In case you missed it during your summer fun, last Friday Congress released a discussion draft of the American Data Privacy and Protection Act. The release arrives against a backdrop of a growing patchwork of state data privacy laws. Wading through the various state regimes threatens to add a significant regulatory burden to businesses, particularly digital businesses. The Virginia Consumer Data Protection Act becomes operative on January 1, 2023. And only six months later, on July 1, 2023, the Colorado Privacy Act will come into effect.
If passed, the American Data Privacy and Protection Act (“ADPPA”) would, for the most part, preempt the individual state laws. And, in our present environment, it would represent a rare moment of bipartisan agreement.
Review of Key Provisions and Ideas
The draft released contains surprisingly strong provisions. Yes, for companies already complying with the GDPR or the California Consumer Privacy Act, a lot of the provisions (e.g. a consumer’s right to delete or correct their data and the designation of a Privacy and Data Security Officer) will seem familiar. But arguably the ADPPA contains stronger provisions than existing laws in many respects.
First, it has incredibly specific provisions on what constitutes consent. Further, the ADPPA expands the notion of sensitive data to include additional types of data and activities – e.g. address books, data revealing an individuals’ use of TV or streaming services, and nude photos. Next, Article 22 of the GDPR did perceive of the possible harms of automated decision-making and contained language regarding “suitable measures” to safeguard the rights of data subjects. But these provisions feel weak compared to the provisions in the ADPPA. In the proposed law, large data holders must conduct impact assessments on their algorithms to mitigate the potential harm to individuals. It also requires that the large data holders submit those impact assessments to the FTC and make them available to Congress on request.
Next, the notion of a consumer directing all third-party collecting entities not to collect or process their data with the so-called “Do Not Collect” registry changes the landscape significantly. Although similar to the Do Not Call lists here in the United States under the Telephone Consumer Protection Act of 1991 (TCPA), it is a departure from other consumer data privacy acts.
The proposed law also requires consent for material changes in a privacy policy. Currently, privacy policies typically operate under the paradigm that continued use of a website after changes to the privacy policy constitutes consent. Here, the ADPPA would require affirmative consent from the individual after material changes to the privacy policy, a much friendlier paradigm for consumers.
Finally, the ADPPA would apply to all entities and persons who collect, process and transfer covered data who are subject to the Federal Trade Commission Act. This scope goes beyond that of the California, Virginia and Colorado privacy acts, each of which carve out businesses either based on revenue or number of records processed annually.
As to be expected with any truly bipartisan effort, some provisions relax requirements on business interests. And some provisions, on further scruity, give the industry significant breathing room to comply with the new law. First, the draft released carves employee data out of the scope of compliance of the ADPPA. Next, provisions on the private right of enforcement at first glance seem broad and consumer friendly. For example, the proposed law contemplates class actions and the awarding of attorney’s fees. Further, the proposed law prohibits arbitration and class action waivers. But these consumer-friendly provisions are weakened by a delay of four years for the private right of action to take effect. And, prior to initiating an action, the plaintiff must notify the FTC and the attorney general of the state of the defendant. Also, in certain instances, the defendant will have a right to cure.
The ADPPA does not address all problems with the data privacy laws. For example, the various privacy acts have often taken a somewhat antiquated command and control view of the data processing chain. In realty, most entities wear several hats. For instance, using terms from the GDPR, a CPA firm acts as processor of client data. But insofar as the same CPA firm likely operates a website for the general public to visit, it operates also as a controller. The ADPPA slightly improves on this as the restrictions on service providers refer to “service provider data” but additional clarity on this subject remains possible.
But Will it Pass?
For Big Tech, undoubtedly the ADPPA represents an improvement over complying with different laws across the United States. Furthermore, I think the political climate has changed in the United States with respect to Big Tech since the enactment of the GDPR. The public, which once viewed these companies as engines of American progress, now more likely views them as the robber barons of our gilded age. Or to put it differently, even if the political climate changes in November and all regulation becomes subject to more scrutiny, would the attitude towards Big Tech improve? Therefore, for Big Tech, a law passed now has the benefit of being the devil it knows.
For Democrats and privacy advocates, the weaknesses in the bill, including the weaknesses in the private right of action, should be reviewed with an eye on the horizon. Assuming Republicans win in November, more carve outs to business would be anticipated, perhaps even if those carve outs did not extend to Big Tech. In other words, with further delay, a real danger exists of the perfect becoming the enemy of the good.
For certain businesses not yet operating in California or under the GDPR, this potentially represents an especially unwelcome intrusion into their business practices. But to the extent that data privacy laws will inevitably proliferate in number, the ADPPA at least clarifies the path forward.
This is only a review of a draft, which is not yet law. It is not a complete review either. The provisions on civil rights and integrations with other laws require further review. And finally, this does not constitute legal advice for your specific situation. Stay tuned on this issue as it potentially represents a significant change for your business.