United States: A PROPOSED FEDERAL PRIVACY LAW
13 September 2022
The aim of the American Data Privacy and Protection Act (ADPPA) is much like that of the GDPR in 2018, whose main purpose was to harmonize data protection law across what were then 28 member states. The ADPPA has the same aspiration across the fifty U.S. states. At the time of writing, five U.S. states have passed comprehensive data protection laws: California, Connecticut, Utah, Virginia, and Colorado.
If the federal ADPPA passes into law, it will give businesses in all sectors clear instruction on how to prepare for and meet the new requirements, and it will give U.S. residents rights similar to those under the GDPR. Like other global privacy laws, the ADPPA provides a transition period before compliance is required: as drafted, the bill would take effect 180 days after enactment.
SCOPE AND EXEMPTIONS
The ADPPA applies to entities that fall into one of the following three categories:
- Entities subject to the Federal Trade Commission (FTC) Act
- For example, technology companies that collect real-time physical health data through mobile applications or wearable fitness trackers (which are not covered entities under HIPAA) fall within scope
- Common carriers subject to Title II of the Communications Act of 1934 (Title II deals with telephone and telegraph common carriers)
- Non-profit organizations, which are not covered by the CCPA
By exception, government and public entities will not be covered, nor will employee data. The employee data exclusion is narrow, however: data resulting from employee surveillance would not be outside the scope of the law. Note that the California Privacy Rights Act (CPRA), effective January 1, 2023, would regulate employee data (assuming the sunset on the employee-data exemption is not extended).
Compared to the California Consumer Privacy Act (CCPA), the federal bill is intended to be broader (including additional requirements for “large data holders”), not least because the CCPA does not cover non-profits.
However, the CCPA/CPRA appears to offer protection against amendments that would weaken privacy, whereas Congress has the power to amend the ADPPA in the future in ways that could either strengthen or weaken privacy protections.
SENSITIVE COVERED DATA
The list of Sensitive Covered Data includes Social Security numbers, passport numbers, physical and mental health information (past, present, or future) and diagnoses, financial account and debit card numbers, biometric and genetic data, precise geolocation, private communications (voicemails, emails, texts, direct messages, …), information about children, and more.
Sensitive Covered Data is subject to an opt-in principle: affirmative, express consent must be obtained, the data cannot be transferred to third parties without the consent of the individual concerned, and dark patterns and inferred consent are expressly prohibited.
In contrast, the CCPA provides for an opt-out principle.
Whereas state laws treat transparency as a focus point, the federal bill goes further by recognizing that bombarding consumers with notices most will never read does not protect their data. Privacy notices must therefore meet a defined standard.
The ADPPA also requires the privacy notice to disclose whether covered data is transferred to, stored in, processed in, or accessible from the People’s Republic of China, Russia, Iran, or North Korea.
DATA SUBJECT RIGHTS
The ADPPA would give individuals various rights over their covered data, including rights of access, correction, and deletion of data held by a particular covered entity. It would further require covered entities to provide a right of data portability. These rights may be subject to exceptions, including exceptions the FTC may create under its rulemaking authority.
Large data holders, including the social media giants, will be held to a higher standard than smaller companies: they will have to submit an annual certification of compliance with the law.
Any covered entity with more than 15 employees will have to designate a privacy officer and a data security officer.
Enforcement is divided into three areas:
- A new Office of Privacy at the FTC to enforce the law
- A private right of action for individuals
- State Attorneys General and state privacy agencies, which can also bring lawsuits
The FTC is also expected to be able to establish “technical compliance programs” to help companies comply with the law.
PRIVATE RIGHT OF ACTION
The Private Right of Action (PRA) would not be available until two years after the ADPPA’s effective date. Since the ADPPA would go into effect one hundred and eighty (180) days after enactment, the PRA would ultimately be delayed approximately two and a half (2.5) years after the ADPPA passes.
Individuals, or classes of individuals, may exercise this right by bringing a civil action in federal court for compensatory damages. That said, covered entities and service providers can take measures that significantly limit class actions. The PRA is available for violations involving:
Sensitive Covered Data, Payment for Privacy, Transparency, Individual Rights, Consents and Opt-Outs, Child Protection, Data Brokers, Civil Rights, Data Security, Service Providers and Third Parties.
The CCPA, by comparison, only provides a PRA for data breaches.
PRIOR CONTENTIOUS ISSUES
Even before any potential entry into force, the chances of the discussion draft becoming law are unclear, and it provokes many debates.
For example, Republicans want the federal bill to preempt state laws, while Democrats do not; Republicans do not want to establish a PRA, while Democrats want one expressly established. As a compromise, the bill preempts most state laws and allows a PRA. Notably, preemption would apply only to the extent that a state law governs the same issues (e.g., the CPRA would be preempted except as to employee data).
Although still at the bill stage, the ADPPA is running up against Californians who are very concerned about its impact on the rights they already enjoy. California Democrats would even like to be exempt from the federal standard.
At the same time, some question whether the CCPA/CPRA could serve as the basis for a federal privacy bill. For others, the bipartisan bill is stronger than California’s law because, among other things, it includes civil rights protections and bans targeted advertising to minors.
In any event, a number of bipartisan amendments have already been adopted during the review. One proposal would have changed the bill’s preemption provision to allow states to enact stricter laws.
It remains to be seen whether the bill will be brought to a vote and passed in both chambers of the U.S. Congress so that it can take effect…