As envisioned, the proposed American Data Privacy and Protection Act would change the way personal data is handled by: requiring organizations to limit their collection of personal information, allowing consumers direct access to their own data, enhancing data protections for children under 17, requiring organizations to implement reasonable security measures and holding companies accountable for discriminatory algorithms.
The proposal sets limitations and rules for the treatment of “covered data,” including information identifying, linked, or reasonably linkable to an individual or device, and would apply to “covered entities,” which include any entity that collects, processes, or transfers covered data and is subject to the jurisdiction of the Federal Trade Commission (FTC), including businesses, nonprofits and telecommunications carriers.
Key provisions of the draft proposal include the following. Note that these proposals are not final legislation, and as the proposed legislation advances through the House and Senate, these provisions will certainly be subject to ongoing negotiation, debate and amendment.
- Data Minimization: The Act imposes a baseline duty on covered entities not to unnecessarily collect or use covered data, but rather, only collect data that is reasonably proportional and necessary to provide their services. (A similar principle is found under the GDPR).
- Privacy by Design: Covered entities must implement reasonable policies, practices, and procedures for collecting, processing, and transferring covered data. The proposal also requires large data holders to conduct a privacy impact assessment (like the GDPR, but with a wider scope) biannually, and annually in the case of large data holders using algorithms to collect covered data that may cause potential harm to individuals.
- Data Privacy Rights: Mirroring provisions of the California Consumer Privacy Act and portions of the GDPR, the Act would recognize a private individual’s right to their own data. Under the proposal, covered entities would be required to respond and comply with consumer requests to access, alter, delete or move their data held by the entity. Further, entities would be required to obtain affirmative consent to collect or process “sensitive covered data,” which includes government identifiers, health/biometric data, financial data, data revealing race, ethnicity, national origin, religion, trade union membership (in certain circumstances), sexual orientation, data relating to children under 17, precise geolocation, and information revealing viewing habits or use of television or streaming media services, among other data categories. Information identifying an individual’s online activities over time or across third party websites or online services is also considered “sensitive covered data” in the bill, although this category was removed in the amended bill (see below).
- Privacy Policies: Covered entities must provide individuals with privacy policies outlining their data collection, usage and security activities, along with information on how individuals may exercise their data privacy rights.
- Protections for Minors: The proposal takes extra care to protect children ages 13 to 17, prohibiting companies from focusing on children under 17 for targeted ads or transferring the child’s data without affirmative express consent.
- Civil Rights: The proposal would prohibit entities from collecting, processing, or transferring covered data in a manner that discriminates on the basis of race, color, religion, national origin, gender, sexual orientation or disability.
- Data Security Requirements: Covered entities must implement and maintain data security practices and procedures to protect covered data against unauthorized use or acquisition, including implementing practices to identify vulnerabilities, test systems and provide employee training.
- Corporate Accountability: Under the proposal, all data holders must designate at least one individual as a privacy officer and one individual as a data security officer who are both responsible for ensuring compliance with the Act. Large data holders are further subject to higher standards and must have a privacy officer who reports directly to the head of the organization.
- Service Providers: Under the proposal, service providers have responsibilities vis-à-vis covered data. Service providers may only collect or process covered data for the purposes directed by the covered entity, and must assist covered entities in fulfilling requests by individuals to exercise their data rights. Further, covered entities must conduct reasonable due diligence in working with service providers or transferring covered data to third parties.
- Small Business Exemptions: The proposal contemplates exemptions for certain small and medium-sized covered entities.
- Enforcement: Violations of the Act would be treated as a violation of the rule defining unfair or deceptive practices under the Federal Trade Commission Act. Violations would be enforced by State Attorneys General, the FTC or private individuals.
- State Attorneys General: Attorneys General may prosecute companies for violations of the Act affecting the state’s residents and either: 1. Enjoin the act or practice; 2. Enforce compliance with the act; 3. Obtain damages; or 4. Obtain reasonable attorneys’ fees.
- Federal Trade Commission: The proposal contemplates the FTC creating a new Bureau of Privacy to handle monitoring and enforcement of the Act. The agency will also provide guidance and education for covered entities. Penalties recovered by the Commission will be deposited in a Victims Relief Fund.
- Private Right of Action: Four years after enactment, any person suffering an injury arising from a violation of the act can sue a covered entity. Under a civil action, the plaintiff can recover monetary damages, injunctive relief and attorney’s fees.
- State Law Preemption: The Act sets a new federal standard for data privacy laws, ensuring that no state may enforce laws which pertain to the topics covered in this legislation. However, there are multiple exceptions to state preemption which include consumer protection laws, civil rights laws, cyberstalking laws, breach notification laws and the Biometric Information Privacy Act in Illinois. Outside stakeholders have criticized the long exception list for further complicating the patchwork of state laws that companies must comply with, while others argue that states who have higher privacy standards should be allowed to maintain those stricter requirements.
One version of the American Data Privacy and Protection Act proposal was formally introduced in the House of Representatives as H.R. 8152 on June 21, 2022. That same week, on June 23, 2022, the House Energy and Commerce Subcommittee on Consumer Protection and Commerce held a markup, ultimately adopting a slightly amended version of H.R. 8152 and clearing this House version of the bill for consideration by the full Energy and Commerce Committee.
H.R. 8152 largely tracks the initial proposal, with a number of changes including (among other things):
- First, the amended bill modifies the approach to service providers and third parties treating them as “processors,” and it requires a written contract between a covered entity and service provider that must include similar provisions to those required under the CCPA and GDPR.
- Second, the amended bill introduces “Permissible Purposes” for processing covered data which includes processing “reasonably necessary and proportionate” to fulfill an order or provide a service requested by an individual, system maintenance and diagnostics, internal research or analysis to improve products or services, to authenticate users and fraud prevention, among other purposes. The amended bill provides that the FTC will publish guidance as to what “reasonably necessary and proportionate” means in reality to aid in compliance.
- Third, the amended bill also expands exemptions to privacy requirements, by exempting government agencies and their service providers and broadening the original small business exception thresholds.
Next Steps and Ongoing Challenges: While lawmakers seek to find common ground to advance a privacy bill, the scope and contents of such legislation will subject to tense negotiations and compromise. Currently, Republican and Democratic leaders have yet to reach firm agreement on threshold issues, including state preemption and the proposed private right of action.
Further, assuming that the legislation passes in the House, there will be additional challenges in the Senate. On the Senate side, the legislation will fall within the jurisdiction of the Science, Commerce & Transportation Committee and must win approval there to succeed. While the Committee’s Ranking Member Wicker supports the American Data Privacy and Protection Act framework, the Committee’s Chair, Senator Maria Cantwell (D-WA) has not joined the coalition backing the bill, instead advocating for an alternative privacy initiative and preparing to introduce competing legislation.
As the debate over a federal privacy law continues, Pillsbury is engaging with stakeholders and government players on the evolving scope, requirements, and implications on businesses across the country. Pillsbury is carefully monitoring new proposals, compromises, and the status of this critical legislation, and we are working with our clients to advance their priorities.
The authors would like to thank summer law clerk Amaris Trozzo for contributing to this alert.