U.S. comprehensive federal privacy legislation takes major step forward

On June 3, a bipartisan trio of congressional committee leaders released a discussion draft of the American Data Privacy and Protection Act (“ADPPA”), a major step towards implementing a comprehensive national data privacy and data security framework in the United States. 

Attempted compromises over private right of action and federal preemption

The fact that any sort of bipartisan privacy deal has emerged is significant, given that most previous efforts in Washington, D.C. have been party-line efforts that failed to bridge the partisan gap on two persistent and fundamental disagreements between Democrats and Republicans.  The first stumbling block has been the issue of remedies and enforcement, namely whether consumers would be empowered to bring private lawsuits against companies for alleged non-compliance.  The second stumbling block has been the issue of federal preemption, namely whether a federal law would preempt state privacy laws, such as the raft of new state privacy laws in California, Colorado, Connecticut, Utah, and Virginia. The ADPPA’s drafters have attempted to strike a compromise position on both issues, though it remains to be seen if these compromises will appease enough legislators in both parties.

Remedies and enforcement are covered in Section 403 of the discussion draft.  The ADPPA phases in a limited private right of action beginning four years after the law takes effect.  After the four-year ramp-up period, any person (or class of persons) who suffers an injury for a violation of the law can bring a civil suit to recover compensatory damages, injunctive relief, and reasonable attorneys’ fees and litigation costs, subject to an important restriction.  The private right of action would be limited by a requirement that the complainant give at least 60 days’ notice to the FTC and the applicable state Attorney General before filing a lawsuit demanding a monetary settlement; if either regulator decides to independently seek civil actions against the defendant entity, the complainant will be barred from filing suit or demanding a monetary settlement. Also of note, unlike certain other consumer protection and privacy laws (e.g., the Telephone Consumer Protection Act and CCPA), there is not a fixed minimum statutory penalty under the ADPPA, meaning that plaintiffs may need to demonstrate their actual damages in order to receive compensatory damages. 

Federal preemption is covered in Section 404(b) of the discussion draft.  The ADPPA sets a baseline rule that it will preempt any similar state laws, with several enumerated exceptions.  For instance, the ADPPA would not preempt the Illinois Biometric Information Privacy Act (“BIPA”), laws that solely address facial recognition or wiretapping, laws that address notification requirements in the event of a data breach, laws that address unsolicited email messages and telephone solicitations, state consumer protection statutes, and the limited private right of action for certain security breach damages under the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”).  However, comprehensive state privacy laws including the bulk of the CCPA and CPRA, and upcoming laws in Colorado, Connecticut, Virginia, and Utah, would be preempted by the ADPPA. 

Other ADPPA provisions of note

It is premature to analyze the full statute in-depth since the discussion draft – if ultimately passed – would almost certainly be amended by the House and Senate and then subjected to a House-Senate negotiation and reconciliation process.  Any such legislative compromise would likely also leave ample room for substantial FTC rulemaking.  However, certain provisions and themes are worth noting in this preliminary analysis.  For instance:

  • Comparison to other privacy laws – The CCPA and CPRA represent one model for comprehensive privacy laws.  State laws in Colorado, Connecticut, Virginia, and Utah represent another model for comprehensive privacy laws.  And of course the EU’s General Data Protection Regulation (“GDPR”) is another model for how comprehensive privacy laws can be drafted. The ADPPA is distinct and does not fit cleanly into any of those existing models, though certain fundamental rights and protections are common across the various frameworks. 
  • Definition of “covered data” – The ADPPA defines “covered data” as information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers.  Covered data excludes de-identified data, employee (and job applicant and B2B) data, and publicly available information.
  • Duty of loyalty – The ADPPA would create a new “duty of loyalty” for covered entities, which in certain respects goes beyond other current and pending comprehensive privacy laws.  It is not expressly clear how extensive the duty of loyalty is, beyond certain specific loyalty obligations (described below).  Some other partisan privacy proposals treat the duty of loyalty more like an overarching principle intended to prevent covered entities from acting deceptively or harming individuals. 
  • Data minimization – Among the duty of loyalty requirements, covered entities must limit what they collect, process and transfer to that which is “reasonably necessary, proportionate and limited to” the information they need to provide or maintain specific products or services requested by individuals, or the information needed to provide communications to the individual reasonably anticipated within the context of the relationship. 
  • Restricted and prohibited data practices – Among the duty of loyalty requirements, the ADPPA would restrict and prohibit covered entities from engaging in eight specific data processing activities, including processing or transferring social security numbers except when necessary; transferring an individual’s precise geolocation information to a third party without affirmative express consent; processing or transferring biometric information without affirmative express consent (unless for the purpose of data security, authentication, legal compliance, or in relation to a legal claim); transferring a password other than to a designated password manager; processing or transferring non-consensual intimate images; processing or transferring genetic information without affirmative express consent (unless for medical purposes or for law enforcement); transferring an individual’s aggregated internet search or browsing history without affirmative express consent; and/or transferring an individual’s physical activity information from a smart phone or wearable device without affirmative express consent.
  • Privacy by design – Among the duty of loyalty requirements, covered entities must establish and implement policies and procedures regarding the collection, processing, and transfer of covered data, which consider: applicable laws; mitigation of privacy risks to children under 17 years of age; mitigation of privacy risks related to the products and services of the covered entity; and implementation of reasonable training within the covered entity. 
  • Privacy policy – The ADPPA would require covered entities to make publicly available a privacy policy that provides a detailed and accurate representation of the entity’s data collection, processing, and transfer activities.  The content requirements are generally aligned with state laws such as the California Online Privacy Protection Act (“CalOPPA”), the Delaware Online Privacy Protection Act (“DOPPA”), and other state privacy laws, including the CPRA’s requirement to include the length of time the covered entity intends to retain each category of covered information.  In a unique addition, the ADPPA would also require covered entities to affirmatively state whether they transfer any covered data to the People’s Republic of China, Russia, Iran, or North Korea.
  • Individual privacy rights – Subject to verification and authentication of the requester’s identity, the ADPPA would create new individual rights of access to, correction, deletion, and portability of covered data.  The access rights would give individuals the right to access the covered data collected by the covered entity; the name of any third party or service provider to whom the covered entity has transferred covered data, as well as the categories of sources from which the covered data was collected; and a description of the purpose for which the covered entity transferred the covered data to a third party or service provider.   
  • Opt-out rights for targeted advertising and transfers to third parties – Individuals have the right to opt-out of targeted advertising.  Individuals also have the right to opt-out of transfers of covered data to any entity that is not a service provider; this appears to be roughly equivalent to the state law right to opt-out of sales of personal information, albeit in a less direct manner. For children under 17, a covered entity is strictly prohibited from engaging in targeted advertising, and the third party data transfer opt-out right instead becomes an opt-in requirement for children between 13 and 17 years of age.  
  • Opt-in consent requirement for sensitive covered data – Covered entities cannot collect or process sensitive covered data, or transfer such data to a third party that is not a service provider, without first obtaining affirmative express consent.  Individuals must also have the right to withdraw such consent in an easy manner at any later time.  Sensitive covered data is defined to include a government-issued identifier (e.g., SSN, passport, or driver’s license); health conditions or healthcare treatment, financial account number (including debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account); biometric information; genetic information; precise geolocation; race, ethnicity, or national origin; religion; union membership; sexual orientation; and information about a child under 17. While most of the above identifiers are included in comparable existing definitions of sensitive data under some U.S. state laws and special categories of data under the GDPR, the ADPPA extends this definition to also include an individual’s private communications unless the covered entity is an intended recipient; account or device login credentials; information identifying an individual’s online activities over time or across third party websites or online services; calendar information; address book information; intimate photos or recordings; information revealing the extent of an individual’s access or viewing or use of televisions, streaming media, or cable services.
  • Data brokers – A third-party collecting entity is defined to be a covered entity whose principal source of revenue derives from transferring covered data that the entity did not collect in the first instance.  In other words, a data broker.  Such entities must register with the Federal Trade Commission (“FTC”) on an annual basis and honor a “Do Not Collect” signal that can be submitted through an FTC website. 
  • Data security – A covered entity must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect covered data.  While this requirement is generally flexible and context-specific based on the data processing activities and other factors, the ADPPA would include a few specific requirements.  First, covered entities must identify and assess vulnerabilities, including a plan to receive and respond to unsolicited reports of vulnerabilities.  Second, covered entities must take preventative and corrective action to mitigate any reasonably foreseeable risk or vulnerability to covered data.  Third, covered entities must evaluate and make reasonable adjustments to their safeguards in light of any material changes. Fourth, covered entities must have a retention and disposal plan that calls for the secure disposal of covered data when no longer needed for the purpose for which it was originally collected. Fifth, covered entities must train each employee with access to covered data.  And sixth, covered entities must designate an officer or employee(s) to maintain and implement the foregoing data security practices.
  • Unified opt-out mechanism – Within 18 months, the FTC would need to finalize a feasibility study on the creation of a unified opt-out mechanism that would allow individuals to exercise all privacy rights through a single, consistent interface.
  • Extra requirements for large data holders – The ADPPA would create heightened compliance obligations for a category of “large data holders” (i.e., those covered entities that have annual gross revenue over $250,000 and collected or processed covered data of more than 5 million individuals or the sensitive data of more than 100,000 individuals).  Each year, the CEO or highest-ranking executive officer, and each privacy officer, of a large data holder must certify to the FTC that the entity maintains reasonable internal controls to comply with the law and reporting structures to ensure that such certifying officers are involved in and responsible for decisions that impact the entity’s compliance. Large data holders must designate privacy officers and data security officers.  Large data holders must undertake impact assessments that weigh the benefits of the large data holder’s covered data collecting, processing, and transfer practices against the potential adverse consequences of such practices to individual privacy.
Take-aways for businesses

If enacted (and there is a long way to go before we reach that stage) the ADPPA would significantly shift the landscape of U.S. privacy law compliance, moving it away from a patchwork of somewhat-overlapping state privacy laws to a single federal law with a handful of state laws that will survive federal preemption.  The change in compliance approach would be significant and would require a thoughtful approach about how best to transition away from current privacy programs.