While some U.S. states have data privacy laws, amongst them California, known to have the strictest privacy law, to date, the United States do not have a federal data protection act.
In June this year, a first draft of the American Data Privacy and Protection Act (ADPPA) was proposed. The draft bill received bipartisan support and advanced in the House in July. The latest version was amended and contains a number of changes.
In general, the ADPPA draft applies to organizations operating in the United States. An entity falls within the scope if it “collects, processes, or transfers covered data and is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.)”.
Covered data in the draft is defined as “information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers”. Explicitly excluded from this definition are deidentified data, publicly available information, and, interestingly, employee data, including hiring data.
Small and medium enterprises are exempt from a few provisions under the draft bill’s “small data exception”. To fall within the exception, an organization must meet all of the following requirements: (1) annual gross revenue below a certain threshold (the draft proposes $41 million) for each of the prior 3 years, (2) not process the data of more than 100,000 individuals, and (3) not derive more than 50% of its revenue from transferring covered data.
On the other hand, the draft ADPPA adds additional responsibilities on “large data holders,” which are defined as organizations (1) with more than $250 million in gross annual revenue in the prior calendar year and (2) which processed covered data of more than 5 million individuals or the sensitive covered data of more than 100,000 individuals.
Sensitive data within the meaning of the draft comprises all the special categories of data in the GDPR, plus government issued identifiers, financial account numbers, precise geolocation data, private communications and calendar and address book information, account or device log-in credentials, intimate images, data about minors under 17, and “information identifying an individual’s online activities over time or across third party websites or online services”.
The Key Principles
The ADPPA draws upon some of the EU General Data Protection Regulation’s (GDPR) core principles:
One of the key principles of the ADPPA, data minimization, can be found in Sec. 101. Essentially, companies must limit their data collection practices to collecting only the data that is necessary for the functioning of their business. The overall systematics resembles the GDPR’s principle of prohibition with reservation of permission.
Sec. 102, “loyalty duties”, restricts and prohibits the collection, processing or transferring of sensitive information, such as, for example, social security numbers, biometric information, passwords, aggregated internet search or browsing history.
Much like in the GDPR, the transfer of sensitive data can, inter alia, be based on consent, or on the necessity to comply with a legal obligation, or to prevent an individual from imminent injury, as well as, under certain circumstances, on public safety.
Another similarity to the GDPR is the definition of consent in Sec. 2 (1), and the transparency requirements. Consent must be explicit, and it is emphasized that consent cannot be deduced from a person’s behavior or inactivity. The draft ADDPA goes beyond the GDPR requirements in that it explicitly prohibits the use of so-called dark patterns or nudging (Sec. 2 (6)).
Sec. 103 outlines the requirements to implement privacy by design and it expands the privacy rights of minors.
Transparency obligations that, too, bear resemblance with those of the GDPR are outlined in Sec. 202. In difference to the GDPR, which requires informing data subjects about third country data transfers, the ADPPA requires companies to state whether or not covered data is transferred to, processed or stored in, or accessible to the People’s Republic of China, Russia, Iran, or North Korea.
The rights to data access, correction, and deletion as well as data portability are regulated in Sec. 203, and are similar to the data subjects’ rights according to the GDPR.
According to Sec. 204, the processing or transfer of sensitive data requires explicit consent, and the data subject must have the option to revoke consent. Interesting is also the requirement to provide -where possible- an opt-out-mechanism when using targeted advertising methods.
Sec. 301 prescribes a written data privacy impact assessment for large data holders and other covered entities that weighs the benefits of the entity’s covered data collecting, processing and transfer practices against the potential adverse consequences of such practices, including substantial privacy risks, to individual privacy.
The enforcement of the ADPPA will be with the Federal Trade Commission (FTC). In addition, the FTC will be entrusted with new obligations, such as maintaining a register of data brokers and managing opt-out mechanisms for opt-outs of targeting advertising and other data-sharing services.
There are two main points of contention: how to address preemption and whether to grant individuals a private right of action.
The draft ADPPA establishes federal preemption over state privacy laws, meaning that its provisions would supersede many existing state privacy laws. However, there are numerous exceptions to the preemption of state law, including state laws that provide for specific statutes on civil rights, criminal codes, student and employee privacy, data breach notification requirements, facial recognition, and financial and health records.
The ADPPA also creates a private right of action (PRA) against violations. The scope of the PRA is also discussed controversially as some fear it might lead to an upsurge of lawsuits, while others worry that if the PRA is too narrow, it would be rendered useless. The originally prescribed four-year waiting period for the private right of action to take effect was now reduced to two years in the amended version.
While a U.S. federal privacy legislation has been a topic of conversation for a couple of years, the recent draft bill did not attract too much public attention. The latest version might be a long-sought compromise, albeit, critics warn it would potentially roll back state privacy protections to meet a lower federal standard. On the other hand, the draft bill contains many principles and concepts known from the GDPR. By introducing a national framework for privacy, the state-by-state trend might be reversed and a uniform system for data privacy in the U.S. established. The next step for the bill to actually become law would be to pass Congress. Let’s see what happens.