August 9, 2022

Volume XII, Number 221


August 08, 2022


Moving Closer to a Federal Data Privacy Act: House Subcommittee Advances American Data Privacy and Protection Act To Full Committee

As more states enact their own privacy laws, members of the privacy community and those impacted by privacy legislation continue to push for uniformity. The American Data Privacy and Protection Act (ADPPA) addresses this growing concern by drafting a uniform national data privacy framework. On June 23, 2022, the House Committee on Energy and Commerce Consumer Protection and Commerce Subcommittee (Consumer Protection Subcommittee) reported the ADPPA favorably, as amended, to the full committee. Given the reach of this legislation and since some key issues remain in flux, it is worth monitoring the Committee’s upcoming markup. 

Background: The ADPPA

The ADPPA is the first bipartisan, bicameral comprehensive privacy and data security proposal with support from both House and Senate committee leaders. The bill’s primary purpose is to provide consumers with foundational data privacy rights, create oversight mechanisms, and establish meaningful enforcement. In a press release, the ADPPA’s sponsors stated that the effort has been “years in the making,” representing “a critical milestone.”

At the Consumer Protection Subcommittee markup, Chairman Frank Pallone opened the session by addressing privacy rights as civil rights and underlined the growing importance of privacy and privacy protections in the world today. He focused on the importance of protecting children and teens, protecting vulnerable women in abusive relationships by giving them control over their personal information and limiting the data available for their aggressors to exploit, and avoiding discrimination against people of color. 

During the markup, Members of Congress on both sides of the aisle discussed important issues such as algorithm impact assessments, preemption of state laws, the private right of action, and the right to cure. Specifically, Committee members focused on including political viewpoint protection considerations in algorithm impact assessments. Additionally, as the ADPPA moves to full committee, discussions about the bill’s insufficient preemption of state laws, right to cure, and the possible negative implications of the private right of action are likely to be front and center.

Some of the ADPPA’s highlights include:

  • Data protections for children and minors. The bill establishes a Federal Trade Commission (FTC) Youth Privacy and Marketing Division responsible for the privacy of children and minors and marketing directed at children and minors (under age 17). The ADPPA also expressly prohibits targeted advertising to children and minors.

  • Data broker registry. The bill requires the FTC to establish a searchable, publicly available, central registry of data brokers (referred to as “third-party collecting entities”), which are covered entities whose principal source of revenue is derived from processing covered data, not directly collected from individuals. The proposed registry would provide consumers with the ability to add their names to a “Do Not Collect” list that is shared with all data brokers.

  • Annual algorithmic impact assessments. The bill requires large data holders that use an algorithm to collect, process, or transfer covered data to submit annual algorithmic impact assessments to the FTC. Algorithmic impact assessments should include a detailed description of steps taken to mitigate potential harm to individuals. During the markup, the Committee approved an amendment to require large data holders to conduct algorithmic impact assessments within two years of passage. The amendment also revised the text to require that assessments feature a statement of purpose, a detailed description of data used by the algorithm, and an assessment of the necessity and proportionality of the algorithm.

  • Chief privacy officer requirement. The bill requires all non-exempt entities to appoint a chief privacy officer. In addition to appointing a chief privacy officer, large data holders are subject to annual executive certifications and biennial audits.

  • State law preemption: The bill preempts a number of state privacy laws, such as the California Privacy Protection Act (CCPA), but excludes well-known statutes such as the Biometrics Information Privacy Act in Illinois. Additionally, the bill does not infringe upon the CCPA’s private right of action provision, general consumer protection laws, civil rights laws, employee and student privacy protections, data breach notification laws, and laws on cyberstalking and cyberbullying. 

  • Sensitive data: The ADPPA now defines “sensitive data” as all precise geolocation information, not just precise geolocation information that reveals the past or present actual physical location of an individual or device. Additionally, the Subcommittee amended the bill to remove references to racial and ethnic information.

  • Service providers are no longer covered entities: A covered entity is any entity or person that collects, processes, or transfers covered data and is (1) subject to the FTC; (2) a common carrier subject to title II of the Communications Act; or (3) a non-profit. The Subcommittee revised the text to ensure that service providers are not considered covered entities. 

  • Exceptions to data subject rights: The Subcommittee also added two exceptions to data subject requests. In addition to refusing a request due to verification or contractual issues, the ADPPA now allows a covered entity to block an individual’s request if the covered entity determines that the action would require access to or correction of another individual’s sensitive data or if the covered entity reasonably believes that the exercise of the right would require the covered entity to commit an FTC violation.

What’s Next/Primary Takeaway

This legislation will continue to attract significant attention from affected stakeholders, and if the full Energy and Commerce Committee approves the measure in the coming weeks, it is safe to say that it could receive consideration by the full House. We note that the U.S. Chamber of Commerce and the tech industry are very active in their advocacy, and there have been some mentions of concerns regarding public health and access to data, including access to abortion-related information after the recent Dobbs decision. Despite the support of House Energy and Commerce Committee Chairman Frank Pallone (D-NJ), Ranking Member Cathy McMorris Rodgers (R-WA), and Senate Committee on Commerce, Science, and Transportation Ranking Member Roger Wicker (R-MS), the path forward for the ADPPA remains in limbo. The “4th Corner,” Senate Commerce, Science, and Transportation Committee Chairwoman Maria Cantwell (D-WA), has expressed opposition to the bill as currently drafted and may also hold a markup of her own privacy bill later this summer. For further information, please review the ADPPA here.

© 2022 ArentFox Schiff LLP
National Law Review, Volume XII, Number 186

About this Author

Eva J. Pulliam Attorney Brand Protection Arent Fox Schiff Washington DC
Partner

Eva splits her time between Washington and San Francisco and concentrates her practice on brand protection: protecting data, brand image, and brand names. She advises clients across numerous industries on best practices in the areas of data privacy, advertising and marketing, and trademark. Household names, tech giants and startups, non-profits, and other innovative organizations call on Eva to guide them through product development and brand management. 

In the privacy space, Eva counsels clients around data collection, use, and transfer, as...

202-857-6323
Oliver Spurgeon III Healthcare Consultant ArentFoxSchiff
SENIOR GOVERNMENT RELATIONS DIRECTOR

Oliver Spurgeon III* has served as a guiding hand in Washington in various capacities, including as a legislative staffer for a leading Member of Congress, private consultant for non-profit organizations, private corporations, and local governments, and as a lobbyist for several national trade associations. As a member of the Government Relations practice group, Oliver represents clients on a range of issues before the U.S. Congress, Executive Branch agencies, and the government of the District of Columbia including transportation, Medicare and Medicaid reimbursement,...

202-857-6424
Destiny Planter Attorney Copyright Law ArentFox Schiff Washington DC
Associate

Prior to joining ArentFox Schiff, Destiny was awarded the Frances Phillips Fellowship. She used this opportunity to work with the African Network for the Prevention and Protection against Child Abuse and Neglect and volunteer in orphanages in Kenya and Ghana. She then joined the Carolina College Advising Corps at Ben L. Smith High School in Greensboro, North Carolina, where she worked to increase the rates of college enrollment and completion among low-income, first-generation college and underrepresented high school students.

While in law...

202-857-6077
Christine Chong Privacy Attorney ArentFox Schiff San Francisco
Associate

As an Associate on the privacy, cybersecurity, and data protection team, Christine helps clients with regulatory compliance, data breach response, technology transactions, vendor contracting, marketing initiatives, and external and internal-facing policies. Her clients include international consumer products, e-commerce, manufacturing, data analytics services, retail and technology businesses, and not-for-profit organizations. 

Christine regularly advises on ethical data use, machine learning and artificial intelligence, vendor contracting, and...

415-757-5517