Legislators Announce Compromise U.S. Federal Privacy Bill with Support in both the House and Senate

Momentum is growing for a federal privacy law in the United States. A bipartisan group of House and Senate leaders has released a discussion draft of baseline consumer data protection legislation. The American Data Privacy and Protection Act (ADPPA) would create a national standard for data privacy and security, include a limited private right of action that would take effect four years after the ADPPA’s effective date, establish a new bureau within the Federal Trade Commission (FTC) to enforce the law, and preempt some state laws. As drafted, the ADPPA would also require “third-party collecting entities” to register with the FTC and enable the FTC to create a “Do Not Collect” registry and a “uniform opt-out mechanism.”

If the ADPPA moves forward, the consent requirements, exemptions, FTC authority, and scope of preemption and private right are likely to be a focus of intense discussions.  We summarize here some of the key elements of the current draft, which will likely continue to evolve.  

Sponsors

The ADPPA is sponsored by House Energy and Commerce Committee Chair Rep. Frank Pallone (D-NJ); Ranking Member Rep. Cathy McMorris Rodgers (R-WA); and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS). Absent from the list of sponsors are Sen. Maria Cantwell (D-WA), Chair of the Senate Commerce Committee (who has raised concerns with the bill) and California legislators. Without support from Sen. Cantwell and a broader group of legislators (including some from California), the bill could stall. 

Scope

  • Covered entities. The ADPPA’s key obligations apply to “covered entities,” defined as any entity or person that collects, processes, or transfers “covered data” and:
    • is subject to the Federal Trade Commission Act;
    • is a common carrier subject to the Communications Act of 1934;
    • is not organized for the financial profit of itself or its members; or
    • controls, is controlled by, is under common control with, or shares common branding with another covered entity.
  • Covered data. Covered data is defined broadly.  Following recent trends, the ADPPA would govern information that identifies or is linked or reasonably linkable to an individual.  Covered data also includes information associated with a device that identifies or is linked or reasonably linkable to one or more individuals.  And the ADPPA expressly states that derived data and unique identifiers are in scope. De-identified data, employee data, and publicly available information are expressly excluded from the scope of covered data.
  • Individuals. An “individual” is a natural person who is residing in the United States.
  • Sensitive covered data. Designated portions of the ADPPA regulate sensitive covered data (e.g., a requirement to obtain affirmative express consent prior to collecting or processing sensitive covered data). The ADPPA defines sensitive covered data more broadly than U.S. state privacy laws to include:
    • Government-issued identifiers, such as social security numbers or driver’s license numbers;
    • Health and healthcare treatment information;
    • Financial account and credit information;
    • Biometric information;
    • Genetic information;
    • Precise geolocation information;
    • Private communications and voice communication metadata;
    • Log-in credentials;
    • Information revealing race, ethnicity, national origin, religion, union membership status, sexual orientation, or sexual behavior when used in ways inconsistent with reasonable expectations;
    • Information identifying online activities over time or across online services;
    • Information stored for private use on devices, such as calendars, contacts, phone or text logs, videos, and audio recordings;
    • Photos, videos, and other media that show private areas of an individual;
    • Information about an individual’s access to or viewing of television, cable, or streaming services; and
    • Information about individuals under the age of 17.
  • Exemptions. The ADPPA would impose more limited requirements on organizations that: (1) have annual revenues of $41M or less; (2) collect or process data of 100,000 or fewer individuals per year; and (3) derive 50% or less of their revenues from transferring covered data. Organizations processing data in compliance with specified sections of HIPAA, GLBA, FCRA, and FERPA would be deemed to be in compliance with the law with respect to that data, though organizations subject to those laws would not be granted an entity-wide carveout.
  • Large data holders. As proposed, large data holders would be any covered entity that, in the previous calendar year, (A) had annual gross revenues of $250,000,000 or more; and (B) collected, processed, or transferred (i) the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals; or (ii) the sensitive covered data of more than 100,000 individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals. Large data holders are subject to additional obligations, such as a requirement to provide short-form notices to consumers, an obligation for privacy or security officers to report directly to the highest official of the company, and to undergo privacy impact assessments.
  • General exceptions. The ADPPA provides a set of general exceptions, including broad exemptions from the bill’s requirements for certain uses such as completing a transaction or service requested by an individual and to comply with legal obligations.

Obligations

The ADPPA establishes a number of core compliance requirements for covered entities:

  • Affirmative express consent. The ADPPA would require covered entities to obtain affirmative express consent in a number of situations, including to collect, process, or transfer sensitive covered data, to transfer the covered data of an individual who is between the ages of 13 and 17, to retain covered data longer than necessary for the purposes for which it was collected, and for service providers to transfer covered data that they process on behalf of a covered entity to a third party, other covered entity, or another service provider.   
  • Data minimization. Covered entities would be required to collect, process, and transfer data only as reasonably necessary, proportionate, and limited in support of providing goods or services or communicating with individuals with whom covered entities have a relationship or as expressly permitted. 
  • Prohibited practices. Covered entities may not process social security numbers, geolocation information, biometric information, passwords, nonconsensual intimate images, and health information except for specified purposes.
  • Privacy by Design. Covered entities must establish and implement reasonable policies and practices to assess and address privacy risks. 
  • Conditional pricing/service. Subject to exceptions, covered entities may not deny, charge different prices, or condition, refuse to provide, or terminate a service or product based on an individual’s refusal to waive any privacy rights guaranteed by the bill.
  • Data security. Covered entities must establish and maintain reasonable security practices to protect covered data against unauthorized access and acquisition. Minimum requirements include assessing vulnerabilities, taking preventive and corrective action to mitigate foreseeable risks, evaluating such actions, destroying data according to retention schedules, training employees on safeguarding data, and designating employees to maintain security practices. The FTC would have rulemaking authority to establish processes to comply with these requirements.
  • Protections for minors. Covered entities must not target advertising to individuals under 17 or transfer to third parties information relating to individuals between 13 and 17 years of age if the covered entities have actual knowledge that the individuals are under 17.
  • Discrimination and algorithms. Covered entities may not process personal information in a manner that discriminates on the basis of race, color, religion, national origin, gender, sexual orientation, or disability, subject to limited exceptions.  As part of the requirements relating to algorithmic assessments, covered entities must consider potential disparate impacts arising from algorithmic decision making. 
  • Third-party collecting entity registry. The ADPPA requires third-party collecting entities (i.e., organizations whose principal source of revenue is derived from processing or sharing personal information that was not collected directly from individuals) to register with the FTC and maintain logs of information processing. The ADPPA also provides the FTC with authority to create and maintain a “Do Not Collect” registry to which third-party collecting entities must respond.

Consumer Rights

The ADPPA would grant individuals in the U.S. novel privacy rights. These rights include:

  • Access. An individual can request any covered data relating to the individual that the covered entity or its service providers process and other information about that processing, including the name of any third party, other covered entity, or service provider to whom such covered data was transferred.
  • Correction. An individual can ask a covered entity to correct any inaccurate or incomplete covered data and to notify any third party, other covered entity, or service provider to which the individual’s covered data was transferred of the correction request.
  • Deletion. An individual can ask a covered entity to delete any covered data relating to the individual that the covered entity processes and to notify any third party, other covered entity, or service provider of the deletion request.
  • Data portability. To the extent technically feasible, individuals would have the right to obtain copies of their covered data in both human-readable and machine-readable formats.  Importantly, this right does not extend to derived data or data subject to licensing restrictions on the transfer.
  • Consent to processing of sensitive data. As described above, covered entities would need an individual’s affirmative express consent to collect, process, or transfer sensitive covered data relating to the individual.
  • Consent withdrawal. Covered entities would need to provide individuals with clear and conspicuous, easy-to-execute means to withdraw any affirmative express consent previously provided by the individual.
  • Right to opt out of covered data transfers. Individuals could object to the transfer of their covered data to a third party as defined in the law, which means this right would not disrupt transfers to service providers. Individuals would be permitted to object to such transfers via a uniform opt-out mechanism to be established by the FTC.
  • Right to opt out of targeted advertising. Individuals could opt out of targeted advertising through a clear and conspicuous means to opt out or the uniform opt-out mechanism to be established by the FTC. The ADPPA’s definition of “targeted advertising” appears to be broader than similar definitions in forthcoming state privacy legislation.

Enforcement

The ADPPA vests enforcement with the FTC, state attorneys general, and private plaintiffs.

  • FTC enforcement:  Within the FTC, a new bureau would be established and tasked with enforcing the law within one year of its enactment. Violations would be treated as an unfair or deceptive practice and subject companies to penalties of up to $46,517 per violation (the civil penalty amount in 2022).
  • State attorneys general:  State attorneys general can bring civil actions to (1) enjoin an act or practice; (2) enforce compliance with the law or implementing regulations; (3) obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the State; or (4) obtain reasonable attorneys’ fees and other litigation costs reasonably incurred.  Before initiating such actions, attorneys general must notify the FTC in writing so that the Commission has the opportunity to intervene.
  • Private right of action:  Beginning four years after the ADPPA takes effect, private plaintiffs may also bring claims for compensatory damages, injunctive or declaratory relief, and reasonable attorneys’ fees and litigation costs.  Plaintiffs would be required to notify the FTC and state attorneys general prior to filing such suits, and actions for injunctive relief or against small businesses would be subject to a 45-day cure period.

Preemption

The ADPPA would preempt state laws that are “covered by” the law, but there are a number of exceptions, including among others: 

  • Generally applicable state consumer protection laws;
  • Civil rights laws;
  • Contract and tort laws;
  • Common law rights and remedies and statutes that grant civil relief;
  • Privacy laws governing employee, student, or health/medical information; and 
  • Illinois’s Biometric Information Privacy Act and Genetic Information Privacy Act. 

* * *

The ADPPA is under active consideration and will be the subject of a House Committee on Energy & Commerce Subcommittee of Consumer Protection & Commerce hearing on June 14, 2022, at 10:30 am ET. Other proposals for federal legislation are also being circulated. The situation remains fluid and the details of any enacted federal privacy legislation are likely to differ from the current draft. Despite the fluidity, however, the current text of the ADPPA provides a clear starting point of bipartisan negotiations and is likely to substantially inform any final privacy laws.


Authored by Filippo Raso, W. James Denvil, Mark Brennan, Bret Cohen, Scott Loughlin, and Marcy Wilder.

Soojin Jeong, a summer associate in our Washington D.C., office contributed to this entry.
