Last week, congressional leaders released a draft bipartisan bill that, if adopted, would establish the nation’s first comprehensive federal privacy law.
The American Data Privacy and Protection Act (ADPPA) would provide Americans with multiple rights related to the data about them, including the right to access such data, correct the data, delete the data, and prevent certain uses of the data without consent. In response, organizations in many different sectors would face substantial new obligations relating to the data they collect on the individuals they serve.
The ADPPA shares many features with comprehensive state privacy laws—such as the California Consumer Privacy Act (CCPA)—that have been adopted in the past several years. It also borrows elements from the nation’s health privacy law, the regulations adopted under the Health Insurance Portability and Accountability Act (HIPAA). But it goes further than those laws in many respects, and it would be the American equivalent of the General Data Protection Regulation (GDPR), Europe’s governing privacy framework.
The release of the draft legislation represents an important compromise between Democratic and Republican leaders of the House Energy and Commerce Committee, who were able to come to agreement on issues such as state law preemption and a private right of action. Nevertheless, Senate Commerce Chair Maria Cantwell (D-WA), who has pushed her own privacy legislation, has criticized the bill. Some privacy advocates view the legislation as not going far enough, while industry representatives view some provisions, such as permitting a private right of action four years after its effective date, as unacceptable. It is not clear whether the ADPPA has sufficient support to be enacted.
The ADPPA would apply broadly to “covered data” held by “covered entities.” Covered data means any information that identifies or is linked or reasonably linkable to an individual or a device that itself identifies, is linked to, or is reasonably linkable to an individual. Covered data excludes only de-identified data, employee data, and publicly available information. A covered entity is any entity or person that collects, processes, or transfers covered data and is subject to the jurisdiction of the Federal Trade Commission (FTC).
Unlike certain state privacy laws, the ADPPA would apply to many nonprofit organizations and small businesses with low revenues. Moreover, there is no explicit exception for government entities, although laws using similar language have been interpreted by courts as inapplicable to federal and state agencies.
Nevertheless, many organizations in the health care sector, education sector, and financial services sector would not be required to comply with the law in regard to much, if not all, of the data they hold (see discussion below). Further, some small businesses that do not engage in interstate commerce could fall outside of the FTC’s jurisdiction and, therefore, would be exempt from the law. In addition, certain organizations with annual revenues of $41 million or less would not be required to comply with some aspects of the law in accordance with the “small data exception” [Section 209(c)].
Duties of Covered Entities
The ADPPA would impose various duties and other requirements on covered entities with respect to covered data. They include:
- Data minimization: Covered entities would have a baseline duty not to unnecessarily collect or use covered data [Section 101].
- Restricted and prohibited practices: Certain practices would be restricted or prohibited entirely. There would be substantial limits on the ability of covered entities to transfer precise geolocation information, browsing history, and physical activity information collected from a smartphone or wearable device. Covered entities also could not engage in the collection, processing, or transferring of biometric information, known nonconsensual intimate images, or genetic information, except under limited circumstances [Section 102].
- Privacy by design: Covered entities would be required to establish and implement policies and procedures related to the collection, processing, and transfer of covered data [Section 103].
- Denials and pricing: Covered entities would be prohibited from denying a service or product, conditioning a service or product, or setting the price of a service or a product based on an individual’s agreement to waive any privacy rights [Section 104].
Third-party collecting entities—covered entities whose principal source of revenue comes from processing covered data that the entities did not directly collect from individuals—would be subject to additional obligations, including the requirement to register with the FTC if they processed covered data on more than 5,000 individuals [Section 206].
Consumer Data Rights
Under the ADPPA, individuals would have multiple rights regarding the data that covered entities have about them. Many of these rights are similar to rights granted to individuals under comprehensive state privacy laws, the GDPR, and HIPAA.
Rights related to ownership and control of data would include [Section 203]:
- Access: An individual’s right to access the covered data about the individual in a human-readable format that can be downloaded from the Internet.
- Accounting of disclosures: An individual’s right to the name of any third parties to which the covered entity transferred the individual’s information, which would include a description of the purpose of such transfer.
- Correction: An individual’s right to correct any inaccurate or incomplete information held about the individual.
- Deletion: An individual’s right to delete covered data about the individual.
- Export: An individual’s right to export certain covered data in both a human-readable and a machine-readable format, to the extent technically feasible.
Covered entities would have 30 or 60 days to respond to requests related to ownership and control of data, depending on the size of the covered entity, and would have to respond without charge for the first two times that an individual exercises one of these rights during any 12-month period. Covered entities could decline the request under limited circumstances, such as if they could not verify the identity of the requestor, if compliance with the request is impossible or impractical, or if doing so would interfere with law enforcement.
Individuals would also have consent and opt-out rights [Section 204]. Covered entities would be prohibited from collecting or processing “sensitive covered data”—which includes government-issued identifiers (e.g., Social Security numbers), health data, credit card numbers, biometric information, genetic information, precise geolocation information, and certain demographic information such as race or religion, among other data—without the individual’s consent. Individuals would have a right to opt out of transfers of their covered data as well as a right to opt out of targeted advertising. Additional restrictions would apply to data on minors under the age of 18 [Section 205].
The ADPPA would also seek to protect civil rights. Subject to limited exceptions, covered entities could not collect, process, or transfer covered data in a manner that discriminates against individuals on the basis of race, color, religion, national origin, gender, sexual orientation, or disability [Section 207]. Large data holders—covered entities that have annual revenues of at least $250 million and collect covered data on more than 5 million individuals (or sensitive data of more than 100,000 individuals)—would be required to annually engage in an “algorithm impact assessment.” Under that assessment, the large data holder would need to document steps taken to mitigate any potential harms of their algorithms related to children; advertisements for housing, education, employment, health care, insurance, or credit; access to public accommodations; and other potential discriminatory impacts. Other covered entities would have to evaluate the design of their algorithms to reduce the risk of harm.
Covered entities would also need to secure individuals’ data [Section 208]. Covered entities would need to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect covered data against unauthorized access and acquisition. While the data security practices could be tailored based on an entity’s size and complexity, among other factors, all covered entities that did not qualify for the “small data exception” would need to engage in certain minimum practices, such as engaging in an assessment of the vulnerability of each system holding covered data.
Despite these individual rights, covered entities would retain the ability to engage in certain activities in regard to covered data, so long as their collection, processing, and transfer of the covered data was reasonably necessary, proportionate, and limited to such permitted purpose. Covered entities, for example, could complete a transaction or fulfill an order or service requested by an individual, respond to security incidents, protect against fraudulent or illegal activity, or conduct research that is in the public interest and adheres to human subject research regulations [Section 209].
Large data holders would be required to certify annually to the FTC that the organization has reasonable controls and reporting structures necessary to comply with the ADPPA; such data holders would also need to conduct a privacy impact assessment biennially. All covered entities that did not qualify for the small data exception would be required to designate privacy officers and security officers [Section 301]. Service providers—covered entities that collect, process, or transfer covered data on behalf of another covered entity—and third-party recipients of covered data would have their own responsibilities related to such data [Section 302]. Covered entities would be able to submit technical compliance programs and compliance guidelines to the FTC for approval under certain circumstances [Sections 303 and 304].
The ADPPA would be enforced by the FTC and state attorneys general. The FTC would establish a new bureau to exercise its authority under the law. Civil penalties paid to the FTC or the Department of Justice that cannot be provided directly to harmed individuals would be deposited into a Privacy and Security Victims Relief Fund; proceeds from the fund could be paid to future victims or be used by the FTC to provide compliance guidance or engage in technological research necessary to enforce the ADPPA [Section 402]. When feasible, a state attorney general would be required to notify the FTC in writing of any planned civil action under the law; if the FTC brought an action against a covered entity for violating the law, a state could not bring its own action against the defendant while the federal action was pending [Section 403].
Four years after the effective date of the ADPPA, individuals would also have a private right of action under the law [Section 404]. Individuals could be awarded compensatory damages, injunctive or declaratory relief, or reasonable attorneys’ fees and litigation costs under the law. Individuals or classes of individuals could only bring an action under the law if they first notified the FTC and their state attorney general of their intent to file suit; the FTC and state attorney general would then have 60 days to decide whether to bring the action instead of the individual or class.
The ADPPA limits the use of “pre-dispute arbitration agreements” and certain other agreements intended to limit individuals’ remedies under the law.
Relation to Other Laws and Impact on the Health Care Sector
Covered entities that are required to comply with various federal laws—including HIPAA regulations, the Family Educational Rights and Privacy Act (FERPA), and the financial services privacy law, the Gramm-Leach-Bliley Act, among others—and that do comply with those laws would be deemed to be in compliance with the applicable requirements of the bill, but only with respect to data subject to the requirements of those laws [Section 404].
The bill generally would preempt state laws that are covered by the provisions of the ADPPA, and recent privacy laws enacted by states such as California, Colorado, Connecticut, Utah, and Virginia largely would be preempted in favor of a uniform national framework. But the ADPPA would also leave significant exceptions to preemption. State consumer protection laws, civil rights laws, employee and student privacy laws, breach notification laws, state health privacy laws, criminal laws governing fraud and identity theft, and laws governing criminal justice records, among others, would remain in effect. Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act would not be preempted, and neither would the provision of the CCPA that allows for private causes of action for data breaches.
As a result of this framework, the ADPPA’s impact on health care organizations would depend on their relationship to HIPAA. Health plans and health care providers would continue to have their privacy and security requirements dictated by HIPAA and state health privacy laws; many providers and plans may never be regulated by the new law. Nevertheless, there could be circumstances under which HIPAA-covered entities could be impacted by the ADPPA. If a provider or a health plan held individually identifiable data that is neither protected health information nor employee data, such data could be subject to the new law. Further, the ADPPA’s HIPAA exception is narrower than that in the CCPA and similar state laws. While the CCPA exempts all protected health information from its reach, the ADPPA’s exception only applies to protected health information if the covered entity is acting in compliance with HIPAA. Therefore, it is possible that providers and health plans that fall out of compliance with HIPAA could face penalties from the FTC under the law.
Health care tech companies that currently fall outside the scope of HIPAA would be more directly impacted by the ADPPA. These companies capitalize on the explosion of growth in health care data; many of them hold health care data on behalf of patients through wearable devices or apps. These companies typically would have to comply with the new law, and its preemption provision would mean that comprehensive state privacy laws would not apply to them.
Organizations acting as business associates could be subject to both regulatory regimes. A health care app that partners with providers or health plans, for example, could act as a business associate for data it holds on behalf of those providers or plans and, therefore, would need to continue to comply with HIPAA in regard to such data. But if that same health care app collected data directly from consumers, that data likely would be regulated by the ADPPA.
Note: The insights in this article were drawn from Manatt on Health, Manatt’s premium information service.