What Will ADPPA Compliance Entail?
The American Data Privacy and Protection Act (ADPPA) aims to introduce federal privacy and data security protections for consumer data. Here we explain what ADPPA compliance will entail.
The Need for a Federal Consumer Data Privacy Law
Despite many U.S. tech firms being among the largest worldwide collectors and processors of consumer data, the U.S. lacks a federal data privacy and protection law, and instead there is a patchwork of privacy laws covering each of the 50 states. National data privacy and protection laws have been introduced in many countries worldwide, yet all attempts to introduce comprehensive consumer data laws in the United States have failed to date.
As it stands, the personal data of residents of California, Colorado, Connecticut, Utah, and Virginia is subject to quite stringent laws, but that is far from the case elsewhere. In other states, consumer data privacy and security requirements are far lower or even virtually nonexistent. That means that consumer rights over their personal data can vary considerably, depending on which side of a state border an individual resides. There are several federal laws that have privacy and data security requirements, but whether those requirements apply depends on the entity collecting the data.
The amount and extent of data now being collected – and often sold without individuals’ knowledge – is considerable, and there is strong public support for a federal consumer data privacy and protection law. One survey suggests that 75% of Americans are in favor of a consumer data privacy and protection law that dictates how data can be collected and used. A federal law would also help to prevent companies from engaging in exploitation and discrimination, as they are largely free to do through the current collection, buying, selling, and sharing of consumers’ personal information.
The American Data Privacy and Protection Act
ADPAA (H.R. 8152) was introduced in the House of Representatives by Reps. Frank Pallone (D-NJ), Cathy McMorris Rodgers (R-WA), Janice Schakowsky (D-IL), and Gus Bilirakis (R-FL) and aims to introduce the first national data privacy and protection law, restricting the collection of personal data without consent, limiting uses and disclosures, and giving Americans new rights over their personal data, regardless where in the United States they live.
ADPPA will preempt almost all state privacy laws and will set a baseline for privacy and data protection at the federal level. ADPPA will also prohibit states from passing additional privacy laws that are stronger than the protections provided by the ADPPA.
Covered Entities and Covered Data
Covered data is any information that identifies or is linked or reasonably linkable to an individual or device, by itself, or in combination with other information. ADPPA does not apply to de-identified data, employee data (including data used solely for professional activities on behalf of a business), publicly available information, and inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.
Greater privacy and security requirements apply to sensitive covered data, which includes government-issued identifiers, health information, financial information, biometric data, genetic information, precise geolocation information, and a range of other sensitive data types such as an individual’s private communications, account or device log-in credentials, information relating to the sexual behavior of an individual, naked or undergarment-clad images/videos, information about an individual’s race, color, ethnicity, religion, or union membership, and information identifying an individual’s online activities over time and across third-party websites or online services.
Covered entities are entities that, alone or jointly with others, determine the purposes and means of collecting, processing, or transferring covered data and are:
- Subject to the Federal Trade Commission Act
- Common carriers subject to the Communications Act of 1934
- Organizations not organized to carry out business for their own profit or that of their members
- Entities that control, are controlled by, or are under common control with another covered entity
ADPPA will not apply to government entities or persons or entities that collect, process, or transfer covered data on behalf of federal, state, tribal, territorial, or local government. Covered entities required to comply with the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, FERPA, HITECH Act, and HIPAA, will be deemed to be compliant if they are compliant with those laws for data privacy and security.
There is a separate classification for large data holders. A large data holder is an entity with gross annual revenue of $250 million or more, which collects, processes, or transfers the data of more than 5 million individuals or devices, or the sensitive data of 200,000 or more individuals or devices.
Summary of ADPPA Compliance Requirements
- Consent is required to collect, process, and transmit covered data
- Covered entities are required to minimize data collection to what is necessary
- Covered entities must ensure privacy by design and not require consumers to pay for privacy
- Covered entities must permit consumers to opt out of targeted advertisements
- Consumers are given the right to access/inspect their data, correct errors, delete their data, port their data, and withdraw consent at any time.
- Protections are provided for minors under 17 years of age to prevent or restrict the use of their data
- Improved transparency about how companies collect and use data
- Improved protection for sensitive data types
- Introduces greater accountability for large data holders, such as data brokers and large tech firms.
ADPPA Compliance Requirements
There are considerable ADPPA compliance requirements for all covered entities, the most important of which are summarized below.
Consent to Collect, Process, Share, and Sell Data
Covered entities must obtain express consent from an individual in order to collect, process, share, or sell their personal data, and are prohibited from pretextual consent such as obtaining consent using false, fictitious, fraudulent, or materially misleading statements or representation, and the use of interfaces for obtaining consent that manipulates consumers. Covered entities, service providers, and third parties are prohibited from engaging in deceptive advertising or marketing. Data may not be collected, processed, or transferred in a manner that discriminates on the basis of race, color, religion, national origin, sex, or disability.
Covered entities that collect, process, or transfer covered data must ensure the data collected is limited to what is reasonably necessary and proportionate to providing a product or service or for delivering communications that are reasonably anticipated by the consumer.
Restricted Use of Sensitive Data
Sensitive data must not be collected and processed unless the collection of that data is necessary to provide or maintain a specific product or service. Transfers of sensitive data to third parties are prohibited unless affirmative consent is obtained, if necessary to comply with federal, state, or local laws, and good-faith disclosures are permitted to prevent an individual from imminent injury. Biometric data may only be transferred to facilitate data security or authentication, and passwords may only be transferred if necessary to use a designated password manager or for identifying password reuse on multiple sites. Genetic information may only be transferred for medical diagnosis or research, with appropriate consent.
Privacy by Design
Covered entities and service providers must establish and maintain reasonable privacy policies and practices, must assess privacy risks to individuals under 17, and mitigate privacy risks, including substantial privacy risks, related to products and services. Reasonable training and safeguards must be implemented to comply with all applicable privacy laws. The privacy by design principle is tailored to the nature, scope, and complexities of the processing. The FTC will publish guidance, within a year of enactment, on what constitutes reasonable privacy policies, practices, and procedures.
Denial of Services or Pricing Based on Individuals Exercising Rights
It is prohibited to deny, condition, or effectively condition the provision of products or services on the individual’s agreement to waive certain rights or to terminate services if an individual chooses to exercise their rights under ADPPA. It is not permissible to price a product or service based on whether an individual agrees to provide financial information or if they exercise rights under ADPPA. It is not permissible to offer a loyalty program that provides discounts or free services in exchange for continued business with a covered entity or for such a program to be created to allow the covered entity to collect additional covered data it would not normally collect or process. In short, covered entities cannot retaliate against individuals for exercising their rights and cannot make people pay for privacy.
Covered entities and service providers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition. What is considered reasonable will be based on the size and complexity of the covered entity or service provider, and the nature and scope of the collection, processing, and transferring of covered data.
Restrictions on the Collection, Use, and Transferring of Minors’ Data
There are restrictions on the collection, use, and transferring of the data of minors under the age of 17. Restrictions include a ban on targeted advertising to any minor under 17 if the covered entity knows the individual is under 17. The July 18, 2022, update to ADPPA added a tiered approach to knowledge based on the size of the covered entity. Constructive Knowledge, where the covered entity knew or should have known an individual was under 17. This applies to covered high-impact social media companies with platforms used by individuals for user-generated content with at least $3 billion in annual revenue and 300 million active monthly users. Willful disregard of an individual age applies to all large data holders that knew or acted with the knowledge that an individual was under 17. Actual Knowledge applies to all other covered entities.
Data transfers are only permitted with express consent if the covered entity knows the individual is under 17. The National Center for Missing and Exploited Children is exempted and can continue to use the data of minors to fulfill its mission. The FTC will establish a Youth Privacy and Marketing Division tasked with ensuring ADPPA compliance with respect to the privacy of children and minors and ADPPA compliance related to marketing directed at children and minors.
Appointment of Privacy and Data Security Officers
Covered entities and service providers are required to designate one or more qualified employees as privacy and data security officers to ensure ADPPA compliance. These officers will be responsible for developing and implementing a data privacy program and data security program and ensuring ADPPA compliance.
All entities that do not meet the small- and mid-sized criteria have additional ADPPA compliance requirements. They must conduct a privacy impact assessment initially, and annually thereafter, to assess potential adverse consequences as a result of the collecting, processing, and transferring of covered data. Large data holders must conduct assessments of the potential for algorithms to cause harm to an individual. These algorithmic impact assessments must be performed at the design stage, including using training data, and annually thereafter.
Consumer Right to Transparency
Ensuring consumers can exercise their rights is a major part of ADPPA compliance. Consumers have the right to transparency and must clearly be told how their data will be collected and used, and to which categories of third parties their data will be collected via clear and easy-to-understand privacy policies. Privacy policies must also explain consumer rights and how they can be exercised. If privacy policies change, consumers must be notified and allowed to withdraw their consent.
Consumer Right to Access, Correct, Delete, and Port their Data
Consumers must be allowed to access the data held by a covered entity and have that data provided in a human-readable downloadable format that is easy to understand. Consumers will have the right to correct any data and to have their data deleted. A covered entity must also notify any third party to whom the data has been transferred to notify them about the request to delete. Consumers have the right to data portability and have a machine-readable copy of their data provided, as far as is technologically possible. There are several exceptions to the right to delete data, such as if a covered entity reasonably believes the data may contain evidence of unlawful activity or an abuse of the covered entity’s products or services. there are different timelines for when responses to these requests must be made, based on the covered entity type. Large data holders must respond within 45 days, and non-large data holders have 60 days.
Consumer Right to Withdraw Consent at any Time
Consumers have the right to withdraw their consent to collect, use, and transfer their data at any time, including consent to share their data with third parties. If data is used for providing targeted advertising, consumers must be provided with an easy way to opt-out prior to providing consent and after consent has been given. Opt-out mechanisms must be readily available to people with disabilities.
Impact of ADPPA Compliance on Small Businesses
ADPPA compliance will have an impact on all covered entities, but steps have been taken during the bicameral development process to ease the compliance burden, especially for small- and medium-sized businesses. There is not a one-size-fits-all approach to ADPPA compliance. Small businesses will be exempt from some of the data security requirements, and small businesses – those with annual revenues lower than $41 million and did not collect or process the data of 100,000 individuals in a year and did not derive more than half of their income from transferring consumer data – will not be required to comply with the data portability requirements. Instead of correcting any errors, small businesses may instead choose to delete the data. The private right of action will not apply to small businesses with annual revenues of $25 million, that engage with the data of less than 50,000 individuals, that derive less than half of their revenue from transferring covered data.
Penalties for ADPPA Compliance Failures
The Federal Trade Commission (FTC) will be the main enforcer of ADPPA compliance, with state attorneys general also permitted to enforce compliance in their respective states. The July 18, 2022 ADPPA update also allows the California Privacy Protection Agency to enforce ADPPA compliance in the State of California. State enforcement agencies, including the CPPA, can bring regulatory or administrative enforcement actions for ADPPA violations, as well as non-preempted state laws.
The FTC is required to establish a Bureau of Privacy, comparable in size and structure to other FTC Bureaus responsible for enforcing other consumer protection and competition laws, that will oversee ADPPA compliance. The Bureau of Privacy must be fully operational within a year of the enactment date.
ADPPA compliance failures, such as unfair or deceptive acts or practices, will be treated in the same manner as others described in section 18(a)(1)(B) of the Federal Trade Commission Act and will be subject to the same penalties described in the FTC Act. The maximum fine, adjusted for inflation in 2022, is $46,517. The FTC must establish a victims’ relief fund and deposit civil monetary penalties in that fund for distribution to victims of ADPPA compliance failures and there are limited other permissible uses of funds.
State attorneys general can bring civil actions over ADPPA compliance failures in the name of the state or on behalf of state residents to obtain damages, civil penalties, restitution, or other compensation, and reasonable attorneys’ fees.
Consumers Get the Right to Sue for ADPPA Compliance Failures
There is a private right of action in ADPPA that allows consumers to sue for ADPPA compliance failures, although this will not come into force until 2 years after the date that ADPPA takes effect. Individuals will be able to sue for ADPPA compliance failures if they suffer an injury as a result of an ADPPA compliance violation. Any successful civil action brought against a covered entity over an ADPPA compliance violation could see the court award an amount equal to the sum of any actual damages sustained, injunctive relief, and the reimbursement of reasonable attorneys’ fees and litigation costs. Private lawsuits do not limit the ability of the FTC or state enforcement agencies to later commence actions against a covered entity.
However, there is a caveat. In order to bring a civil suit against a covered entity for an ADPPA compliance violation, the FTC and the attorney general of the state where the individual resides must be notified in writing of the intent to commence a civil action. The FTC and the state attorney general then have 60 days to make a determination. If the FTC or state attorney general decides to independently intervene and bring their own civil case, the individual right to bring a civil action will not apply. ADPPA does have a right to cure. If a violation is corrected within 45 days, any action for injunctive relief will be dismissed.
Expected ADPPA Timeline
The first draft of the bill was released in early June, closely followed by a discussion draft. The discussion draft was dissected in a hearing on June 23, 2022, by the U.S. House Energy and Commerce Committee’s Subcommittee on Consumer Protection and Commerce. A revised version of the bill was introduced in the House shortly thereafter and is now subject to a House vote. Should the ADPPA progress, it will be sent to the Senate Committee on Commerce, Science, and Transportation which will dissect the bill and it will be subject to a vote. If that vote is passed it will go to the Senate floor for a vote, and thereafter to the president’s desk for his signature. Given that this is an election year, the current momentum will need to be maintained to get this bill signed into law this year.
While there is considerable support for ADPPA, critics would need to see several changes in order to provide their support, so there may be some watering down of the requirements further still in some areas, and strengthened in others. However, due to the bicameral development process and bipartisan support, ADPPA has the best chance of being signed into law of any comprehensive federal consumer data privacy law to date.