A bipartisan and bicameral group of legislators in Washington, D.C., released a discussion draft of a federal privacy bill on June 3 that, for the first time, reaches compromise positions on the two key issues that have to date been the largest obstacles to passing such legislation: state preemption and a private right of action. We discuss briefly the content of the bill, the political context in which it resides and the likelihood that it becomes law.
To be clear, the discussion draft of the bill, the American Data Privacy and Protection Act (ADPPA), preempts most comprehensive state privacy laws and includes a narrow and limited private right of action. The compromises on these issues in the bill, however, are likely to draw criticism from both Democrats and Republicans, along with industry and privacy advocates.
The bill includes provisions seen at the state level in statutes in California, Colorado, Connecticut, Utah and Virginia (the latter four set to take effect in 2023), and novel concepts as well. Similar to existing state laws, the ADPPA provides for various consumer rights to access, rectify and delete “covered data.” The bill, however, provides broader protection against the collection and processing of “sensitive covered data” than previously seen in state statutes, one that requires the affirmative express consent of an individual prior to the collection, processing or transfer of such data. This consumer protection is notably stronger than under current state laws: the strictest of them (Colorado, Virginia and Connecticut) also require opt-in consent prior to processing sensitive data, but the ADPPA’s definition of covered data that is “sensitive” is broader than in those statutes, so the consent requirement is more impactful.
The ADPPA also introduces novel concepts, not present in existing U.S. consumer privacy statutes, such as the following:
- Individual liability associated with executive responsibility that would require the CEO, CPO and CISO of a “large data holder” to certify compliance with the ADPPA to the FTC.
- An annual requirement for large data holders to perform algorithm impact assessments that, in part, assess the impact on children under the age of 17, advertising for key services (e.g., housing, education, employment and others), access or restriction to places of public accommodation (specifically as it relates to protected classes) and the disparate impact on protected classes.
- Biennial “privacy impact assessments” for large data holders that weigh “the benefits of the large data holders’ covered data collecting, processing, and transfer practices against the potential adverse consequences.”
- A “small data exception” that exempts small businesses from various elements of the bill.
- A prohibition on arbitration agreements and joint-action waivers that limit the rights provided for in the ADPPA of children under the age of 18.
Most notable, however, are the bill’s provisions governing state preemption and an individual private right of action.
State preemption – The bill’s exemption and preemption section conjures images of Swiss cheese and includes carve-outs for existing federal and certain limited state statutes (e.g., the Illinois Biometric Information Privacy Act and the narrow private right of action for a data breach under the California Consumer Privacy Act/California Consumer Privacy Rights Act). State consumer protection laws of general applicability (i.e., state unfair and deceptive acts or practice statutes) are preserved, but the ADPPA preempts states from passing similar comprehensive privacy legislation. This state preemption would render recent comprehensive privacy statutes set to take effect in 2023 in Colorado, Connecticut, Utah and Virginia moot and preempted.
Private right of action – The ADPPA provides for an individual private right of action, but not beginning until four years after the law takes effect. The right of action, however, is limited only to compensatory damages, attorneys’ fees and litigation costs, and injunctive relief; the bill does not include statutory damages. In addition, potential plaintiffs must follow certain procedures before they can bring their claim. First, the individual must notify the FTC and their state attorney general of their claims, at which point either regulator has 60 days to decide whether to independently seek action against the covered entity and nullify the individual’s claim. Second, a potential plaintiff must provide a covered business 45 days’ written notice of the specific violations of the ADPPA, at which point the covered business can cure the alleged violations and render a claim for injunctive relief moot. In addition, when a potential plaintiff sends a demand letter to a covered entity seeking monetary compensation, if the letter does not include a specific phrase and hyperlink to an FTC webpage, which describes the covered entity’s rights under the ADPPA, the individual forfeits their right to bring a claim.
The ADPPA is co-authored by a bipartisan group of legislators from both chambers: Sen. Roger Wicker (R-Miss.), Rep. Frank Pallone (D-N.J.) and Rep. Cathy McMorris Rodgers (R-Wash.). Absent from this group, however, are Senators and Representatives who have been highly engaged on consumer privacy issues, most notably Sen. Maria Cantwell (D-Wash.), to whom Senate Majority Leader Chuck Schumer (D-N.Y.) gave the go-ahead to attempt to find consensus on a federal privacy law. Sen. Cantwell has already voiced some hesitation about the bill, noting that for meaningful consumer protection, “we need a strong federal law that is not riddled with enforcement loopholes” and that “[c]onsumers deserve the ability to protect their rights on day one, not four years later” (referring to the delayed effect of the private right of action in the ADPPA). Another prominent voice on federal privacy legislative efforts, Sen. Brian Schatz (D-Haw.), who previously introduced a partisan federal privacy bill co-authored with 17 of his Democratic colleagues, has already shared his opposition to the ADPPA with leaders in the House and Senate.
Without a clear path to consensus, and a competing proposal likely from Sen. Cantwell (a revision to her 2019 bill, the Consumer Online Privacy Rights Act), the political reality facing the ADPPA is stark. Its existence is noteworthy, however, as an indication that progress can be made on the key obstacles to a federal standard for consumer privacy — the hurdles for that progress to be meaningful, however, remain tall.