House Committee Advances Federal Privacy Bill

On July 20, 2022, the House Committee on Energy and Commerce advanced to the House floor a new federal privacy bill, the American Data Privacy and Protection Act (“ADPPA” or “Act”). The bill, which would apply to most entities, including nonprofit organizations, would govern how companies across a variety of industries handle data that “identifies or is linked or reasonably linkable” to a consumer (“Covered Data”).

Some key provisions of the ADPPA include: 

  • Duties of Loyalty. Entities would be subject to several requirements, including a duty of loyalty to follow data minimization principles and to ensure special protections for Covered Data.

  • Transparency. Entities would be required to disclose, among other things, the data they collect, the way that they use this data, their retention period, and whether this information is accessible to the People’s Republic of China, Russia, Iran, or North Korea.

  • Consumer Control and Consent. Consumers would be granted a variety of rights, including the right to access, correct, or delete the Covered Data collected by an entity and to grant affirmative, express consent before the entity can use their “sensitive covered data,” as defined in the Act.

  • Youth Protections. Consumers under 17 years old would receive additional protections, such as a prohibition on targeted advertising.

  • Third-Party Collecting Entities. Third-party collecting entities, such as data brokers, would be required to comply with the Federal Trade Commission’s (“FTC”) auditing regulations and registration requirements.

  • Civil Rights and Algorithms. The Act would prohibit covered entities from using Covered Data in a manner that discriminates against an individual consumer. Additionally, the Act would require large data holders to conduct and report impact assessments on their algorithms, documenting the covered entity’s efforts to mitigate potentially discriminatory harm.

  • Data Security. Entities would be required to adopt data security practices and procedures, which may be later defined or further regulated by the FTC.

  • Small- and Medium-size Businesses. Small- and medium-size businesses would be regulated in a manner that minimizes any negative impacts stemming from the application of these provisions.

  • Enforcement. The Act would be enforceable by the FTC and by state attorneys general.

  • Private right of action. The Act would establish a delayed private right of action that would start four years after enactment. Under this private right of action, individuals who have been injured could sue covered entities in federal court to seek injunctive or monetary relief, including litigation costs and attorneys’ fees. 

  • Preemption. The Act would generally preempt any state laws that are “covered by the provisions” of the ADPPA or its regulations. However, the Act would expressly preserve sixteen different categories of state law, including consumer protection and data breach notification laws. It would also preserve several specific state laws, such as Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act.
