As countries around the world — from Brazil to China — have followed the EU’s lead in enacting comprehensive privacy legislation, the US has been behind the curve. Historically, federal US legislators have taken a sectoral approach, regulating specific types of data, particularly sensitive health and financial data.
However, on June 3, members of the Senate and House released a draft of the American Data Privacy and Protection Act, or ADPPA, a watershed privacy bill that would introduce a federal standard. Despite bipartisan support, the bill faces major hurdles before it can be approved, chiefly how far it should preempt existing state laws and whether to grant individuals a private right of action.
The bill excludes the possibility of preemption for state laws on civil rights, criminal codes, student and employee privacy, data breach notification requirements, facial recognition, and financial and health records. But as California, Connecticut, Virginia, Colorado and Utah have already passed consumer privacy legislation, it may be an uphill battle to reach a compromise that satisfies all sides.
The ADPPA phases in a limited private right of action beginning four years after the law takes effect. After this transition period, any person (or class of persons) who suffers an injury as a result of a violation of the law can bring a civil suit to recover compensatory damages, injunctive relief, and reasonable attorneys' fees and litigation costs. The private right of action would be limited by a requirement that the complainant give at least 60 days' notice to the Federal Trade Commission and the applicable state attorney general before filing a lawsuit or demanding a monetary settlement. If either regulator decides to bring its own civil action against the defendant entity within that period, the complainant will be barred from filing suit or demanding a monetary settlement.
Also, unlike certain other consumer protection and privacy laws (e.g., the Telephone Consumer Protection Act and the California Consumer Privacy Act), the ADPPA sets no fixed minimum statutory damages, meaning that plaintiffs would generally need to prove their actual loss to recover compensatory damages.
The ADPPA draws upon many of the key principles of the EU's General Data Protection Regulation (GDPR). Under its data minimization requirement, covered entities may collect, process and transfer only the data that is reasonably necessary and proportionate to provide the product or service the individual has requested. Covered entities cannot collect or process sensitive covered data, or transfer such data to a third party that is not a service provider, without first obtaining the individual's express affirmative consent.
Under the draft bill, users would have the right to access, correct or delete their own data. Once a user has corrected or deleted data held by a company, the burden would shift to that company to notify the third parties to which it had transferred the data of the change.
The bill also prohibits entities from charging users a fee to access their own personal data (subject to limited exceptions). Additionally, the bill would expand the privacy rights of minors, including prohibiting companies from disseminating targeted advertisements to users under the age of 17.
Enforcement. The FTC would be entrusted with ADPPA’s enforcement. The draft calls for the creation of a new bureau within the FTC that is specifically tasked with consumer data protection.
This bill has some bipartisan momentum behind it, but there are no guarantees it will overcome the hurdles of opposition to some of its provisions. If enacted though, the ADPPA would significantly shift the landscape of US privacy law away from a patchwork of state privacy laws to a single federal law with a handful of state provisions that will survive federal preemption.
Pending a federal law, to keep up to date with state privacy laws, the IAPP Westin Research Center actively tracks the proposed and enacted comprehensive privacy bills from across the US.