On June 3, 2022, leaders from the House of Representatives and the Senate released a discussion draft of a comprehensive federal privacy bill, known as the American Data Privacy and Protection Act (ADPPA). The ADPPA aims to create a strong national framework for protecting personal data by providing broad protections for individuals and introducing strict requirements for covered entities. Many of these requirements resemble provisions of the GDPR such as data minimization, Privacy by Design (PbD), and conditions for consent.
“This bill strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress, including the development of a uniform, national data privacy framework, the creation of a robust set of consumers’ data privacy rights, and appropriate enforcement mechanisms. We believe strongly that this standard represents the best opportunity to pass a federal data privacy law in decades, and we look forward to continuing to work together to get this bill finalized and signed into law soon”
– Cathy McMorris Rodgers (R-WA), Frank Pallone (D-NJ), and Roger Wicker (R-MS)
Who would the American Data Privacy and Protection Act apply to?
The scope of the ADPPA is broad. The discussion draft defines a covered entity as any organization that falls under the jurisdiction of the Federal Trade Commission (FTC), common carriers under the Communications Act of 1934, non-profit organizations, and any organization in common control with another covered entity.
The ADPPA further defines Large Data Holders, where additional obligations apply, and a small business exemption. However, the latter are only exempt from a narrow set of provisions.
A Large Data Holder is defined as an organization that, within the past 12 months, has:
- Had annual gross revenues of $250,000,000 or more, and
- Collected, processed, or transferred the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to one or more individuals, or
- Collected, processed, or transferred the sensitive covered data of more than 100,000 individuals or devices that identify or are linked or reasonably linkable to one or more individuals, excluding any instance where the covered entity would qualify as a large data holder solely on account of processing
Covered entities that are classified as a Large Data Holder will be subject to annual compliance reports and algorithmic impact assessments as well as privacy impact assessments (PIAs), among other things.
Covered entities are considered to be a small and medium business if, within the prior three years they:
- Earned a gross annual revenue of $41,000,000 or less
- Did not collect or process the data of 100,000 individuals in a year, and
- Did not derive more than half their revenue from transferring covered data
Small and medium businesses will be exempt from:
- Requirements to appoint a privacy and data security officer
- Data security requirements of the bill (except for data retention obligations)
- Data portability requirements
Small and medium businesses will also have the choice to delete, rather than correct, an individual’s data upon receiving a verified request.
What are the provisions of the ADPPA?
The draft version of the ADPPA is broken down into four titles covering Duty of Loyalty, Consumer Data Rights, Corporate Accountability, and Enforcement and Applicability.
Duty of Loyalty
Title I of the ADPPA would impose a data minimization requirement for covered entities. The draft uses similar language to the GDPR stating that covered entities are prohibited from collecting, processing, or transferring personal data beyond what is necessary, proportionate, and limited to a specific purpose.
Again, like the GDPR, the draft includes a provision for PbD highlighting that covered entities “have a duty to implement reasonable policies, practices, and procedures for collecting, processing, and transferring covered data. These should correspond to the entity’s size, complexity, activities related to covered data, the types and amount of covered data the entity engages with, and the cost of implementation compared to the risks posed.” It is also noted that covered entities cannot make conditions or terminate services based on an individual’s choice to waive their privacy rights contained within the bill.
In a section similar to the CCPA, the draft mentions a prohibition on conditional service or pricing. This means that a covered entity is not allowed to deny, change the price, or effectively condition a service or product to an individual if they have chosen to waive any privacy rights guaranteed by this Act. They are also not allowed to refuse a service or product to an individual because of an individual refusing to waive any privacy rights.
Consumer Data Rights
Under Title II, the ADPPA outlines transparency requirements for organizations to post privacy notices and for the FTC to publish the provisions of the bill informing consumers of the rights they are entitled to under the bill. As part of privacy notices, organizations would be required to detail their processing activities in an understandable manner as well as provide contact information, the categories of data being collected, processed, or transferred, as well as third parties that personal data is transferred to.
Privacy policies should also include details of consumer rights afforded to individuals, including:
- Right to access
- Right to correct
- Right to delete
- Right to portability
- Right to opt out
Large Data Handlers are required to respond to consumer rights requests within 30 days, within 60 days if you are a covered entity, and within 90 days if you fall into the category of small and medium businesses.
Title II also includes detail on the protection of children’s data, rules for third parties, and data security measures as well as the prohibition of discrimination and inequality related to how individuals can access goods or services based on the way the covered entity processes covered data. This translates into a broader accountability requirement for businesses that rely on automated decision-making and AI to prevent bias and discrimination in such processing.
Corporate Accountability
One of the provisions of the ADPPA that will have a significant impact on organizations, as well as the privacy industry in general, is the requirement for all covered entities to “designate one or more privacy and data security officers who must implement privacy and data security programs and ensure ongoing compliance with the Act.” This would lead to large numbers of organizations appointing Chief Privacy Officers (CPOs) and Chief Information Security Officers (CISOs) in order to comply with the bill.
Further requirements for Large Data Handlers would include conducting Privacy Impact Assessments (PIAs) as well as annual compliance reviews to be certified by the CEOs, CPOs, and CISOs that their company maintains compliance with the bill.
Enforcement and Applicability
The draft ADPPA provides for the establishment of a new bureau within one year of its enactment to assist the FTC in exercising its authority. State Attorney Generals (AGs) will also have the power to bring a civil action in the name of the state if they have reason to believe that a covered entity has violated the bill.
A private right of action is included in the draft text of the ADPPA, however it will only become applicable four years after the Act takes effect and will allow any individual who has suffered damages to bring civil action to federal court for monetary compensation.
The draft text of the law acknowledges the interplay between the ADPPA and other data related laws in Title IV of the draft. Organizations will be deemed to be compliant with the ADPPA if they are already compliant with existing laws including the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) for data that is in scope for such laws. However, COPPA will not be preempted by the ADPPA and will be updated within 180 days of the enactment of the Act with new regulations.
Existing state privacy laws will be preempted by the Act, however there are certain protections such as facial recognition laws, employee privacy rights laws, cyber-criminal laws, and consumer protection laws that will stay in effect at the state level.
What does this mean for businesses?
In the short term, this is a development that organizations should watch closely. There are still several hurdles to clear before this federal bill can be considered a possibility, however, the bipartisan support of both the Democrats and the Republicans makes it one of the most intriguing proposals yet.
In the long term, if the bill passes, organizations should only have a short amount of time to amend their privacy programs to meet the requirements of the ADPPA, many of whom will need to appoint Chief Privacy Officers (CPOs) and Chief Information Security Officers (CISOs). Many of the provisions such as PbD, data minimization, and the consumer rights provided by the bill shouldn’t be a far cry from what organizations already have in place for their GDPR compliance programs. However, as with any new laws, there will be nuances and it will be these areas of difference that will add complexity.
While any final decision on the ADPPA is some way off, the overlap between existing state laws and any potential requirements of the ADPPA means that there are a few things that organizations can do now that would benefit their privacy programs.
For example, the ADPPA includes language that would invite the FTC to examine the possibility of a unified opt-out mechanism, such as Global Privacy Control (GPC), allowing users to easily exercise their rights across different websites. Adopting these universal opt-out methods now will also help with fulfilling opt-out requests across all five privacy laws set to take effect in 2023, especially in California where companies are required to fulfill opt-out of sale requests made by consumers through GPC.
The same can be said about consumer rights on a broader level. The ADPPA provides consumers with rights that closely align with the rights coming into effect across state law in 2023. As a result, organizations can develop a privacy framework that encapsulates the highest standard for consumer rights to meet the compliance requirements of each state and potentially the ADPPA.
Similarly, with requirements for PbD, PIAs, and privacy notices, organizations in the position to do so should consider working with one single framework to help strip some of the complexity of complying with the current patchwork of US privacy laws.
The Trust Intelligence Platform from OneTrust is underpinned with real-time regulatory intelligence which helps to inform all areas of your privacy program and keep you compliant with the latest requirements your organization needs to uphold. In the event of the ADPPA passing, organizations can rely on the OneTrust Privacy & Data Governance Cloud to deliver automated solutions for fulfilling privacy rights requests, conducting privacy impact assessments, and managing data privacy policies.
