Federal Privacy Legislation – More Than Just Wishful Thinking?

A bipartisan draft bill unveiled on Friday, June 3, 2022, has the privacy world astir. Will the US finally have its first federal data privacy legislation? If the “American Data Privacy and Protection Act” becomes law, it would establish a nationwide standard for what data companies can collect and how they can use it.

Dan Clarke, president of Truyo and a privacy expert, is at the forefront of privacy legislation analysis, and he and Michael Hellbusch, Partner at Rutan & Tucker, have reviewed and examined what the American Data Privacy and Protection Act could mean for US businesses. Here’s what they have to say about the newly proposed federal privacy legislation.

Dan says, “I ask myself, is the time finally right for a Federal Privacy law? I am a huge proponent of Federal privacy legislation but remain skeptical of its likelihood. Although this is the best sign to date, and they seem to have agreed on enforcement (including a limited PRA), deep divides over the level of state preemption may keep federal legislation at bay. Perhaps with an agreement in principle on an EU-US data transfer framework to address Schrems II this will prompt a response in the form of consistent nationwide legislation that is greatly needed, but only time will tell.”

Michael Hellbusch says, “At first glance, the ADPPA represents something somewhat anachronistic in today’s Congress: compromise. It is apparent from the timing, structure, and substance of the bill that no interested party got everything it wanted and that the lawmakers compromised on various issues to get a bill with bipartisan support. While I don’t think this is what the final draft of the bill will look like, should there be one, it is plainly the product of measured concessions by the drafters.”

Dan Clarke’s Analysis of Key ADPPA Elements:

• What Business does this apply to– “any entity or person that collects, processes, or transfers covered data and — (i) is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.); (ii) is a common carrier subject to title II of the Communications Act of 1934 (47 U.S.C. 201–231) as currently enacted or subsequently amended; or (iii) is an organization not organized to carry on business for their own profit or that of their members.” Any entity or person that controls, is controlled by, is under common control with, or has common branding with another covered entity is also included. There are several exemptions, including those for small and what I call “medium” businesses since many regulations only apply to large businesses. There are no business-level exemptions, but some finance and healthcare data is exempted.
• What Data is in Scope– The bill says, “information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers.” GLBA & HIPAA have standard exemptions along with public, employment, and de-identified data.
• Data Minimization Requirements– Data collection, processing, and transferring operations must be limited to appropriate and disclosed purposes.
• Data Processing Restrictions – Affirmative consent is required for processing certain data including biometric and genetic data.
• Privacy by Design – In accordance with state legislation, a corporation must establish standard and suitable privacy by design policies.
• Privacy Notices & Policies – Published privacy policies must define how data is processed in accordance with regulations, but data transmitted to China, North Korea, or Russia is given special consideration.
• Consumer Rights – This appears to be the most familiar, with standard privileges and a verification allowance. This includes copying, transferring, removing/deleting, and correcting data.
• Universal Opt-out: The ADPPA appears to support a global opt-out of sale, but the details will be decided by the FTC rulemaking process.
• Handling Sensitive Data –Businesses must acquire affirmative and express consent to collect or process sensitive data.
• Handling Children’s Data – This will be covered by FTC rulemaking, but as of right now it does explicitly state that businesses cannot engage in targeted advertising to individuals under the age of 17.
• Data Brokers – “ Third-party collecting entities “appears to be an alternative name for data brokers, and substantial restrictions on these third-party collecting entities include FTC registration and dark pattern avoidance.
• Large Data Threshold and additional requirements–
  • “Large Data Holders” include companies with revenue of over $250,000,000, or with data of 5,000,000 individuals or devices, or 100,000 individuals’ sensitive data.
  • These companies must employ a Data Protection Officer, engage in heightened security, and perform assessments.
  • This means that most larger enterprises would be subject to assessments.
• Cyber Security – To protect covered data, it is evident that sufficient administrative, technical, and physical security standards and procedures must be implemented and maintained. Because there is existing federal draft legislation in this area, most of this is left to future clarification.
• PRA – “Persons or classes of persons who suffer an injury” can bring a civil action for compensatory damages, injunctive or declaratory relief, and attorney’s fees four years after the ADPPA’s effective data and with 60 days’ notice to the FTC. This is more serious for children’s data, and in a vague provision, there may be certain types that are subject to a cure period, which is left to rulemaking to clarify.
• State Preemption – Except for the Illinois Biometric Act and some elements of CPRA, most state laws would be preempted.
• Enforcement – Enforcement (appears to be either party, not joint) will be conducted by the FTC primarily, but also State Attorneys General.
• Rulemaking – Many elements of the ADPPA are left open to rulemaking by the FTC, which I think needs to be extensive in its direction and supervision.

Michael Hellbusch’s Analysis of What the ADPPA Means for US Businesses:

• The Duty of Loyalty. The stated “duty of loyalty” in the ADPPA is somewhat of a misnomer because the bill does not specifically create such a duty, as it is commonly understood. Rather, the bill lays out various restricted or prohibited practices that the authors presume threaten the privacy and security of personal data. These restrictions, combined with privacy by design requirements and price discrimination protections, provide robust protection for individuals, but there is no true duty of loyalty in this draft of the bill.
• Privacy Policies. There are a few notable provisions in Section 202 of the ADPPA which reflect the federal nature of the legislation. First, the act requires companies to identify “other entities within the same corporate structure” with whom a covered entity may transfer covered data. This requirement is straightforward from a transparency perspective but could also be intended to shed light on intra-corporate transfers, a common workaround to data sharing restrictions. Second, the Act requires covered entities to notify whether or not data is shared with entities in China, Russia, Iran, or North Korea. Certainly, a national security component is considered here.
• Children’s Data. The ADPPA would implement a blanket prohibition on targeted advertising to children under the age of 17 if the covered entity has “actual knowledge” of the child’s age. The act invites discussion as to whether the standard should be “actual knowledge” or some other standard. The act also would place transfer opt-in requirements for the transfer of a child’s data to a third party if the child is between 13 and 17 years old.  Children’s privacy protection is obviously an important consideration for lawmakers; the ADPPA would also establish an FTC division known as the “Youth Privacy and Marketing Division” tasked with addressing the privacy rights of children and minors.
• Third-Party Collecting Entities. The ADPPA would heavily regulate data brokers, called “Third-Party Collecting Entities” under the bill, and place heavy restrictions on them. Third-Party Collecting Entities would be made to publicly register with the FTC and provide information about the entities’ data processing practices. In what is perhaps the most aggressive proposed action to date against data brokers, the ADPPA would establish a “Do Not Collect” registry in which an individual can submit requests to all Third-Party Collecting Entities to delete all covered data about the individual that was obtained in the entities’ capacity as data brokers and opt the individual out from further data collection without the affirmative express consent of the individual.
• Discrimination in Data Processing. Section 207 of the ADPPA would prevent the collection, processing, or transferring of covered data in a manner that discriminates against individuals on the basis of race, color, religion, national origin, gender, sexual orientation, or disability. In addition, it would regulate the training and use of algorithms that involve the processing of covered data. Entire articles could be spent on the impact of these regulations, and presumably, much discussion will be had about them over the next weeks and months, but they represent a major advancement in the regulation of algorithmic decision making.
• Small Business Exceptions. The ADPPA creates a “small data exception” for small businesses that do not deal heavily with personal information. For the exception to apply, the covered entity must be able to demonstrate that for the three preceding calendar years: (i) the entity’s average annual is $41 million or less; (ii) the entity did not collect or process covered data of mare than 100,000 individuals (with the exception of information for payment of goods/services and if such data is deleted within 90 days); and (iii) the covered entity did not derive more than 50 percent of its revenue from transferring covered data during any year. If the business meets these requirements, it is exempt from data portability requirements, some of the more onerous data security requirements of the act, and the designation of a privacy and data security officer.
• Designation of Data Protection Officers. The ADPPA would require most covered entities to designate qualified individuals to serve as privacy and data security officers within companies with specific responsibilities to implement the Act’s requirements. Large data holders would have additional requirements with respect to data security and privacy, including conducting regular audits and assessments, with reporting requirements.

A hearing titled “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security” is scheduled for Tuesday, June 14, 2022 at 10:30 a.m. We’ll disseminate material from the meeting to keep you informed.