On June 3, 2022, House Energy and Commerce Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS) released a new comprehensive federal privacy bill, the American Data Privacy and Protection Act (“ADPPA”).
While the ADPPA contains a number of similarities to the Consumer Online Privacy Rights Act (“COPRA”), which was previously introduced in 2019 by Senate Commerce Committee Ranking Member Maria Cantwell (WA), Senators Brian Schatz (HI), Amy Klobuchar (MN) and Ed Markey (MA), the ADPPA also contains some notable differences. We have summarized some of these similarities and differences below. Read our previous post on the COPRA.
Similar to the COPRA, the ADPPA:
- provides individuals with a number of privacy rights, including rights to access, delete and correct their data, as well as a right of data portability;
- imposes data minimization obligations, requiring covered entities to avoid collecting, processing or transferring data beyond what is reasonably necessary and proportionate;
- requires covered entities to obtain express, affirmative consent to collect, process or transfer “sensitive covered data,” which is broadly defined;
- requires covered entities to provide individuals with privacy policies detailing their data collection, processing and transfer activities, and data security practices;
- requires certain covered entities (“large data holders”) to annually certify that they maintain reasonable internal controls and reporting structures for compliance with the respective bills and obligations to implement comprehensive privacy and security programs that include training programs, reporting processes and privacy impact assessments;
- prohibits covered entities from collecting, processing or transferring data in a manner that discriminates against individuals; and
- requires covered entities to implement and maintain reasonable data security practices, which at a minimum must contain certain prescribed activities such as vulnerability assessments.
Notable differences between the COPRA and the ADPPA include the following:
- The COPRA does not address children’s privacy, however, the ADPPA contains a provision devoted to the data protections of children and minors. For example, the ADPPA prohibits covered entities from engaging in targeted advertising to individuals under the age of 17 (provided the covered entity has actual knowledge of the individual’s age). The ADPPA also prescribes restrictions on the transfer of data related to minors without affirmative express consent from the individual or the individual’s parent or guardian, if the individual is between ages of 13 and 17. The ADPPA will establish a Youth Privacy and Marketing Division at the Federal Trade Commission, responsible for addressing privacy and marketing concerns with respect to children and minors.
- The ADPPA requires covered entities to publicly disclose whether individuals’ data is made available to China, Russia, Iran or North Korea. The COPRA does not require this type of disclosure.
- The ADPPA requires certain covered entities (“Third-Party Collecting Entities”) to provide clear and conspicuous notice on their websites or mobile applications informing individuals that they are Third-Party Collecting Entities using language required by FTC regulations. The ADPPA requires the FTC to promulgate regulations requiring such entities to allow for auditing of any access to or disclosure of data processed by the entities. Third-Party Collecting Entities that process data of more than 5,000 individuals will be required to register with the FTC on an annual basis, pay a registration fee, and may be at risk of civil fines for failing to comply with these requirements. The COPRA does not contain such a requirement.
- While both bills provide a small business exception, the ADPPA provides a higher revenue threshold, and the small business must meet this threshold for a certain number of years. The ADPPA exempts businesses that for the prior three calendar years had (1) annual revenue of less than $41 million; (2) did not collect or process the data of more than 100,000 individuals; and (3) did not derive more than 50% of its revenue from transferring personal information.
- Both the ADPPA and COPRA impose a duty of loyalty on covered entities; however, the ADPPA appears to be more prescriptive. The COPRA provides a general prohibition against deceptive and harmful data practices. The ADPPA enumerates specific data practices that are prohibited (e.g., the collection, processing, or transferring of Social Security numbers, except when necessary to facilitate extensions of credit, authentication, or the payment and collection of taxes).
- Under the ADPPA, large data holders that use algorithms, solely or in part, to collect, process or transfer data must conduct and submit annual impact assessments of their algorithms to the FTC. The COPRA requires any covered entity engaging in algorithmic decision-making (or assist others in algorithmic decision-making) for certain activities, such as determining eligibility for housing, education, employment or credit opportunities, must conduct annual impact assessments and make these assessments available to the FTC upon request.
- The ADPPA proposes that the FTC conduct a study to determine the feasibility on the creation of a unified opt-out mechanism and if the FTC finds that a centralized mechanism would be feasible, it must promulgate regulations establishing such mechanisms for covered entities. The COPRA does not contain such a proposal.
- The COPRA provides whistleblower protections that prohibit a wide range of retaliatory acts against whistleblowers for reporting violations of COPRA and grants whistleblowers a private right of action. The ADPPA does not address whistleblowers.
- The COPRA preempts state laws that “directly conflict” with the COPRA and specifies that a state law that provides greater protection is not in conflict. The ADPPA preempts state laws covered by the provisions of the ADPPA; however, a number of exceptions are enumerated, including consumer protection laws of general applicability, laws that solely address facial recognition or facial recognition technologies, electronic surveillance, wiretapping or telephone monitoring, Illinois’ Biometric Information Privacy Act and the limited privacy right of action for certain security breach damages under the California Consumer Privacy Act and California Privacy Rights Act.
- Both the COPRA and ADPPA grant individuals a private right of action; however, there are a number of restrictions with respect to this right under the ADPPA that may ultimately serve as a deterrent. For example, the right is not accessible to individuals under the ADPPA until four years after the Act takes effect. The ADPPA does not permit statutory damages; instead, individuals are only permitted to seek injunctive or declaratory relief, compensatory damages and reasonable attorneys’ fees and litigation costs. Also, to bring an action, individuals must notify the FTC and the attorney general of their state of residence prior to bringing suit. These regulators subsequently have 60 days to determine whether they will independently seek to take action. Demand for monetary payments sent to the covered entity prior or after these regulators determine to take action will be considered made in bad faith and unlawful.
On June 14, 2022, the House Energy and Commerce Committee held a hearing to discuss the ADPPA.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code