Recently Amended Draft Federal Privacy Legislation Continues to Receive Support & Criticism

The American Data Privacy and Protection Act (“ADPPA”) has been working its way through Congress with notable bipartisan support. After a July 20th markup session in the House Committee on Energy & Commerce amending the bill, the bill received a 53-2 vote to head to the House of Representatives. It is unclear how this bill would fare in the Senate – or even a vote from the full House – but this is significant progress for federal privacy legislation. 

The new version of the bill does explicitly provide for enforcement authority of the California Privacy Protection Agency (“CPPA”), which is a primary concern of the agency. Other opposition remains, however, including from ten state Attorneys General who have urged Congress not to preempt certain state privacy laws, but instead make the ADPPA “a federal floor, not a ceiling.” Senator Maria Cantwell (D-Wash.), Chair of the Senate Committee on Commerce, Science, and Transportation, has also expressed (and reiterated) concerns, describing the current bill as too weak to warrant passage. Her support is likely crucial for the bill to make progress in the Senate. And some data brokers, while they would like to keep the preemption provisions, have raised concerns about how the bill would hamper the industry, including their ability to support public safety and law enforcement efforts.         

Recognizing that “some compromise is necessary,” a group of nearly 50 civil rights, privacy, and consumer protection organizations recently voiced support for the bill in a letter to House Speaker Nancy Pelosi. The August 25 letter urged Speaker Pelosi to move the bill to a vote by the full House, explaining that this bill provides comprehensive federal privacy and civil rights provisions that will create lasting data privacy protections for millions of Americans.

Despite this support, Speaker Pelosi released a statement on September 1, suggesting that she would not support the bill’s current broad preemption of certain state data privacy laws.  She explained that the current bill “does not guarantee the same essential consumer protections as California’s existing privacy laws[,] … and states must be allowed to address rapid change in technology.”     

Below is a summary of some of the key changes to the bill.  

Definitions

Under the definition of “affirmative express consent,” the bill provides that the option to refuse consent from a covered entity must be just as prominent and must take as many, or fewer, steps as the option to accept consent. This definition of consent is similar to the prohibition on the use of dark patterns in the consent process under the California Privacy Rights Act (“CPRA”). This section now also requires that a new consent be obtained when data is processed for a different purpose than what was within the scope of the original consent.

The bill also clarifies that a service provider – an entity acting at the direction of a covered entity – is not a covered entity under the Act.

And the definition of a “state privacy authority” was added and explicitly includes the CPPA, which is relevant to the enforcement provisions of the draft bill that permit such authorities to enforce the Act. So the newly constituted California state privacy regulator would be entitled to enforce the federal law. Even with this concession, California regulators continue to object to preemption of the CPRA by the ADPPA, as noted above.

Duty of Loyalty

The bill’s “Loyalty Duties” section is really a misnomer – the section provides additional data minimization and consent requirements, not a general duty to act in the best interests of an individual. That aside, the amended section includes an expanded list of permissible collection and processing purposes. For example, if the processing is limited to what is reasonably necessary, a covered entity may now process covered data for an asset transfer, like a merger or acquisition. But a covered entity transferring this data must, in part, provide affected individuals certain notice regarding the transfer of the data and must also provide an opportunity to withdraw consent or request deletion of the covered data. 

Centralized Opt-Out Mechanism

The previous version of the bill required that the FTC establish acceptable centralized mechanisms, like browser or device privacy settings, for individuals to exercise their rights under the proposed law. The amended version spells out the substance of these mechanisms by requiring that, for example, covered entities inform individuals about the centralized opt-out choice and that the mechanism be easy-to-use, in a covered language, and accessible to individuals with disabilities. 

Enforcement

The bill previously stated that not later than one (1) year after the date of enactment, the FTC would issue regulations, but this has been changed to three (3) years. And the prior version of the bill activated the private right of action after four (4) years from the effective date, but the revised version has cut this down to two (2) years.

As indicated above, the CPPA established under the CPRA may enforce an enacted ADPPA as “it would otherwise enforce the” CPRA. Although the CPPA may enforce the ADPPA, California would likely not be able to enforce its own CPRA because it would be preempted – the preemption provision still provides that states may not enforce any law “covered by the provisions of this Act.” The bill does include a long list of exceptions to preemption, including general consumer protection laws, data breach notification laws, and common law claims, as well as explicit exemptions for Illinois’s Biometric Information Privacy and Genetic Information Privacy Acts, but the CPRA is not included in this list. It appears this will remain a significant barrier to progress in both the House and Senate.