Bipartisan Effort May Finally Produce an American Data Privacy Bill

Kennedy Sutherland LLP has previously reported on several state privacy laws that have been passed across the United States. On June 3, 2022, a bipartisan draft of the American Data Privacy and Protection Act (“Act”) was released, which, if passed into law, would be the first national data privacy standard.

According to Politico, “Legislators have been attempting to pass a national privacy law since the 1970s.” However, the provisions of this Act evidence an “agreement between Republicans and Democrats — for the first time — on two areas that have blocked previous efforts: whether a federal privacy law can preempt state laws and whether individuals should have the right to sue companies that illegally share their data or use it in ways the law prohibits.”

Legislators are hopeful that the Act may actually be passed. According to a joint statement by House Energy and Commerce Chair Frank Pallone (D-NJ), ranking member Cathy McMorris Rodgers (R-WA) and Sen. Roger Wicker (R-MS), “this bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone.”

Beyond the legislators, industry participants such as David Brody, Managing Attorney of the Digital Justice Initiative at the Lawyers’ Committee for Civil Rights Under Law, have released a statement in support of the Act as it would “curb the rampant data-driven discrimination that occurs due to a lack of privacy protections.”

The draft version of the Act includes, among other things, the following provisions:

  • Covered entities will be prohibited from collecting, processing, or transferring personal consumer data “beyond what is reasonably necessary, proportionate, and limited to” provide the service or product that the consumer requested or communicate with the consumer “within the context of the relationship.” The “reasonably necessary and proportionate” standard will later be defined by the Federal Trade Commission (“Commission”).

  • Covered entities are prohibited or restricted from the following practices, except where “necessary”:

    • Collecting, processing, or transferring a consumer’s social security number;

    • Transferring a consumer’s “precise geolocation information to a third party” without the consumer’s “affirmative express consent” received “through a standalone conspicuous notice explaining the manner in which the precise geolocation information will be transferred”;

    • Collecting, processing, or transferring a consumer’s biometric information, unless required for legal matters;

    • The transfer of any password, unless done by the “designated password manager” or the covered entity;

    • Collecting, processing, or transferring a consumer’s genetic information, unless required for medicinal purposes;

    • The transfer of a consumer’s internet history without “affirmative express consent” received “through a standalone conspicuous notice explaining the manner in which the precise information will be transferred”; or

    • The transfer of a consumer’s physical activity information without “affirmative express consent” received “through a standalone conspicuous notice explaining the manner in which the information will be transferred[.]”

  • Covered entities are required to establish and implement “reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data” that consider the requirements or factors outlined in the Act;

  • Covered entities are prohibited from denying, charging different prices or rates for, or conditioning the provision of their services or products based on a consumer’s agreement to waive any rights granted under the Act;

  • Covered entities must make available, in a “clear, conspicuous, and readily accessible manner” a privacy policy which, at a minimum, complies with the Act’s requirements;

  • Covered entities must, within the Act’s prescribed timeframe and in the manner required by the Act:

    • provide consumers with access to the covered data of the consumer which has been collected, the name of any third party or service provider who received a transfer of the covered data, and a description of the purpose of the transfer;

    • correct any inaccurate or incomplete consumer information and notify third parties and service providers who have received a transfer of the inaccurate or incomplete information of their requirement to do the same; and

    • delete any consumer information improperly collected or transferred and notify third parties and service providers who have received a transfer of such information of their requirement to do the same.

  • Covered entities are prohibited from collecting, processing, or transferring “sensitive covered data” of a consumer, unless “affirmative express consent” has been given by the consumer;

  • Covered entities must provide consumers with a mechanism to “opt-out” of the collection of their personal information or the receipt of “targeted advertising”;

  • Covered entities are prohibited from issuing “targeted advertising” to or transferring collected data of persons actually known to be under the age of 17 — the regulation of which will be governed by the Youth Privacy and Marketing Division;

  • Covered entities must conduct an “impact assessment,” which assesses any algorithm that a covered entity utilizes for discriminatory impact;

  • Covered entities must establish, implement, and maintain “reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition[,]” in accordance with the Act’s requirements; and

  • Covered entities must establish executive responsibility in accordance with the Act and impact assessments to assess the effectiveness of the responsibilities imposed one year from the enactment of the Act.

The bill includes a four-year moratorium following the date of enactment before a consumer may bring a private lawsuit for a violation of the Act. This provision has been met with some disfavor. For example, Senate Commerce Chair Maria Cantwell (D-WA) stated, “[f]or American consumers to have meaningful privacy protection, we need a strong federal law that is not riddled with enforcement loopholes. Consumers deserve the ability to protect their rights on day one, not four years later.”

Additionally, Politico notes that the “U.S. Chamber of Commerce has strongly opposed any bill that includes a private right of action[,]” due to the “potential to generate class action lawsuits” by providing awards of attorney’s fees.

Due to her dissatisfaction with the Act and the controversy surrounding a private right of action, Cantwell has reportedly distributed a revised version of the Consumer Online Privacy Rights Act, which she originally introduced in 2019, as an alternative avenue for consumer protection.

Due to the controversial nature of this Act, the little time remaining before Congress takes its August recess, and the pending midterm elections this year, there is uncertainty as to whether the Act, or any comprehensive privacy legislation, will be passed this year. However, businesses and consumers should continue to monitor the progress of this legislation.
