Key point: A revised version of the American Data Privacy and Protection Act was formally introduced in the House and voted out of a subcommittee.
As we previously reported, on June 3, 2022, a bipartisan and bicameral group of lawmakers released a discussion draft of a comprehensive data privacy bill called the American Data Privacy and Protection Act (ADPPA). Representatives Frank Pallone Jr. (D-N.J.), Cathy McMorris Rodgers (R-Wash.), and Senator Roger Wicker (R-Miss.) all supported the discussion draft although it lacked the key support of Senator Maria Cantwell (D-Wash.).
On June 21, 2022, lawmakers formally introduced the ADPPA as HR 8152. On June 23, 2022, the Subcommittee on Consumer Protection and Commerce of the House Committee on Energy and Commerce held an open mark up session on the ADPPA and seven other bills. During the mark up session, the subcommittee ordered and favorably reported the bill, as amended by a substitute, to the full committee.
In the post below, we analyze some of the key changes between the discussion draft and current version of the ADPPA, briefly recap the mark up session, and discuss the bill’s path forward.
Changes to ADPPA
Some of the key changes between the discussion draft and the current version of the ADPPA are:
Covered and Excluded Data
A number of definitional changes were made to the contours of what data would be covered by the ADPPA, including:
- Covered data – The definition of covered data now excludes “inferences made exclusively from independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.” This change may be motivated by statements in a recent California Attorney General opinion that inferences drawn from publicly available information must be disclosed in response to a request to access.
- Sensitive covered data – The definition of sensitive covered data was revised in a number of respects, including the removal of “information identifying an individual’s online activities over time or across third party websites or online services” and “information revealing an individual’s race, ethnicity, national origin, religion, or union membership or nonunion status in a manner inconsistent with the individual’s reasonable expectation regarding disclosure of such information.” The definition still includes information from individuals under the age of 17 but adds the requirement that the covered entity must know the individual is under that age.
- Biometric data – The definition of biometric data is now more aligned with the definition in the Connecticut Data Privacy Act. Specifically, biometric data is defined to exclude a digital or physical photograph, an audio or video recording, or data generated from a digital or physical photograph or an audio or video recording that cannot be used to identify an individual.
The definition of covered entity now excludes entities “acting in a non-commercial context.” The definition also removed the “common branding” language that is found in the CCPA / CPRA. New exclusions were added for governmental entities and persons or entities acting on behalf of such entities.
Another significant change was to the definition of service providers and their relationship with covered entities. The definition of service provider is now more closely aligned with the definition of processor under GDPR and the Virginia / Colorado / Connecticut laws: “The term ‘service provider’ means a person or entity that collects, processes or transfers covered data on behalf of, and at the direction of, a covered entity and which receives covered data from or on behalf of a covered entity pursuant to a written contract, provided that the contract meets the requirements of section 302.”
In a related change, section 302 was substantially revised to add new obligations on service providers and to specify requirements for contracts between covered entities and service providers. Many of those contractual requirements are similar to the ones found in GDPR and US state privacy laws going into effect in 2023.
Duty of Loyalty
The duty of loyalty provisions (sections 101 and 102) were reworked. Section 101 (data minimization) now states that covered entities must not collect, process or transfer covered data unless such activities are reasonably necessary and proportionate to certain listed activities. The section also now lists twelve permissible purposes. Section 102 (loyalty duties) prohibits certain processing activities unless an exception applies. Those processing activities include certain types of processing of sensitive covered data and transfers of sensitive covered data to third parties.
Unified Opt-Out Mechanisms
Section 210 now requires the FTC to “establish one or more acceptable privacy protective, centralized mechanisms, including global privacy signals such as browser or device privacy settings for individuals to exercise all such rights through a single interface for a covered entity.” The prior version of the ADPPA required the FTC to conduct a feasibility study first before deciding whether to issue such regulations. This change could be a result of the fact that laws in Colorado, Connecticut and California (at least according to draft regulations) will require the recognition of such signals in the near future.
Mark Up Session
During the mark up session, lawmakers offered – and withdrew – four amendments. Three of the amendments were offered by Republican Representative Armstrong. Those amendments sought to modify the bill’s preemption, private right of action, and right to cure provisions. Lawmakers raised other concerns with the current draft, including provisions on loyalty programs and the treatment of children’s data.
For more detail on the mark up session, please see the Future of Privacy Forum’s Keir Lamont’s recap and the IAPP’s Joe Duball’s article.
While the ADPPA continues to move forward in the House, its chances in the Senate remain unclear. On June 22, 2022, Cristiano Lima from the Washington Post reported that Senate Commerce Chair Maria Cantwell, “whose panel controls the fate of any data privacy bill, told the Washington Post that she’s not close to supporting” the ADPPA, and that Senate Majority Leader Chuck Schumer “has said he will not bring the current bill up for a vote in the upper chamber.” According to the Washington Post, “Cantwell cited concerns that the legislation has ‘major enforcement holes’ and is too weak as it stands to warrant passing a federal law that could override state privacy laws, such as the landmark California Consumer Privacy Act.” Other Senate Democrats are also reportedly expressing hesitations over the current ADPPA draft.