Protection file

lawmakers unveil US privacy and data protection bill | McDermott Will & Emery

As time is running out in the US Congress and the midterm elections approach, a bipartisan group of lawmakers is making what could be a last ditch attempt to compromise on federal privacy law. On June 3, 2022, House Energy and Commerce Committee Chairman Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA), and Ranking Member of the Senate Commerce, Science, and Transportation Committee Sen. Roger Wicker (R-MS) released a draft of a comprehensive new federal privacy bill, the American Data Privacy and Protection Act (ADPPA). Senator Maria Cantwell (D-WA), chair of the Senate Commerce Committee, who had been given the green light by Sen. Chuck Schumer (D-NY) to try to pass federal privacy legislation, is particularly absent from this list of potential sponsors. Shortly after its publication, Senator Cantwell criticized the ADPPA and pointed out that she had her own competing proposal. Senator Cantwell’s position, plus the absence of any California Representative or Senator, signals that the ADPPA is likely destined to stall on the hill like each of its predecessors.

Still, with the constant trickle of new state consumer privacy laws, many companies are growing anxious and waiting for action at the federal level, so the ADPPA is noteworthy. This On the subject highlights several notable features of the ADPPA beyond the access, correction, deletion and portability rights provided for consumers. We will begin by examining the private right of action and preemption in the ADPPA, as these have traditionally been the sticking points in the debate over federal privacy law.

  • Limited private right of action: Beginning four years after the effective date of the ADPPA, individuals and groups will have a private right of action, but it is a proscribed right. Notably, there are no statutory damages. Although a successful plaintiff can still recover attorneys’ fees, plaintiffs are only permitted to seek injunctive or compensatory damages. The lack of statutory damages may serve to dampen plaintiffs’ bar interest in bringing ADPPA cases to trial. Another deterrent to the private right of action lies in the procedural prerequisites to be met. First, the allegedly injured person will first have to notify the Federal Trade Commission (FTC) and its appropriate state attorney general of the alleged wrong to see if either regulator wishes to pursue the action. If no action is taken by these regulators, then the allegedly injured person must notify the potential defendant and give them 45 days to repair the alleged damage before bringing an action.
  • Federal preemption with more than a few exclusions: One of the things companies are looking for in a federal privacy bill is a strong state preemption so companies can focus on complying with a law and related regulations. The ADPPA comes close to this goal, but not by much. There is a broad statement of preemption of state laws, but that preemption is effectively gutted by a long, one-and-a-half-page list of state laws that are not preempted, including California’s California Consumer Privacy Act (CCPA) and the Illinois Biometric Information Privacy Act (BIPA).
  • Broad definition of “sensitive” data: ADPPA would classify much information as “sensitive” that does not immediately come to mind as particularly sensitive. For example, “information identifying an individual’s online activities over time or across third party websites or online services”. Indeed, this is cookie data. This definition, coupled with a positive opt-in requirement for the collection of “sensitive” data, means that the ADPPA would bring many of the requirements of the European ePrivacy Directive to the United States.
  • Proscriptive duty of loyalty: Although the ADPPA’s “duty of loyalty” is not the same type of fiduciary duty that other legislators have tried to introduce, it is nevertheless quite prescriptive, including a list of eight practices that companies should not adopt, ranging from the collection and use of social security numbers to the transfer of aggregate Internet search or browsing histories.
  • Target Marketing: Similar to other privacy laws, the ADPPA would require companies to allow opt-outs from targeted marketing, including intra-family targeted marketing. The ADPPA would also prohibit the delivery of targeted marketing to anyone under the age of 17.
  • Registration of third-party collectors: The ADPPA would require third parties that collect information about consumers, but do not have direct contact with that consumer, to register and offer certain public disclosures about their practices.
  • Executive responsibility: Effective one year after ADPPA comes into force, the Chief Executive Officer, Privacy Officer and Information Security Officer of what ADPPA defines as “big data owners” will have to certify ADPPA compliance to the FTC. This puts these individuals in the direct line for potential liability if their business does not, in fact, comply with the ADPPA. A large data owner is an entity that has annual gross revenues of $250 million or more and collects or transfers the personal information of five million or more people or devices or the sensitive data of 100,000 people or devices .
  • Impact evaluations and algorithms: Impact assessments would be required for a number of processing activities under the ADPPA, including in relation to any big data holder algorithm that uses personal information.
  • Exemption for small businesses: In addition to the exemptions provided under the ADPPA (for example, the Gramm–Leach–Bliley Act, the Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act), the ADPPA includes a limited exemption for companies that, at during the three years (or for the period of existence of the entity if it is less than 3 years) has achieved (i) an annual turnover of less than 41 million dollars, (ii) has not collected nor processed the data of more than 100,000 people and (iii) did not derive more than 50% of its revenue from the transfer of personal information.

Ultimately, while the ADPPA represents another important step forward in signaling that a compromise on the two key issues of preemption and a private right of action is possible, the bill still has a long way to go. travel before becoming law. With Senator Cantwell likely to introduce a competing bill, and with the timeline he is on, it looks like the issue of federal privacy legislation could be left to a later Congress.

McDermott’s global privacy and cybersecurity team always stays abreast of the latest changes in the legislative landscape and prepares our clients in the future for the changes to come.

John Ying, summer partner in the Atlanta office, also contributed to this article.

[View source.]