Sure, America has the Grand Canyon, baseball, and apple pie, but you know what it doesn’t have? A nationwide data protection law. Instead, data protection has been left up to a pastiche of state laws, regulations, and enforcement actions that demand many companies choose one state law to rule them all. California led the pack as the first state to pass a data protection law, the California Consumer Privacy Act of 2018, which went into effect January 1, 2020. Following California, only four other states have successfully enacted a data protection law, with Colorado and Virginia passing such laws in 2021 and Utah and Connecticut in 2022.
Never the trailblazer, the federal government waded into the privacy space late last year when the American Data Privacy and Protection Act (ADPPA) was introduced into the House of Representatives on June 21, 2022, and received bipartisan support. This is the first comprehensive national privacy law, and it is being advertised by members of the House Energy and Commerce Committee as a major step in putting people back in control of their personal information. But the real question is…will it happen?
Preemption considerations are among the factors most likely to keep ADPPA in a holding pattern. Like the California, Colorado, Utah, Connecticut, and Virginia laws, the ADPPA governs how companies can collect, use, store, or share data. Although the laws differ in some respects, they all allow covered people to exercise certain individual rights, such as the right to access, correct, delete, or stop sale of their data. If enacted, the ADPPA will apply broadly to organizations operating in the United States and will preempt most states’ data privacy laws. While a federal law is ideal in some cases to facilitate ease of compliance in our ever-growing connected world, when states step into an unregulated space, the federal government’s delayed entry can cause problems rather than solve them.
In its current form, the ADPPA would override many state laws and, moreover, prevent states from taking future action in those areas. This effectively prevents states from acting in areas where they have experienced recent progress. There is a precedent for federal privacy laws to serve as a floor rather than a ceiling. For example, the Health Information Portability and Accountability Act (HIPAA) provides basic medical privacy protections that states can strengthen through their existing, tougher laws, and states retain the ability to make protections even more robust, which several have done, including New York, Texas, Washington, and Louisiana.
Interestingly, not all federal lawmakers are keen on the idea of federal preemption. The U.S. House of Representatives’ California delegation has expressed reluctance to allow the proposed ADPPA to preempt the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Then-House Speaker Nancy Pelosi, D-Calif., said in her statement opposing the current ADPPA preemption framework that California “leads the nation not only in innovation, but also in consumer protection” and deemed it crucial that the state “continues offering and enforcing the nation’s strongest privacy rights.”
The flip side is that many states either have been unsuccessful in passing privacy laws, such as Indiana (SB 358), Iowa (House File 2506), Wisconsin (Assembly Bill 957), Louisiana (House Bill 987), Kentucky (HB 586), and Tennessee (HB 1467 / SB 1554), or have not proposed any; for these states, the passage of the ADPPA would finally address privacy.
Scope and Applicability
In its present form, the Act applies to any entity that collects, processes, or transfers covered data and is subject to the jurisdiction of the Federal Trade Commission (FTC), including nonprofits and telecommunications common carriers. The Act does not apply, however, to government entities or “a person or an entity that is collecting, processing, or transferring covered data on behalf of a Federal, State, Tribal, territorial, or local government entity.” The scope of “covered data” is similar to that in the CCPA and CPRA: “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual, and may include derived data and unique identifiers.”
If enacted in its current form, the following are obligations that covered entities must comply with, found in Title 1 of the ADPPA.
- Data minimization. The data collected by covered entities must be in proportion and relevant to its specific purposes.
- Loyalty. Covered entities must prevent harmful uses of sensitive data.
- Privacy by design. Covered entities must implement reasonable policies, practices, and procedures for collecting, processing, and transferring covered data.
- Loyalty to individuals with respect to pricing. Covered entities may not condition or effectively condition the provision or termination of services or products to individuals by having individuals waive any privacy rights in the Act.
For certain obligations, the policies that covered entities must adopt must correspond to their “impact” (i.e., annual global revenue and number of data subjects affected by the entity’s operations) and “relationship with the data subject” (for example, direct, third-party, or service provider relationships).
Significantly, the ADPPA places direct obligations on service providers and third-party entities. For service providers, one of these obligations is the prohibition of transferring data, except to another service provider, without affirmative express consent. This obligation is not found in state privacy laws. Additionally, the Act requires third-party entities to provide notice to individuals of their activities and register with the Federal Trade Commission (FTC) if they process data pertaining to more than 5,000 individuals or devices that identify or are linked or reasonably linkable to an individual. Third-party entities will also have the same responsibilities and obligations as covered entities.
Once enacted, the present iteration of the ADPPA would provide the following potential rights to the public:
- Transparency. Covered entities must provide individuals with privacy policies detailing their data collection, processing, transfer, and security activities in a readily available and understandable manner.
- Ownership and control. Individuals have the right to access, correct, delete, and port personal data.
- Consent and object. Sensitive covered data may not be collected, processed, or transferred to a third party without the express affirmative consent of the individual. Individuals must be given the opportunity to object to the transfer of covered data to a third party before it is transferred.
- Civil Rights and Algorithms. The ADPPA prohibits covered entities from collecting, processing, transferring, or using personal data to discriminate based on specified protected characteristics.
- Targeted advertisements. Covered entities must provide individuals with a way to opt out of targeted advertisements. For individuals under the age of 17, targeted advertising is expressly prohibited.
Not without some teeth, the ADPPA also contemplates three avenues of enforcement. The FTC, State Attorneys General, and individuals would be authorized to bring causes of action under the ADPPA. Notably, individuals are limited to bringing a civil action within four years after the effective date of the ADPPA.
Although the ADPPA is a bipartisan effort, as noted above, there remains a tension between federal and state privacy rights and enforcement schemes. To be sure, criticisms that may be delaying passage of the ADPPA include how some of the parallel features of the ADPPA are not as strong as provisions in the enacted state laws. As such, the ADPPA has yet to leave the House and move on to the Senate.
Whether the ADPPA passes or not may come down to whether Congress strengthens the privacy rights and enforcement and/or softens the preemption provision, or whether California is willing to concede to federal law. The direction the pendulum may swing will become clearer as other states share their voice in support or opposition.