Clifford Chance

On June 3, 2022, a coalition of lawmakers from the United States House and Senate released a discussion draft of the American Data Privacy and Protection Act ("ADDPA). The 64-page bill represents a crucial bipartisan and bicameral compromise¹ to give Americans unprecedented rights over their data. The legislation, if passed in its current form, would create a comprehensive nationwide data privacy framework that addresses issues including data access and deletion rights, privacy by design and data minimization requirements, civil rights protections against discriminatory data processing, opt-out and strict consent mechanisms, and restrictions on third-party data collection. The draft bill also includes a private right of action and some state law preemption, two significant areas of focus for advocacy groups and lawmakers. If enacted, the law would create a dedicated privacy bureau within the Federal Trade Commission (FTC), with most of the provisions becoming enforceable within 180 days of passage.

Why is this draft unique?

• Currently, the United States has no comprehensive federal privacy law. Although many federal bills have been previously introduced, none of them have received bicameral and bipartisan support until now.
• The ADPPA draft also represents an important departure from the basic "notice and consent" approach to privacy, the long-standing US framework that many privacy experts have considered deficient in light of increasingly robust laws around the world.

Who is covered under the bill?

• The ADPPA draft defines "covered entity" to include every entity subject to the jurisdiction of the FTC that collects, processes, or transfers covered data, including nonprofits (which have typically been exempted from most data privacy laws).
• The legislation would not apply to government entities, and it provides some carve-outs for small businesses.

What types of data are covered?

•  "Covered data" is broadly defined as "information that identifies or is linked or reasonably linkable to an individual or device that identifies or is linked or reasonably linkable to one or more individuals." This definition includes browser history, device IDs, and IP addresses in some circumstances.
• The ADPPA draft specifically excludes employee data.²

What are some of the key provisions under the bill?

• Grants individuals the right to access, correct, delete, and control their data.
  
  • Access: users can request to view their data in a human-readable format, along with who has access to it and the purposes for which it was transferred to third parties.
  • Correct: users can correct inaccurate or incomplete information.
  • Delete: covered entities must comply with requests to delete users' data or inform third parties to delete the data.
  • Control: data must be provided to users in portable, readable formats, with no licensing restrictions limiting transfers.
• Includes a sweeping data minimization requirement that prohibits companies from collecting or using more data than is reasonably necessary, proportionate, and limited to accomplish specified purposes.
• Includes a "privacy by design" principle that requires entities to implement reasonable policies, practices, and procedures regarding their collection, processing, and transfer of covered data.
• Prohibits covered entities from changing pricing based on whether a data subject agrees to waive privacy rights.
• Requires all entities to have a privacy policy and prescribes requirements on the content of the policy and how to notify individuals regarding policy changes.³
• Provides strong civil rights protections forbidding entities from collecting, processing, or transferring data in a manner that discriminates based on race, color, religion, national origin, gender, sexual orientation, or disability.⁴
• Requires entities to implement and maintain data security procedures.⁵
• Mandates all covered entities to have a privacy officer and data security officer.⁶
• Requires affirmative express consent for most collection or processing of sensitive data. Affirmative express consent requires companies to specify the data and purpose for which the consent is being sought, as opposed to a general consent request or simply directing users to pre-existing privacy policies. Sensitive data includes health conditions, individual characteristics, geolocation, and web browsing history.
• Includes a private right of action subject to certain limitations (including providing notice to the FTC and state enforcers, and the opportunity to cure in certain circumstances).
• Provides individuals with the right to opt out of third-party data transfers and targeted advertising.
• Includes additional requirements and prohibitions relating to children and minors' data.

How would this law affect pre-existing privacy laws?

• State Preemption
  • The ADPPA would preempt most comprehensive state data privacy laws to the extent they regulate the same issues. If state laws regulate additional issues or cover additional entities, those would not necessarily be preempted.
  • The bill includes a list of state laws that will be preserved, including facial recognition laws, Illinois's Biometric Information Privacy Act, the California Consumer Privacy Act's private right of action, civil rights laws, employee and student privacy protections, data breach notification laws, contract and tort laws, and others.
• Pre-existing Federal Laws
  • A covered entity that is required to comply with data privacy requirements in certain existing federal laws (such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Fair Credit Reporting Act) and is in compliance with those requirements will be deemed to be in compliance with some related provisions in the Act.

What's next?

• On  Tuesday, June 14, 2020, the House Subcommittee on Consumer Protection and Commerce held a hearing on the future of the ADPPA, at which lawmakers from both parties agreed to move forward with the draft bill.
• Once the subcommittee is satisfied with the discussion draft, it would move on to a vote by the full Commerce Committee. However, the window of opportunity is closing as the midterm elections approach.
• Senate Commerce Committee Chair Senator Maria Cantwell did not join the ADPPA draft, with press reports indicating she will promote her own competing draft bill with, among other things, a stronger private right of action. Cantwell's support is likely needed to pass any comprehensive privacy legislation, so further negotiations will be necessary.

How is the law different from the GDPR?

• The ADPPA has significant alignment with the GDPR, including requiring data minimization and privacy by design principles and granting individuals rights associated with their personal data. However, there are key differences in approach, including more prescriptive requirements (e.g., regarding the content of privacy policies, and restrictions with respect to sensitive data processing). 
• The United States' well-developed class action mechanism means any private right of action that accompanies a federal privacy law (like the one found in the ADPPA draft) will likely spur a wave of private enforcement efforts. 

Notes/References 

1. Meaning it has support in both major political parties and both legislative bodies.

2. Employee data is covered in some states, including in part in the California Privacy Rights Act . While much of the CPRA would be preempted by the ADPPA, its regulations regarding employee data would still be enforceable.

3. Large data holders are also required to have clear and conspicuous short form policies in addition to their standard privacy policies.

4. Data holders that use algorithms must assess them annually and submit impact assessments to combat discrimination in online marketplaces.

5. In determining what procedures are reasonable, the FTC will consider the entity's size, complexity, types and amount of data the entity engages with, the current state of the art, and costs.

6.Large data holders are also required to conduct privacy impact assessments weighing the benefits of data practices against potential consequences to individual privacy on a biennial basis.