Recently, bipartisan privacy leaders in Congress unveiled a new bicameral federal privacy bill discussion draft that they hope to enact before year’s end. The bill draft, which has since been updated on June 21, is titled the American Data Privacy and Protection Act (ADPPA). The bill is being led by House Energy and Commerce Committee leaders Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science, and Transportation Committee Ranking Member Roger Wicker (R-MS). The original version of the ADPPA had a hearing in the House Energy and Commerce Subcommittee on Consumer Protection on June 14, 2022. A subcommittee markup of the latest version of the bill is scheduled for June 23, 2022.
Noticeably absent from this committee leadership list for the ADPPA is Senate Commerce, Science, and Transportation Committee Chairwoman Maria Cantwell (D-WA), who is supporting an updated version of her previous 2019 bill, the Consumer Online Privacy Rights Act (COPRA), as a starting point for Senate negotiations. Her bill would define a “substantial privacy harm” as an alleged financial harm to an individual of $1,000 or more, or an alleged physical, mental or reputational harm. Cantwell’s draft bill would prevent companies from using user agreements to force individuals to go through arbitration to settle disputes rather than sue in court. By contrast, the ADPPA does not block companies from forcing customers to use arbitration, except when it comes to children. Businesses regularly include such clauses in user agreements and have pushed to maintain that right.
The most notable and much-discussed inclusions in the bipartisan ADPPA are federal preemption of most state privacy laws and a four-year delayed implementation of a private right of action (PRA). Rather than solely relying on the “notice and consent” framework that we’ve seen in existing state privacy laws, the ADPPA tries to avoid placing the burden for privacy on the consumer; instead, it utilizes “duty of loyalty” provisions, barring covered entities from collecting, processing or transferring covered data beyond what is reasonably necessary, proportionate, and limited to provide specific products and services. The ADPPA authorizes the Federal Trade Commission (FTC) to issue guidance and promulgate rules, including on data minimization and consumer request requirements. The effective date would begin 180 days after enactment.
The 4As has joined many in the business community and the Privacy for America coalition in trying to amend the ADPPA to protect responsible data use for advertising. We are committed to working with other partners in the advertising community and members of both parties to enact a reasonable, preemptive, federal data privacy law.
Key provisions in the latest ADPPA version include:
- Scope; Covered Entity:
  - Applies to “covered entities,” defined as “any entity or person that collects, processes, or transfers covered data and — (i) is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.); (ii) is a common carrier subject to title II of the Communications Act of 1934 (47 U.S.C. 201–231) as currently enacted or subsequently amended; or (iii) is an organization not organized to carry on business for their own profit or that of their members.” It also includes any entity or person that controls, is controlled by, is under common control with, or shares common branding with another covered entity.
  - The ADPPA contains numerous exemptions, including an exemption for small businesses. It appears that there are data-level exemptions for entities subject to GLBA, HIPAA, FERPA, and other federal statutes, although the FTC would need to provide guidance.
- Covered Data: The bill includes an exception for pseudonymized data and publicly available information.
- Federal and State Enforcement: The FTC and State Attorneys General would enforce the ADPPA.
- Limited private right of action: A PRA becomes active four years after the ADPPA’s effective date. It would require individuals to first notify the Federal Trade Commission and their state attorney general of their intent to bring action, and give the agencies 60 days to make a determination. The PRA is limited in that it does not provide for statutory damages, only compensatory damages, attorney’s fees, etc.
- Right to Cure: There is also a limited right to cure, whereby if a data holder successfully addresses an alleged problem within 45 days, it can seek dismissal of a demand for injunctive relief.
- Federal preemption with some exceptions: Preempts most state privacy laws, although there is a list of noted exceptions, including the Illinois Biometric Information Privacy Act and the California Privacy Rights Act’s (CPRA) personal information security breach section.
- Definition of “Sensitive” Data: Defines sensitive data broadly and gives the FTC rulemaking authority to add new categories. The definition of sensitive data includes health, financial, biometric, genetic, and precise geolocation data; a person’s private communications and calendar information; data revealing race or religion (if such data isn’t public); video viewing data; and information about an individual when the covered entity knows that the individual is under the age of 17.
- Rights to Consent & Object:
  - Affirmative, express opt-in consent is required before a covered entity can process, collect, or transfer sensitive data.
  - Opt-out consent is required for data transfers to third parties (called “sales” in state laws) and targeted advertising (defined to exclude contextual advertising, ad reporting and measurement, and certain first-party marketing).
- Global Privacy Control: Within 18 months of enactment, tasks the FTC with establishing one or more acceptable privacy-protective centralized mechanisms, including GPC signals such as browser or device privacy settings, to allow individuals to exercise opt-out rights.
- Service Providers & Third Parties: Service providers may only use data to perform services on behalf of covered entities, must promptly delete it thereafter, and may only transfer data to third parties with the affirmative express consent of the relevant individual (obtained via the covered entity). Third parties may not process data obtained from another entity contrary to individuals’ reasonable expectations.
- Targeted Advertising:
  - Requires that businesses allow consumer opt-outs from targeted advertising, including intra-corporate family targeted marketing.
  - Allows users to opt out of targeted advertising using universal opt-out mechanisms.
- Children & Teens:
  - Bans targeted advertising to individuals under the age of 17 as well as data transfers without consent. The determination of whether an individual is under 17 shall be based on the covered data collected directly from an individual or a proxy thereof that the covered entity would otherwise collect in the normal course of business.
  - Requires the FTC to create a division for Youth Privacy and Marketing and directs the FTC’s Inspector General to survey COPPA’s safe harbor provisions for their effectiveness.
- Algorithmic Fairness:
  - Restricts collecting, processing, or transferring data in a manner that is discriminatory or that makes unavailable equal enjoyment of goods or services on the basis of race, religion, disability, or other protected categories.
  - Starting two years after enactment, requires “large data holders” to conduct annual algorithmic impact assessments, and other entities to conduct design evaluations of their algorithms.
- Data Minimization:
  - Requires businesses to limit their collection, processing and transferring activities to certain activities and purposes.
  - Provides limited exceptions to allow covered entities to provide first-party marketing or advertising of products or services provided by the covered entity; to use data to perform system maintenance or diagnostics; to maintain a product or service for which such data was collected; to conduct internal research or analytics; to improve a product or service for which such data was collected; to perform inventory management or reasonable network management; to protect against spam; to debug or repair errors that impair the functionality of a service or product for which such data was collected; to protect against a cybersecurity incident; etc.
  - Requires opt-in consent for a covered entity to collect, process, or transfer an individual’s aggregated internet search or browsing history, except pursuant to one of the permissible purposes enumerated above.
- Privacy by Design: Covered entities would need to implement privacy-by-design policies and procedures.
- Data Brokers:
  - Requires data brokers to register with the FTC.
  - The FTC will establish and maintain an online, searchable, central public registry of all registered data brokers, and a “Do Not Collect” registry, which will allow individuals to request that all data brokers delete their data within 30 days.
The timeline for action on the ADPPA is limited due to expected Republican committee leadership changes next year and the election year’s shortened legislative calendar. Congress also has several other priorities to address this year that could make getting adequate floor time to debate a bipartisan privacy bill difficult; these include funding the federal government, defense spending authorization, bipartisan gun control reform, tech company antitrust reform, a scaled-back “Build Back Better” package, and others. Recent amendments to the bill, however, make it more likely that such a bill could pass both chambers.