By a 53-2 vote, the House Committee on Energy and Commerce advanced the American Data Privacy and Protection Act (ADPPA) to the full House of Representatives on July 20, 2022. This bill is not only the latest attempt by Congress to introduce a federal comprehensive data privacy legislation after over 20 years of fruitless debate but also the closest it has gotten to this goal with bipartisan support enabled by a long-sought compromise.
Loosely analogous to existing comprehensive state privacy laws, the ADPPA addresses many of the same topics covered by state laws, though in a different way in many aspects. As for its scope, it covers both for-profit businesses and nonprofit organizations, which are currently exempt from most state privacy laws. It distinguishes between and imposes different obligations on “covered entities” that determine the purposes and means of data collection and “service providers” that process data at the direction of covered entities. Covered data under the ADPPA also has a broad scope, generally covering any information that “identifies or is linked or reasonably linkable” to an individual or a device identifying an individual, including derived data and unique identifiers like cookies and IP addresses. The ADPPA, however, specifically excludes de-identified data, employee data, and publicly available information from covered data, as opposed to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which extend various protections to employee data. It also does not cover information that is already governed under certain federal laws like the Health Insurance Portability and Accountability Act (HIPAA).
As for rights and obligations, the ADPPA allows individuals to access, correct, delete, and export covered data and opt out of data transfers and targeted advertising. Individuals enjoy increased protections with regard to their “sensitive covered data,” the scope of which goes beyond that of its equivalents in existing state privacy laws and the EU’s General Data Protection Regulation (GDPR) to include login credentials, calendar information, private photos and recordings, and information revealing an individual’s online activities over time or video content selected by her among others. For covered entities, the ADPPA creates a “duty of loyalty” absent in existing state laws and the GDPR, which primarily boils down to obligations as to data minimization, sensitive data protection, and privacy by design. It also requires businesses to adopt specific practices to ensure data security and prevent discrimination and harm by the use of data and algorithms.
In terms of enforcement, the ADPPA authorizes the Federal Trade Commission (FTC), state attorneys general, and state privacy authorities to enforce it. Most notably, the ADPPA also introduces a private right of action allowing a person (or class of persons) to sue for violations. However, this right does not begin until two years after the bill’s enactment and is subject to restrictions. Restrictions include, for example, that a person shall not initiate a civil action before notifying the FTC and the relevant state attorney general for them to decide whether to intervene, nor shall she ask an alleged violator in writing for a monetary payment until 60 days after the notice. This represents a compromise reached on one of the main sticking points between Republicans and Democrats. Unsurprisingly, the allowance of a private right of action is facing backlash from businesses, who contend that it would lead to abusive class action lawsuits, create further confusion with privacy rights being interpreted on a district basis, and hinder innovation. Proponents of the right, on the contrary, rebut by pointing to the impacts of the 1986 Electronic Communications Privacy Act (ECPA), which also provides a private right of action that has prompted compliance by businesses without overwhelming them with lawsuits or barring courts from providing clear precedent and easy-to-follow compliance guidelines.
The ADPPA also includes a preemption provision, which was the other sticking point in previous negotiations and is still highly controversial. It is currently designed to preempt any state laws covered by its provisions, including comprehensive state privacy laws, with the exception of several specified categories of state laws, such as general consumer protection laws. The preemption is welcomed by businesses as it would stop the patchwork of state privacy laws and make the privacy regulatory framework across the US easier to comply with. On the other hand, the preemption has received opposition from state attorneys general, the California Privacy Protection Agency (CPPA), California Governor Gavin Newsom, and Speaker Nancy Pelosi, who believe that federal legislation should be a floor rather than a ceiling limiting higher or broader privacy protections granted by state laws and impeding the ability of states to respond in real-time to emerging issues brought by rapidly changing technology.
With debates ongoing, a commentator projected that the bill was unlikely to pass this year, wary of the further “uphill struggle” it would face in the Senate even if it squeezed through the House.