With the polarization of the political landscape, it seems to be a very rare occurrence that a controversial bill garners significant bipartisan support. Yet, the American Data Privacy and Protection Act (ADPPA) was able to do just that.
When the revised ADPPA was first brought to the House floor this past July, the result of the Committee on Energy and Commerce vote was a landslide decision of 53-2.
On the other hand, the bill has stirred controversy with some major politicians. Most notably, House Speaker Nancy Pelosi was a vocal opponent of the bill. Her opposition stems from privacy laws already established in her home state of California.
“With so much innovation happening in our state, it is imperative that California continues offering and enforcing the nation’s strongest privacy rights,” said Pelosi. “California’s landmark privacy laws…must continue to protect Californians — and states must be allowed to address rapid changes in technology.”
Other states have also shown concern. Connecticut, Virginia, Colorado and Utah all have privacy laws going into effect in the next year and the passing of a federal law could impact some of their own state laws. In fact, many states passed their own privacy laws due to federal inaction. The question remains whether states will put their trust in the federal government or stick to their own guns.
The ADPPA: Federal Privacy Regulator
The creation of a federal privacy law has been decades in the making, but recently, there has been a stronger push against big tech companies having a monopoly over consumers’ data. There have been several iterations of a federal privacy bill as politicians have found it hard to compromise on certain issues.
Two issues requiring compromise previously impeded this particular bill from being passed: whether to preempt state privacy laws and whether to create a private right of action.
The bipartisan bill is co-sponsored by House Energy and Commerce Committee Chairman Frank Pallone, Jr. and Ranking Member Cathy McMorris Rodgers. They seem committed to the battle against big tech in their effort to move the bill through the U.S. legislative process. In a joint statement, they said:
“The American Data Privacy and Protection Act puts people back in control of their online data. It creates a strong national standard that will finally minimize the amount of Americans’ information companies are allowed to collect, process, and transfer. This will rein in Big Tech’s power and establish clear, robust protections for people, especially children. Under our solution, companies will face real consequences if they track our kids’ data or use that information to exploit them for profit.”
While the bill might have passed through the House without a hitch, the same cannot be said for the Senate. In fact, some believe that the bill being stalled from a vote in the Senate might mean that the ADPPA has reached its deathbed. Regardless, the House legislature continues its fight.
ADPPA’s Current Iteration: Restrictions and Allowances
As mentioned above, the bill has gone through several iterations. The standards listed below apply to the ADPPA bill that was passed on July 20, 2022, on the House floor. There have so far been no further additions.
Covered Entities: The bill applies to most entities and includes nonprofits and common carriers. Large data holders–these are entities or service providers that had an annual gross revenue of $250,000,000 or more and covered data of more than 5,000,000 individuals or devices–have additional requirements.
Covered Data: The bill applies to any data that “identifies or is linked or reasonably linkable” to an individual.
Duties of Loyalty: The bill prohibits covered entities from collecting, using, or transferring covered data without the permission and request of the consumer. The only exception is if the collection or use of data falls under the seventeen permissible purposes. It also creates special protections for certain types of sensitive covered data, defined as sixteen different categories of data, and requires covered entities to get a consumer’s consent before transferring their sensitive covered data to a third party, unless a specific exception applies.
Transparency: Requires covered entities to disclose the type of data they collect, what they use it for, how long they retain it, and whether they make the data accessible to the People’s Republic of China, Russia, Iran, or North Korea.
Consumer Control and Consent: The bill would give consumers various rights over covered data, including the right to access, correct, and delete their data held by a particular covered entity. It would further require covered entities to give consumers an opportunity to object before the entity transfers their data to a third party or targets advertising toward them.
Youth Protections: Individuals under age 17 get additional data protections, including a prohibition on targeted advertising, and the bill would establish a Youth Privacy and Marketing Division at the Federal Trade Commission (FTC).
Third-Party Collecting Entities: Specific obligations were allotted for third-party collecting entities. These entities would have to comply with FTC auditing regulations. If they collect data above the threshold number of individuals or devices, they would have to register with the FTC. The FTC would establish a searchable registry of third-party collecting entities and a “Do Not Collect” mechanism by which individuals could request that all registered entities refrain from collecting covered data relating to the individual.
Civil Rights and Algorithms: Prohibits most covered entities from using covered data in a way that discriminates on the basis of protected characteristics such as race or sex. Requires large data holders to conduct algorithm impact assessments. These assessments need to describe the entity’s steps to mitigate potential harms resulting from its algorithms. The bill would also require large data holders to submit these assessments to the FTC and make them available to Congress on request.
Data Security: Requires a covered entity to adopt data security practices and procedures that are reasonable in light of the entity’s size and activities.
Small and Medium-sized Businesses: The bill relieves small- and medium-size businesses that meet certain size and data-collection thresholds from complying with several requirements.
Enforcement: The regulations will be enforced by the FTC, state attorneys general and state privacy authorities in civil actions. The bill would also give the California Privacy Protection Agency authority to enforce the ADPPA in the “same manner it would otherwise enforce” California’s privacy law, the California Consumer Privacy Act.
Private Right of Action: Creates a delayed private right of action starting two years after the law’s enactment. An injured person, or group of people, could sue covered entities in federal court for damages, injunctions, litigation costs, and attorneys’ fees. They would have to notify the FTC or their state attorney general before bringing suit. Before bringing a suit for injunctive relief or a suit against a small- or medium-size business, individuals would be required to give the violator an opportunity to address the violation. Renders pre-dispute arbitration agreements or joint-action waivers with individuals under the age of 18 unenforceable in disputes arising under the ADPPA.
Preemption: Preempts any state laws that are “covered by the provisions” of the ADPPA or its regulations, although it would expressly preserve sixteen different categories of state laws, including consumer protection laws of general applicability and data breach notification laws. It also preserves several specific state laws, such as Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act and California’s private right of action for victims of data breaches.
The ADPPA’s Effect on Publishers
Although new privacy regulations have upended the status quo for the ad tech industry, many industry professionals and experts are preparing for the new normal. Third-party cookie deprecation is on hold, or maybe not going away at all depending on who you ask. Yet, the ad tech ecosystem still needs to prepare for the fact that consumers’ rights to share their data are going to be regulated much more harshly. In fact, along with the ADPPA, the government is considering implementing a Federal Privacy Bureau as an extension to the FTC.
While it might be harder to collect mass amounts of data, it is still important that the industry remembers the rights of the consumer and how certain tactics and practices affect the user experience. There is a plethora of new practices coming to light that can help publishers ethically collect consumer first-party data, such as data clean rooms, alternative IDs, retail media and more.
After prepping for GDPR and CCPA, the industry is much more prepared for any federal privacy law than it would have been a few years ago.