The American Data Privacy and Protection Act (ADPPA) was introduced in June, was substantially revised within a matter of days, and last month a new draft of ADPPA law was introduced with further revisions. The revised ADPPA has attracted considerable bipartisan support and sailed out of the committee with a vote of 53-2, and there is a reasonable chance that ADPPA will become the first federal privacy and data protection bill to be signed into law in the United States.
Why a Federal Data Privacy Law is Desperately Needed
ADPPA is far from the only attempt to get a federal data privacy and protection bill signed into law. Many other bills have been introduced that have attempted to introduce minimum standards for privacy and data protection at the federal level, but all attempts so far have failed. What the United States has is a patchwork of privacy and data protection laws at the state level and a handful of industry-specific laws such as HIPAA and FERPA. The problem is that the legal requirements for ensuring privacy and the security of data vary significantly depending on where a person lives. Some types of sensitive data – health data for instance – are only subject to strict controls over uses and disclosures if held by certain entities.
Disclose sensitive reproductive health information to a healthcare provider and that information is protected and cannot be disclosed without consent. Disclose that information through a health app and the information could be shared or sold, even though the information is the same. Californians have some of the strictest data privacy laws in the United States, but if you live across the border in Oregon, privacy standards are far lower. While individual states could all introduce laws to improve privacy protections for state residents, the best way forward is to have a federal data privacy and protection law that ensures the protection and privacy requirements are the same for all Americans.
ADPPA Advances to House Floor
The ADPPA advanced from a House committee in July, which is a major achievement, as none of the previous bills that have attempted to introduce federal privacy laws have survived that long. While the progress so far can be seen as a major achievement and the bill has good bipartisan support, ADPPA is not without its critics. Notably, representatives in California have stated that they will not back the bill as ADPPA law would have fewer protections for state residents than they currently have.
California is not the only state to have issues with the preemption of state laws, as 10 state attorneys general wrote to congressional leaders requesting ADPPA sets minimum standards for data privacy, and that individuals states should have the ability to increase protections for state residents should they deem it appropriate. However, the proposed amendment to ADPPA law to allow this was not passed.
Despite criticisms of the bill, the revised ADPPA law passed out of the committee and now heads to the House floor; however, the strong vote does not mean that the bill will progress, as several committee members voted for the bill but said they would be unlikely to support the bill in a floor vote unless modifications are made, and that they only voted in favor of ADPPA to get the bill to advance. Also, Senate Commerce Committee Chair Maria Cantwell has not stated that she will support the ADPPA, and her support will be required for ADPPA to pass a Senate vote.
Changes in the Latest Draft of ADPPA Law
In response to criticism from California, ADPPA has been amended to allow the California Privacy Protection Agency to enforce ADPPA compliance in the same way that the California Consumer Privacy Act (CCPA) is currently enforced, to try to bolster support for the bill in the state.
Changes have been made to the definition of employee data, which is exempt from ADPPA. The definition has a new addition, which now includes “information processed by an employer relating to an employee who is acting in a professional capacity for the employer, provided that such information is collected, processed, or transferred solely for purposes related to such employee’s professional activities on behalf of the employer.”
Extra protections are required for sensitive covered data. The definition of sensitive covered data has been broadened in the new ADPPA law to include information related to race, color, ethnicity, religion, or union membership, and information identifying an individual’s online activities over time and across third-party websites or online services.
One of the main changes to the revised ADPPA law concerns the private right of action, which allows individuals to sue for ADPPA violations. There were already some restrictions on the private right of action, such as the right being removed if the violation was subject to actions by the FTC or state attorneys general. ADPPA also included a delay of 4 years from ADPPA becoming law to the private right of action taking effect. The latest draft reduces that delay to two years, and there is now an exemption for small businesses. Small businesses are classed as those with annual revenues of less than $25 million, that deal with the covered data of fewer than 50,000 individuals, and who do not earn more than half of their revenue from transferring or selling covered data. Further, forced arbitration for disputes involving gender-based violence or physical harm is now banned.
ADPPA banned companies from conducting targeted advertising on minors, something that President Biden called to ban in his 2022 State of the Union address. ADPAA addressed this by banning targeting advertising at minors under the age of 17 if the covered entity knew that an individual is under 17. The new ADPPA law has been changed and a new tiered knowledge approach has been adopted, which includes “constructive knowledge” for covered high-impact social media companies that knew or should have known that an individual is under 17; a “willful disregard” tier for all large data holders and service providers who were aware that individuals were under 17, and an “actual knowledge” tier that applies to smaller covered entities.
There is also a new exclusion for the National Center for Missing and Exploited Children that will continue to allow it to work legally with children’s data to fulfill its mission to combat child trafficking, abuse, and abduction.
Annual privacy impact assessments were only required by large data holders. The wording has been changed to require all entities that do not meet the small- and medium-sized criteria to conduct annual assessments. Algorithmic impact assessments and evaluations are now required when large data holders’ algorithms pose a consequential risk to an individual or individuals.
Several other amendments have been made and the language of ADPPA law has been tightened for clarity, such as making it clear that covered entities are not permitted to retaliate against individuals who exercise their rights under ADPPA, such as making them pay for privacy.
The Next Steps Before ADPPA Becomes Law
The House will now vote on the bill and if that vote is passed, the bill will head to the Senate Committee on Commerce, Science, and Transportation. ADPPA will then be studied, and if it passes scrutiny, it will head to the Senate floor for a vote. If that vote is passed it will head to President Biden’s desk and provided the bill is signed – which is highly probable – ADPPA will become law.
The post New Draft of ADPPA Law Introduced with Bipartisan Support appeared first on HIPAA Journal.