As more states enact their own privacy laws, members of the privacy community and those impacted by privacy legislation continue to push for uniformity. The American Data Privacy and Protection Act (ADPPA) addresses this growing concern by drafting a uniform national data privacy framework. On June 23, 2022, the House Committee on Energy and Commerce Consumer Protection and Commerce Subcommittee (Consumer Protection Subcommittee) reported the ADPPA favorably, as amended, to the full committee. Given the reach of this legislation and since some key issues remain in flux, it is worth monitoring the Committee’s upcoming markup.
Background: The ADPPA
The ADPPA is the first bipartisan, bicameral comprehensive privacy and data security proposal with support from both House and Senate committee leaders. The bill’s primary purpose is to provide consumers with foundational data privacy rights, create oversight mechanisms, and establish meaningful enforcement. In a press release offered by the ADPPA’s sponsors, they stated that the effort has been “years in the making,” representing “a critical milestone.”
At the Consumer Protection Subcommittee markup, Chairman Frank Pallone opened the session by addressing privacy rights as civil rights and underlined the growing importance of privacy and privacy protections in the world today. He focused on the importance of protecting children and teens, protecting vulnerable women in abusive relationships by giving them control over their personal information and limiting the data available for their aggressors to exploit, and avoiding discrimination against people of color.
During the markup, Members of Congress on both sides of the aisle discussed important issues such as algorithm impact assessments, preemption of state laws, the private right of action, and the right to cure. Specifically, Committee members focused on including political viewpoint protection considerations in algorithm impact assessments. Additionally, as the ADPPA moves to full committee, discussions about the bill’s insufficient preemption of state laws, right to cure, and the possible negative implications of the private right of action are likely to be front and center.
Some of the ADPPA’s highlights include:
Data protections for children and minors. The bill establishes a Federal Trade Commission (FTC) Youth Privacy and Marketing Division responsible for the privacy of children and minors and marketing directed at children and minors (under age 17). The ADPPA also expressly prohibits targeted advertising to children and minors.
Data broker registry. The bill requires the FTC to establish a searchable, publicly available, central registry of data brokers (referred to as “third-party collecting entities”), which are covered entities whose principal source of revenue is derived from processing covered data, not directly collected from individuals. The proposed registry would provide consumers with the ability to add their names to a “Do Not Collect” list that is shared with all data brokers.
Annual algorithmic impact assessments. The bill requires large data holders that use an algorithm to collect, process, or transfer covered data to submit annual algorithmic impact assessments to the FTC. Algorithmic impact assessments should include a detailed description of steps taken to mitigate potential harm to individuals. During the markup, the Committee approved an amendment to require large data holders to conduct algorithmic impact assessments within two years of passage. The amendment also revised the text to require that assessments must feature a statement of purpose, a detailed description of data used by the algorithm, and an assessment of the necessity and proportionality of the algorithm.
Chief privacy officer requirement. The bill requires all non-exempt entities to appoint a chief privacy officer. In addition to appointing a chief privacy officer, large data holders are subject to annual executive certifications and biennial audits.
State law preemption: The bill preempts a number of state privacy laws, such as the California Privacy Protection Act (CCPA), but excludes well-known statutes such as the Biometrics Information Privacy Act in Illinois. Additionally, the bill does not infringe upon the CCPA’s private right of action provision, general consumer protection laws, civil rights laws, employee and student privacy protections, data breach notification laws, and laws on cyberstalking and cyberbullying.
Sensitive data: The ADPPA now defines “sensitive data” as all precise geolocation information, not just precise geolocation information that reveals the past or present actual physical location of an individual or device. Additionally, the Subcommittee amended the bill to remove references to racial and ethnic information.
Service providers are no longer covered entities: A covered entity is any entity or person that collects, processes, or transfers covered data and is (1) subject to the FTC; (2) a common carrier subject to title II of the Communications Act; or (3) a non-profit. The Subcommittee revised the text to ensure that service providers are not considered covered entities.
Exceptions to Data subject rights: The Subcommittee also added two additional exceptions to data subject requests. In addition to refusing a request due to verification or contractual issues, the ADPPA now allows a covered entity to block an individual’s request if the covered entity determines that the action would require access to or correction of another individual’s sensitive data or if the covered entity reasonably believes that the exercise of the right would require the covered entity to commit an FTC violation.
What’s Next/Primary Takeaway
This legislation will continue to attract significant attention from affected stakeholders, and if the full Energy and Commerce Committee approves the measure in the coming weeks, it is safe to say that it could receive consideration by the full House. We note that the U.S. Chamber of Commerce and the tech industry are very active in their advocacy, and there have been some mentions of concerns regarding public health and access to data, including access to abortion-related information after the recent Dobbs decision. Despite the support of House Energy and Commerce Committee Chairman Frank Pallone (D-NJ), Ranking Member Cathy McMorris Rodgers (R-WA), and Senate Committee on Commerce, Science, and Transportation Ranking Member Roger Wicker (R-MS), the path forward for the ADPPA remains in limbo. The “4th Corner,” Senate Commerce, Science, and Transportation Committee Chairwoman Maria Cantwell (D-WA), has expressed opposition to the bill as currently drafted and may also hold a markup of her own privacy bill later this summer. For further information, please review the ADPPA here.