National Privacy Law: Bipartisan Proposed Legislation Regarding Privacy Released
On June 3, 2022, Senator Wicker (R-Miss.), Ranking Member of the Senate Commerce Committee, and Representatives Pallone (D-N.J.) and Rodgers (R-Wash.), Chairman and Ranking Member of the House Energy and Commerce Committee, respectively, released their draft of the American Data Privacy and Protection Act (ADPPA or Act). The bipartisan ADPPA would establish a national consumer privacy and data security framework. While the draft legislation has garnered key support in Congress, it has not yet earned the support of Senator Cantwell (D-Wash.), who chairs the Senate Commerce Committee. As such, while this bill marks a significant advance towards a comprehensive federal privacy bill, its legislative outlook is uncertain.
Below, we provide a high-level summary of the proposed legislation, including aspects companies would need to consider for compliance, as well as the methods for pursuing litigation and enforcement under the Act, which are issues that are still being debated on the Hill.
For a more detailed summary and analysis of the new proposal, please reach out to Wiley’s Privacy, Cyber & Data Governance Team.
Key Aspects of the ADPPA
- The Act would impose data minimization requirements on all covered entities and all covered data, rather than only on specific types of data. The data minimization requirements would prohibit covered entities from collecting, processing, or transferring covered data beyond what is reasonably necessary, proportionate, and limited to (1) provide or maintain a specific product or service that an individual requests, or a reasonably anticipated communication between the covered entity and the individual; or (2) a purpose permitted by the Act.
- The ADPPA would restrict and prohibit a substantial number of practices relating to various types of data, including:
- The collection, processing, or transferring of social security numbers, except when necessary to facilitate extensions of credit, authentication, or the payment and collection of taxes.
- The transfer of an individual’s precise geolocation information to a third party, unless transferred to an individual’s other device or service after obtaining their express consent.
- The collection, processing, or transferring of biometric information, except for the specific purposes listed in the proposed legislation.
- The transfer of any password except to a designated password manager or a company whose exclusive purpose is to identify passwords that are being re-used across sites or accounts.
- The collection, processing, or transferring of known nonconsensual intimate images.
- The collection, processing, or transferring of genetic information, except for medical or law enforcement purposes or with express consent.
- The transfer of an individual’s aggregated internet search or browsing history except with the individual’s affirmative consent, a search warrant, or exigent circumstances.
- The transfer of an individual’s physical activity information from a smart phone or wearable device except with the individual’s affirmative consent, a search warrant, or exigent circumstances.
- Sensitive data would be defined to include, among other things, data regarding individuals under the age of 17.
- The Act would mandate the inclusion of specific information in company privacy policies, including the length of time the company intends to retain each category of covered data, how an individual can exercise their rights, and a description of the company’s data security practices.
- The ADPPA would impose several requirements aimed at improving corporate accountability in the data privacy context, including: (1) requiring a company’s highest-ranking officer to annually certify to the Federal Trade Commission (FTC) that the company maintains reasonable internal controls and reporting mechanisms to comply with the Act; (2) requiring a company to designate at least one privacy officer and at least one data security officer; and (3) requiring large data holders to perform biannual privacy impact assessments.
- Service providers collecting or processing data on behalf of a company would generally be prohibited from using the data in a manner beyond the ways dictated by the company and would be prohibited from transferring data to a third party without affirmative express consent from an individual.
Self-Regulation Compliance Option
The ADPPA would create a process for self-regulation under which a company, or group of companies, may apply to the FTC for approval of compliance guidelines governing the collection, processing, and transfer of data by the covered company/companies. Importantly, once the FTC approves a set of compliance guidelines, a company that is eligible to participate—and does participate—in those approved guidelines will be deemed in compliance with the Act if it complies with the guidelines.
Compliance guideline applications would be subject to public comment and would be approved if they (1) meet or exceed the ADPPA’s requirements; (2) provide for regular review and validation by an independent, FTC-approved entity to ensure that the covered company continues to comply with the Act; and (3) include a means of enforcement if a company does not satisfy the guidelines’ requirements.
Implementation & Enforcement
- FTC. The ADPPA would establish a new bureau within the FTC to enforce the Act. It would also grant the FTC enforcement powers similar to those that exist for other unfair or deceptive practices under the FTC Act. However, the Commission would be barred from bringing actions against the same conduct under both the new bill and Section 5(b) of the FTC Act.
- FTC Rulemaking. The bill authorizes the FTC to issue guidance and promulgate rules on several areas including types of sensitive data, data minimization, consumer requests requirements, and the use of algorithms.
- State Enforcement. A state’s Attorney General would also be permitted to bring claims under the ADPPA in federal court for injunctive relief, enforcing compliance, obtaining damages, and obtaining reasonable attorney’s fees and other litigation costs. States would, however, be barred from bringing an enforcement action if the FTC has already initiated its own action.
- Private Rights of Action. Four years after it takes effect, individuals would be permitted to bring civil actions under the Act. Plaintiffs would be able to sue for compensatory damages, obtain injunctive relief, and obtain attorneys’ fees and litigation costs. Before bringing a civil action, plaintiffs would have to notify the FTC and state AGs, and those agencies would have 60 days to determine whether they will bring suit. Businesses would be precluded from enforcing pre-dispute arbitration agreements or joint action waivers regarding minors.
The proposed legislation would preempt any state privacy law “covered by the provisions of this Act.” However, other state laws, such as data breach notification laws, are explicitly not preempted. Other notable non-preempted laws include consumer protection laws, employee and student data privacy laws, the Illinois Biometric Information Privacy Act, and the California privacy law’s private right of action.
With Congress set to recess in August before heading into the midterms, it is unclear how far the ADPPA can advance this year. Although there is some momentum for the Act to move on an expedited timeline, Senator Cantwell (D-Wash.), Chair of the Senate Commerce Committee, has expressed skepticism about the ADPPA. Regardless of immediate reactions to the new draft legislation, given the significant impact it could potentially have, the ADPPA’s progress remains worth monitoring.
Wiley’s Privacy, Cyber & Data Governance Team has helped entities of all sizes from various sectors proactively address risks and comply with new privacy laws. Please reach out to any of the authors with questions.