Boo! Federal Data Privacy Laws May Come Soon and Businesses Can’t Hide

DarrowEverett LLP

On September 1, 2022, the American Data Privacy Protection Act (“ADPPA” or the “Act”) was blocked from moving forward before the full U.S. House of Representatives. The ADPPA, which comes from the U.S. House Committee on Energy and Commerce, proposes legislation that would enact federal data privacy laws. But the ADPPA is currently in limbo amid concerns that the Act does not guarantee the same level of consumer protection that may already exist or is slated to become effective in the near future, in various states. One aspect of the current draft of the ADPPA is preemption over state laws – a potentially scary change for any business that handles consumer data. The blocked vote was justified by the position that individual states “must be allowed to address rapid changes in technology.” But despite the current uncertainty, there is evidence that the ADPPA isn’t done yet – in fact, the ADPPA is the federal data privacy bill that has made it the furthest toward becoming law, and it has received strong bi-partisan support with a 52-3 vote that allowed the current draft to proceed to the U.S. House of Representatives.

The ADPPA proposes baseline data privacy protection but also features several concepts that exceed or expand on existing requirements. If the ADPPA is enacted – and it does seem that it has the bi-partisan support necessary to eventually be passed into law – then businesses subject to the ADPPA (defined as “covered entities”) may need to anticipate strengthening their internal processes. Some of the new and expanded concepts may include:

  • Policing of the ADPPA by the Federal Trade Commission (“FTC”) through a new bureau, the Bureau of Privacy. The FTC would have broad authority to enforce any ADPPA violation, and state attorneys general and state privacy authorities would also have authority to enforce violations.
  • Individuals will have the right to bring private lawsuits against covered entities for violations of the ADPPA. It is worth noting that covered entities will have a grace period before this right becomes effective, and the ADPPA requires individuals exercising this right to notify the FTC, which may intervene in the action. Nonetheless, expressly empowering private individuals increases the risk and potential liability to businesses that deal with consumer data.
  • Some covered entities will owe duties of “loyalty” that require attention to internal data security and minimization.
  • Recurring assessments for certain covered entities that use “algorithms,” which are broadly defined in the ADPPA (meaning computation processes on par with machine learning, natural language processing, and artificial intelligence).
  • Restrictions on targeted advertising to minors (individuals under the age of 17) and transfer of their data, overseen by an FTC Youth Privacy and Marketing Division. Most importantly, “knowledge” of a minor’s age is to be based directly on collected data (as opposed to affirmative age gating mechanisms).
  • Required transparency when data is disclosed to China, Russia, Iran, or North Korea.

In addition to policing the ADPPA, the FTC would also be responsible for administering specific compliance programs. For example, unique to the ADPPA, the FTC would provide for a technical compliance program where covered entities can receive approval of a technical program’s (“technology, product, service, or method”) compliance with the ADPPA with respect to its collection, processing or transfer of data.

The FTC would also be responsible for a central “unified” mechanism where individuals can exercise their opt-out rights on a “single interface.” This could be similar conceptually to the National Do Not Call Registry, a list maintained by the FTC that allows individuals to restrict telemarketers from calling registered telephone numbers.

The decision to block a vote on the ADPPA may be motivated by criticism from California, which questions the draft’s preemptive authority. However, the ADPPA expressly claims authority over the regulation of data privacy – and if passed, the ADPPA would prohibit any state from adopting, or maintaining, laws that overlap within the scope of the Act. In effect, the ADPPA would replace current state data privacy laws, like California’s Consumer Privacy Act (“CCPA”) – and any imminent state privacy laws slated to take effect in 2023. And though the ADPPA has yet to move forward, the Committee on Energy and Commerce is expected to address California’s concerns. As a result, we may see a revised ADPPA sooner rather than later.

With several states introducing new or expanded privacy laws, and good reason to believe that the ADPPA could eventually pass into law, businesses and companies should be diligent in keeping up with developments in this area of law to adopt changes in how they collect, use and transfer consumer data. The ADPPA isn’t likely to stay in limbo forever, and it isn’t hard to imagine a world in the near future where businesses are subject to robust state laws and then a new set of rules and requirements under the ADPPA (or another enacted federal data privacy act). Companies that recognize data privacy is evolving into a ubiquitous commercial consideration will be better prepared to adapt to the changes that come with a federal data privacy act.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© DarrowEverett LLP | Attorney Advertising
