With time running out in this US Congress, and with midterms around the corner, a bipartisan group of legislators is making what may be a last-gasp attempt at a federal privacy law compromise. On June 3, 2022, House Energy and Commerce Committee Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS) released a draft of a new comprehensive federal privacy bill, the American Data Privacy and Protection Act (ADPPA). Notably absent from this list of potential sponsors is Sen. Maria Cantwell (D-WA), Chair of the Senate Commerce Committee, who had been given the OK by Sen. Chuck Schumer (D-NY) to attempt to pass federal privacy legislation. Shortly after its release, Senator Cantwell criticized the ADPPA and signaled that she had her own competing proposal. Senator Cantwell’s position, plus the absence of any California Representative or Senator, signals that the ADPPA is likely destined to stall on the Hill like each of its predecessors.
Nonetheless, with the steady drip of new state consumer privacy laws, many businesses are growing anxious and waiting for action at the federal level, so the ADPPA is noteworthy. This On the Subject highlights several notable features of the ADPPA beyond the anticipated consumer rights of access, correction, deletion and portability. We will start with a look at the private right of action and pre-emption in the ADPPA, as those have traditionally been the sticking points in the federal privacy law debate.
Limited private right of action: Beginning four years after the ADPPA’s effective date, individuals and classes will gain a private right of action, but it is a circumscribed right. Notably, there are no statutory damages. While a successful plaintiff can still recover attorneys’ fees, plaintiffs are only permitted to seek injunctive or compensatory damages. The lack of statutory damages may serve to dampen the plaintiffs’ bar’s interest in bringing ADPPA cases in the first instance. A further deterrent to the private right of action is the set of procedural prerequisites to suit. First, the allegedly aggrieved person will have to give notice to the Federal Trade Commission (FTC) and their relevant state Attorney General of the alleged wrong to see if either regulator wants to pursue the action. Absent action by these regulators, the allegedly aggrieved person must then give notice to the prospective defendant and give them 45 days to cure the alleged harm before filing suit.
Federal pre-emption with more than some carve-outs: One of the things that businesses are looking for in a federal privacy bill is strong state pre-emption so that businesses can focus on complying with one law and related regulations. The ADPPA creeps closer to that objective, but not by much. There is a broad statement of pre-emption of state laws, but then that pre-emption is effectively gutted by a page-and-a-half long list of state laws that are not pre-empted, including California’s California Consumer Privacy Act (CCPA) and Illinois’ Biometric Information Privacy Act (BIPA).
Broad Definition of “Sensitive” Data: The ADPPA would categorize a large swath of information as “sensitive” that may not immediately come to mind as being particularly sensitive. For example, the definition includes “information identifying an individual’s online activities over time or across third party websites or online services.” In effect, this is cookie data. This definition, paired with an affirmative opt-in obligation for the collection of “Sensitive” data, means that the ADPPA would bring many of the requirements of Europe’s ePrivacy Directive to the United States.
Proscriptive Duty of Loyalty: While the ADPPA’s “duty of loyalty” is not the same kind of fiduciary duty that other legislators have attempted to introduce, it is nonetheless quite prescriptive, including a list of eight practices that businesses should not engage in, ranging from the collection and use of Social Security numbers to the transfer of aggregated internet search or browser histories.
Targeted Marketing: Similar to other privacy legislation, the ADPPA would require that businesses allow opt-outs from targeted marketing, including intra-corporate family targeted marketing. The ADPPA would also prohibit the delivery of targeted marketing to anyone under the age of 17.
Third-Party Collectors Registration: The ADPPA would require third parties who collect information about consumers, but who lack direct contact with that consumer, to file registration and offer certain public disclosures about their practices.
Executive Responsibility: Beginning one year after the ADPPA becomes effective, the chief executive officer, the chief privacy officer and the chief information security officer of what the ADPPA defines as “large data holders” would have to certify compliance with the ADPPA to the FTC. This puts these individuals in direct line for potential liability if their company does not, in fact, comply with the ADPPA. A large data holder is an entity that has annual gross revenues of $250 million or more and collects or transfers the personal information of five million or more individuals or devices or the sensitive data of 100,000 individuals or devices.
Impact Assessments and Algorithms: Impact assessments would be required for a number of processing activities under the ADPPA, including with respect to any algorithm of a large data holder that uses personal information.
Small Business Exemption: In addition to the anticipated exemptions to the ADPPA (e.g., the Gramm–Leach–Bliley Act, the Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act), the ADPPA includes a limited exemption for businesses that for the prior three calendar years (or for the period in which the entity has been in existence if less than three years) (i) had annual revenue of less than $41 million, (ii) did not collect or process the data of more than 100,000 individuals and (iii) did not derive more than 50% of their revenue from transferring personal information.
Ultimately, while the ADPPA represents another important step forward by signaling that compromise on the two key sticking issues of pre-emption and a private right of action is possible, the bill still has a long way to go before becoming law. With Senator Cantwell likely to introduce a competing bill and with the calendar where it is, it looks like the issue of federal privacy legislation may be left to a subsequent Congress.