US is one step closer to federal consumer data privacy protection
In 2002, California was the first state to enact a data breach security notification law. Since then, all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have followed suit.
In recent years, the focus has shifted towards a more proactive approach to data privacy and, in 2018, California was the first state to enact a comprehensive privacy law – the California Consumer Privacy Act (CCPA). Colorado, Connecticut, Utah and Virginia have since enacted their own versions of a consumer privacy act. These acts aim to provide a more comprehensive regulatory structure for data privacy and data protection, and impose certain requirements on businesses for the collection, maintenance and dissemination of consumer data. The CCPA has already been amended, with the California Privacy Rights Act (CPRA) set to go into effect on January 1, 2023.
Because the US is one of the few large nations without national privacy legislation, protecting consumers’ personal information has fallen squarely on the states, until now. The American Data Privacy and Protection Act (ADPPA), introduced as H.R. 8152 in June, advanced out of a House panel with a 53-2 vote on July 20, 2022.
What is the ADPPA?
The ADPPA follows on the privacy legislation and regulations that have come before, specifically on the privacy principles, data collection prohibitions, and notice and consent requirements as laid out in the General Data Protection Regulation (GDPR), as well as the CCPA and similar state laws. The ADPPA includes some of the following key takeaways.
Privacy by Design
Businesses will be required to implement, maintain and enforce policies that protect the security and integrity of information they collect.
Limiting the data businesses can collect to one of 17 enumerated purposes
As expected, a majority of the permitted purposes focus on completing business transactions, authenticating users and preventing fraud. Targeted advertising, while greatly restricted, is also an acceptable purpose, which has been a sticking point for some advocacy groups.
Granting individuals ownership and control over their data
The ADPPA gives individuals the right to access, correct, and delete their data. Under the current version, businesses will have between 45 and 60 days to respond to these requests. The timing of the response depends on the size of the business.
A private right of action to sue a company for violation of the ADPPA
An individual will have two years from any violation of the ADPPA to file suit.
Specific provisions and caveats depending on the size of the companies
If a business meets certain requirements pertaining to revenue and data collection, it can be declared a small business and request certain exemptions.
The ADPPA does not preempt any of the state breach notification laws; however, it does preempt the drafting and enforcement of state consumer protection laws that address topics such as privacy by design; data minimization and purpose specification; individual rights to access, correct, and delete personal information; and other data protection requirements. While the ADPPA will provide greater protection for the majority of Americans, those states that have previously enacted their own privacy laws are concerned about losing ground. The California Privacy Protection Agency board voted to oppose H.R. 8152, arguing that it “seeks to significantly weaken Californians’ privacy protections by pre-empting the California Consumer Privacy Act and other state privacy laws.”
As such, there are still some roadblocks and challenges for the current version of the ADPPA, and it will likely progress through several more iterations before it is put to a full House vote. We will continue to provide updates on this historic legislation; however, as the need for privacy policies grows, our national Data Privacy and Cybersecurity Practice Group provides pre- and post-breach services that will ensure you are compliant with all regulations.