On June 21, 2022, the House Energy and Commerce Committee formally introduced a new federal privacy bill: the American Data Privacy and Protection Act (“ADPPA”). Notably, the ADPPA has diverse support from both branches of Congress and both political parties. The ADPPA aims to create a national framework that would preempt many, but not all, state privacy laws.
It is unclear whether the ADPPA has sufficient support to become law, as it reportedly lacks key support in the Senate. Further, the fallout from the Supreme Court’s recent Dobbs decision has drawn closer scrutiny of the ADPPA’s provisions. Critics question whether there are adequate protections for abortion-related data and whether lawmakers should enhance the proposed private right of action.
Despite its uncertain prospects of becoming law, businesses should take note of the ADPPA’s proposed requirements. Even if not enacted, its provisions are likely to influence a future federal privacy law. And, in many ways, the ADPPA may set a new minimum standard that will shape any state laws passed to fill the void left by the lack of a federal privacy law.
As written, the ADPPA would preempt many state laws while expressly preserving others, as described below. We’ve previously written about the development of U.S. state privacy law, including updates to the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), the Colorado Protect Personal Data Privacy Act (“ColoPA”), the Connecticut Privacy Act (“CTPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and the Utah Consumer Privacy Act (“UCPA”).
If the ADPPA is enacted, companies will need to comply with its federal standard in addition to certain exempted state law requirements that would not be preempted. Many of the statutory provisions are self-executing, while others would require action by a regulatory agency (such as the FTC) prior to becoming effective.
This post begins with a review of the ADPPA’s scope and applicability. It then highlights key rights and obligations—including artificial intelligence (“AI”) assessment obligations—and details the ADPPA’s approach to enforcement.
Scope and Applicability
The draft defines “covered entities” as entities subject to the FTC Act, common carriers under the Communications Act of 1934, or non-profit organizations that determine the purposes and means of collecting, processing, or transferring covered data, as well as those related to a covered entity by virtue of a control-based relationship. ADPPA § 2(9). Large data holders are subject to heightened requirements, while small businesses have fewer obligations than other covered entities.
The ADPPA adopts a broad definition of “covered data” similar to the EU’s General Data Protection Regulation (“GDPR”) and the CCPA. “Covered data” includes information that identifies or is linked or reasonably linkable to (1) an individual or (2) a device that identifies an individual. Both data derived from information about an individual or device and technologically created identifiers, like IP addresses and customer numbers, could be covered data. De-identified data, employee data, and publicly available information are among the enumerated exemptions. ADPPA § 2(8).
The ADPPA introduces a new term, “third-party collecting entity,” defined as a covered entity whose principal source of revenue is derived from processing or transferring data that the entity did not directly collect. ADPPA § 2(32). Third-party collecting entities must provide consumers with notice of their activity and register with the FTC if a processing threshold is met. ADPPA § 206.
Similar to the CCPA and other state privacy laws, the ADPPA defines “service providers” as entities that collect, process, or transfer “covered data on behalf of, and at the direction of, a covered entity and which receive covered data from or on behalf of a covered entity pursuant to a written contract,” provided that certain contract requirements are met. ADPPA § 2(25). The ADPPA places direct obligations on service providers, including obligations not found in other state privacy laws, such as a prohibition on transferring data (except to another service provider) without affirmative express consent. ADPPA § 302(a).
State Law Preemption, with Exceptions
The ADPPA expressly preempts a host of existing state privacy laws, as well as certain federal laws that regulate covered data. It contains exemptions from preemption for general categories of law, such as civil rights laws and data-breach notification laws. In addition, the ADPPA expressly exempts specified state laws, including the Illinois Biometric Information Privacy Act, and the private right of action for personal information security breaches in the CCPA, as amended by the CPRA. ADPPA § 404(b)(1)‑(3).
Entities that are subject to and compliant with certain federal laws will be deemed in compliance with the ADPPA for data covered by those laws, except for the ADPPA’s provision on cybersecurity requirements. These laws include the Health Insurance Portability and Accountability Act (“HIPAA”), the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act (“GLBA”). ADPPA § 404(a)(2).
Key Provisions—What’s New?
Much of the ADPPA echoes (in many cases with its own twist) existing state privacy laws, including transparency requirements, purpose limitations on the use of data, limitations with respect to sensitive data, and the provision of certain rights—such as the right to request deletion and data portability—to consumers.
Like other comprehensive state data privacy laws, the ADPPA overturns the longstanding paradigm of U.S. privacy law—that notice alone is often more or less sufficient. Instead, the ADPPA requires notice and purpose limitations for the collection and use of covered data, opt-out rights for certain data uses (such as targeted advertising) and affirmative consent in some circumstances, such as the transfer of sensitive covered data to a third party.
Because the ADPPA shares similarities with current state privacy laws and the forthcoming 2023 laws, companies will likely be able to leverage their ongoing state privacy law compliance efforts should the ADPPA be enacted. Companies should pay particular attention to the several areas of new terrain covered by the ADPPA, some of which are addressed below.
AI Evaluations and Assessments
Unlike its predecessor state privacy laws, the ADPPA would require covered entities and service providers to conduct algorithm design evaluations. Large data holders would be required to conduct additional impact assessments for certain algorithms. For both the design evaluation and the impact assessment, entities must use an external, independent researcher or auditor to the extent possible. Both design evaluations and impact assessments must be submitted to the FTC within 30 days of completion.
Algorithm Design Evaluations: Any covered entity or service provider that knowingly develops an algorithm to collect, process, or transfer covered data must produce an algorithm design evaluation. Those evaluations must specifically consider any data used to develop the algorithm to reduce the risk of potential harms. ADPPA § 207(c)(2).
Algorithm Impact Assessments: Large data holders must additionally conduct an annual impact assessment of any algorithm that (1) is used to collect, process, or transfer covered data, and (2) may cause potential harm to an individual. Entities must describe the algorithm’s design process, purpose, foreseeable uses, data inputs, and the outputs the algorithms generate. The assessments must also describe steps taken to mitigate potential harms. ADPPA § 207(c)(1). Harms related to the following areas must be addressed:
- Individuals under the age of 17.
- Advertising for housing, education, employment, healthcare, insurance, or credit opportunities.
- Access to, or restrictions on the use of, a place of public accommodation.
- A disparate impact on the basis of protected characteristics.
ADPPA § 207(c)(1)(B)(vi)(I)–(IV).
The ADPPA contemplates that the FTC may promulgate rules that would allow entities to exclude algorithms that present minimal or low risk of harms from their design evaluations and impact assessments. ADPPA § 207(c)(5)(B).
The ADPPA would codify a prohibition on the collection, processing, use or transfer of covered data in ways that would discriminate or make goods or services unavailable on the basis of protected characteristics. This prohibition would not apply to: (1) self-testing to prevent discrimination; (2) diversifying an applicant, participant, or customer pool; or (3) a private club or group. ADPPA § 207(a).
Duty of Loyalty
The ADPPA imposes a duty of loyalty on covered entities (called for by some academics and questioned, most notably, by FTC Chair Lina Khan), although the ADPPA’s provisions in many ways mirror requirements under existing data privacy laws. In addition to general obligations of data minimization, privacy by design, and loyalty to individuals regarding pricing, the ADPPA prohibits covered entities from engaging in restricted practices, absent an exception. ADPPA § 101–04. The four restricted practices involve:
- Handling social security numbers;
- Collecting or processing sensitive covered data;
- Transferring sensitive covered data to a third party; and
- Collecting, processing, or transferring aggregated Internet search or browsing history.
ADPPA § 102(a)(1)–(4).
Federal and State Enforcement
As drafted, the ADPPA not only vests the FTC and state attorneys general with enforcement authority but also introduces a controversial “private right of action” that would permit private parties to enforce the statute.
Federal Trade Commission
The ADPPA would create a Bureau of Privacy at the FTC to enforce the ADPPA, as well as an Office of Business Mentorship for covered entities. ADPPA § 401(a)–(b). Any ADPPA violation would be treated as a violation of a rule defining an unfair or deceptive act or practice under Section 18 of the Federal Trade Commission Act. ADPPA § 401(c)(1). If the FTC institutes an action against a covered entity, state attorneys general and chief consumer protection officers cannot bring their own civil action against the same entity during the pendency of the FTC’s action. ADPPA § 402(c).
State Law Enforcement
The ADPPA also grants state attorneys general and states’ chief consumer protection officers the power to enforce the ADPPA through federal civil actions. A state attorney general must notify the FTC prior to initiating a civil action so that the FTC can intervene. ADPPA § 402(a)–(b). State attorneys general and chief consumer protection officers may seek injunctive relief and recover damages, civil penalties, restitution, other compensation, and reasonable attorney’s fees. ADPPA § 402(a).
Private Rights of Action
The ADPPA includes a delayed private right of action that would go into effect four years after the law’s enactment—a controversial feature. If passed, there is a potential for private party litigation risk not presented by most comprehensive state privacy laws.
The ADPPA permits plaintiffs and classes of plaintiffs to bring suit for compensatory damages, injunctive or declaratory relief, and reasonable attorney’s fees for violations of certain of the ADPPA’s provisions. ADPPA § 403(a)(2). There are no statutory damages provided.
The ADPPA also limits private rights of action in several ways. ADPPA § 403.
- First, as noted, the private right of action would not become available until four years after the ADPPA takes effect.
- Second, before filing a civil action, a potential plaintiff must notify both the FTC and relevant state attorney(s) general. Both the FTC and attorney(s) general would then have 60 days to determine whether to intervene in the action.
- Third, before bringing an action for injunctive relief or against a small business, plaintiffs must give written notice and a 45-day right to cure.
- Fourth, while individuals may serve a demand letter on a covered entity to request monetary payment, the letter must state, “Please visit the website of the Federal Trade Commission to understand your rights pursuant to this letter,” with a hyperlink to the FTC’s website, or this right is forfeited. ADPPA § 403(d).
The ADPPA should prompt companies that are not already readying themselves for 2023 compliance into action—as it is clear that federal legislation encompasses many obligations imposed by existing state privacy laws.
Companies should make note of what additional burdens—compliance or operational—the ADPPA or similar legislation would create. Even if the ADPPA is not enacted, its provisions are likely to influence a future federal law, as well as any state laws that are passed in the absence of a federal standard. Questions companies may consider include:
- Whether any current or planned business practices are restricted by the ADPPA or other privacy regulations coming into force.
- Whether any existing or planned user interface requires affirmative consents that are currently not being obtained.
- Whether the use of personal data in automated decision-making could harm individuals and if so, what steps can be taken to reduce risks.
Finally, as privacy obligations grow, the easiest way to avoid violations is to not have so much sensitive personal data. Accordingly, the ADPPA is another reason for companies to map their sensitive personal data, assess which collections are “reasonably necessary” and delete data that is not needed for legal or business reasons.
This post comes to us from Debevoise & Plimpton LLP. It is based on the firm’s memorandum, “What the ADPPA Means for U.S. Data Regulation,” dated July 12, 2022, and available here.