Revised ADPPA: The Top 10 Takeaways

August.24.2022

The U.S. Legislature has proposed the first bipartisan comprehensive consumer data protection law, the American Data Privacy and Protection Act (ADPPA). If enacted, the United States would join over 100 countries and several U.S. states that have enacted comprehensive consumer privacy legislation. The House Committee on Energy and Commerce passed an amended version of the ADPPA on July 20, 2022, and it is now ready for a full House vote.

Here, we have outlined the top ten key takeaways from the revised ADPPA.

1. The ADPPA Would Apply Broadly

The ADPPA would define “covered entities” broadly to entities subject to the Federal Trade Commission (FTC) Act, common carriers under the Communications Act of 1934, or nonprofit organizations that determine the purposes and means of collecting, processing, or transferring covered data, as well as entities that control, are controlled by, or are under common control with a covered entity. The Act would create additional obligations for so-called “large data holders” and would impose reduced obligations on “small data holders”.

In line with other consumer privacy laws like the California Consumer Privacy Act (CCPA), the Act would define “covered data” broadly as “information that identifies or is linked or reasonably linkable to an individual or a device,” which includes “derived data” and “unique identifiers,” which would include persistent digital markers such as cookies and IP addresses. The definition excludes de-identified data, employee data, publicly available information, and inferences made “exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.”

The Act would also impose additional obligations on “third-party collecting entities,” which are covered entities whose principal source of revenue is derived from processing or transferring data that the entity did not directly collect. In addition to the requirements imposed on covered entities, third-party collecting entities would be required to: (i) register with the FTC; (ii) place additional notice on their website to inform consumers of their role as a third-party collecting entity; and (iii) respect signals from the “Do Not Collect” registry.

2. Covered Entity Obligations Largely Mirror State Privacy Laws, with Some Exceptions

Many of the covered entity obligations under the ADPPA largely mirror state privacy laws, and companies may be able to leverage existing state privacy law compliance programs should the ADPPA go into effect. For example, the ADPPA would require covered entities to provide a privacy notice describing their data collection, processing, and transfer activities, and including data minimization and privacy-by-design principles. On the security side, the ADPPA would require covered entities to establish, implement, and maintain reasonable administrative, technical and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition.

The Act does contain some key differences from the state privacy laws:

Algorithm Design Evaluations: Covered entities would be required to evaluate the design of any algorithm knowingly developed to collect, process, or transfer covered data to reduce the risk of potential harms, and submit such evaluation to the FTC.
Restrictions on Use of Children’s Data: A covered entity would be prohibited from engaging in targeted advertising to any individual under the age of 17 if the covered entity knows that the individual is under the age of 17. Moreover, a covered entity would be prohibited from transferring the covered data of an individual to a third party without affirmative express consent from the individual or the individual’s parent or guardian if the covered entity knows that the individual is under 17 years of age.
Loyalty Duties: Covered entities would be prohibited from engaging in certain practices unless an enumerated exception applies. Prohibited practices include collecting, processing, or transferring social security numbers; collecting or processing sensitive covered data; transferring sensitive covered data to a third party; or in the case of certain video programming services, transferring covered data to third parties that reveals the video content or services requested or selected by the individual from such service.
Civil Rights Protections: Covered entities may not collect, process, or transfer covered data in a manner that discriminates or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, or disability.

3. Service Provider Obligations are Similar to Terms in State Privacy Laws

Similar to state consumer privacy laws, the Act would define “service providers” as entities that collect, process, or transfer “covered data on behalf of, and at the direction of, a covered entity and which receive covered data from or on behalf of a covered entity pursuant to a written contract” that meets the requirements outlined in the Act. The ADPPA would also prohibit service providers from transferring data without affirmative express consent unless the data is transferred to another service provider.

4. Large Data Holders Have Additional Obligations

The ADPPA would include additional obligations for large data holders. Large data holders are entities that either: (i) had annual gross revenues of $250 million or more in the most recent calendar year; or (ii) collected, processed, or transferred the covered data of more than 5 million individuals or linked/linkable devices; or (ii) the sensitive covered data of more than 200,000 individuals or linked/linkable devices, with some exceptions.

In addition to the general requirements applicable to covered entities, large data holders would be required to:

Short-Form Notice: Provide a short-form notice of its covered data practices.
Privacy Impact Assessment: Conduct a privacy impact assessment biennially that weighs the benefits of the covered data collecting, processing, and transferring practices against the potential externalities of such practices.
Algorithm Impact Assessment: Conduct an annual impact assessment of any algorithm used to collect, process or transfer covered data, and submit such assessment to the FTC.
Annual Certification: An executive officer of a large data holder must certify annually to the FTC that the entity maintains (i) reasonable internal controls to comply with the Act, and (ii) reporting structures to ensure certifying officers are involved in, and responsible for, decisions that impact the entity’s compliance with the Act.

5. Compliance Burden is Eased on Small Data Holders

The ADPPA would include certain exemptions for small data holders. Small data holders are covered entities or service providers that: (i) had an average adjusted gross revenue that is less than $41 million over the last 3 years; (ii) collect or process data for less than 200,000 individuals annually; and (iii) generate less than 50% of its revenue from transferring data.

The reduced obligations on small data holders would include:

Correction Requests: Small data holders would be exempt from the requirement to correct covered data at the individual’s request. Instead, small data holders may delete data in response to a correction request.
Data Security: Small data holders would be exempt from most data security requirements. However, small data holders must delete data that is no longer necessary.

6. Individual Rights

In line with other privacy laws, the ADPPA would afford individuals certain rights. Specifically, under the ADPPA, individuals would have the right to request: (1) access to covered data collected on the individual’s behalf; (2) correction of any inaccuracies in the individual’s covered data; (3) deletion of covered data obtained about the individual and notification to any third party or covered entity to which such data was transferred of the deletion request; (4) data portability; (5) to withdraw affirmative express consent that was previously provided; and (6) to opt out of transfers of covered data and targeted advertising.

While most covered entities would be required to respond to individual requests within 60 days of verification, the requirement differs for small and large data holders. Large data holders would be required to respond within 45 days of verification, while small data holders would be required to respond within 90 days of verification.

7. Consent for Sensitive Covered Data

Under the ADPPA, a covered entity would be required to obtain an individual’s affirmative express consent prior to the collection, processing, or transfer of the individual’s sensitive covered data. Under the ADPPA, “affirmative express consent” requires a specific, informed, unambiguous authorization for an act or practice by the covered entity. The request for consent must meet certain content requirements outlined in the Act.

8. Most State Privacy Laws Would be Preempted

The Act would broadly preempt consumer-focused laws like the CCPA and the legislation in Colorado, Connecticut, Utah, and Virginia. However, the Act would preserve the private right of action for security violations under the unaffected CCPA regulations. The Act also expressly excludes from preemption state laws addressing “health information, medical information, medical records, HIV status, or HIV testing.”

9. Private Right of Action

The ADPPA would be enforced by a new FTC bureau and state attorneys general (AG) or, in the case of California, the California Privacy Protection Agency. State AGs would be required to notify the FTC prior to initiating a civil action so the FTC may intervene.

Significantly, the Act would include a delayed private right of action, which would go into effect two years after the ADPPA has been in enacted. The Act would permit any person or class of persons to seek compensatory damages, injunctive or declaratory relief, and reasonable attorneys’ fees for certain violations of the Act in federal court.

Individuals would be required to notify the FTC and state AGs of their intent to bring action. The FTC or state AGs would have 60 days to decide whether to intervene in the suit. Prior to filing suit against small data holders or for injunctive relief, an individual must provide the covered entity with 45 days’ written notice identifying the alleged violations. Covered entities would be provided with 45 days to cure the alleged violation.

Individuals would not be permitted to bring an action against a covered entity that: has less than $25 million in annual revenue; collects, processes, or transfers the covered data of fewer than 50,000 individuals; or derives less than 50% of its revenue from transferring covered data.

10. The Act has a Long Way to Go Before Becoming Law

While the ADPPA has made it out of committee, the path forward is uncertain. The House is in recess for the month of August. Even if the ADPPA does pass when the House returns, it faces an uphill battle in the Senate. While the ADPPA has bipartisan support in the House, Senator Maria Cantwell (D-WA), chair of the Senate Commerce Committee, opposes the Act due to concerns about enforcement gaps. Senator Cantwell has repeatedly indicated that she would not support the Act in its current form.

Authors

Heather Egan Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Technology & Innovation
Fintech
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan Partner

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.

Alyssa Wolfington Managing Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

New York

See my bio

D:+1 212 506 5000
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Alyssa Wolfington Managing Associate

New York

Alyssa navigates clients through privacy programs and policy creation, and provides guidance on compliance with federal, state and international laws and regulations, including the U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states, the General Data Protection Regulation (GDPR), the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws. She advises clients on security incident response and federal and state investigations related to privacy and data security. She also provides assessments of privacy and security practices for companies carrying out due diligence in the context of corporate transactions.