On July 20, 2022, the House Committee on Energy and Commerce advanced a new federal privacy bill titled the American Data Privacy and Protection Act (ADPPA) to the House floor. Although it is not yet law, many commentators are optimistic that it may move forward in view of the ADPPA’s bipartisan support and the compromises it reaches on the issues of preemption and private rights of action, both of which have stalled prior federal privacy bills. The ADPPA reveals trends in U.S. privacy law that are emerging from state-level laws passed in California,[1] Virginia, Colorado, Utah and Connecticut (the “State Privacy Laws”). It also departs from all five State Privacy Laws in a few novel ways. This alert discusses key provisions of the ADPPA, as currently drafted, and how they compare to the State Privacy Laws. The ADPPA will likely face further amendment before the House votes on a final bill.
The ADPPA applies to any entity that processes Covered Data and is subject to the Federal Trade Commission Act (FTC Act). It also adds common carriers and nonprofits that otherwise would not be subject to the FTC Act. Banks, air carriers and governments remain excluded from the ADPPA, which is in line with all five State Privacy Laws. There are also exceptions for Covered Entities that are subject to existing privacy laws such as GLBA or HIPAA (discussed below). The State Privacy Laws have similar exceptions.
The ADPPA imposes special requirements on Large Data Holders, defined as a Covered Entity that has over $250 million in gross annual revenue and processes the Covered Data of more than 5 million individuals, or the Sensitive Data of 200,000 individuals, annually. These thresholds do not include processing personal email addresses, personal telephone numbers, or personal login information that allows individuals to access their own accounts with that Covered Entity. Among other requirements, Large Data Holders are required to submit annual certifications of compliance to the FTC, conduct audits and impact assessments of their data processing activities, and implement a comprehensive privacy program.
The ADPPA also imposes special requirements for Service Providers and Third-Party Collecting Entities (i.e., data brokers). A Third-Party Collecting Entity is a Covered Entity that derives more than 50% of its annual revenue from processing Covered Data that it did not collect directly, or that processes for revenue the Covered Data of more than 5 million individuals that it did not collect directly. Service Providers are exempt from the definition of a Third-Party Collecting Entity. Third-Party Collecting Entities must submit to a searchable, publicly available registry and periodic audits of their data security practices by the FTC. The ADPPA would also create a national “Do Not Collect” list, through which individuals could opt out of allowing data brokers to process their data.
Finally, Small Businesses are also subject to the ADPPA and must comply with nearly all of its requirements (with minor exceptions). Small Businesses under the ADPPA are Covered Entities that are not data brokers, have less than $41 million in gross annual revenue, and process the Covered Data of fewer than 200,000 individuals annually. This is a departure from the State Privacy Laws, all of which completely exclude businesses that process the data of fewer than 100,000 individuals annually (or 25,000 individuals for data brokers).[2] By contrast, the ADPPA does not have a lower-limit threshold, and most of its provisions would apply to even the smallest of businesses.
Covered Data means any “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual, and may include derived data and unique persistent identifiers.” This broad definition covers more than the privacy laws of Virginia, Colorado, Utah and Connecticut, and is arguably broader than California’s definition of personal data.
Like all State Privacy Laws, Covered Data under the ADPPA excludes deidentified or publicly available data. But the ADPPA’s definition of “publicly available” is broader than any of the State Privacy Laws because it includes information made lawfully available to the general public by governments, widely distributed media or a publicly available website, and also includes information available under federal, state or local law as well as “a visual observation of an individual’s physical presence in a public place by another person,” so long as the observer does not use a recording device.
Like Virginia, Colorado, Utah and Connecticut, the ADPPA has an exclusion for employee data. But while these states have blanket exclusions for individuals acting in a commercial context, the ADPPA’s employee data exclusion is more narrowly defined. Generally, the ADPPA only excludes employee data when it is processed by the employer and only when it is processed “solely for purposes related to such employee’s professional activities on behalf of the employer” or in case of an emergency.
The chart below shows key differences in the definition of Covered Data between the ADPPA and State Privacy Laws.
The ADPPA’s definition of Sensitive Data varies widely from State Privacy Laws. It also differs from the definition of sensitive personal data found in Europe’s General Data Protection Regulation.
All five State Privacy Laws grant heightened protection to sensitive categories of data, including race or ethnicity, citizenship, religion, health data, sexual orientation, genetic or biometric data used to identify a person, and precise geolocation. California, Virginia, Colorado and Connecticut also recognize children’s personal data as sensitive. Additionally, California classifies the following categories of data as sensitive: union membership; Social Security number, driver’s license or passport number; financial account number with related password or security code; and the contents of mail, email or texts, unless the Covered Entity is the intended recipient.
The ADPPA follows the State Privacy Laws by including race, ethnicity, religion, health data, genetic data, biometric data, precise geolocation and children’s data in the definition of Sensitive Data. Like California, the ADPPA also includes union membership and government identifiers such as a Social Security number, driver’s license or passport number. Also like California, the ADPPA includes financial account numbers, but it adds to that definition any information about an individual’s income level or bank balances. The ADPPA also exceeds California’s definition of Sensitive Data by including login credentials or security codes for any account or device. California’s definition of Sensitive Data only covers login information for financial accounts, and only when accompanied by the account number.
While California protects the contents of mail, email or text messages, the ADPPA would go further and protect all private communications and any information pertaining to their transmission, including phone numbers or addresses, times sent, duration, recipients, and location information of all parties to the communication. The ADPPA excludes communications from devices provided by an employer, but only with “conspicuous” prior notice to the employee.
The ADPPA does not recognize citizenship or immigration status as Sensitive Data. But it does add the following categories as Sensitive Data: skin color; intimate images or recordings; videos requested from television, cable, satellite or streaming media sources; and “calendar information, address book information, phone or text logs, photos, audio recordings, or videos maintained for private use by an individual.” These categories of viewing preferences, intimate images and private messages, recordings and contacts are new to the definition of sensitive data in U.S. privacy laws. The ADPPA also includes as Sensitive Data any other information processed for the purpose of identifying any of the specially enumerated categories.
The chart below shows key differences in the definition of Sensitive Data between the ADPPA and State Privacy Laws.
The ADPPA defines children as anyone under 17, which is a departure from existing U.S. privacy laws that apply to children under 13 or 16 years of age. The ADPPA considers all children’s data as Sensitive Data and expressly prohibits targeted advertising to anyone that the Covered Entity “knows” is a child, or any transfer of children’s data without the express affirmative consent of the parent. The ADPPA imposes a tiered approach to determine whether a Covered Entity knows an individual is a child: for large social media companies, the standard is knew or should have known; for Large Data Holders, the standard is knew or acted in willful disregard; and for all others, the standard is actual knowledge. The ADPPA also establishes a new Youth Privacy and Marketing Division within the FTC that will oversee the privacy of children and marketing directed at children.
The ADPPA grants individuals the now-familiar privacy rights of access, correction, deletion and portability, all of which are found in the State Privacy Laws. The ADPPA also gives individuals the right to opt out of transfers of their data to third parties, with some exceptions, including for legal compliance, data security, or transfers germane to the requested product or service. Only California grants individuals a similar right to opt out of most transfers of their data to third parties, with exceptions similar to those in the ADPPA. All five State Privacy Laws allow individuals to opt out of the sale of their data to third parties.
Right to Access: The ADPPA grants individuals the right to download, in a human-readable and understandable format, all of their data that the Covered Entity has collected for the past two years; the names of third parties and categories of Service Providers with whom their data was shared; and a description of the purposes for such sharing.
Right to Correct: The ADPPA grants individuals the right to correct any material inaccuracy or incomplete information in their Covered Data and to instruct any third parties or Service Providers to do the same.
Right to Delete: The ADPPA grants individuals the right to ask Covered Entities to delete their Covered Data and instruct any third parties or Service Providers to do the same.
Right to Portability: The ADPPA grants individuals the right to export or download their Covered Data, in both a human-readable format and a structured or machine-readable format, either to themselves or directly to another entity.
Right to Individual Autonomy: The ADPPA’s right to individual autonomy prohibits a Covered Entity from attempting to influence the exercise of ADPPA rights through fraudulent or misleading statements, or by designing a user interface to impair an individual’s decision-making.
Right to Opt Out of Targeted Advertising: The ADPPA grants individuals the right to opt out of targeted advertising. The method to exercise this right must be at least as easy as it was for the individual to opt in. Colorado, Virginia, Utah and Connecticut also grant their residents this right.
Right to Withdraw Consent: The ADPPA grants individuals the right to withdraw any affirmative express consent previously given. The withdrawal must be as easy to execute as it was for the individual to give consent in the first place.
The ADPPA allows Large Data Holders 45 days to comply with an individual’s exercise of most privacy rights. Small Businesses have 90 days to respond. Covered Entities that fall between the definitions of Large Data Holders and Small Businesses have 60 days. Each of these deadlines may be extended by an additional 45 days for good reason and with notice to the individual. By comparison, all five State Privacy Laws give every entity 45 days to respond (with less time in California for certain opt-out requests), and each also allows a 45-day extension for good cause.
The ADPPA takes a hybrid approach to exemption based on the types of data involved. The ADPPA sets forth requirements for both a privacy program and cybersecurity standards. Covered Entities that are subject to and compliant with the privacy program requirements of GLBA, HIPAA, HI-TECH, FCRA, FERPA and the Social Security Act are deemed compliant with the privacy program requirements of the ADPPA. Covered Entities that are subject to and compliant with the cybersecurity standards mandated by GLBA, HIPAA, HI-TECH and the Social Security Act are deemed compliant with the ADPPA’s cybersecurity standards. However, if a Covered Entity also collects data outside the scope of these sectoral privacy laws, it will also have to comply with the ADPPA regarding that data.
Similar to the State Privacy Laws, Covered Entities under the ADPPA must abide by the duties of data minimization, loyalty, privacy by design and nondiscrimination.
The Duty of Data Minimization requires Covered Entities to limit their processing to data that is reasonably necessary and proportionate to (1) provide or maintain a specific product or service requested by the individual, (2) deliver a communication that is reasonably anticipated by the individual within the context of their interactions with the Covered Entity, or (3) effect a specific permissible purpose.
The ADPPA identifies 17 specific permissible purposes for processing Covered Data, including:
The Duty of Loyalty imposes a number of specific restrictions on data practices. Covered Entities may not process Social Security numbers unless necessary to facilitate credit extensions, enforce a contract between the parties or prevent illegal activity. Covered Entities may not process any Sensitive Data except where it is strictly necessary to provide the requested product or service. Covered Entities are also prohibited from processing an individual’s search or browsing history without affirmative express consent, unless it is for the first 15 of the 17 specific permissible purposes listed above. Thus, Covered Entities may not process an individual’s search or browsing history for marketing or targeted advertising without affirmative express consent. These are just a few examples of the processing restrictions imposed by the ADPPA’s Duty of Loyalty.
The Duty of Privacy by Design requires Covered Entities to implement policies to comply with laws, mitigate risks to children, mitigate privacy risks stemming from their products or services, and implement privacy training and safeguards in the organization. In creating these policies, Covered Entities may consider their size, the cost of implementation, the volume of Covered Data they process, the sensitivity of that data and the number of individuals involved.
The Duty of Pricing Loyalty prohibits Covered Entities from discriminating against individuals for exercising their rights under the ADPPA. All five State Privacy Laws have similar nondiscrimination provisions.
The ADPPA’s Duty of Loyalty also requires Covered Entities and Service Providers to publish a public privacy policy describing their processing activities. At minimum, these policies must include the following:
If a Covered Entity makes material changes to its privacy policy, it must notify each affected individual before making that change and provide a reasonable opportunity for the individual to withdraw prior consent. Large Data Holders must also provide a short-form notice of their processing activities, limited to 500 words or less, and must keep a log of and publish every material change to their privacy policies for 10 years following the ADPPA’s enactment.
All State Privacy Laws similarly require a notice of processing activities, including the categories of data processed, the purposes for processing, the categories of data shared with third parties and how to exercise consumer rights. Only California requires notice of the length of time an entity keeps Covered Data. The ADPPA’s requirements of a description of security practices and whether any data is processed in China, Russia, Iran or North Korea are new under U.S. privacy laws.
The ADPPA generally preempts all other laws that are “covered by the provisions” of the ADPPA. But it also lists 19 categories of state and federal laws that will remain in effect, including:
The ADPPA is enforceable by the FTC or state attorneys general, and private rights of action are prohibited within the first two years after enactment. After those two years, an individual must first inform the FTC or their state attorney general of their intent to bring a civil action under the ADPPA. The FTC and state attorney general, jointly or severally, then have 60 days to respond to the individual as to whether they will intervene in the action. Additionally, the individual must give notice to the Covered Entity and a 45-day window to cure the violation before filing a complaint.
The ADPPA specifically preserves a private right of action under California’s privacy law for data breaches of nonencrypted and nonredacted personal information, as well as for breaches of an email address in combination with a password, or a security question and answer, in violation of a business’s duty to maintain reasonable security procedures. Thus, it appears the ADPPA would still allow California residents to bring a private right of action for these particular breaches under California law, outside of the restrictions placed on private rights of action under the ADPPA.
***
We will continue to monitor the latest developments in this ongoing legislative movement. Please reach out to the Kramer Levin privacy team for additional assistance on how to comply with emerging privacy laws.
[1] Unless noted, references to California privacy law in this alert are to the California Privacy Rights Act of 2020.
[2] California’s privacy law also applies to any entity with more than $25 million in gross revenue and all data brokers.