On Friday, June 3, 2022, the Senate and House released a draft of the American Data Privacy and Protection Act, (ADPPA), a watershed privacy bill that would introduce a federal standard.  Currently, a hodgepodge of industry-specific and state laws make up the backbone of American privacy regulations and rights, so a national framework for privacy would establish a uniform system for this core American right.  However, the bill faces major hurdles to approval, including tough fights over how to address preemption and whether to grant individuals a private right of action.

While the ADPPA injects a very small dose of optimism into the, “Will there ever be a federal law debate?” many commentators remain skeptical that there is a realistic path to reversing the state-by-state trend.

What do we know about this bill?

The proposal consists of two key provisions; federal preemption and a private right of action (PRA)– it is worth noting that this is the only bill currently under Congressional consideration that contains both of these components.  Those familiar with the General Data Protection (GDPR) may notice that this bill draws upon many of the EU legislation’s key principles.

First, the ADPPA establishes federal preemption over state privacy laws, meaning that its provisions would supersede many existing state privacy laws.  However, the bill forecloses the possibility of preemption in sixteen areas of the law, including state laws that provide for specific statutes on civil rights, criminal codes, student and employee privacy, data breach notification requirements, facial recognition, and financial and health records.  The numerous exceptions to the bill’s preemption provision are indicative of the bipartisanship compromise that the bill’s passage will require.  For example, if passed, the ADPPA’s provisions would not preempt either the Illinois Biometrics Information Privacy Act (BIPA) or several key components of the California Privacy Rights Act (CCPA).  Conversely, the bill is expected to preempt vast swaths of Colorado, Virginia, and Connecticut privacy laws.  In other words, the question of exactly what this draft would preempts will be an area of focus should it become law.

Second, the bill creates a PRA for violations.  For example, an internet user who has opted out of targeted advertisements would have the right to sue an entity that improperly sells that user’s data online.  The scope of the PRA is contentious because some fear if construed too broadly, it will lead to an onslaught of lawsuits, while others worry that if the PRA is too narrow, it will be rendered useless.  There are some proposals that would delay enforcement of this provision.

Moreover, the ADPPA requires companies to minimize their data collection practices to only collecting data that is necessary to the functioning of their businesses.  The bill also prohibits entities from charging users a fee to access a user’s own personal data (there are a few narrow exceptions to this, such as consumer loyalty programs, or when financial data is used to complete a transaction).  Additionally, the bill would expand the privacy rights of minors, including prohibiting companies from disseminating targeted advertisements to users under 17.

Under the existing draft bill, users would also have the right to correct, access, or erase their own data. Once a user has modified their data held by a company, the burden would then shift to that company to inform third parties of any changes.

Role of the Federal Trade Commission?

The Federal Trade Commission (FTC) would be entrusted with ADPPA’s enforcement.  In addition, the FTC will pick up some new obligations like maintaining a register of data brokers and managing opt-out mechanisms for opt-outs of targeting advertising and other data-sharing services. And, the draft calls for the creation of a new bureau within the FTC that is specifically tasked with consumer data protection.

Notwithstanding these changes, federal regulators and state AGs would still have the right to sue, for punitive damages, entities who disregard the obligations and rights created by this legislation.

Our Take

It’s hard to get too excited about any federal privacy bills, but this bill has some bipartisan momentum behind it.  However, the broad exceptions to preemption indicate that companies will continue to content with the state by state approach.

 

Amelia Klitenic and Katherine Eige contribute to this post.