Over the last five years, at least half a dozen federal privacy laws have been proposed by U.S. legislators, all to end up in the dustbins or file cabinets of the halls of Congress. But in June 2022, a bipartisan group of Representatives introduced the American Data Privacy and Protection Act (ADPPA) [1], which has diverse support from both branches of Congress and both political parties. If the Act passes – and it still has a number of hurdles to pass – it would be the first comprehensive federal privacy framework that would give Americans new rights over their personal data, and create new obligations for businesses and organizations nationwide.
A little history: The notion of a federal law protecting the basic privacy rights of all Americans first surfaced in May 2000, when the Federal Trade Commission (FTC) called on Congress to pass such a law. The FTC may have been ahead of its time when it made this recommendation – this was four years before Facebook was launched, and seven years before the iPhone was introduced. Since then, and even after repeated calls for a federal privacy law by the FTC, Congress has taken no action beyond sectoral laws covering specific types of data and audiences.
Even as states forge ahead with their own privacy laws – California, Colorado, Connecticut, Virginia and Utah, as of mid-2022 – a U.S. privacy law is not assured. But this time, the wind is at its back, bolstered by the support of legislators, business associations and advocacy groups. Some common questions that potential covered entities are asking:
What is the status of the proposed law?
In June 2022, the U.S. House Energy and Commerce Committee – which legislates on a wide variety of issues including privacy, cybersecurity and data security – held a hearing on the proposed ADPPA. The Act is currently a discussion draft, after which it could become an official bill to be voted on by the House before moving to the Senate for review. Although the proposed law has bipartisan support, disagreement [2] remains among some legislators and key constituency groups. Congress will go into recess in August, and then momentum will build toward mid-term elections in November, so potential progress on the Act this year is unclear.
What does ADPPA cover?
The law would apply to most entities, including nonprofit organizations. In general, compliance requirements include:
- Consumer consent to collect, process and transmit personal data, with notices written in “plain English”
- Improved transparency about data collection and use
- Option to opt-out of targeted advertising
- Right to access, delete, correct, and port data
- Restrictions on the use of data of minors under age 17
- Improved protection for sensitive data
- Data minimization
- Privacy by design
The Committee believes the rules should not overburden small- and mid-sized businesses. Some large organizations, however, such as large data holders and service providers using data on behalf of other covered entities, would face different or additional requirements. Critics argue that privacy rules should apply equally to all organizations, regardless of size, since the sensitivity of information does not change with the size of the company.
What would happen to existing privacy laws enacted by states?
If Congress ultimately passes a federal privacy law, it might include a provision that preempts state privacy laws. However, one state – California – is pushing back, believing the proposed national law would be weaker than California’s existing privacy law. The California Privacy Protection Agency sent a letter to House Speaker Nancy Pelosi – a California resident – expressing their concerns [3] about the potential for the ADPPA to harm residents of her home state.
Who would enforce the new privacy law?
The FTC primarily will be responsible for ADPPA compliance through a newly created FTC Bureau of Privacy. State Attorneys General also will have the power to bring civil suits over violations affecting residents of their states.
What are the potential penalties under ADPPA?
Initially, failure to comply with regulations under ADPPA will be treated under the FTC’s “unfair or deceptive acts or practices” authority, which calls for a maximum fine of just over $46,000 in 2022 (this amount is adjusted for inflation every year). This amount is significantly less than the penalties under the EU’s General Data Protection Regulation (GDPR) [4], considered one of the strictest privacy laws in the world. The maximum fine for violating GDPR is €20 million, or 4 percent of a company’s global annual revenue, whichever is greater.
ADPPA, in its current draft, also includes a private right of action allowing consumers to sue for compliance failures, although this provision will not take effect until two years after ADPPA takes effect. Penalties under the private right of action would cover actual damages sustained, injunctive relief, and the reimbursement of reasonable attorneys’ fees and litigation costs.
What do consumer groups and business groups think about the proposed law?
While most advocacy groups support some type of national data privacy legislation, different groups support or oppose different parts of the Act as written. The American Civil Liberties Union (ACLU), for example, believes the draft law should be revised to include more robust civil rights protections. Some business trade groups believe their members already are subject to extensive sectoral laws, and would like to see certain provisions of the draft law reconsidered.
What is the biggest hurdle to passage of the Act?
Besides general timing, the biggest hurdle may be the proposed private right of action [5], which allows an individual consumer to pursue legal action for a violation. The ADPPA allows for a limited private right of action, requiring a consumer to first submit a claim to the FTC or their state Attorney General. If the FTC or state AG declines to initiate prosecution, then the consumer can sue after allowing the subject company 45 days to cure the alleged violation. Business groups are generally opposed to a private right of action, believing that if the FTC or state AG declines to initiate an action, then the only lawsuits to proceed will be those without merit.
What is the likelihood the ADPPA will pass?
With the legislative session coming to a close, and disagreements among legislators and key stakeholder groups remaining about aspects of the proposed legislation, the prospects for passage this year seem slim. Overall, however, opinion has coalesced around the need for federal privacy legislation in the United States – the only major economy without this type of protection.
What should businesses do to prepare?
A federal privacy law will have an impact on nearly every business in the country, so it’s not too early to start planning. Relyance AI’s data privacy platform is designed for the ever-changing privacy regulation landscape. One constant across the various regulations is that organizations need to know where their personal and sensitive data is, how it is processed, and whether that processing is in accordance with contracts and policies. Relyance AI supports these efforts by automatically mapping the systems in an organization that process personal and sensitive data and how that data flows, and then continuously comparing that operational reality to the privacy and security provisions in relevant contracts and policies. Want to learn more? Contact us here.
----------------------
1. https://crsreports.congress.gov/product/pdf/LSB/LSB10776
2. https://www.natlawreview.com/article/heated-debate-surrounds-proposed-federal-privacy-legislation
3. https://about.bgov.com/news/california-democrats-push-for-stronger-privacy-protection-bill/
4. https://gdpr.eu/what-is-gdpr/
5. https://www.govtech.com/policy/a-review-the-american-data-privacy-and-protection-act