Key point: The chances for the United States to finally enact a federal privacy bill appear to have increased with the circulation of a bipartisan discussion draft, although its chances for passage are far from clear.
On Friday, June 3, House and Senate leaders released a bipartisan discussion draft of a comprehensive data privacy bill called the American Data Privacy and Protection Act (ADPPA). Although there have been many federal privacy bills introduced in the past, this discussion draft is gaining widespread attention because of its timing, bipartisan support, and the fact that it reaches compromise positions on state law preemption and enforcement (the two primary obstacles for passing a federal privacy law).
In the article below, we first discuss the background of the discussion draft, including its chances for passage. We then provide a list of high-level takeaways.
How Did We Get Here and Where Are We Going (If Anywhere)?
On June 1, Politico reporter Rebecca Kern broke the story that House Energy and Commerce Chair Frank Pallone (D-N.J.), ranking member Cathy McMorris Rodgers (R-Wash.) and Sen. Roger Wicker (R-Miss.), ranking member of the Senate Commerce Committee, had reached consensus on a bipartisan draft federal privacy bill. In particular, Kern reported that the lawmakers had agreed on the two biggest obstacles standing in the way of federal privacy legislation – preemption of state laws and enforcement. However, Politico was quick to point out that a key negotiator – Senate Committee Chair Maria Cantwell (D-Wash.) – has not yet agreed to the compromise draft and believes it is not strong enough.
The content of the draft bill, however, remained a mystery until Friday, June 3, when lawmakers released a sixty-four page discussion draft.
In a follow-up article, Kern discussed the release of the draft bill and its current prospects. According to Kern, Senator Cantwell is still “skeptical” of the bill and has released a revised version of a competing bill she first offered in 2019. Kern also observed that “there is little time left in the Congressional calendar before Congress breaks for its August recess and then heads into the midterms. It is unclear whether Congress could get a federal privacy bill across the finish line this year.” Yet, “Cantwell wants to hold a markup this month on a bipartisan federal privacy bill along with bills related to children’s privacy.”
Kern also noted that there is a short time frame for passing a bill because of pending Senate committee leadership changes, in particular Senator Wicker’s expected move from the Senate Commerce Committee to the Senate Armed Services Committee.
In his weekly post, IAPP Managing Director, Washington D.C., Cobun Zweifel-Keegan, provided more background on the bill’s chances, including noting that at least one other Democratic Senator, Brian Schatz (D-Hawaii) has joined Senator Cantwell in demanding stronger consumer protections.
That said, it does feel like the discussion draft is tangible progress in the advancement of federal privacy legislation (although the IAPP’s Joe Duball was quick to throw a “wet towel” on optimism). The prospect of more movement occurring in the coming weeks also has encouraged privacy professionals that there is at least some hope that 2023 could finally be the year for federal privacy legislation.
Below are high-level takeaways from a review of the ADPPA. This analysis does not summarize every provision of the ADPPA; rather, it is intended to give the reader a general understanding of the discussion draft’s provisions.
- A New Model – The draft bill is not modeled on existing laws in California, Connecticut, Colorado, Utah and Virginia. It also is not modeled on GDPR. That said, certain concepts and definitions within the bill are similar to existing laws.
- Scope; Covered Data – The bill would apply to “covered data” which is defined as “information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers.” Covered data excludes de-identified data, employee data (broadly defined), and publicly available information (also defined broadly).
- Scope; Covered Entity – The bill would apply to “covered entities,” which is defined as “any entity or person that collects, processes, or transfers covered data and — (i) is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.); (ii) is a common carrier subject to title II of the Communications Act of 1934 (47 U.S.C. 201–231) as currently enacted or subsequently amended; or (iii) is an organization not organized to carry on business for their own profit or that of their members.” It also includes any entity or person that controls, is controlled by, is under common control with, or shares common branding with another covered entity. The draft bill contains numerous exemptions, including an exemption for small businesses. It appears that there are data-level exemptions for entities subject to GLBA, HIPAA, FERPA, and other federal statutes, although the FTC would need to provide guidance.
- Data Minimization – Covered entities would be required to limit their collection, processing and transferring activities to certain activities and purposes.
- Data Processing Restrictions – Covered entities would be prohibited from engaging in eight data processing activities such as collecting, processing and transferring biometric and genetic information without affirmative consent, unless an exception applies.
- Privacy by Design – Covered entities would need to implement privacy by design policies and procedures.
- Privacy Policies – In a provision that will surprise no one, covered entities would need to publish privacy policies explaining their data processing activities. In a unique twist, the policy would need to state “whether or not any covered data collected by the covered entity is transferred to, processed in, or otherwise made available to the People’s Republic of China, Russia, Iran, or North Korea.”
- Rights – Upon verification, individuals could access, correct, delete, and port covered data. Individuals also could opt out of the transfer of covered data to third parties and of targeted advertising. The FTC would be charged with studying the feasibility of a universal opt-out mechanism.
- Consent; Sensitive Data – Covered entities would not be permitted to collect or process sensitive data without affirmative express consent.
- Children’s Data – Covered entities could not engage in targeted advertising to individuals under the age of 17. Whether a covered entity needs actual knowledge of the individual’s age appears open for discussion. A new “Youth and Marketing Division” would be established within the FTC.
- Data Brokers – Data brokers (or what the bill calls third-party collecting entities) would be required to provide notices, create audit logs, and register with the FTC.
- Data Security – Covered entities would need to implement and maintain reasonable administrative, technical and physical security practices and procedures to protect covered data.
- Large Data Holders – There would be additional requirements for large data holders such as certification responsibilities, the designation of a data privacy and data security officer, and creation of privacy impact assessments. Large data holders are covered entities that have annual gross revenue of $250,000,000 or more and either collect, process, or transfer the covered data of 5,000,000 individuals or devices or the sensitive covered data of 100,000 individuals or devices.
- Enforcement – The FTC and State Attorneys General would enforce the ADPPA.
- Private Right of Action – Starting four years after the ADPPA’s effective date and subject to providing 60 days’ notice to the FTC and relevant State Attorneys General, persons or classes of persons who suffer an injury could bring civil actions for compensatory damages, injunctive or declaratory relief, and reasonable attorney’s fees and costs. Pre-dispute arbitration provisions and joint action waivers would be prohibited for individuals under the age of 18. In addition, certain types of civil actions would be subject to a right to cure.
- State Preemption – Most state laws would be preempted although there are exemptions, including for the Illinois Biometric Information Privacy Act and the CPRA’s personal information security breach section.
- FTC Rulemaking – Various parts of the bill authorize the FTC to issue guidance and promulgate rules. For example, the FTC would be authorized to issue rulemaking on the bill’s data minimization and consumer requests requirements.