In the wake of numerous privacy bills introduced in Congress over recent years, on June 3, 2022, three key House and Senate committee leaders released the first bipartisan and bicameral discussion draft for a comprehensive federal privacy bill. If enacted, the proposed American Data Privacy and Protection Act (the “Act”), to be enforced primarily by the Federal Trade Commission (FTC), would largely preempt state privacy legislation recently implemented in California, Virginia, Colorado, Utah, and Connecticut, as well as possible future privacy legislation in other states. It would also afford to individuals across the nation extensive rights to correct, delete, access, and port their covered data, and require covered entities to comply with general data governance principles such as data minimization and restrictions on data retention. Unlike the majority of its state counterparts, the Act offers U.S. residents a conditional private right of action against covered entities for violations. The Act would go into effect 180 days after enactment—a short timeframe as compared to the state privacy laws that were enacted in recent years.
Because Congress will be in recess for much of the month of August, followed by the 2022 midterm elections, there is only very limited time in the current legislative session for Congress to come to an agreement on the Act, including controversial provisions like those relating to the private right of action of individuals and the preemption of state laws. If it does not pass this legislative session, a version of this bill could be reintroduced in the next legislative session, although which party controls each chamber of Congress and the resulting committee assignments in the next legislative session will impact the bill’s likelihood of passage. Although the prospects of enactment remain uncertain, this bill represents the most concrete effort to date to pass a national privacy law in the United States, and, as a result, organizations that have been focused on compliance with state privacy laws should monitor the development of this bill as they continue to review and refine their privacy compliance program.
Below we provide further background and outline some of the most notable provisions included in the draft bill.
Following the momentum of recently enacted state privacy laws, the proposed bill was released by House Commerce Committee Chair Frank Pallone (D-N.J.), ranking member Cathy McMorris Rodgers (R-Wash.), and Senate Commerce Committee ranking member Roger Wicker (R-Miss.), reinvigorating the prospects of a comprehensive federal privacy law after various failed attempts since the end of 2019. Notably, the fact that the bill constitutes the first federal privacy initiative founded on bipartisan support may be seen as a strong indication of growing consensus on the topic across the aisle. However, the bill does not yet have the support of a crucial lawmaker, Senate Commerce Committee Chairwoman Maria Cantwell (D-Wash.), who championed previous federal privacy bills. Without bipartisan agreement in both chambers of Congress, the bill is unlikely to move forward.
Covered entities and data. The Act would apply domestically and extraterritorially to any entity or person subject to the Federal Trade Commission Act, telecommunications common carriers, and nonprofits who collect, process, or transfer covered data, as well as any entity or person that controls, is controlled by, is under common control with, or shares common branding with another covered entity. Covered data comprises information identifying, linked to, or reasonably linkable to a U.S. resident or linkable device (including derived data and unique identifiers). However, covered data excludes de-identified data, publicly available information, and, notably, job applicant and certain employee data.
Limited small business exemption. The Act exempts certain small and medium-sized covered entities from particular obligations such as the requirements to provide data portability, implement advanced data security measures, and designate privacy and data security officers. The exemption covers entities that earned annual revenues for the prior three years of $41 million or less, did not collect or process covered data of 100,000 U.S. residents in a year, and did not derive more than half their revenue from transferring covered data. Notably, the related revenue threshold is quite a bit higher than the $25 million applicability threshold under the California and Utah state counterparts.
Processing exemptions. Similar to some of the state privacy laws, the Act does not restrict the ability of covered entities to process covered data for certain purposes such as to complete transactions with affected individuals, perform internal research, address security incidents, or comply with legal obligations.
Individual rights. Similar to recently enacted state privacy laws, the Act grants U.S. residents specific rights of access, correction, deletion, portability, and non-discrimination.
Rights to opt in. Covered entities must obtain express affirmative and withdrawable consent before collecting, processing, or transferring to a third party information falling under the Act’s broad definition of “sensitive covered data.” The FTC would have rulemaking power to add further categories of covered data to the definition of sensitive covered data. In addition, express affirmative consent is required for the disclosure of covered data by service providers processing such data on behalf of a covered entity to other covered entities, service providers, or third parties.
Rights to withdraw consent or opt out. Before processing covered data according to privacy policies or practices that have been materially changed after collection, covered entities are required to notify affected individuals of the material changes and provide them an opportunity to withdraw their consent. Covered entities also must allow individuals to opt out of targeted advertising and the transfer of covered data to third parties, which might include the selling of covered data not explicitly regulated by the Act.
Transparency and privacy policies. The Act requires that covered entities provide individuals with privacy policies detailing their data collection, processing, transfer, and retention activities in a readily available and understandable manner. Privacy policies must outline the purposes for the collection and processing of each category of covered data, and specify the third parties to whom data is transferred and for what purposes. Unlike under recently enacted state privacy laws, there would also be an affirmative duty to include in the privacy policy a general description of the covered entity’s security practices and a disclosure as to whether any covered data will be made available to China, Russia, Iran, or North Korea.
Data minimization and disposal. The Act imposes a duty to only collect, process, and transfer the minimum covered data as reasonably necessary and proportionate to provide or maintain a product or service requested by the affected individual, to communicate with the affected individual in a reasonably anticipated manner, or for other purposes expressly permitted by the Act. In addition, absent the affected individual’s affirmative express consent to the continued retention, covered data needs to be disposed of when no longer necessary for the purposes underlying its collection, processing, or transfer.
Loyalty duties. Subject to limited exceptions, the Act generally restricts and prohibits certain data processing practices that involve sensitive covered data or are otherwise considered potentially harmful. This applies, for example, to the collection, processing, or transfer of biometric information except for data security or authentication purposes, for legal compliance, or in connection with legal claims or law enforcement or with affirmative express consent. Similarly, the transfer of an individual’s aggregated internet search or browsing history requires affirmative express consent.
Accountability for large data holders. Large data holders are subject to various accountability obligations established by the Act. Large data holders are covered entities with gross revenues over $250 million that, in the most recent calendar year, either collected, processed, or transferred the covered data of over 5 million individuals or devices or the sensitive covered data of 100,000 individuals or devices. The obligations imposed on large data holders include, for example, conducting impact assessments that weigh the risks posed to individuals by the large data holder’s collection, processing, and transfer of covered data against the benefits to the large data holder. Similarly, they must carry out and submit to the FTC annual evaluations of algorithms used or knowingly developed to collect, process, or transfer covered data. The highest-ranking officer and each privacy and security officer of a large data holder also need to certify on an annual basis that the entity maintains reasonable internal compliance controls and reporting structures.
New FTC bureau and state attorneys general. Under the Act, the FTC would have to establish a new bureau to carry out its enforcement authority under the Act within a year of enactment. Violations of the Act and of implementing regulations to be issued by the FTC will be treated as unfair or deceptive acts or practices (as defined under the FTC Act), which means that the FTC may obtain civil penalties for violations, among other relief. State attorneys general would also be able to bring cases in federal court for injunctive relief, to obtain damages, penalties, restitution, or other compensation, and to obtain reasonable attorneys’ fees and other litigation costs, unless the FTC exercises its right to intervene.
Conditional private right of action. Four years after the Act takes effect, individuals or classes suffering injury would be able to bring civil actions in federal court seeking compensatory damages, injunctive relief (subject to a limited 45-day cure period in favor of the defendant), declaratory relief, and reasonable attorneys’ fees and litigation costs for violations of the Act. However, individuals must first notify the FTC and the state attorney general of their state of residence of their intent to bring such an action, as well as provide those agencies with 60 days to determine if they want to bring suit. The Act does not provide plaintiffs with a right to statutory damages.
If enacted, covered entities that are subject to and in compliance with other specified federal privacy and data security laws will be deemed to be in compliance with the Act to the extent the covered data they are processing is subject to the other laws. The FTC will be tasked with issuing guidance for the implementation of these provisions.
State laws covered by the provisions of the Act would be preempted, subject to a list of specified state laws to be preserved. Examples of state laws not preempted include general consumer protection and tort laws, data breach notification laws, laws addressing banking or financial records, and laws solely addressing facial recognition. The same applies to laws on unsolicited email messages, telephone solicitation, or caller IDs, and specifically the Illinois Biometric Information Privacy Act and Genetic Information Privacy Act as well as Section 1798.150 of the California Civil Code (i.e., the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)).