As of September 2022, the United States has yet to enact a comprehensive federal data privacy law. The federal government maintains a patchwork of industry-specific consumer privacy laws. So do many states. And while a handful of states, starting with California, have passed comprehensive privacy protections (and other state legislatures are working to do the same over the next few years), in the absence of a unifying federal privacy law the US privacy landscape will remain woefully fragmented. Can Congress pass its own version of the EU’s General Data Protection Regulation (GDPR)? An ongoing congressional effort points to a solid ‘maybe’.
H.R. 8152, the American Data Privacy Protection Act (ADPPA), has gone further than any attempt that preceded it, allegedly gaining both bipartisan and bicameral support. On July 20th, 2022, the House Energy and Commerce Committee voted 53-2 to advance the ADPPA through the House of Representatives political process towards a floor vote.
What would this potential federal legislation mean for United States businesses? And what are the chances it passes in both the House and the Senate?
What Is ADPPA?
The American Data Privacy and Protection Act was designed to be the country’s first comprehensive federal consumer privacy framework. A bipartisan bill, ADPPA has been co-sponsored by:
- House Energy and Commerce Committee Chairman Frank Pallone, Jr. (D)
- Ranking Member Cathy McMorris Rogers (R)
- Senate Commerce Committee Ranking Member Roger Wicker (R)
While there are some natural differences between this bill and other modern data privacy laws, the general framework and intended outcomes remain quite similar.
If ADPPA is enacted, it would be the first sweeping step in protecting individual privacy rights and dictating how enterprises gather, store, and use consumer data. According to Victor Platt, a CISSP security specialist, it is designed not just for today but for the future, as digital technology becomes even more enmeshed in modern society:
“It codifies a broad definition of covered data and high bars for consent, purpose limitation, and opt-out; high-level inscrutable privacy policies will no longer be enough; and things you think aren’t personally identifiable information (PII) today, like unique IDs, will be in the future.”
What’s surprising to many experts is that despite the current political strife between the GOP and DNC, this bill may have enough bipartisan support to pass, which would make it the country’s first comprehensive privacy law.
What Is Included In ADPPA?
ADPPA’s initial “discussion draft” was passed around DC in early June. The new law would cover activities related to the collection, processing, and transfer of “covered data” (i.e., any information that identifies or links an individual or their device, with special emphasis placed on the protection of “sensitive covered data” and personal information).
The multi-hundred-page bill touched on several topics, including:
- The development of a uniform national data privacy framework
- The establishment of consumer data privacy rights
- The implementation of enforcement mechanisms
Amendments To The Discussion Draft
Since the June release, several changes have been made to the initial version of the bill. Many of these amendments are minor tweaks or exemptions, such as:
- Granting California’s Privacy Protection Agency the power to enforce ADPPA in the state
- Shortening the private right of action grace period from 4 to 2 years
- Exempting businesses that make less than $25,000,000 annually and that handle the covered personal data of fewer than 50,000 individuals from the private right of action
- Expanding the “employee data” definition with carve-outs made for additional personal data categories
- Expanding the definition of sensitive covered data to include elements like:
  - Union membership
  - Internet browsing history
Standout Features of the ADPPA
- For consumers – Consumers are granted rights over their covered data. That includes the right to access, correct, delete, or transfer data.
- For covered entities – Companies that handle consumer data must provide consumers with an opt-out prior to transferring data to a third party or targeting them with digital advertising.
Additionally, transparency measures in the bill would compel covered entities to share the types of data they collect, the purposes for the data, and the length of time they plan to retain it. That said, some unique features would separate this bill from other laws in existence:
Private Right of Action
Under the bill, individuals would have a two-year window to sue certain businesses (exempting small businesses) for noncompliance. However, to levy a civil action, the individual would need to:
- Inform the business that they plan to sue
- Provide the business with a 45-day window to correct the violation
- Inform the Federal Trade Commission or state attorney general
- Wait 60 days to see whether either entity intervenes
If ADPPA eventually passes, it will preempt many state data privacy laws, notably California’s Consumer Privacy and Privacy Rights Acts (CCPA/CPRA) and Virginia’s Consumer Data Protection Act (VCDPA). However, existing federal laws that regulate data privacy within specific contexts, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), will not be overridden.
Special Category for Large Data Holders
The bill pays special attention to massive companies that collect and process significant troves of data, like search engines and social media platforms. If a company qualifies, it faces even more stringent disclosure, certification, and audit requirements. To qualify as a large data holder, a business must annually:
- Make more than $250 million
- Process more than 5 million individuals’ data
- Process more than 200,000 individuals’ sensitive data
DataGrail—Helping You Prepare for ADPPA
Whether the ADPPA passes or not, companies need to prepare for the future of consumer data privacy regulations. If the bill isn’t codified into law this year, there’s a strong likelihood of a similar comprehensive bill passing soon. Still, existing US state privacy laws already impact how your company collects, uses, stores, and transfers private data, and on August 11, 2022, the Federal Trade Commission began the rulemaking process to fill existing gaps.
Knowing this, the time to act is now. By implementing data protection best practices today, you can ensure compliance tomorrow.
Need help with that?
DataGrail was designed for businesses like yours. The data privacy platform centralizes your company’s privacy program, enabling you to automate privacy requests while gaining visibility and control over all your user data.
If you want to proactively maintain data privacy compliance, try your free demo today.