Keypoint: The House Committee on Energy & Commerce reported out the American Data Privacy and Protection Act by a vote of 53-2, referring the bill to the full House.
On July 20, 2022, the House Committee on Energy & Commerce reported out an amended version of the American Data Privacy and Protection Act (ADPPA) (H.R. 8152) after holding a markup. The bill passed by a vote of 53-2 and is now eligible for a full House floor vote. Lawmakers previously voted the bill out of a House subcommittee on June 23, 2022.
In the below article, we provide a brief overview of the amendments to the ADPPA as well as a discussion of recent objections raised by various entities and individuals.
Prior to the markup, on July 19, 2022, the committee published an amended version of the bill – called an Amendment in the Nature of a Substitute or AINS. The AINS made a number of significant changes. The Washington Post’s Cristiano Lima provided a three-page summary of the most significant changes, including:
- The California Privacy Protection Agency was expressly included as a State Privacy Authority that has the power to enforce the ADPPA in California. This change was made to try to assuage criticisms levied by the CPPA earlier this month that it would not have authority to enforce the ADPPA.
- The private right of action grace period was shortened from 4 years to 2. Qualifying businesses could now be sued 2 years after the bill’s effective date, not 4 years. In addition, a small business exemption to the private right of action was added. Businesses with annual revenue of less than $25 million, that engage with the covered data of less than 50,000 individuals, and that earn less than half of their revenue from transferring covered data would no longer be subject to the private right of action.
- The definition of “employee data”, which is exempt from the bill’s provisions, was expanded to include “information processed by an employer relating to an employee who is acting in a professional capacity for the employer, provided that such information is collected, processed, or transferred solely for purposes related to such employee’s professional activities on behalf of the employer.” The amendment significantly expands the employee data carveout.
- The definition of sensitive covered data was expanded to include race, color, ethnicity, religion, union membership, and internet browsing history overtime and across third party websites or online services.
- A new tiered knowledge approach was created for targeted advertising to children.
In addition to the AINS, committee members offered numerous amendments, the vast majority of which were bi-partisan and passed on voice votes. However, an amendment offered by Representative Anna Eshoo (D-California) did not pass. That amendment would have modified the bill’s preemption provision to allow states to create stricter laws. The other partisan amendments were withdrawn by their sponsors.
On a final vote, the committee approved the bill by a vote of 53-2. According to the Congressional Research Service’s explanatory memorandum and comments made at the markup, the bill is now eligible for a floor vote. That said, the House will start its August recess at 3:00 pm on July 29, 2022.
Despite the bill’s continued progress in the House, there are still headwinds. There still is no indication from Senate Commerce Committee Chair Maria Cantwell that she will support it. As we previously reported, Senator Cantwell – whose support is crucial to the bill passing the Senate – has been unwilling to support the bill to date.
Further, according to Bloomberg, on July 1, 2022, the California Privacy Protection Agency’s Deputy Director of Policy and Legislation, Maureen Mahoney, sent a memo to lawmakers arguing that the “ADPPA’s preemption approach would hurt Californians.” Also, on July 19, 2022, ten state Attorneys General sent a letter to congressional leaders asking that “Congress . . . adopt legislation that sets a federal floor, not a ceiling, for critical privacy rights and respects the important work already undertaken by states to provide strong privacy protections for our residents.” The ADPPA preempts many state privacy laws, including the new laws in Colorado, Connecticut, Virginia and Utah and almost all provisions of the law in California.
Finally, while the bill passed out of committee, a handful of committee members expressed concerns during their remarks. In particular, California Democratic Representatives Anna Eshoo, Doris Matsui, and Raul Ruiz took issue with the ADPPA’s current preemption provisions in light of the existing privacy rights provided to Californians. Other members stated that they were voting in support of the bill to enable the bill to move forward but that the bill would not have their support on a floor vote without further modifications.