Is the U.S. Finally Getting a Comprehensive Cybersecurity and Data Protection Law?: What You Need to Know About the Proposed American Data Privacy and Protection Act
July 20, 2022
At the beginning of the 2000s, as a result of advances in technology, the Federal Trade Commission (“FTC”) looked to Congress to pass legislation that would ensure protection of citizens' privacy rights. However, Congress thus far has been unable to pass comprehensive privacy protection legislation, leaving it instead to the states to pass their own such legislation in a piecemeal fashion. By contrast, in 2018, the European Union passed the General Data Protection Regulation (“GDPR”), which applies comprehensively throughout the EU and takes a firm stance on data privacy and security, imposing obligations on businesses and organizations that collect consumer data and levying large fines for violations of the regulation.
In June 2022, Representatives Frank Pallone (D-NJ), Cathy McMorris Rodgers (R-WA), and Senator Roger Wicker (R-MS) introduced the American Data Privacy and Protection Act (“ADPPA”). If passed, the ADPPA would be the nation’s first comprehensive consumer data privacy and security framework. The bill is largely modeled after the GDPR, with a few key differences, and incorporates provisions from previously failed privacy legislation. The ADPPA covers a broad range of substantive areas, including child privacy, data breach/security, health care, and internet/mobile app privacy.
The ADPPA includes portions of previous failed data security bills, including the Application Privacy, Protection and Security Act of 2020 (“APPS”), H.R. 6677, and the Digital Accountability and Transparency to Advance Privacy Act (“DATA”), H.R. 8749. APPS was introduced on May 1, 2020 with the goal of achieving “greater transparency in and user control over the treatment of data collected by mobile applications and enhance the security of such data.” APPS dealt specifically with mobile application collection of personal data and was narrowly focused on the user’s ability to withdraw consent. APPS also did not contain a private right of action for individuals. DATA was introduced on November 12, 2020 with the goal of achieving greater digital accountability and transparency. DATA required covered businesses to provide consumers with accessible notice of the businesses’ privacy practices and, if needed, to appoint a privacy officer to oversee compliance with the bill. The entities covered under DATA were defined extremely narrowly, and DATA did not cover data related to employment or publicly available government records. Both of these bills were ultimately unsuccessful because they did not provide a private right of action for individuals who have been injured as a result of a violation of either bill. In sum, these previous partisan bills included many of the same substantive provisions that are now contained within the ADPPA. However, these prior bills had discernible differences or were silent on two key issues: enforcement authority and creation of a private right of action. The ADPPA rectifies both of these issues by addressing these two major criticisms of APPS and DATA.
The ADPPA restricts covered entities from "collect[ing], process[ing], or transfer[ring] data beyond what is reasonably necessary" to provide a specific service or to maintain communication between the covered entity and the consumer. A “covered entity” is defined as “any entity or person that collects, processes, or transfers covered data” and is subject to the Federal Trade Commission Act; is a common carrier subject to Title II of the Communications Act of 1934; or is an organization not organized to carry on business for its own profit; and includes any entity or person that controls, is controlled by, is under common control with, or shares common branding with another entity. Under the ADPPA, “covered data” is “information that identifies, is linked, or is reasonably linkable to an individual or a device that is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers.” Although the ADPPA adopts a broad definition of “covered data,” it does not include employee data or publicly available information.
Title I of the ADPPA details the Duty of Loyalty, which acts as a “baseline duty on all covered entities not to unnecessarily collect or use covered data in the first instance, regardless of any consent or transparency requirements.” This section includes duties such as obtaining affirmative consent by way of an “opt-in” option when collecting sensitive data, and it takes into account privacy risks associated with individuals under the legal age of consent. Although this section imposes a duty on covered entities to act in a reasonable manner when collecting a consumer’s data, the ADPPA falls short because it lacks guidance on what constitutes reasonable data collection, and this ambiguity is likely to cause confusion if the ADPPA is passed as currently drafted. Critics also take issue with what has not been included in the ADPPA. Unlike APPS and DATA, the ADPPA does not include a general prohibition on engaging in “harmful data practice[s]” likely to cause harm to the consumer. This is highlighted by the fact that while the ADPPA includes requirements on how to handle consumer data, it does not explicitly obligate businesses to act in the best interest of the consumer.
Moreover, the ADPPA prohibits targeted advertising to children and minors if the covered entity has actual knowledge that the individual is under the age of 17. The ADPPA also prohibits the transfer of covered data of minors to a third party without the affirmative express consent of the individual’s parent or guardian if the covered entity has actual knowledge that the individual is between 13 and 17 years of age. The ADPPA places a knowledge requirement on this section, which is ambiguous and could lead to unequal enforcement because what constitutes “actual knowledge” is not clear from the plain language of the bill.
Title III of the ADPPA addresses corporate accountability. The ADPPA imposes additional obligations on “large data holders.” A large data holder is a covered entity that, in the most recent calendar year, had annual gross revenues of $250,000,000 or more and collected, processed, or transferred (i) the covered data of more than 5,000,000 individuals or devices, or (ii) the sensitive covered data of more than 100,000 individuals or devices. These additional obligations include providing short-form notice of the covered entity's covered data practices, designating a privacy protection officer, and conducting biennial privacy impact assessments. It further requires that company CEOs and company privacy protection officers maintain reasonable internal controls and reporting structures for compliance with the ADPPA. In addition, this section sets forth the responsibilities of service providers and third parties, requiring covered entities to conduct reasonable due diligence in selecting service providers and transferring data to third parties. Service providers are only permitted to collect or process covered data for the purposes directed by the covered entity from which they received the data, and may not transfer such data to another entity without affirmative express consent. Third parties are only permitted to process covered data consistent with the expectations of a reasonable individual. This provision thus requires covered entities to conduct due diligence, in compliance with the ADPPA, whenever they transfer consumer data to service providers and third parties. To assist compliance by covered entities, the ADPPA mandates that the FTC issue guidance to clarify a covered entity’s obligations under this title.
Title IV of the ADPPA discusses enforcement, preemption, and the effective date. The enforcement provisions grant enforcement authority to the FTC, state attorneys general, and individuals. Pursuant to the ADPPA, the FTC shall establish a new bureau related to consumer protection and competition in order to oversee enforcement of the provisions of the ADPPA and the corresponding regulations. This new bureau is to be fully staffed and operational within one year after the date of enactment. A violation of the provisions of the ADPPA and corresponding regulations will constitute a violation of Section V of the FTC Act. The ADPPA thereby codifies the FTC's current practice of bringing actions under Section V of the FTC Act if an organization fails to adhere to its published privacy notice. Additionally, state attorneys general have authority to enforce the provisions of the ADPPA by either bringing a civil action in the name of the state, or as parens patriae on behalf of the residents of the state. These actions must be brought in the appropriate federal court to enjoin the act or practice; enforce compliance with the Act or the regulation; obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the state; or obtain reasonable attorneys’ fees and other litigation costs reasonably incurred. The ADPPA addresses a deficiency in both DATA and APPS by providing for a newly established bureau tasked with consumer protection in order to oversee alleged violations and ensure compliance with the ADPPA.
Although some states have comprehensive legislation in place to protect consumer data and privacy rights, if passed, the ADPPA will preempt existing state legislation. However, there are some exceptions to the preemption provision of the ADPPA, including state consumer protection laws of general applicability, such as the California Consumer Privacy Act of 2018 (“CCPA”). Critics of the ADPPA highlight the fact that this section is ambiguous and may leave room for loopholes in the future. Specifically, the ADPPA will not preempt the CCPA; however, it will preempt the California Privacy Rights Act (“CPRA”). As the ADPPA currently reads, preempting the CPRA would eliminate some of the more privacy-protective provisions the CPRA has in place, including the right to access and opt out relating to automated decision-making and the inclusion of unique identifiers under covered data.
Title VII of the ADPPA also provides for a private cause of action in the section entitled “Enforcement by Persons”. This section authorizes “any person or class of persons who suffers an injury that could be addressed by [compensatory damages; injunctive relief; or reasonable attorneys’ fees]” to bring a civil action against a covered entity for alleged violations of the ADPPA. However, prior to bringing a private cause of action, the individual must first notify the FTC and the attorney general of the state where the person resides. The FTC and attorney general would then have 60 days to make a determination on whether they will independently seek to take action. The ADPPA further limits private causes of action by requiring individuals to provide written notice to the covered entity and then allow 45 days for the covered entity to cure. Only if the covered entity fails to cure the alleged violation within those 45 days may the private individual bring a private cause of action. However, the ability to bring a private cause of action is not available to individuals until four years after the ADPPA takes effect. Unlike APPS and DATA, the ADPPA addresses this deficiency by permitting individuals to seek recovery for alleged violations of the ADPPA, but before enactment this provision should be extensively reviewed and clarified.
The ADPPA is not without its critics. Many critics highlight the fact that the "Enforcement by Persons" provision does not create a private right of action until four years after the ADPPA takes effect, which may severely limit an individual’s recovery. Additionally, they criticize the fact that the private right of action requires individuals to provide notice of their intent to bring an action to both the FTC and the state Attorney General prior to commencing that action. This provision allows citizens to proceed under the ADPPA even if neither the FTC nor the applicable state’s Attorney General decides to pursue the alleged violation, which may result in frivolous litigation, as all of the claims with merit will be taken up by the above-referenced entities, leaving the meritless claims behind to be commenced by the private citizen. Another criticism of the ADPPA is that if an individual seeks monetary payment for a violation under the ADPPA either prior to providing notice to the FTC or the applicable state Attorney General, or after either of the aforementioned governmental entities has made a determination to independently seek civil action, then the demand will be deemed to have been sent in bad faith. A determination of bad faith is deemed unlawful and may result in the individual being unable to bring their lawsuit and/or the potential imposition of a civil penalty.
Proponents of the ADPPA suggest that the ambiguity is a result of compromise between both political sides. As of right now, the ADPPA is only a bill and still requires further examination and clarification of central concepts before being enacted. If passed, the ADPPA will become effective 180 days after the Act is enacted. The FTC must also issue guidance to help facilitate compliance with the ADPPA, which would help clarify some of the ambiguities that critics have noted in the draft language. Taking into consideration the pressure on Congress from the FTC to adopt a comprehensive federal data privacy framework, the ADPPA has a greater chance of passing and being signed into law by President Biden because it now addresses the deficiencies that doomed previous comprehensive data privacy bills. Spilman's Cybersecurity and Data Protection Practice Group will continue to monitor the progress of the ADPPA.
If you have any questions about the ADPPA, or about cybersecurity and data privacy, please contact Spilman’s Cybersecurity and Data Protection Practice Group for assistance.