is a long-awaited, comprehensive, federal privacy law that aims to restrict the collection, processing, and transfer of the personal data of Americans and gives U.S. citizens greater rights over their personal data.
As a general comment, the ADPPA moves away from a consent-based privacy structure and towards a data minimisation one, requiring covered organisations to minimize the personal data they collect. It also focuses on big tech and organisations that could be regarded as ‘large data holders’ and has specific provisions around targeted advertising, particularly as it relates to children under 17 years old.
Which entities will be covered by the ADPPA?
The ADPPA will cover most entities, including non-profits and telecommunication companies.
It will apply to entities or persons that, alone or jointly with others, collect, process, or transfer covered data, if they are either:
- subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.);
- a common carrier subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.); or
- an organization not organized to carry on business for its own profit or that of its members.
However, there are carve-outs for entities already covered by HITECH, HIPAA, GLBA and the Social Security Act.
There are also different obligations depending on the size or nature of a given business.
Large Data Holders
There are stronger provisions on how data brokers, big tech, and other organizations that process large volumes of data must protect and process consumer data.
“Large data holders” are defined as any organization that meets the following criteria:
- Had an adjusted gross revenue of over $250 million in the last calendar year; and
- Collected, possessed, or transferred data for more than 5,000,000 individuals, or the sensitive data for more than 100,000 individuals
Large data holders must have at least one officer responsible for the implementation and review of data policy programs, employee privacy training, records maintenance, and serving as the point of contact with enforcement agencies.
This officer must report to the CEO or highest-ranking official within an organization.
Within one year of the ADPPA becoming law, the CEO or highest-ranking officer, along with each privacy officer and data security officer at a large data holder, must certify to the FTC that “reasonable” controls are in place to comply with the ADPPA. They must also show that reporting structures are in place so that the certifying officers are involved in decisions regarding compliance with the law.
Also within a year of the ADPPA going into effect, and every 2 years thereafter, large data holders are required to conduct a privacy impact assessment that measures the effectiveness of their privacy protection methods and the potential risk to individuals whose data is being collected, processed, and transferred.
Small Data Holders
Included in the ADPPA are some exemptions for small data holders which are defined as an organization that:
- Has an average adjusted gross revenue that is less than $41 million over the last 3 years
- Collects or processes data for less than 100,000 individuals annually
- Generates less than 50% of its revenue from transferring data
Small data holders are exempt from most of the data security practice requirements, the exception being the requirement to delete data that is no longer necessary. Small data holders are also exempt from the requirement to make data corrections at the individual’s request; such organizations are allowed to simply delete the data instead.
Third-Party Collecting Entities
Specific obligations will apply to third-party collecting entities. A third-party collecting entity is defined as a “covered entity whose principal source of revenue is derived from processing or transferring the covered data of individuals that the covered entity did not collect directly from the individuals to which the covered data pertains.”
They will have to comply with FTC auditing regulations and, if they collect data above the threshold number of individuals or devices, will have to provide the required information for the Third-Party Collecting Entity Registry. They will also be required to place a clear notice on their websites or apps stating that they are collecting data on behalf of another organization.
What information is covered by the ADPPA?
The ADPPA uses a definition of personal information similar to that used in privacy regimes like the GDPR and the Australian Privacy Act. It will apply to information that “identifies or is linked or reasonably linkable” to an individual.
Exclusions are de-identified data, employee data, publicly available information, and “inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.”
“Sensitive covered data” is defined by a list of sixteen different categories of data. These include health, financial, precise geolocation, sexual behaviour, biometric, and racial data, the information of individuals under the age of 17, and government-issued identifiers such as social security numbers, among other types. The definition also includes “information identifying an individual’s online activities over time and across third-party websites or online services.”
Greater restrictions will apply to sensitive covered data. Targeting ads at minors, and targeting ads using “sensitive covered data”, would be banned, which means that the various ways in which companies track users across the web (and off their own websites) would be curtailed or eliminated.
The data of minors under 17 cannot be collected and processed if the covered entity is aware that the consumer is under 17. To further protect youth, there will also be a Youth Privacy and Marketing Division established as part of the Federal Trade Commission (FTC).
What is required by the ADPPA?
Under the draft legislation, covered entities must minimize their collection, processing, and transferring of data to what is “necessary, proportionate, and limited to” their ability to provide or maintain a specific product or service or communicate with the individual.
If the ADPPA becomes law, the FTC has 12 months to establish what constitutes “necessary, proportionate, and limited to”. The data minimization principle is a key principle of the GDPR and other privacy laws, and should be a core component of any data privacy program.
Under the ADPPA, covered entities must adopt a privacy by design approach and mitigate privacy risks – those which could result in “any reasonably foreseeable material physical injury, economic injury, highly offensive intrusion into the reasonable privacy expectations of an individual under the circumstances, or discrimination on the basis of race, colour, religion, national origin, sex, or disability.”
Covered entities will also be prohibited from engaging in deceptive advertising and marketing practices.
The bill currently provides for 17 purposes where collecting data is deemed necessary and permitted. Critically, this includes targeted advertising, albeit a far more limited form of the practice as compared to the virtual free-for-all that is the current federal landscape.
Individual rights under the ADPPA
The ADPPA will give individuals various rights over covered data, including the right to access, correct, and delete their data held by a particular covered entity. The subjects of personal data will also have the right to:
- Access their data through a downloadable file;
- Be given the name of a third party also in possession of their data;
- Know the purpose of the data.
Depending on how an organization is classified (large data holder, covered entity, or a covered entity as described in 209(c)), it will have 30, 60, or 90 days to respond to a request.
The new law will also increase the requirements for valid consent, requiring that covered entities get an individual’s affirmative, express consent before using their “sensitive covered data”. It would further require covered entities to give individuals an opportunity to object before the entity transfers their data to a third party or targets advertising toward them.
There will be new transparency requirements. Covered entities will be required to disclose, among other things, the type of data they collect, what they use it for, how long they retain it, the categories of service providers to which the data will be transferred, and whether they make the data accessible to the People’s Republic of China, Russia, Iran, or North Korea.
Individuals must be informed in clear and easy-to-understand language.
Who Will Enforce ADPPA Compliance?
The FTC will be the main enforcer of ADPPA compliance, through a newly created FTC Bureau of Privacy. State Attorneys General will also have the power to bring civil suits over privacy violations that affect residents of their respective states.
Will it be Possible to Sue for an ADPPA Violation?
There is a private cause of action, although it does have limitations. For a start, the private right of action will not come into force until some period after the bill takes effect, and even then it is limited. Individuals could seek compensatory damages and injunctive relief against the holders of their personal data; however, they would first be required to notify their state attorney general and the FTC about their intention to file suit, in order to prevent duplicative enforcement.
If either the state Attorney General or the FTC decides to pursue a civil action, the individual right of action would not apply. However, the private right of action may be one of the elements that need to be dropped to get the bill signed into law.
What does the ADPPA mean for businesses?
The draft requirements differ somewhat from the GDPR and other privacy laws as well as US state privacy laws and will likely require serious examination and shifts in data privacy practices. Every organization will need to evaluate its existing data privacy program to see how it holds up to the ADPPA.
The implementation of the core principle of data minimisation should not be underestimated. Data minimisation can be one of the more challenging and impactful requirements to implement as it has ripple effects across the entire business and not just the privacy or compliance department.
There are other requirements which also need to be considered. For example, for all companies, biennial impact assessments will be required, which may be a burden for those companies unfamiliar with the practice.
The new time limits for responding to individuals’ requests to exercise their rights (30, 60 or 90 days depending on the size of the organisation) could impact an organization’s current process for honouring consumer requests, as the majority of states set the time to 45 days with a 45-day extension. Organizations will need to ensure their procedures are updated if this law passes.
What are some of the issues with the ADPPA?
Several conflicts are dogging the bill’s path to becoming law, despite its support from key bipartisan lawmakers. Barriers to the passing of the ADPPA include lobbying by companies over details they don’t like, disagreements over whether the law should pre-empt state rules, and tensions between the House and the Senate.
California in particular will be an issue, as it has led the US with the introduction of privacy laws and its lawmakers want to protect the privacy regime they have established. They would like any federal law to establish national minimum standards that states can then build on to increase privacy protections.
California Attorney General Rob Bonta and 10 state attorneys general sent the U.S. House Committee on Energy and Commerce a letter urging reconsideration of preemption provisions in the proposed American Data Privacy and Protection Act. Bonta said U.S. Congress should draft a federal privacy law that “creates a floor, not a ceiling” and allows states “to continue building on state privacy laws that currently exist.” The attorneys general explained states have played “a critical role” in “setting new minimum data privacy standards that have not impeded business or curtailed technology.”
However, Republicans and many businesses aim to set uniform protections nationwide, which the ADPPA would provide as a single national privacy protection standard.
This may lead to an impasse between Democrats, who see the ADPPA as setting a minimum, and Republicans, who won’t support it unless it overrides state laws.
Major tech companies, their trade groups and interested organizations are also involved in lobbying on provisions to be included in the ADPPA. For example, IBM urged lawmakers to remove a provision that would give consumers the ability to sue companies for violations of the law, known as a private right of action.
What’s next with the ADPPA?
This law would fundamentally change the American data privacy landscape. It would, at least partly, do away with the patchwork of state laws and offer covered entities a clear and comprehensive path towards compliance.
However, it would also drastically alter the way that online advertising works, shifting the industry away from hyper-targeting users and into a model where users have more control over their data and over what type of advertisements they see, as opposed to what companies and advertisers would like them to see.
Time may, however, be running out. According to those in the know, if US lawmakers don’t vote on the bill before the upcoming US midterms and possible changes in party control, it is unlikely to become law.