August 5, 2022
Will the US soon see a federal data privacy bill? Something that equals or surpasses the GDPR?
When it was introduced in 2022, the American Data Privacy Protection Act (ADPPA) made it further along the federal legislative process than any other data privacy regulation in the US. Although the ADPPA passed out of committee with a bipartisan 53-2 vote, it failed to advance to the House or Senate floors in the last Congress—but that doesn't mean businesses and privacy professionals should write the ADPPA off.
On March 1st, 2023, the Innovation, Data, and Commerce Subcommittee of the House Committee on Energy and Commerce held a hearing primarily focused on the ADPPA. The bill has yet to be reintroduced in Congress, but the hearing signaled that the ADPPA still enjoys significant support. If there is to be a federal data privacy bill in the U.S., it seems like it'll either come in the form of the ADPPA or in a bill that closely resembles it.
To prepare for the possibility that it becomes law, we’ll look at the ADPPA’s notable features, the amendments made to date, its criticisms, its next steps, and its overall chances in the House and Senate.
The ADPPA features many of the same components as other modern data privacy laws, like the CPRA. (For an overview of the fundamental components of a modern data privacy law, see our blog, "The anatomy of a data privacy law"). Naturally, the bill varies in some of its details, and some of those variations could have a big impact on businesses should the ADPPA be enacted into law. Let’s take a look at some of the bill’s notable features and the amendments that have been made to date.
The ADPPA refers to businesses and data in different terms and with a different scope than other data privacy laws. The major differences include:
If the ADPPA is signed into law, it will preempt all other state data privacy laws. So, a business that is currently subject to Connecticut’s CTDPA, for instance, would instead need to comply with the ADPPA.
Preemption is a big sticking point in the bill. Many states — especially California — don’t want their own laws to be superseded by the ADPPA.
The ADPPA does make several exceptions to its preemption, however. More specific laws governing data privacy, like the Children’s Online Privacy Protection Act (COPPA), would still apply, as would certain elements of California’s CPRA (more on that later).
A private right of action refers to the ability of individuals to sue businesses for noncompliance. Most US data privacy laws do not feature a private right of action, but the ADPPA does.
Prior to suing, however, an individual would need to inform the FTC or their state attorney general. Then, the FTC and/or state attorney general have 60 days to decide whether to intervene in the lawsuit. Additionally, the individual has to let the business know they intend to sue, and they have to give the business 45 days to correct the violation prior to contacting the FTC/attorney general.
The ADPPA treats businesses that handle significant amounts of data differently than others. To qualify as a large data holder, a business must:
These are your Facebooks and Googles of the world. Under the ADPPA, they would have all sorts of additional disclosure, certification, and audit requirements.
The ADPPA defines small businesses as those that:
Most notably, this definition has no lower threshold: other state privacy laws generally don’t cover businesses that process fewer than 100,000 individuals’ data. Thus, nearly every kind of business is subject to the ADPPA in one way or another. And while there are some exceptions as to which requirements apply to small businesses under the ADPPA, most of them still hold.
Like other state data privacy laws, the ADPPA gives consumers a variety of rights. An additional right that only it and the CPRA provide is the right for consumers to opt out of having their data transferred to third parties. Other state laws allow individuals to opt out of the sale of their data, but only the CPRA and ADPPA allow individuals to opt out of transfers regardless of whether money changes hands.
For the most part, the features we described above have been with the bill since its beginning. As of this writing, the ADPPA has just emerged from the House committee, where it was amended in certain ways to improve its odds in a House floor vote and in the Senate. Here’s what the committee changed.
Enforcement has been a major criticism of this bill. California’s representatives are unhappy that the ADPPA might preempt their CPRA, which is generally stronger and has more teeth. Since California has a lot of sway in the US legislature, an amendment was made to make California’s CPRA enforcement agency — the California Privacy Protection Authority (CPPA) — responsible for enforcing the ADPPA in California. For other states, the FTC and/or attorney general would enforce the ADPPA.
The original bill would have allowed for a private right of action to be permissible four years after enactment; this amendment makes it permissible in two.
This amendment excludes small businesses from private lawsuits if they make less than $25 million revenue annually, have fewer than 50,000 individuals’ covered data, and earn less than half their revenue from transferring covered data.
Like other privacy laws, the ADPPA treats employee data differently from consumer data. This amendment expanded the carveout for employee data by including additional data categories.
Children’s data is treated differently than adult consumers’ data, but businesses can only treat data differently if they know that a consumer is under 17. This amendment created different definitions of what is considered “knowledge” that a consumer is under 17 depending on the size of the business.
This amendment ensured that the National Center for Missing and Exploited Children can work with children’s data legally. Without access to this data, the center would otherwise be unable to complete its mission of fighting child trafficking, abuse, and abduction.
The ADPPA is far from perfect, but it would also be better than nothing. Legislators naturally differ in whether they focus more on its flaws or its strengths.
Primarily, critics are concerned about the bill’s enforcement.
While the ADPPA allows for civil enforcement through its private right of action, it does not have significant administrative enforcement. The GDPR, for instance, has dedicated data protection authorities that mete out penalties; under the ADPPA, enforcement would fall to either the FTC or state attorneys general, both of which have much more than just data privacy enforcement on their plates.
It additionally preempts other state laws with greater or lesser enforcement and coverage. The amendment to permit the CPPA to be the ADPPA enforcer in California was a compromise to ensure that the state wouldn’t be subject to weak enforcement if the CPRA were to be replaced by the ADPPA. But the ADPPA would also preempt states with more business-friendly data privacy laws, like Utah’s. That, in turn, has upset the more business-minded members of Congress.
As of this writing, the ADPPA has successfully passed through the House committee, where it received the amendments described above. Now, it has to pass a vote in the House.
If it passes a vote, then the bill will be introduced in the Senate, where it will go into the Senate Committee on Commerce, Science, and Transportation for study. If the committee approves of the bill, then it will go to the Senate floor for a vote, and after that, to President Biden’s desk.
While this is the furthest any federal data privacy bill has gotten thus far, it still has a long way to go before becoming enacted into law and may look very different at the end of the legislative process.
One of the major challenges is the opposition from Senator Cantwell (D-Wash.). Senator Cantwell has criticized the bill’s lack of enforcement — and she’s the chair of the Senate Committee on Commerce, Science, and Transportation, which would be studying the bill prior to introducing it to the Senate floor.
However, if the bill were amended to feature stronger enforcement (especially if the private right of action were expanded), it could lose its bipartisan support, without which the ADPPA would stand virtually no chance. As it stands, either the bill needs to change or its critics need to change their minds.
That being said, studying the specifics of the bill is still a useful exercise for privacy professionals and businesses. There is still a great deal of support for the bill and it may very well become law; even if it doesn’t, it’s likely that any future federal data privacy legislation will bear a significant resemblance to the ADPPA.
Whether the ADPPA becomes the law of the land, a future bill takes its place, or data privacy remains a state issue, Osano will be ready to keep your business compliant. We’ll keep tracking the progress of the ADPPA as it moves through the legislative process as well as any developments in the privacy space that can impact your business. To stay informed, subscribe to our newsletter.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.