With rare bipartisan support, the American Data Privacy and Protection Act moved out of the U.S. House of Representatives Committee on Energy and Commerce with a vote of 53-2 on July 20, 2022. The bill still has to pass the full House and Senate, and negotiations are underway. Given the Biden administration's responsible data practices strategy, White House support is likely if a version of the bill is passed.
As a lawyer who studies and practices technology and data privacy law, I have been following the act, known as ADPPA, closely. If passed, it will fundamentally change U.S. data privacy law.
ADPPA fills the data privacy gap, establishes federal preemption of some state data privacy laws, allows individuals to sue for violations, and significantly changes how data privacy law is enforced. Like all major changes, ADPPA gets mixed reviews from the media, scholars and companies. But many see the bill as a triumph for U.S. data privacy that provides a necessary national standard for data practices.
Who and what would ADPPA regulate?
ADPPA would apply to “covered” entities, meaning any entity that collects, processes or transfers covered data, including nonprofit organizations and sole proprietorships. It would also regulate cell phone and internet providers and other common carriers, in conjunction with changes to federal communications regulations. It does not apply to government agencies.
ADPPA defines “covered” data as any information that identifies, or can reasonably be linked to, an individual or a device. It also protects biometric data, genetic data and geolocation information.
The bill excludes three categories of data: anonymized data, employee data and publicly available information. That last category includes social media accounts whose privacy settings allow them to be viewed publicly. While research has repeatedly shown that anonymized data can easily be re-identified, the ADPPA tries to address that by requiring covered entities to “take reasonable technical, administrative and physical measures to ensure that the information cannot be used at any time to re-identify any person or device.”
How ADPPA protects your data
The bill requires data collection to be as minimal as possible. It allows covered entities to collect, use or share an individual’s information only when doing so is reasonably necessary and proportionate to a product or service the individual is requesting, or to respond to a communication the individual initiates. It also permits collection for authentication, responding to security incidents, preventing illegal activity or serious harm to persons, and complying with legal obligations.
People would be given access rights and some control over their data. ADPPA grants users the right to correct inaccuracies in, and to delete, their data held by covered entities.
The bill allows data collection as part of public interest research, such as peer-reviewed research or research that tests whether a website unlawfully discriminates. This is important for researchers who might otherwise risk violating site terms of service or anti-hacking laws.
The ADPPA also has a provision that tackles the service-conditioned-on-consent problem: those annoying “I agree” boxes that force people to accept a jumble of legal terms. When you click one of those boxes, you are contractually waiving your privacy rights as a condition of simply using a service, visiting a website or purchasing a product. The bill would prevent covered entities from using contract law to circumvent the bill’s protections.
Looking to federal electronic surveillance law for guidance
The U.S. Electronic Communications Privacy Act may guide federal lawmakers in finalizing ADPPA. Like the ADPPA, the ECPA of 1986 was a major overhaul of U.S. electronic privacy law, enacted to address the adverse effects of advancing surveillance and communications technologies on privacy and civil liberties. Today, advances in surveillance and data technologies, such as artificial intelligence, are again significantly affecting citizens’ rights.
ECPA, which is still in effect today, provides a baseline national standard of protection against electronic surveillance. ECPA protects communications from interception unless a party to the communication consents. But ECPA doesn’t prevent states from passing more protective laws, so states can choose to grant more privacy rights. The end result: about a quarter of U.S. states require consent from all parties before a communication can be intercepted, giving their citizens more privacy rights.
The ECPA’s federal-state balance has worked for decades, and the ECPA has not overwhelmed the courts or crippled commerce.
As drafted, ADPPA preempts some state data privacy laws. This affects the California Consumer Privacy Act, although it does not preempt the Illinois Biometric Information Privacy Act or state laws that specifically regulate facial recognition technology. However, the preemption provisions are in flux as House members continue to negotiate the bill.
If preemption remains in the bill, the final version of the ADPPA would be the law of the land, preventing states from protecting their citizens’ data privacy more rigorously.
Private right of action and enforcement
ADPPA provides a private right of action, allowing people to sue covered entities that violate their rights under ADPPA. This gives the bill’s enforcement mechanisms a major boost, although the right has significant limitations.
The U.S. Chamber of Commerce and the tech industry oppose a private right of action, preferring that enforcement of ADPPA be confined to the Federal Trade Commission. But the FTC has far fewer staff and far fewer resources than U.S. trial attorneys collectively.
By comparison, ECPA has a private right of action. It has not overwhelmed courts or businesses, and entities are likely to comply with ECPA to avoid civil lawsuits. In addition, courts have refined ECPA’s terms over time, providing clear precedents and understandable compliance guidelines.
How big are the changes?
The changes to U.S. data privacy law are big, but ADPPA provides U.S. citizens with much-needed data privacy and security protections, and I believe it’s workable with adjustments.
Given how the internet works, data routinely flows across international borders, so many U.S. companies already have compliance with other countries’ laws built into their systems. This includes the EU’s General Data Protection Regulation, a law similar to the ADPPA. For example, Facebook offers EU citizens the protections of the GDPR, but does not offer U.S. citizens those protections, because it is not required to do so.
Congress has done little about data privacy, but ADPPA stands ready to change that.
Anne Toomey McKenna is visiting professor of law at the University of Richmond.