The US is one of the few industrialized countries in the world that lacks a single national privacy law. Instead, there is a patchwork of federal laws that regulate data privacy. These federal laws, however, relate to different types of data and have limited applicability, depending on the type of entity that collects the data. Though several states have implemented comprehensive state privacy laws, the personal data of consumers continues to be collected and used with little to no restriction in the majority of states.
A federal privacy law covering the use of consumer data has been several years in the making. However, so far all efforts to establish a comprehensive federal consumer privacy framework have proved futile for lack of the necessary support. Therefore, the American Data Privacy and Protection Act (“ADPPA”), which enjoys support from both chambers of Congress and both political parties, is a long-awaited piece of federal legislation that, if passed, would be the first comprehensive privacy law to cover the entire country.
The ADPPA would apply to “covered entities”, that is, entities or persons who – alone or jointly with others – collect, process or transfer covered data and who are subject to the Federal Trade Commission (FTC) Act, are common carriers within the meaning of the Communications Act of 1934 (i.e. companies providing public telecommunications facilities), or are non-profit organizations. Similar to the GDPR “household exception”, the ADPPA explicitly exempts individuals acting in a non-commercial context. The notion of “covered entity” would also encompass entities that “control or are controlled by or are under common control with another covered entity”, which appears to suggest that – unlike the GDPR – the ADPPA does away with the distinction between the various entities within the same capital group, treating the group as a whole.
Since entities such as banks, insurance companies, transportation and air carriers fall outside the purview of the FTC Act, the ADPPA would not apply to them. As a consequence, the new law would paradoxically apply to charities and churches but not to large corporations such as banks or airlines. It would not apply to federal, state, or other local government entities either.
The ADPPA provides for a separate classification for large data holders (“LDHs”), that is, entities with gross annual revenue in the most recent calendar year of $250 million or more, which collect, process, or transfer covered data of more than 5 million individuals or devices, or sensitive covered data of 200,000 or more individuals or devices. The ADPPA imposes additional requirements on LDHs. For example, they would be obliged to provide individuals with a short-form notice of their covered data practices, and to maintain copies of all of their previous privacy policies for at least 10 years and publish them on their websites (an obligation that would not apply to small and medium businesses).
SMBs are entities whose annual gross revenue was below $41 million for each of the prior three years AND who process the data of no more than 200,000 individuals AND who do not derive more than 50% of their revenues from transferring covered data (during any year). SMBs would still be regulated by the ADPPA but would be exempt from some substantive obligations under the so-called “small data exception”. For example, they could respond to a consumer’s request to correct their data by deleting the data rather than correcting it. Moreover, they would not have to appoint a privacy and data security officer and would be exempt from most of the data security and data portability requirements. Individuals who want to bring a suit against an SMB for damages would be required to give the violator an opportunity to cure the violation first.
The ADPPA would also apply to service providers. These – much like data processors under the GDPR – are entities that collect, process or transfer data on behalf of, and at the direction of, a covered entity.
Additionally, the ADPPA would impose specific obligations on third-party collecting entities, that is, entities whose main source of revenue comes from processing or transferring data that they have not collected directly from consumers (e.g. data brokers). Third-party collecting entities who collect data of more than 5,000 individuals or devices would have to comply with FTC auditing regulations and register with the FTC. The concept of a third-party collecting entity is somewhat comparable to a GDPR controller who receives personal data from another controller through data sharing.
The ADPPA would apply to information that “identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual” (the so-called “covered data”). Like the term “data subject” under the GDPR, the term “individual” under the ADPPA encompasses natural persons to whom the covered data relates and who reside in the US (individuals residing in the EU would not enjoy the protection of the ADPPA!).
The ADPPA does not apply to the same scope of personal data as the GDPR. The law would NOT apply to: (a) de-identified data, (b) employee data, (c) information that is publicly available (except where it contains obscene visual depictions, intimate nonconsensual images, biometric or genetic information, or is combined with covered data), or (d) any inferences made from such publicly available information. Covered data may also include unique identifiers such as IP addresses, cookies, beacons, pixel tags, mobile ad identifiers, customer numbers, unique pseudonyms, user aliases, telephone numbers, device identifiers, etc.
Similarly to the GDPR, the ADPPA awards additional protection to sensitive information. The so-called “sensitive covered data” includes not only traditionally sensitive material such as health, biometric, genetic data, racial and sexual behavior information (not sexual orientation though!), but also government-issued identifiers (i.e. social security numbers, driver’s license number, passport number), precise geolocation data, financial information, log-in credentials, address book and calendar information. It also includes more unconventional categories such as television viewing data, intimate images, and “information identifying an individual’s online activities over time or across third-party websites or online services”. A covered entity would be required to obtain an individual’s affirmative express consent prior to the collection, processing, or transfer of the individual’s sensitive covered data.
Covered data of children (minors under the age of 17) is deemed sensitive when the covered entity knows the individual is under the age of 17. Targeted advertising is prohibited with respect to such minors, and data transfers to third parties require the covered minor’s or parental consent.
The ADPPA establishes a duty of loyalty, which boils down to the duty to abide by general data processing principles similar to the key data processing principles set forth in the GDPR. In particular, covered entities would be required to abide by the data minimization principle and the principles of necessity and proportionality, and would have to demonstrate compliance with these principles. Covered entities would also have to adopt a privacy-by-design approach, meaning that they would have to implement and maintain reasonable policies, practices and procedures for the collection, processing and transfer of covered data, reasonable in light of the size and nature of the given covered entity and the covered data.
Pursuant to the ADPPA, collecting, processing or transferring covered data shall be prohibited unless reasonably necessary and proportionate to provide or maintain a specific product or service requested by the individual or to achieve one of the 17 permitted purposes set forth in Section 101(2)(b) of the bill. Unlike the GDPR, the ADPPA does not recognize the concept of legitimate interest, which would allow covered entities a certain degree of flexibility. Instead, it exhaustively lists all of the interests that covered entities may have and identifies them as “permissible”. These include, for example: the necessity to initiate, manage or complete a transaction, or to fulfil an order for a product or service requested by the individual; to fulfil a product or service warranty; to comply with a legal obligation; to provide advertising and marketing (except where the recipient of such advertising is a covered minor!); or to prevent, detect, or respond to a security incident or fraud.
Covered entities and service providers are required to provide individuals with a privacy policy that discloses the processing activities to the individual in an understandable manner. The required information largely corresponds to that which is required of controllers under the GDPR (i.e. contact information, the categories of data they collect, the purpose for which they use that data, the intended retention period, a prominent description of how individuals can exercise the rights awarded to them by the act, and an indication of the third parties to which the covered entity intends to transfer the data). Covered entities are also required to specify whether they transfer covered data to the People’s Republic of China, Russia, Iran, or North Korea. Any material changes to the said policies or practices would have to be notified to the individuals affected, and the individuals would have to have a reasonable opportunity to withdraw their consent to any further, materially different processing.
The ADPPA awards consumers various rights over covered data, which are similar to those awarded to data subjects under the GDPR. These include: the right to access data, the right to correct data, the right to delete data and, finally, the right to export covered data either to the individual or directly to another entity. As a general rule, covered entities shall respond to consumer rights requests within 60 days of their receipt (30 days in the case of LDHs and 90 days in the case of SMBs).
The ADPPA does not provide for consent as a ground for processing. Instead, consent is required only in some cases. For example, affirmative express consent shall be required for transfers of sensitive covered data to third parties. In fact, all sensitive covered data is subject to “opt-in” consent by individuals: a covered entity may not collect, process or transfer sensitive covered data without first obtaining the individual’s “affirmative, express consent”. Moreover, individuals should be provided with a clear and conspicuous, easy-to-execute means to withdraw previously given consent that is as easy to execute as the means to provide it. By contrast, regular (non-sensitive) covered data would be subject to “opt-out” rights.
The ADPPA would require covered entities and service providers to designate one or more qualified employees as privacy and data security officers, who would be responsible for developing and implementing a data privacy and data security program and for ensuring ongoing compliance with the ADPPA. Unlike the GDPR, the bill does not set any thresholds (e.g. number of employees) that would trigger the obligation to appoint a privacy and data security officer. Instead, it establishes a general obligation for all covered entities (though, as already discussed, SMBs are exempt from this duty).
The ADPPA contains a prohibition on conditional service or pricing: covered entities are not allowed to deny a service or product to an individual, change its price, or effectively condition it on the individual waiving any privacy rights guaranteed under the act.
Unlike the GDPR, the ADPPA does not provide for a general data protection impact assessment requirement that would apply to all types of covered entities. In fact, only LDHs are required to assess the privacy impact of their data processing in general, as well as to conduct an impact assessment of the algorithms they use for processing covered data. These algorithm impact assessments would need to describe the algorithm’s design process, the purpose of its use, the foreseeable uses, the data inputs and the outputs that the algorithm generates. The assessments would also have to indicate the steps that the covered entity has taken to mitigate any potential harm resulting from the use of the algorithm. The assessments would have to be submitted to the FTC and made available to Congress upon request.
The ADPPA would be enforced by the FTC under its existing enforcement authorities, with any ADPPA violation being treated as an unfair or deceptive act or practice. State attorneys general (SAGs) and State Privacy Authorities, who have the power to bring civil suits over privacy violations affecting residents of their respective states, could also enforce the ADPPA. However, where the FTC institutes an action against a covered entity, SAGs could not bring their own civil action against the same entity during the pendency of the FTC’s action. Under the most recent draft of the bill, the California Privacy Protection Agency would explicitly be granted the power to enforce the ADPPA in California, in the same manner as it would otherwise enforce the California Consumer Privacy Act.
The bill also introduces a private right of action (similar to claims under Article 82 of the GDPR) that would permit individuals to file a suit in a federal court to seek compensatory damages, injunctive or declaratory relief, and reasonable attorney’s fees and costs for ADPPA violations. Unlike Article 82 of the GDPR (which exists independently of enforcement by the authorities), the private right of action would be limited to cases where the FTC or the SAG decide not to pursue a civil action themselves (individuals would first have to notify them of their intent to sue). The private right of action has been delayed and will start 2 years after the law’s enactment.
If passed, the ADPPA would generally pre-empt any current or soon-to-be-enacted state privacy laws, including the new laws in Colorado, Connecticut, Virginia and Utah and almost all provisions of the law in California.
Unlike the GDPR, the ADPPA provides for no statutory damages. Failure to comply with the ADPPA would be treated in the same manner as other compliance failures described in the Federal Trade Commission Act (as unfair or deceptive acts or practices) and would be subject to the same penalties as described in the FTC Act. The maximum fine, adjusted for inflation in 2022, is USD 46,517.
Though exceptionally strong (coming from both the Republicans and the Democrats, the FTC, and many human rights organizations), the support for the bill is not unanimous. The major bone of contention has been the provision pre-empting state laws. There has been serious backlash from states that have already adopted comprehensive privacy laws (most notably California), which accuse the federal bill of awarding fewer privacy protections than those already existing under their state laws. Moreover, critics of the bill argue that Congress is not as capable as state legislatures of keeping its laws updated and will fail to continuously adapt the federal law to rapidly changing technologies and new threats to privacy.
The bill will continue to be negotiated. If passed by the full House of Representatives, the ADPPA would still require approval from the Senate. If granted, the law in its current version would take effect 180 days after its enactment. Update: On September 1, Speaker Nancy Pelosi issued a statement comparing the ADPPA unfavorably to California data privacy laws, outlining concerns that it may not meet the standards for consumer protection set by California privacy laws. Speaker Pelosi pledged to work with her House counterparts to address Californians’ concerns about the federal bill.