Medha Bhatt, Product Manager at CYTRIO
Currently, five U.S. states have signed consumer data privacy legislation into law while six other states have active bills pending. As more states pass state-level data privacy laws, a federal law is becoming increasingly necessary to prevent a patchwork of confusing state-level legislation. This impending chaos makes it urgent for the United States Congress to enact U.S. federal privacy legislation to preempt overlapping and conflicting state privacy laws, risking significant uncertainties for businesses and consumers.
On June 3, 2022, after years of conflicting proposals from Democrats and Republicans, a draft of a bipartisan federal privacy bill, the American Data Privacy and Protection Act (ADPPA) was released.
The ADPPA has yet to be introduced in the U.S. House or Senate, therefore any provision is subject to amendment. However, even in draft form, the bill offers a comprehensive framework for data privacy that serves as a blueprint for federal legislation and is worth exploring.
- A comprehensive national privacy law: The ADPPA shares many features with comprehensive state consumer privacy laws—such as the California Consumer Privacy Act (CCPA) enacted in 2018. It also borrows elements from the nation’s health privacy law, HIPAA (Health Information Portability and Accountability). But it goes further than those laws in many respects and would be the American equivalent of the General Data Protection Regulation (GDPR), Europe’s governing consumer privacy framework.
- Lays strong foundation for data and cybersecurity needs: This draft is the first comprehensive federal bill that lays a solid foundation for cybersecurity practices for all entities, along with maintaining a fine balance with data privacy. The bill protects American citizens’ personal data from adversaries like China and Russia, while allowing flexibility of personal data being used for limited purposes to address any fraudulent or illegal activity. By having a single national privacy law focusing on data protection and cybersecurity, it increases America’s global competitiveness and removes any barriers to common business practices of data transfer.
- Increased transparency and accountability: ADPPA creates strong transparency requirements for how organizations should handle data and give individuals the right to access, correct, delete, and port their personal data.ADPPA also establishes a series of “corporate accountability” mechanisms, including some for large data holders, defined as organizations having sensitive personal data on 100,000 or more individuals or non-sensitive data on 5 million or more individuals. (e.g., a dedicated privacy protection officer, completing biennial privacy impact assessment, etc.)
- Data minimization: All covered entities should not unnecessarily collect or use data, regardless of whether they obtained a consent or met transparency requirements. This takes the onus off individuals to protect their privacy and instead requires companies to be the one to think about collection and use of personal data. This certainly better aligns with what consumers expect.
- Data protection for children and minors: There are also additional guardrails against collecting data from those under 17, including an explicit ban on any company from using data to target teens with ads. Such a rule would be a step up from current child privacy laws, which only ban that practice for those under 13.
- Affirmative express consent for collection, use, or sharing of sensitive covered data: Covered entities would be required to obtain affirmative express consent prior to collecting, processing, or transferring sensitive covered data. (e.g., social security numbers and biometric information) The transfer of aggregated internet search or browsing history or physical activity information from a smart phone or wearable device also would require affirmative express consent.
As with other proposed federal privacy legislation, the ADPPA has several debatable provisions.
- Compromises on state preemption: The bill includes an extensive list of excluded laws and topics from state preemption. It carves out 15 different state laws including those in California and Illinois, undermining the purpose of having state preemption. (i.e., uniform laws to reduce compliance costs and simplify rules for consumers especially on topics like data breach notification where every state already has a law, while retaining several salient and effective pieces of state level regulations.)
- Controversial private right to sue provision: ADPPA delays enforcement of individual private right of action to four years from the enactment date. Individuals can bring a civil action in federal court for violation of any of their rights under ADPPA or for the use of data that is inconsistent with the provisions of the Act.Some stake holders and lobbying groups such as the U.S. Chamber of Commerce have objected to this suggesting this would encourage an influx of abusive class action lawsuits, create further confusion regarding enforcement of blanket privacy rights, harm small businesses, and hinder data-driven innovation.ADPPA applies to “covered data” which is defined as “information that identifies or is linked or reasonably linkable to an individual or a device that identifies, or is linked or reasonably linkable to one 1 or more individuals, including derived data and unique identifiers.” Covered data excludes de-identified data, employee data, and publicly available information.De-identified data exemption: ADPPA allows a company that collects personally identifiable data to share “anonymized” data with third parties that would then have little trouble de-anonymizing it. There is not much the bill can do once that first hand-off happens.Employee data exemption: Since the bill provides exemption to employee data, employers could misuse this exception for snooping on employees’ emails and other communications, recording their mouse movements, or tracking their location—and be totally unhampered by this bill.
- Restriction on processing biometric information without consent: ADPPA prohibits organizations to collect, process, or transfer precise geo-location and biometric data without the affirmative consent of the individual. This, in turn, could prevent legitimate business activities such as identifying shoplifters in a store, detecting any fraudulent activities etc.
- Smaller organization exceptions: Ideally, privacy rules should apply the same to all organizations regardless of their size. Privacy risks for consumers depend on the sensitivity of the data and the context of its collection, not the size of the organization collecting the data. Verizon Data Breach Investigation Report (DBIR) shows that, for the past five years, smaller companies are equally susceptible to data breaches as large enterprises. The draft legislation contains other exceptions for smaller organizations, such as not requiring data portability for smaller data holders and allowing them to delete, rather than correct data.
With numerous improvements still being discussed as part of the latest hearing held on June 14, 2022, there are still several issues to be resolved. But the areas of agreement on the draft seem to far outweigh the differences.
Overall, the bill is a substantial positive step forward where the U.S. economy, consumer safety, and national security could all benefit by passing this legislation that maintains a fine balance between data security and consumer privacy.