American Data Privacy and Protection Act

Congress has tried and failed to pass comprehensive federal privacy legislation for over 20 years. The American Data Privacy and Protection Act (ADPPA) is the latest attempt by Congress to introduce and enact federal privacy protections. The agreement was reached by Sen. Commerce Committee Ranking Member Roger Wicker (R-MS) and House Energy and Commerce Chair and Ranking Member, Reps. Frank Pallone (D-NJ) and Cathy McMorris Rogers (R-WA). Importantly, Sen. Maria Cantwell (D-WA), the Chair of the Senate Commerce Committee, has her own privacy bill and opposes several provisions of the compromise proposal. We were able to read Sen. Cantwell’s draft, which is widely circulating around the Hill. The draft is an updated version of the Consumer Online Privacy Rights Act (COPRA), which was first introduced in 2019.

Privacy

The right to privacy has often been called the “right to be left alone,” but it is now far more than just that. Privacy can include revealing secrets to close friends or not having unwanted inquiries into your personal life. Privacy is also about protecting personally identifiable information (PII) like your credit card number. With the growth of the Internet, privacy has taken on a greater importance due to the massive amount of data being collected by online products and services. Internet platforms may now know more about you than anyone else – including your partner, family, and close friends. Some have expressed concerns that platforms can even influence the way you think. More importantly, the information can end up in the wrong hands, like authoritarian governments or malicious actors, where it can be used to sway public opinion, target key allies, or conduct corporate espionage.

History

In the absence of a federal privacy standard, a patchwork of laws and enforcement agencies govern individual data. The FTC is asked to enforce privacy protections for consumer financial information (Fair Credit Reporting Act of 1970), government-held personally identifiable information (Privacy Act of 1974), data for minors under 13 (Children’s Online Privacy Protection Act of 1998), and information-sharing practices (Financial Services Modernization Act of 1999). Nowadays, other agencies are also tasked with ensuring the privacy of data, including the Consumer Financial Protection Bureau (financial data) and the Department of Human and Health Services (health data).

Even though the American public overwhelmingly supports a federal privacy standard, there has never been a federal law protecting baseline privacy rights. In the absence of such a law, privacy regulation has shifted to individual states; as of this writing, seven states have passed their own privacy legislation, while another 20 states have introduced bills. That doesn’t include legislation to specifically protect biometric data, such as Illinois’ Biometric Information Privacy Act. Further, Europe passed its General Data Protection Regulation (GDPR) in 2018 that regulates data privacy and collection for European citizens. Due to the global nature of the Internet, many firms have decided to extend GDPR requirements to everyone, not just European residents.

Provisions

The ADPPA includes several important privacy protections for Americans. It requires firms to only collect and transfer data that is “reasonably necessary and proportionate,” which is known as data minimization and creates an expectation of privacy by design. It allows consumers to control and own their data by accessing, correcting, and deleting their data, and it bans targeted advertising for minors under 17. It mandates algorithmic impact assessments for the largest firms to identify and correct any civil rights violations arising from the use of algorithms. It also prohibits the transfer of data to third parties without the express affirmative consent of the user, and it creates a public registry of data brokers. To help carry out the measure, the Act creates a new Bureau of Privacy at the FTC. Finally, the ADPPA charts a compromise on the two major points of contention: private right to action and preemption of state laws.

Compromise

While both political parties are in favor of privacy regulations, previous attempts have been derailed due to disagreements over the details, especially the two major issues of the private right to action and preemption of state laws. The ADPPA has found a compromise on these issues with members of both parties, but so far they remain a sticking point with Chairwoman Cantwell.

The first major issue is the private right to action, which is an individual’s ability to sue businesses for violations. In addition to enforcement by the FTC and states (both Attorneys General and state privacy authorities), the ADPPA allows for individuals to sue companies, provided they first follow a series of notices and steps. On the one hand, a private right to action allows damaged parties to press their own claims in court without relying on the FTC, which tends to focus on the biggest cases due to limited resources. On the other hand, businesses could face countless lawsuits from individuals which could be costly and potentially disruptive to innovation. The brokered compromise of the ADPPA attempts to balance these two concerns by limiting what individuals can sue for and granting a two-year grace period after passage of the bill.

The second major issue is the preemption of state laws, or determining which laws (federal or state) take priority over the other. As mentioned, several states have already passed privacy laws, and some are stricter than the ADPPA in certain aspects. Privacy advocates do not want a federal law to prevent states from passing stricter requirements, as several already have. However, part of the impetus to create a federal privacy law is to ensure that businesses do not have to comply with 50 different sets of laws; allowing states to pass their own laws on top of the federal law defeats the purpose of a national standard. Again, the ADPPA attempts to balance these two concerns by having the federal law generally preempt state laws, except for a long list of exceptions which includes the entire Illinois Biometric and Genetic Information Privacy Acts and the private right to action from the California Consumer Privacy Act.

Support and Opposition

The ADPPA has the support of both civil and industry groups. Civil groups are excited by the prospect of a federal privacy law that imposes a duty of loyalty and data minimization on companies as well as the mandate to conduct algorithmic impact assessments. Industry groups support the creation of a federal standard that will generally preempt state privacy laws and the provision to a 45-day right to cure before a lawsuit may be filed.

While the bill has the bipartisan support of the Chair and Ranking Members of the House Energy and Commerce Committee, it has come under attack from members of both parties. Democratic Senator Maria Cantwell, as mentioned above, believes the bill has too many enforcement loopholes and takes too long for the private right of action to go into effect. (Update: the delay on the private right to action was reduced from 4-years to 2-years, but Sen. Cantwell has said the updated bill still does not contain strong enough enforcement.) On the flip side, Republican Representatives introduced amendments during Subcommittee markup to preempt states from passing additional privacy laws in the future and prohibit the private right to action for 60 days, while the federal government and states get the first opportunity to sue. Finally, the U.S. Chamber of Commerce opposes the bill’s approach to the private right of action and state preemption, arguing the former is too broad and the latter not strict enough.

Conclusion

With the August recess and midterm elections quickly approaching, the number of legislative days is quickly dwindling. The ADPPA has already made history by becoming the first piece of consumer privacy legislation to make it out of committee. Without support from key senators, the ADPPA is unlikely to be enacted, but it does represent an important step in the long march to establish a federal privacy standard.