A Review: The American Data Privacy and Protection Act
PART 1: STATE PREEMPTION AND PRIVATE RIGHT OF ACTION
Congress reached a major milestone in the effort to create a comprehensive federal data privacy law last week when House Energy and Commerce Chair Rep. Frank Pallone (D-NJ), ranking member Rep. Cathy McMorris Rodgers (R-WA), and ranking member of the Senate Commerce Committee Sen. Roger Wicker (R-MS) came together to release a draft bill for discussion—the American Data Privacy and Protection Act (ADPPA). The release of a bipartisan draft bill is a welcome development after years of delays and discussion and is the most hopeful sign that Congress will finally address this issue. Unfortunately, the compromise text failed to adequately address the two most contentious issues in the debate about a federal privacy law: state preemption and a private right of action.
In an attempt at a compromise the ADPPA would preempt state privacy laws…except for a long list of excluded laws and topics, including the hotly contested Illinois Biometrics Information Privacy Act, part of the California Privacy Rights Act, and broad topics such as facial recognition, non-consensual pornography, data breach notification, and more. The list of exclusions is lengthy, which fundamentally undermines the purpose of state preemption (i.e., to have uniform laws to reduce compliance costs and simplify rules for consumers) especially on topics like data breach notification where every state already has a law. Moreover, the special carve outs specifically for privacy laws in Illinois and California, while excluding other states that have recently passed state privacy laws, such as Virginia, Utah, Colorado, and Connecticut, is unfair and reeks of backroom dealing. Clearly, legislators are trying to reach a compromise, but the state preemption should be much broader to be effective.
The ADPPA also attempts a compromise on a private right of action. The legislation would include strong enforcement measures, allowing the FTC as well as state attorneys general to bring action against any data holders violating provisions in the act. But the legislation also creates a limited private right of action. The ADPPA would allow individuals to bring civil actions seeking compensatory relief or injunctive relief against data holders starting four years after the act goes into effect. To limit duplicative enforcement, individuals must first notify their state attorney general and the FTC of their intent to bring suit, and if one of those agencies decides to initiate an action, individuals cannot file their own lawsuit. There is also a limited right to cure, whereby if a data holder successfully addresses an alleged problem within 45 days, they can seek dismissal of a demand for injunctive relief. While the drafters have clearly attempted to construct a narrow private right of action, the fact remains that the ADPPA would still leave open the door for expensive, frivolous lawsuits. Indeed, since the only lawsuits individuals would be proceeding with under the ADPPA are those that neither the FTC nor any attorney general decides to pursue, these are likely to be meritless.
As ITIF has written, state preemption and no private right of action should be the baseline for a federal privacy law. Unfortunately, as currently drafted, the ADPPA fails to achieve those two goals.
PART 2: THE GOOD AND THE BAD
The American Data Privacy and Protection Act (ADPPA), jointly released on June 3 by key members in the House and Senate Commerce Committees, would establish a comprehensive consumer data privacy framework. Unfortunately, the drafters have included several poorly conceived compromises on state preemption and a private right of action that fail to meet the standards of what is needed in a federal data privacy law. But the bill does offer a comprehensive framework for data privacy that serves as a blueprint for federal legislation, and it is worth exploring the pros and cons of these other provisions.
The ADPPA would establish basic consumer data rights; impose certain obligations (referred to as “duties of loyalty”) on how all organizations process personal data; and create additional requirements for large data holders (defined as organizations having sensitive personal data on 100,000 or more individuals or non-sensitive data on 5 million or more individuals) and third-party service providers that process data. The legislation would apply to all organizations, including non-profits and telecoms, and create a new division within the Federal Trade Commission (FTC) tasked with enforcing this law.
There are both positive and negative elements to the ADPPA. On the positive side, the legislation generally offers a sensible approach in establishing basic consumer data rights. The legislation creates strong transparency requirements for how organizations handle data and gives individuals the right to access, correct, delete, and port their personal data. The legislation requires entities obtain opt-in consent for collecting, processing, or transferring sensitive personal information, but opt-out consent for non-sensitive personal information (both reasonably defined). The legislation also would strengthen children’s privacy, requiring express affirmative consent for transferring data of children between ages 13 and 17, and establishing a new Youth Privacy and Marketing Division at the FTC. The ADPPA would require data brokers to register with the FTC and allow third-party audits of how data brokers share information with others, as well as direct the FTC to create a public online registry of data brokers that allows users to request that all data brokers delete their data within 30 days. Finally, the legislation requires organizations to implement reasonable data security practices, and allows those meeting other federal privacy laws, such as the Gramm-Leach Bliley Act or Health Insurance Portability and Accountability Act, to be deemed as in compliance.
One unique feature of the ADPPA is the requirement that the FTC establish a process for organizations to submit technical compliance programs for the agency’s approval. Organizations could submit a proposal outlining how they intend to meet or exceed the ADPPA’s requirements, and the FTC would have up to 180 days to approve or deny these plans. In theory, this provision could give organizations some flexibility on how to meet the law’s requirements. While approval of a technical compliance program does not preclude an attorney general or the FTC from opening an investigation, the ADPPA does state that a history of compliance with a technical compliance program should be considered in any enforcement action.
The legislation also establishes a series of “corporate accountability” mechanisms, including some only for large data holders. For example, all data holders must designate one or more privacy and data security officers responsible for complying with the law. Large data holders must also have a privacy protection officer responsible, reporting directly to the head of the organization, who is responsible for conducting comprehensive privacy audits, providing privacy training to employees, and serving as the main point of contact for regulators. Large data holders must also complete a biennial privacy impact assessment that considers the benefits of its data practices against potential risks to individuals. Large data holders “that use algorithms” (an absurd distinction given every organization with a computer uses algorithms in one form or another) must also submit annual algorithmic impact assessments to the FTC detailing steps they are taking to mitigate potential harm from their algorithms.
The ADPPA also includes provisions that are not ideal (at least as currently worded) but reflect the type of compromises likely to be found in any data federal privacy law. For example, ideally privacy rules should apply the same to all organizations regardless of their size—privacy risks for consumers depend on the sensitivity of the data and the context of its collection, not the size of the organization collecting the data. Yet in addition to additional requirements for large data holders, the legislation contains other carve out for smaller organizations, such as not requiring data portability for smaller data holders and allowing them to delete, rather than correct, data.
In addition, the requirements for data minimization and privacy by design raise costs and negatively impact the ability of organizations to engage in data-driven innovation. Or the requirement that organizations do not condition pricing on whether individuals waive certain privacy rights could encourage free-riding for online services, where those who share their data for targeted ads effectively pay for those who opt out. Finally, some of the “loyalty duties” in the ADPPA that restrict organizations from sharing sensitive information, such as an individual’s browsing history, search history, and precise geolocation without consent are mostly reasonable. But others raise questions. For example, the restriction on processing biometric information without consent could prevent legitimate business activities (such as identifying known shoplifters in a store) and the prohibition on collecting, processing, or transferring “known nonconsensual intimate images” is a worthy goal but raises other questions about what constitutes knowledge and whether providers would need to actively monitor private communications to stop distribution of these images.
The most troubling item in the ADPPA not yet discussed is that it grants the FTC the authority to establish “centralized opt-out mechanisms” that would allow individuals to opt out of all covered data transfers and targeted advertising if it determines that such mechanisms are feasible. This threshold is much too low—many things are technically feasible, but not necessarily practical or cost-efficient. Moreover, this type of universal opt-out would likely encourage consumers to broadly restrict data sharing without considering the broad societal implications of their decision or the more granular controls available to them by different organizations.
It is worth noting some other interesting tidbits from the ADPPA. The legislation would require data holders to specify whether they make data available to China, Russia, Iran, or North Korea. The provision is a bit vague as worded. Ideally, this would clarify that this means makes available to the government of these countries, and not simply whether data processing occurs in one of these countries. The former would be much more meaningful. Moreover, to make this provision more flexible, instead of naming these countries in the legislation, the act should allow the State Department to specify which countries should be included. The legislation also includes a requirement that the Department of Commerce issue an annual report on “digital content forgeries” (i.e., deep fakes). There is nothing controversial about that proposal, but its inclusion here seems out of place.
In summary, while the ADPPA is far from perfect, with some adjustments, it is a reasonable framework for a federal data privacy law if the drafters can include stronger state preemption and eliminate the private right of action.
This article was originally published by the Information Technology and Innovation Foundation (ITIF). Read the original article here.