The American Data Privacy and Protection Act (ADPPA), or H.R. 8152, is still just a bill.
But could it become the U.S.’s first federal data privacy law?
We can’t predict the future, but its bipartisan support and popularity provide insights into what an eventual U.S. federal law will most likely look like.
Let’s examine the requirements, obligations, and rights outlined by the ADPPA, discuss what may be holding it back, and investigate what it means for the future of data privacy in America.
- What Is the American Data Privacy and Protection Act (ADPPA)?
- What Is the Purpose of the ADPPA?
- ADPPA Key Terms and Definitions
- Who Supports the ADPPA?
- What’s Blocking the ADPPA?
- What’s Included in the ADPPA?
- ADPPA Impact on Businesses and Consumers
- ADPPA Compared to Some of the Biggest Data Privacy Laws
- Future Outlook of the ADPPA
What Is the American Data Privacy and Protection Act (ADPPA)?
The American Data Privacy and Protection Act, or ADPPA, is a federal bill that, if passed, would be the first federal-level data privacy law in the United States.
It would preempt existing state comprehensive privacy protection laws, except for certain categories of laws in California and Illinois.
The ADPPA passed through the House Committee on Energy and Commerce with a 53-2 vote and was placed on the Union Calendar, Calendar No. 488, in December 2022.
However, Congress didn’t have time to formally consider it before the end of the 117th Session in January 2023.
What Is the Purpose of the ADPPA?
The purpose of the ADPPA is to establish a uniform set of protections and rights for Americans over how their personal information is collected, processed, and used.
It creates limitations and requirements for companies that handle personal data, including nonprofits and common carriers, and outlines the penalties and fines for violating the law.
ADPPA Key Terms and Definitions
Before I explain the requirements outlined by the ADPPA, it’s important to cover some key terms so you understand the scope and application of this potential law.
It uses unique language that doesn’t regularly appear in other data privacy legislation, including most current U.S. state privacy laws.
For example, instead of ‘consumer’ or ‘data subject,’ the ADPPA uses the term ‘individuals.’
Read the definitions of these terms exactly as they appear in Section 2 of the current version of the American Data Privacy and Protection Act below:
- Affirmative express consent: An affirmative act by an individual that clearly communicates the individual’s freely given, specific, and unambiguous authorization for an act or practice after having been informed, in response to a specific request from a covered entity that meets the requirements of subparagraph (B).
- Collect/Collection: Buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring covered data by any means.
- Control: (A) Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of the entity; (B) control over the election of a majority of the directors of the entity (or of individuals exercising similar functions); or (C) the power to exercise a controlling influence over the management of the entity.
- Covered data: Information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual and may include derived data and unique persistent identifiers.
- Covered entity: Any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data and —
  - (I) is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.);
  - (II) is a common carrier subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and all Acts amendatory thereof and supplementary thereto; or
  - (III) is an organization not organized to carry on business for its own profit or that of its members; and
  - (ii) includes any entity or person that controls, is controlled by, or is under common control with the covered entity.
- Individual: A natural person residing in the United States.
- Large data holder: A covered entity or service provider that, in the most recent calendar year:
  - (i) had annual gross revenues of $250,000,000 or more; and
  - (ii) collected, processed, or transferred (I) the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals, excluding covered data collected and processed solely for the purpose of initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested product or service; and
  - (II) the sensitive covered data of more than 200,000 individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals.
- Process: To conduct or direct any operation or set of operations performed on covered data, including analyzing, organizing, structuring, retaining, storing, using, or otherwise handling covered data.
- Service provider: a person or entity that (i) collects, processes, or transfers covered data on behalf of, and at the direction of, a covered entity or a Federal, State, Tribal, territorial, or local government entity; and (ii) receives covered data from or on behalf of a covered entity or a Federal, State, Tribal, territorial, or local government entity.
- Third-Party Collecting Entity: A covered entity whose principal source of revenue is derived from processing or transferring covered data that the covered entity did not collect directly from the individuals linked or linkable to the covered data.
  - It does not include a covered entity insofar as such entity processes employee data collected by and received from a third party concerning any individual who is an employee of the third party for the sole purpose of such third party providing benefits to the employee.
- Transfer: To disclose, release, disseminate, make available, license, rent, or share covered data orally, in writing, electronically, or by any other means.
I’ll use these words as described by the ADPPA throughout this guide, so feel free to refer back to this list of definitions as needed.
Who Supports the ADPPA?
The American Data Privacy and Protection Act has bipartisan support and is sponsored by Representative Frank Pallone, Jr., a Democrat from New Jersey, District 6.
It is co-sponsored by:
- Representative Cathy McMorris Rodgers, a Republican from Washington, District 5
- Representative Janice D. Schakowsky, a Democrat from Illinois, District 9
- Representative Gus M. Bilirakis, a Republican from Florida, District 12
What’s Blocking the ADPPA?
Despite the apparent bipartisan support, the ADPPA currently sits at a standstill and may eventually die altogether.
So, what’s keeping this bill from becoming a law? Balancing state-level innovation with a cohesive national framework is challenging but essential.
There are unresolved debates for which political leaders haven’t found a middle ground yet.
Let’s cover some of those debates in a little more detail.
The Conclusion of the 117th Congress
One major issue blocking the ADPPA? Not enough time in the Congressional schedule.
The ADPPA made it through the Energy and Commerce Committee with a bipartisan 53-2 vote in July 2022.
However, lawmakers never had the time to formally consider the proposal before the end of the 117th Congress on January 3, 2023.
While the 118th Congress pledged to keep data privacy and the ADPPA a top priority, there has yet to be any further movement regarding the bill.
The Debate Over a Private Right of Action
Another divisive subject when it comes to passing a federal data privacy law in the U.S. is whether or not individuals should have a private right of action.
A private right of action means an individual can sue over a violation of their rights.
Democrats push for a private right of action, while Republicans push against it. As a compromise, the ADPPA provides a private right of action with a two-year delay.
However, lawmakers on both sides of the aisle still express concerns about whether this compromise is feasible.
To Preempt or Not To Preempt Other State Laws
An additional issue blocking the ADPPA concerns what power it may or may not have over the various U.S. state privacy laws that have already taken effect.
When a federal law preempts state laws, it takes over and ultimately replaces them, creating uniformity across all U.S. states.
Two apparent lines are drawn in the sand regarding whether the federal data privacy law should preempt the state-level legislation.
One side wants state laws to remain in force so long as they provide similar or higher levels of protection regarding data processing provisions.
The other side wants the federal law to supersede all state laws, with no exceptions.
As it’s currently written, the ADPPA provides some compromises for California and Illinois.
In large part, this compromise is because California fought hardest against preemption during the 117th Congressional Session, as reported by the IAPP.
Such ongoing debates make it difficult to predict whether America’s first official federal data privacy law will preempt state-level legislation. Regardless, achieving a balance between national uniformity and state innovation is paramount.
What’s Included in the ADPPA?
The ADPPA includes provisions about all of the following topics:
- Data minimization
- Loyalty duties
- Privacy by design
- Loyalty to individuals with respect to pricing
- Large data holder metrics reporting
- Third-party collecting entities
- Civil rights and algorithms
- Data security and protections
- Small business protections
- Unified opt-out mechanisms
Let’s discuss in more detail how these may impact covered entities.
Data Minimization
The ADPPA discusses the covered entity’s data minimization duties in Title I, Section 101.
Entities are limited to collecting only information that is “reasonably necessary” and “proportionate to” the following:
- Providing or maintaining a product or service as requested by the individual
- Specific permissible purposes
Those permissible purposes for collecting and processing data are:
- To initiate, manage, or complete a transaction to fulfill an order for products or services requested by the individual
- Processing data necessary to perform system maintenance and diagnostics
- Developing, maintaining, repairing, or enhancing a product or service
- Conducting internal research or analytics to improve a product or service
- Performing inventory management or reasonable network management
- Protecting against spam
- Debugging or repairing errors impairing the functionality of a service or product
- Authenticating users of a product or service
- Fulfilling a product or service warranty
- Preventing, detecting, protecting against, or responding to a security incident, fraud, harassment, or illegal activity
- Complying with legal obligations at a state, federal, local, tribal, or investigative level
- Preventing an individual or group from suffering harm when at risk of death, serious physical injury, or other health risk
- To conduct scientific, historical, or statistical research
- Delivering communication as reasonably anticipated by the consumer or between individuals (not advertisements)
- To ensure data security and integrity
The Federal Trade Commission (the Commission) will provide guidance regarding what is considered “reasonably necessary and proportional” for compliance.
Loyalty Duties
The ADPPA requires all covered entities to follow certain “loyalty duties” regarding their personal data processing procedures, as presented in Title I, Section 102.
In particular, it describes what covered entities and service providers may not do with personal information, which includes:
- Collecting, processing, or transferring Social Security numbers.
- Collecting, processing, or transferring sensitive data unless it’s strictly necessary.
- Transferring sensitive data to a third party unless the individual has given affirmative express consent or the transfer is necessary.
- Transferring data to an unaffiliated third party without affirmative consent, in the case of broadcast television services, cable services, and other video programming services.
Privacy by Design
Under the ADPPA, privacy by design (PbD) means establishing, implementing, and maintaining reasonable policies and practices that:
- Consider applicable Federal laws, rules, or regulations related to the data.
- Identify, assess, and mitigate privacy risks related to minors.
- Mitigate privacy risks related to the products and services they provide, including the design and development of such products or services.
- Implement reasonable training and safeguards to promote compliance with all applicable privacy laws impacting the covered entity.
Covered entities must consider their size and the scope and complexity of the processing activities they’re engaged in.
They must also consider the sensitivity of the data they collect, the volume collected, the number of individuals or devices impacted, and the cost of implementing such policies.
Loyalty to Individuals With Respect To Pricing
The ADPPA explicitly prohibits retaliation through service or pricing in Title I, Section 104.
Covered entities cannot punish an individual for acting on their rights outlined by the potential new law.
However, it does not prevent entities from:
- Offering a different price, rate, level, or selection of goods in connection with the individual voluntarily participating in a loyalty program.
- Offering financial incentives to individuals who participate in market research.
- Offering different types of pricing or functionality as a result of individuals exercising their privacy rights.
- Declining to provide a product or service if the data collection is strictly necessary for such product or service.
Privacy Policy Requirements
Covered entities and service providers must also publish a privacy policy, as outlined in Title II, Section 202, that discloses:
- The covered entity or service provider’s identity and contact information
- Any other entity with the same corporate structure as the covered entity the data gets transferred to
- The categories of data processed
- The purpose for processing each category of data
- Whether the entity transfers the data, and if so, each category of third party the data gets transferred to, the name of each third party, and the purposes for transferring the data
- The length of time the entity plans to retain the data
- A description of how individuals can exercise their rights outlined by the ADPPA
- A general description of the entity’s security practices
- If the data is transferred to, processed in, stored in, or accessible to the People’s Republic of China, Russia, Iran, or North Korea
Additionally, entities that qualify as large data holders must provide a short-form privacy notice to consumers that is:
- Concise, clear, conspicuous, and not misleading
- Readily accessible
- Inclusive of an overview of the rights individuals have, drawing attention to any potentially unexpected data practices
- No more than 500 words in length
Large Data Holder Metrics Reporting
Under the ADPPA, any entity that qualifies as a large data holder must compile metrics for the prior calendar year.
The specific metrics include the number of:
- Verified access requests
- Verified deletion requests
- Requests to opt out of targeted advertising
- Requests the large data holder complied with in whole or in part, and requests it denied
- The median or mean number of days it took to respond to the requests
Third-Party Collecting Entities
Under Title II, Section 206 of the ADPPA, all third-party collecting entities must post a clear, not misleading, accessible notice on their websites or mobile apps.
It must meet all of the following requirements:
- Notify the individuals that the entity is a third-party collecting entity using language as developed by the Commission
- Include a link to the Commission’s established website
- Be reasonably accessible and usable by individuals with disabilities
Before January 31 of each calendar year, any third-party collecting entities that collected the data of more than 5,000 individuals or devices must register with the Commission.
The registration process includes:
- Paying a $100 fee
- Providing the legal name and primary physical, email, and internet address of the third-party entity involved
- A description of the categories of covered data they process and transfer
- The contact information of the third party, including a contact person, telephone number, email address, website, and physical address
- A link to a website so individuals can exercise their rights
The Commission will establish and maintain a searchable website for the public with details about all third-party collecting entities.
Civil Rights and Algorithms
Title II, Section 207 of the ADPPA prohibits covered entities from processing information in any way that discriminates against individuals.
The Commission has the authority to enforce this section of the ADPPA.
If the ADPPA is enacted, within three years, the Commission will submit a report to Congress that summarizes:
- All types of information the Commission transmitted to agencies during the previous year
- How the information related to Federal civil rights laws
Covered Algorithm Impact Assessments
Large data holders that use a “covered algorithm” that poses a potential risk of harm to an individual or group must conduct an impact assessment.
The ADPPA defines covered algorithm as:
“A computational process that uses machine learning, natural language processing, artificial intelligence techniques, or other computational processing techniques of similar or greater complexity and that makes a decision or facilitates human decision-making with respect to covered data, including to determine the provision of products or services or to rank, order, promote, recommend, amplify, or similarly determine the delivery or display of information to an individual.”
The impact assessment must provide all of the following information:
- A detailed description of the data used by the covered algorithm
- A statement of the purposes and proposed uses of the algorithm
- A description of the outputs produced by the algorithm
- An assessment of the necessity and proportionality of the covered algorithm as related to its stated purposes
- A description of the steps the large data holder will take to mitigate potential harms
You might wonder why AI regulation appears in a data privacy bill.
Data privacy regulations must keep pace as technology advances rapidly.
Federal law must be adaptable, forward-thinking, and capable of addressing unforeseen privacy issues arising from technologies like AI, biometrics, and evolving data collection methods.
Data Security and Protections
Covered entities under the ADPPA must establish, implement, and maintain reasonable administrative, technical, and physical data security practices, as Title II, Section 208 explains.
When determining what security practices to implement, covered entities must consider:
- The size and complexity of the covered entity itself
- The nature and scope of the collecting, processing, and transferring of the data
- The volume and nature of the data collected, processed, or transferred
- The sensitivity of the data collected, processed, or transferred
- The current state of (and limitations of) administrative, technical, and physical safeguards for protecting the data
- The cost of the available tools to improve security and reduce vulnerabilities
At a minimum, covered entities must assess their vulnerabilities, evaluate their preventative and corrective actions, train their employees, and designate an officer to implement such practices.
Small Business Protections
Exemptions and protections specifically regarding small businesses are described in Title II, Section 209 of the ADPPA.
To qualify as a small business, the entity must meet the following thresholds:
- Not exceed $41,000,000 in average annual gross revenues
- Not annually collect or process data from more than 200,000 individuals
- Not derive more than 50% of its revenue from transferring data during any calendar year
In particular, small businesses are exempt from complying with Section 203 (a) 4, Paragraphs (1) through (3) and (5) through (7).
Compliance with Section 203 (a)(2) is optional.
Unified Opt-Out Mechanisms
Under Title II, Section 210 of the ADPPA, covered entities must establish one or more global privacy signal opt-out mechanisms within 18 months after the enactment date of the act.
The centralized opt-out mechanism must meet all of the following guidelines:
- Require the covered entity to inform consumers about the centralized opt-out option.
- Not be required to be the default setting, but may be the default setting in cases where the mechanism clearly represents an individual’s affirmative, freely-given choice to opt out.
- Be consumer-friendly, easy to use, and clearly described.
- Permit the covered entity to have an authentication process to determine that the mechanism represents a legitimate opt-out request.
- Be available in any covered language the entity provides products or services to.
- Be provided in a manner that is reasonably accessible for individuals with disabilities.
Fines and Penalties for Violating the ADPPA
The Federal Trade Commission and the state Attorney General offices have the authority to enforce the ADPPA, as written in Title IV.
Fines and penalties could reach up to $10,000 per violation if it’s considered an unfair or deceptive act by the Commission.
Private Right of Action
The ADPPA also grants individuals a private right of action in Title IV, Section 403, but that right doesn’t apply until two years after the act passes.
A court may award the plaintiff an amount equal to any compensatory damages, injunctive relief, declaratory relief, and reasonable attorney’s fees and litigation costs.
However, the individual must first notify the Commission and the attorney general in the state where the person resides about their plans to pursue civil action.
They’ll get a response within 60 days of receipt of the notice stating whether they can proceed with the litigation.
ADPPA Impact on Businesses and Consumers
If the ADPPA passes into law, it will not only affect American consumers but also apply to businesses worldwide.
Let’s discuss its possible implications and reach in greater detail.
How It Impacts Businesses
Let’s discuss how the ADPPA would impact businesses if turned into a federal law.
Not only will you have to post privacy policies (and possibly an additional notice) on your website or app, but you will also have to:
- Honor global privacy controls regarding consumer opt-out rights.
- Provide multiple ways for your American consumers to follow through on their rights.
- Perform impact assessments for certain types of data processing.
- Obtain affirmative consent from consumers for specific types of data processing, collection, and transfer.
- Create and implement proper security measures to protect the integrity of the data.
However, the strictest requirements outlined by the ADPPA apply to large data holders.
Small businesses are exempt from meeting some of the potential law’s more complex, time-consuming aspects.
Additionally, if your business already complies with U.S. state data privacy laws like the Virginia Consumer Data Protection Act (VCDPA) or the Colorado Privacy Act (CPA), it’ll likely be easier for you to follow the requirements of the ADPPA.
The federal law may preempt those state-specific laws, but because it describes similar protections, it could make the compliance transition more seamless in some cases.
How It Impacts Consumers
The ADPPA impacts consumers by providing them with rights over how external entities collect, process, and use their personal information.
It also provides them with a private right of action against entities that violate any of their privacy rights outlined by the potential law.
The consumer data rights appear in Title II of the act and include:
- Individual data ownership and control
- Right to consent and object
- Data protection for children and minors
Let’s discuss exactly what each of these rights entails.
Under Title II, Section 201 of the ADPPA, consumers would have the right to awareness, which the act defines in three parts.
First, within 90 days after the act takes effect, the Commission would publish a webpage describing each provision, right, obligation, and requirement outlined by the ADPPA.
Next, the Commission promises to update the information quarterly and as necessary whenever a change in the law, regulation, guidance, or judicial decision occurs.
Finally, the information will be published in the top ten languages used in the U.S. according to the most recent United States Census.
Consumers also have the right to transparency, as outlined in Title II, Section 202 of the Act.
The privacy policy a covered entity publishes must be readily accessible and provide a detailed and accurate representation of the entity’s data collection, processing, and transfer activities.
Individual Data Ownership and Control
The ADPPA grants consumers the right to access, correct, delete, and portability of covered data in Title II, Section 203.
Specifically, consumers can:
- Access their personal data in a readable, downloadable format, twice in 12 months, free of charge.
- Correct verifiable and substantial inaccuracies or incomplete information and instruct the covered entity to notify all related third parties or service providers to do the same.
- Delete the data a covered entity collected about them and instruct them to notify all related third parties or service providers to do the same.
- Request, if technically feasible, that a covered entity export their data to the individual or another entity in a portable, structured, interoperable, and machine-readable format.
Qualifying small businesses are exempt from complying with these individual requests.
Right to Consent and Object
The American Data Privacy and Protection Act gives consumers the right to consent and object in Title II, Section 204.
Specifically, consumers can opt out of (i.e., object to):
- Having their data transferred to a third party
- Targeted advertising
Consumers also have the right to “individual autonomy,” which means covered entities cannot attempt to influence an individual’s choices by:
- Using false, fictitious, fraudulent, or misleading statements or representations
- Designing, modifying, or manipulating the user interface to obscure, subvert, or impair an individual’s autonomy, decision-making, or choice to exercise rights
Data Protection for Children and Minors
The ADPPA also describes additional rights regarding data protection for children and minors.
Specifically, covered entities cannot engage in targeted advertising if the individual is a covered minor under age 17.
Covered entities also cannot transfer data of minors without obtaining express, affirmative consent from their legal guardian.
ADPPA Compared to Some of the Biggest Data Privacy Laws
Next, let’s compare the proposed ADPPA to other significant data privacy laws worldwide.
ADPPA vs. GDPR
The ADPPA is similar to the European Union’s (EU) General Data Protection Regulation (GDPR), the EU’s leading data privacy law.
However, it also differs in some notable ways.
Both laws outline principles of transparency over an entity’s data processing activities and require privacy notices (or policies).
They each describe data minimization requirements regarding collecting information that is “proportionate” and “necessary.”
Additionally, they provide similar rights to the protected individuals — i.e., the right to access, delete, or correct data, and data portability.
However, some significant differences include:
- The ADPPA definition of ‘individual’ does not appear to have the same extraterritorial scope as the GDPR definition of ‘data subject.’
- The GDPR definition of ‘personal data’ is broader and has fewer exemptions than the ADPPA definition of ‘covered data.’
- The ADPPA ‘covered entity’ does not apply to government agencies, while the GDPR definition of ‘data controllers’ does.
- The ADPPA features exemptions for small businesses, and the GDPR does not have an equivalent effect.
ADPPA vs. PIPEDA
Most of Canada is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), a law that shares some similarities with the ADPPA but also differs greatly.
Both laws create ground rules for businesses that handle personal information from individuals.
Like the ADPPA, PIPEDA requires covered entities to hold themselves accountable for protecting personal data and keeping it safe and secure.
However, a significant difference concerns their legal scopes.
The reach of who PIPEDA protects is limited, even within Canada: in some provinces, provincial laws take precedence over PIPEDA, and it only applies to for-profit, commercial activity in the private sector.
On the other hand, the ADPPA would apply to any natural person residing in America.
While there are exceptions to what’s considered a covered entity or covered data, it does account for both the public and private sectors.
ADPPA vs. CCPA
So how does America’s first potential federal law compare to the California Consumer Protection Act (CCPA) — a 2018 state law once referred to as ‘America’s GDPR’?
Both give consumers the right to access, correct, or delete their data, and outline privacy notice/policy requirements. They also share similar descriptions of safety and security requirements, although the ADPPA lists more specifics than the CCPA.
But, California lawmakers claim that the CCPA requirements are stricter than what the ADPPA describes in the following ways:
- The CCPA outlines obligations for third-party processors that don’t exist in the current version of the ADPPA.
- The ADPPA excludes employee data from its scope, including contractors, but this is not the case under the CCPA.
- The recent CCPA amendments created the California Privacy Protection Agency (CPPA), a group of five board members who implement and enforce the law, whereas the ADPPA does not create any specific agency for upholding the law and instead depends on the Commission and state Attorney General offices.
Future Outlook of the ADPPA
The American Data Privacy and Protection Act faces a pivotal moment, with preemption, innovation, emerging technologies, and protection gaps at the forefront.
That said, it’s highly likely that something that looks similar to the current version of the ADPPA will be America’s first Federal data protection law.
But for now, it’s more a question of when, which may take several more years.
After the end of the 117th Congress in January 2023, American lawmakers claimed data privacy would remain a top priority. But the ADPPA has yet to come up for further discussion.
Once it’s back on the schedule, we may see changes to details such as whether it grants individuals a private right of action or preempts state data privacy laws.
But overall, the ADPPA as it’s currently written was well received across both sides of the political spectrum.
It’s unclear when America will pass a federal data privacy law, but the current version of the ADPPA provides good insight as to what it will most likely look like.
America’s first official federal law must ensure comprehensive protection, leaving no room for organizations to exploit ambiguities to the detriment of consumers.
It should establish a meaningful baseline of privacy rights while empowering state regulators to address specific regional concerns.
Protecting privacy in the digital age is complex and requires careful navigation.
It’s vital to balance federal and state authority, foster innovation, and stay ahead of technology to ensure adequate data protection.
In the meantime, we’ll keep following the ADPPA as it moves (or doesn’t) towards potentially becoming a law.