The American Data Privacy and Protection Act: Is the US About to Get Its Own Comprehensive Privacy Law?
America has been in a unique position among developed nations in that it does not have a comprehensive data protection and privacy law like the EU's GDPR or China's PIPL. Only five states have a comprehensive law, and each of them has slightly different standards and requirements.
That state of affairs may soon change, as the bill for the American Data Privacy and Protection Act has garnered substantial bipartisan support. Outside Congress, privacy advocates and experts have been fairly optimistic about the proposed law. The ADPPA is comparable to other international data privacy laws, but also has its own unique features.
As expected from such a landmark law, the bill is massive--the currently available draft stands at 132 pages--but Ardent Privacy has reviewed the text of the bill and presents a simplified version of its biggest changes and most impactful requirements.
What The ADPPA Covers
The ADPPA covers any entity that collects, processes, or transfers covered data. It does not apply to any governmental bodies or those providing services to the government. "Covered data" includes any information that identifies or is reasonably linkable to an individual or their devices. It does not include de-identified data, publicly available information, or employee data (like job applications, information about professional activity, and business contact info). It also does not include information inferred from multiple public sources, so long as it does not reveal sensitive data.
Sensitive data protected by the law includes especially personal and identifying information, such as an individual's finances, health, biometrics, passwords, and ID numbers like a driver's license or Social Security number.
The ADPPA grants enforcement authority to the Federal Trade Commission (FTC). The ADPPA sets out a general legal framework to direct the FTC and empower it to regulate in this area. The FTC will have a lot of discretion in how to implement the ADPPA's legal requirements.
Duty of Data Minimization
The ADPPA imposes a duty of data minimization on covered entities--they are only permitted to collect and retain the minimal amount of data needed to achieve their stated purpose. The ADPPA forbids entities from collecting, processing, or transferring data beyond what is needed for a list of specific permitted purposes:
- Provide specifically-requested products and services
- Perform a transaction or fulfill a requested order
- Develop, maintain, repair, enhance, manage, or debug one of the entity's products, services or systems
- Authenticate users of a product or service
- Fulfill a warranty
- Detect, protect against, or respond to a security incident (digital or physical)
- Detect, protect against, or respond to fraud, harassment, or other harmful illegal activity
- Comply with other legal obligations or prepare for legal claims
- Protect people from harm if the covered entity believes in good faith that there is a risk of death or serious harm
- Perform a product recall
- Conduct a public/peer-reviewed research project in the public interest that follows all other research laws
- Communicate with people in a way they reasonably anticipate
- Deliver a message from an individual at that person’s request
- Transfer assets to a party assuming control of the covered entity in a merger, acquisition, bankruptcy, etc., so long as affected individuals are notified and given the opportunity to withdraw consent
- Ensure data security and integrity as required by law
- Detect, protect against, or respond to a public safety incident, but only if acting at the direction of a government entity and as otherwise authorized by law
- Process data to provide first-party advertising of the entity’s own products or services
- Provide targeted advertising
The biggest difference between ADPPA and comparable data protection laws is how it handles user consent. In GDPR and similar laws, entities can collect data as long as they get user consent--the most familiar form of this being a pop-up asking for consent to accept cookies. Under the ADPPA, however, covered entities can't use personal data for anything outside the approved list, even if the user consents. This means the protection is stronger and can more effectively cover people who might not understand their data subject rights, but it also means the law is relatively inflexible.
Individual Rights
The ADPPA bestows data subject rights similar to other data privacy laws. Individuals have the right to access, correct, export a copy of, or delete any of their covered data in the possession of a covered entity.
Additionally, sensitive data collected by a covered entity cannot be transferred to a third party without the data subject's express consent. There are a few exceptions where consent is not needed--for example, if the transfer is necessary to comply with the law, protect an individual from imminent harm, respond to a public safety emergency, or perform medical research or care.
Privacy by Design
The ADPPA will require covered entities to establish reasonable policies, practices, and procedures that reflect the duties imposed by the law, as well as the entity's own role. Covered entities also have a list of elements they need to satisfy in their internal procedures. Proper procedures and policies under the ADPPA will:
- Consider laws and regulations affecting the entity and the data they handle (like HIPAA for health data).
- Identify and mitigate privacy risks to minors.
- Mitigate privacy risks related to the entity's products/service.
- Implement reasonable training and safeguards within the organization to promote compliance with all applicable privacy laws.
The law says that an entity's procedures must factor in its size and the nature, scope, and complexity of its processing activities. Entities will also need to be aware of the volume and sensitivity of the data they manage, as well as the cost of implementation. For example, larger data holders or processors of sensitive data will have to be conscious of their vulnerabilities, and smaller entities will need to be aware of their limited resources. Exactly what constitutes reasonable policies is not established in the ADPPA, but it does direct the FTC to publish standards within a year of the law passing.
Opt-Out
In addition to requiring consent to transfer sensitive data ("opting in"), the ADPPA also gives individuals the right to opt out of the transfer of other covered data to any third party. For example, an individual may opt out of allowing their activity on an online storefront to be used in targeted advertising, even though targeted advertising is a permitted use.
The ADPPA will require the FTC to set standards for a "universal opt out," allowing users to opt out on all sites by default without having to select it on a site-by-site basis. This would most likely take the form of a selectable option in a user's browser that covered entities would be required to comply with by law, but actual implementation has not been designed yet.
As part of the opt-out and other consent requirements, entities cannot obtain consent through "dark patterns." Dark patterns are subtle elements of website design intended to manipulate users toward a desired outcome, such as making the "Accept" button larger and more colorful than "Reject," or using phrasing that shames the user into accepting. While dark patterns are not strictly privacy-related on their own, entities covered by GDPR have used them to manipulate users into consenting--the EU recently had to pass a separate law, the Digital Services Act, to ban the practice.
Algorithmic Impact Assessments
Annual Algorithmic Impact Assessments (AIAs) are one of the additional obligations the ADPPA will impose on "large data holders." Large data holders are covered entities that have an annual gross revenue of $250 million or more and that handle either the covered data of at least 5 million people or the sensitive data of at least 200,000.
Data-processing AI and automated decision-making processes have a substantial connection to data privacy. The ADPPA imposes an AIA requirement to ensure that large and powerful data processors are considering the full potential impacts of their data algorithms as they develop and implement them.
An AIA will have to include:
- Design process and methodologies of the algorithm
- Foreseeable capabilities of the algorithm outside the proposed use
- Data input used by the algorithm
- Information output produced by the algorithm
- Steps taken/to be taken to mitigate potential harm caused by the algorithm
Registry of Data Brokers
The ADPPA will direct the FTC to create a registry of "data brokers"--third-party entities that gather data from collectors to use or sell. This registry will have to be online, public, and searchable. Data brokers will have to register with the FTC to operate.
Consumers may use the registry to find who has their data and demand that it be deleted, and brokers will be compelled by law to delete it.
Protection for Youths
In addition to its general data protections, the ADPPA has much stricter controls and protections on the data of youths under 17. When entities know that an individual is under 17, all of that individual's data is to be treated with the same protections as sensitive data, even if it would not otherwise qualify.
The ADPPA establishes the Youth Privacy and Marketing Division under the FTC. This Division will be responsible for addressing privacy and marketing concerns related to minors, and will make annual reports on this subject to Congress. Targeted advertising to any individual under 17 is strictly forbidden.
Compliance Officers
All covered entities will have to appoint officers to ensure that the organization complies with ADPPA. The officer will also be responsible for implementing the entity's ADPPA-approved privacy and data security programs. Smaller entities may join technical compliance guideline programs designed to simplify compliance without violating their duties.
Enforcement
The ADPPA can be enforced by the FTC, state agencies or attorneys general, or by individuals with a private right of action.
The FTC will have the authority to bring a civil suit against ADPPA violators with the powers granted to it by the Federal Trade Commission Act--notably, civil penalties to fine the violator. The FTC is also given enforcement authority of the ADPPA over non-profits and telecom carriers.
State Attorneys General and privacy authorities can sue violators in federal court to enjoin the violating activity and seek damages. This is different from the FTC's authority, since damages are limited to actual monetary harm and the FTC's civil penalties are not.
Private individuals will also be able to sue violators in federal court, but with more restrictions. Individuals will be able to sue for damages, injunction, or declaratory relief (the court's statement that the violator is at fault, but without damages or injunction).
Since California has already created a state agency for enforcing and regulating its own privacy laws, ADPPA grants the California Privacy Protection Agency enforcement authority. California is often given more authority regarding tech laws, so this is a concession to that practice while still keeping the ADPPA's strict preemption of state law.
Preemption
In many cases, states can pass their own laws in areas that already have a federal law, provided that the state law provides at least as much protection as the federal one. In what might be the ADPPA's most controversial section, the federal law will preempt other state data privacy laws. If and when the ADPPA passes, it will nullify the existing privacy laws of California, Virginia, Connecticut, Utah, and Colorado.
While states will generally be preempted, the ADPPA includes a number of exceptions for state data protection laws in certain fields:
- General consumer protection laws
- Civil rights laws
- Employee & student privacy protections
- Contract & tort law
- Data breach notification laws
- Certain criminal laws
- Laws on cyberstalking/bullying, nonconsensual pornography, and sexual harassment
- Laws on certain financial, public, library, and tax records
- Facial recognition software laws
- Certain surveillance laws
- Laws regarding medical info
- Laws to address unsolicited phone calls, texts, and email
- Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act
- California Civil Code 1798.150 (protection against unauthorized online account access)
As of writing, there is some ongoing effort in committees to remove the preemption, but most bipartisan support is behind the version that preempts state law. Preemption is one of the compromises made to get Republican support behind the bill.
FTC Privacy Bureau
The ADPPA will also establish the Bureau of Privacy under the authority of the FTC. The Bureau will assist the FTC in its new privacy-related duties by providing expertise in enforcing the law and drafting new regulations.
The Bureau will also run the Office of Business Mentorship, which will teach covered entities how to comply with the ADPPA and provide compliance advice for any entity that submits a proposed action.
Opinions of Advocates and Experts
The reactions of privacy advocates and experts to this bill have been cautiously positive. The fact that it has bipartisan support and has a good chance of passing overcomes its faults for many.
While advocacy groups are skeptical of allowing targeted advertising--they would prefer a full ban--they are supportive of the ADPPA placing any limits on the practice at all. According to Alan Butler, president of the Electronic Privacy Information Center, the law's ban on targeted ads based on sensitive data is a "fundamental shift" away from "an ad tech industry that just gorges on personal information in every possible way it can, grabbing every possible piece of data they can find about people." The bill's data-minimization-first focus has also gotten a lot of interest, since its clear limits mean fewer chances for manipulation of consent or misinterpretation.
Not all privacy advocates support the bill. For example, the Electronic Frontier Foundation, one of the premier privacy law organizations, expressed its disapproval of the bill's current draft. The EFF opposes the bill's preemption clause, stating that it denies states the opportunity to develop their own higher standards.
According to the EFF, the bill will also stop federal regulators from enforcing the Federal Communications Act, which prevents telecom providers from disclosing certain sensitive customer data without consent. Privacy controls on telecom companies have been managed and enforced by the Federal Communications Commission, but the ADPPA would transfer much of this authority to the FTC. The EFF is concerned about this because the ADPPA gives fewer enforcement tools to the FTC than the FCC has, and the FTC lacks the FCC's specialized expertise in this field. The private right of action for individuals to sue for enforcement is also much weaker than the EFF would like because of its various exceptions and limits.
California is outspokenly against the bill because of the preemption clause. The California Privacy Protection Agency sent an open letter to Speaker Nancy Pelosi opposing preemption. Like the EFF, California opposes preemption because it worries that the protections under ADPPA are weaker than those provided under the state's CCPA and CPRA laws. A number of other states, mostly Democrat-leaning, have also spoken out against preemption.
What Comes Next?
There is still a lot to come before the ADPPA becomes the USA's comprehensive federal privacy law. At the time of writing, the bill is still being discussed in committee and has not yet been voted on in the House. If and when it passes the House, the Senate will have its own committees examine and mark up the bill based on their concerns. The preemption clause and concerns about effective enforcement will continue to be points of contention for stakeholders. The final version may have some substantial differences from this draft. Regardless, this is the most promising prospect for an American federal general data privacy law and has exciting implications for the future.
About Ardent Privacy
Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to aid companies with data discovery and automated compliance with RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), COPPA, ADPPA and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.
For more information, visit https://ardentprivacy.ai/.
Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.