The American Data Privacy and Protection Act (ADPPA), a new bipartisan data privacy bill, seeks to instill a national standard on what companies can gather from consumers and how they can use it. It has caught the eye of lawmakers on both sides of the spectrum. Past federal legislation concerning consumer privacy have had trouble advancing in the polarized political sphere. To understand the importance of the ADPPA, let’s take a look at crucial parts of the proposal and its implications.

What is the American Data Privacy and Protection Act?

The ADPPA was introduced by House Energy and Commerce Chair Rep. Frank Pallone (NJ), Ranking Member Rep. Cathy McMorris Rodgers (WA) and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (MS). As a result of the discussion draft released June 3rd and the subsequent hearing on June 14th, debate on consumer data privacy has rekindled. Let’s look at some important aspects of the bill, outlined by David P. Saunders, a partner at McDermott Will & Emery:

1. In defining what “sensitive data” entails, the ADPPA is becoming more similar to Europe’s ePrivacy Directive. The ADPPA sees cookie data, like “information identifying an individual’s online activities over time or across third party websites or online services” as sensitive user information.
2. The ADPPA would require opt-out options for users who do not want to receive targeted marketing.
3. Third parties who indirectly collect data from consumers (who may have this information shared from the primary party) must conduct a particular public disclosure of their practices.
4. In an effort to drive accountability in data privacy, “large data holders” such as the chief executive officer, the chief privacy officer, and the chief information security officer, must certify compliance of their business with the FTC.
5. Many businesses are interested in hearing what will come out of this bill and how their operations may be impacted. The ADPPA includes an exemption for specific businesses, however. If a business has had an annual revenue less than “$41 million, did not collect or process the data of more than 100,000 individuals, and did not derive more than 50% of revenue from transferring personal information” in the last three years, they are not considered a covered entity in this bill.

How Does the American Data Privacy and Protection Act Compare to Past Privacy Legislation?

In 2019, a similar bill named the Consumer Online Privacy Rights Act (COPRA) was introduced by Senate Commerce Committee Ranking Member Maria Cantwell (WA), Sens. Brian Schatz (HI), Amy Klobuchar (MN) and Ed Markey (MA). They are similar in that they provide user privacy rights to “access, delete and correct their data,” require entities covered in the bill to provide consumers with details on data collection and security practices, and impose obligations to minimize data storage beyond what is “reasonably necessary and proportionate.”

However, the ADPPA sets itself apart from the COPRA in several key features outlined below:

1. The ADPPA has a provision to address protection of children and minor’s data. If the covered entity has the age of its users, it may not conduct targeted advertising to those younger than 17. This bill would also create a Youth Privacy and Marketing Division at the FTC to address future issues surrounding marketing and privacy for minors.
2. Covered entities in both bills would “impose a duty of loyalty.” However, the COPRA prohibits general harmful data practices, and the ADPPA further categorizes what these practices are: “the collection, processing, or transferring of Social Security numbers, except when necessary to facilitate extensions of credit, authentication, or the payment and collection of taxes.”
3. Unlike the COPRA, the ADPPA preempts state laws through provisions of the ADPPA but outlines certain exceptions, such as the Illinois Biometric Information Privacy Act and the limited privacy right of action for certain security breach damages under the California Consumer Privacy Act and California Privacy Rights Act.
4. The CORPA requires covered entities using algorithms to make decisions for certain activities to submit impact assessments to the FTC, while the ADPPA requires large data holders who collect and transfer data using algorithms to submit impact assessments to the FTC.
5. The ADPPA would require “Third-Party Collecting Entities” to provide public notices with approved language and register each year with the FTC. The COPRA does not contain this provision.

Where Does Everyone Stand on the American Data Privacy and Protection Act?

With midterms looming over lawmakers, let’s take a look at where certain figures stand as those up for election work to tighten their policy positions. 

During the first hearing of the bill, Rep. Cathy McMorris Rodgers stated, “the American Data Privacy and Protection Act focuses on requiring companies to only keep information they need, while encouraging them to take steps to better secure data that is retained” and that the law would be “leading the way in this draft bill to unleash the power of small businesses and entrepreneurs, the engines of America’s economy,” referencing the aforementioned small business exemption.

Sen. Roger Wicker, who released the draft of the bill with Rep. Rodgers, similarly highlighted the necessity for privacy legislation like the ADPPA, tweeting, “This legislation represents the best opportunity to finalize comprehensive federal data privacy protections in years…the American people shouldn’t wait any longer.”

In a joint statement, Wicker and Rodgers, along with the third sponsor of the ADPPA, Rep. Frank Pallone, stated that “This bill strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress, including the development of a uniform, national data privacy framework, the creation of a robust set of consumers’ data privacy rights, and appropriate enforcement mechanisms.”

Although the bill is in its early stages, there are also a few opposing voices in the chambers. After the release of the draft, Sen. Cantwell, a sponsor of the COPRA, criticized the ADPPA and signaled that she had her own competing proposal. Sen. Schatz, who has led several privacy bills in the Senate, wrote a letter to the three sponsors urging them to “shift the burden of data privacy from consumers to companies” by including a corporate duty of loyalty in the legislation.

Business groups also have criticized the bill. Jordan Crenshaw, the Vice President of the Chamber of Commerce’s Technology Engagement Center said, “We support a national data privacy law, but remain concerned about the impact of the introduction of a private right of action and are engaging with the bill sponsors on this and other issues.” Carl Szabo, vice president and general counsel of NetChoice, a tech-focused trade group including Amazon, Facebook and Google, held similar sentiments, saying, “As it stands, the bill leaves a fractured and complex national privacy environment – making it nearly impossible for Americans to know how their data is treated as they travel between states or visit different websites.”

However, another influential tech figure was direct in his support for the ADPPA. In a letter to Congress after meeting with legislators, Apple CEO Tim Cook urged lawmakers to advance the American Data Privacy and Protection Act “as soon as possible.”

ABOUT THE WRITER

Katherine Zhang is a contributor to Identity Review from the University of California, Berkeley.

Do you have information to share with Identity Review? Email us at press@identityreview.com. Find us on Twitter.

RELATED STORIES 

• 18 Privacy Focused Organizations You Should Know About
• A Look into the Illinois Biometric Privacy Law
• Meet Scuba: Harnessing Data in a Privacy-First World
• Global Data Policy Database