Will the US soon see a federal data privacy bill? Something that equals or surpasses the GDPR?
The American Data Privacy and Protection Act (ADPPA) has made it further along the federal legislative process than any other data privacy bill in US history. The bill still has a long way to go, and its passage is far from certain, but it has come far enough and enjoys enough support that it bears further study. Both Republicans and Democrats in the House and the Senate support the bill, and its passage would radically change the privacy landscape in the US.
To get prepared for the possibility that it becomes law, we’ll dive into the ADPPA’s notable features, current amendments, criticisms, next steps, and overall chances in the House and Senate.
What’s in the bill currently?
The ADPPA features many of the same components as other modern data privacy laws, like California's CPRA. (For an overview of the fundamental components of a modern data privacy law, see our blog post, "The anatomy of a data privacy law.") Naturally, the bill varies in some of its details, and some of those variations could have a big impact on businesses should the ADPPA be enacted. Let's take a look at some of the bill's notable features and the amendments that have been made to date.
Variations in definitions
The ADPPA refers to businesses and data in different terms, and with a different scope, than other data privacy laws. The major differences include:
- "Covered entities," defined as any entity or person that collects, processes, or transfers covered data and that is subject to the Federal Trade Commission Act, is a common carrier under the Communications Act, or is a nonprofit. This definition covers the vast majority of businesses.
- "Covered data," which includes any information that identifies, is linked to, or is reasonably linkable to an individual or a device, along with any data or unique identifiers derived from such information, such as IP addresses and targeted advertising identifiers.
- "Children," defined as anyone under the age of 17. This matters because data privacy laws typically require businesses to handle children's data in particular ways, and most other data privacy laws define children as people under 13 or under 16.
- "Sensitive data," which covers more categories than state privacy laws typically do. Most laws treat information like race, ethnicity, genetic data, and children's data as sensitive; California also includes union membership and identifiers like Social Security numbers; the ADPPA includes all of that plus login credentials. There are other minor deviations as well, but listing each is beyond the scope of this article.
Preemption of state laws
If the ADPPA is signed into law, it will preempt state data privacy laws. A business that is currently subject to Connecticut's CTDPA, for instance, would instead need to comply with the ADPPA.
Preemption is a big sticking point in the bill. Many states, especially California, don't want their own laws superseded by the ADPPA.
The ADPPA does make several exceptions to its preemption, however. More specific laws governing data privacy, like the Children's Online Privacy Protection Act (COPPA), would still apply, as would certain elements of California's CPRA (more on that later).
Private right of action
A private right of action is the ability of individuals to sue businesses for noncompliance. Most US data privacy laws do not include one; the ADPPA does.
The right comes with procedural hurdles, though. Before doing anything else, an individual must notify the business of the intended lawsuit and give it 45 days to correct the violation. Only then may the individual notify the FTC and their state attorney general, who have 60 days to decide whether to intervene in the lawsuit. Only after those steps can the individual actually sue.
Special category for large data holders
The ADPPA treats businesses that handle large amounts of data differently than others. To qualify as a large data holder, a business must:
- Make more than $250 million in gross annual revenue, and
- Either process the covered data of more than 5 million individuals or process the sensitive covered data of 200,000 individuals annually.
These are the Facebooks and Googles of the world. Under the ADPPA, they would face a range of additional disclosure, certification, and audit requirements.
Special category for small businesses
The ADPPA defines small businesses as those that:
- Are not data brokers,
- Have less than $41 million in gross annual revenue, and
- Process the data of fewer than 200,000 individuals annually.
Most notably, the ADPPA has no lower threshold for applicability. State privacy laws generally don't apply to businesses that process fewer than 100,000 individuals' data, but nearly every business is subject to the ADPPA in one way or another. There are some exceptions to what small businesses must do under the ADPPA, but most of its requirements still apply to them.
Right to opt-out of data transfer
Like state data privacy laws, the ADPPA gives consumers a variety of rights. One right that only it and the CPRA provide is the ability to opt out of having one's data transferred to third parties. Other state laws let individuals opt out of the sale of their data, but only the CPRA and the ADPPA let individuals opt out of transfers regardless of whether money changes hands.
Current amendments
For the most part, the features described above have been in the bill since its introduction. As of this writing, the ADPPA has just emerged from the House Energy and Commerce Committee, which amended it in several ways to improve its odds in a House floor vote and in the Senate. Here's what the committee changed.
The CPPA gets to enforce the ADPPA in California
Enforcement has been a major criticism of this bill. California's representatives are unhappy that the ADPPA would preempt their CPRA, which is generally stronger and has more teeth. Since California has a lot of sway in Congress, an amendment was made to make California's CPRA enforcement agency, the California Privacy Protection Agency (CPPA), responsible for enforcing the ADPPA in California. In other states, the FTC and state attorneys general would enforce the ADPPA.
Private right of action becomes possible in two years
The original bill would have allowed private lawsuits beginning four years after enactment; this amendment shortens that to two years.
Small businesses are exempt from private action
This amendment shields small businesses from private lawsuits if they make less than $25 million in annual revenue, hold the covered data of fewer than 50,000 individuals, and earn less than half their revenue from transferring covered data.
Greater exclusions for employee data
Like other privacy laws, the ADPPA treats employee data differently from consumer data. This amendment expanded the carve-out for employee data by adding further data categories to it.
Tiered approach for what constitutes “knowledge” that a consumer is under 17
Children's data is treated differently than adult consumers' data, but a business can only be expected to treat it differently if it knows that a consumer is under 17. This amendment created different standards for what counts as "knowledge" that a consumer is under 17, depending on the size of the business.
Exclusion for the National Center for Missing and Exploited Children
This amendment ensures that the National Center for Missing and Exploited Children can lawfully work with children's data. Without access to that data, the center could not carry out its mission of fighting child trafficking, abuse, and abduction.
Criticisms of the ADPPA
The ADPPA is far from perfect, but it would also be better than nothing. Legislators naturally differ in whether they focus more on its flaws or its strengths.
Critics' primary concern is the bill's enforcement.
While the ADPPA allows civil enforcement through its private right of action, it provides little in the way of administrative enforcement. The GDPR, for instance, has dedicated data protection authorities that mete out penalties; under the ADPPA, enforcement would fall to the FTC or to state attorneys general, both of which have far more than data privacy on their plates.
The bill also preempts state laws regardless of whether their enforcement and coverage are stronger or weaker than its own. The amendment letting the CPPA enforce the ADPPA in California was a compromise to ensure that the state wouldn't be left with weak enforcement if the CPRA were replaced by the ADPPA. But the ADPPA would also preempt states with more business-friendly data privacy laws, like Utah's, which has upset the more business-minded members of Congress.
What’s next for the ADPPA?
As of this writing, the ADPPA has passed the House committee, where it received the amendments described above. Next, it must pass a vote on the House floor.
If it does, the bill goes to the Senate, where it will be referred to the Senate Committee on Commerce, Science, and Transportation for study. If that committee approves it, the bill goes to the Senate floor for a vote and, if it passes there, to President Biden's desk.
What are its chances?
While this is the furthest any federal data privacy bill has gotten thus far, it still has a long way to go before becoming enacted into law and may look very different at the end of the legislative process.
One of the major challenges is opposition from Senator Maria Cantwell (D-Wash.). Senator Cantwell has criticized the bill's lack of enforcement, and she chairs the Senate Committee on Commerce, Science, and Transportation, which would study the bill before it reaches the Senate floor.
However, amending the bill to strengthen enforcement (especially by expanding the private right of action) could cost it the bipartisan support without which it would stand virtually no chance. As it stands, either the bill needs to change or its critics need to change their minds.
That being said, studying the specifics of the bill is still a useful exercise for privacy professionals and businesses. There is still a great deal of support for the bill and it may very well become law; even if it doesn’t, it’s likely that any future federal data privacy legislation will bear a significant resemblance to the ADPPA.
Whether the ADPPA becomes the law of the land, a future bill takes its place, or data privacy remains a state issue, Osano will be ready to keep your business compliant. We’ll keep tracking the progress of the ADPPA as it moves through the legislative process as well as any developments in the privacy space that can impact your business. To stay informed, subscribe to our newsletter.