Draft Released of the Bipartisan American Data Privacy and Protection Act
June 8, 2022, Covington Alert
After years of negotiations, lawmakers have released draft bipartisan comprehensive privacy legislation – the “American Data Privacy and Protection Act” (or “the bill”). Disagreement over the approaches to preemption and a private right of action have long stalled the progress of federal privacy legislation in Congress. Although the bill appears to reflect bipartisan agreement on these topics, Senator Cantwell (D-WA), Chair of the Senate Committee on Commerce, Science, and Transportation, reportedly has yet to join this effort based on concerns with its enforcement mechanisms. Similarly, even before this draft was publicly released, Senator Schatz (D-HI) wrote a letter opposing preemption in the absence of additional robust consumer protections. The time for legislative action before this Congress adjourns is dwindling, though continued action from the states on privacy issues, such as the recently released draft regulations on the California Privacy Rights Act, could galvanize support for a federal privacy bill sooner. Even if Congress does not act this session, a bipartisan agreement will likely set the stage for continued discussion next year. We recently discussed these and other political and timing considerations here.
The American Data Privacy and Protection Act borrows a number of concepts from previously introduced legislative proposals, and it includes a number of novel approaches. Below, we summarize several key aspects of the bill.
Scope & Key Exemptions
The bill would apply to “covered entities,” defined as “any entity or person that collects, processes, or transfers covered data and” (1) is subject to the FTC Act; (2) is a common carrier subject to title II of the Communications Act of 1934; or (3) is an organization not organized to “carry on business for their own profit or that of their members”; as well as any entity or person that controls, is controlled by, is under common control with, or shares common branding with another covered entity. The bill also would impose additional requirements on “Large Data Holders,” defined as covered entities that had annual gross revenues of $250,000,000 or more in the most recent calendar year and meet certain additional thresholds.
The bill recognizes several exceptions to its requirements. Specifically, the bill excludes certain activities, including the use of previously collected data to maintain a product or service for which covered data was collected and to conduct internal research or analytics to improve products and services. The definition of “covered data” (information that “identifies or is linked or reasonably linkable to an individual or device”) excludes deidentified data, employee data, and publicly available information. The bill notes that a covered entity that is required to comply with the GLBA, HIPAA, FCRA, or FERPA and is in compliance with the information security requirements of those laws would be “deemed to be in compliance” with the requirements under this bill “with respect to any data covered by such information security requirements,” and the FTC will issue further guidance interpreting the scope of this exemption.
Data Minimization
The bill would prohibit covered entities from collecting, processing, or transferring covered data beyond what is “reasonably necessary, proportionate, and limited to” (1) provide or maintain a “specific product or service requested by an individual,” or a communication by the covered entity to the individual “reasonably anticipated within the context of the relationship,” or (2) a purpose expressly permitted by the bill. The FTC is responsible for issuing guidance on what is reasonably necessary, proportionate, and limited, taking into account “the number of individuals and devices to which the covered data collected, processed, or transferred” by the covered entity.
Privacy Policy & Notices
Consistent with other draft privacy legislation previously introduced in Congress, the bill would require covered entities to produce a privacy notice. The scope of information that must be included in a privacy notice includes some notable categories, including a phone number for the covered entity; whether or not the covered entity transfers covered data and “the name of each third-party collecting entity” to which covered data is shared; and whether or not any covered data is “transferred to, processed in, or otherwise made available to” China, Russia, Iran, or North Korea.
In addition to the privacy policy, Large Data Holders must provide a clear and conspicuous short-form privacy notice that, among other things, “draw[s] attention to data practices that may reasonably be unexpected or that involve sensitive covered data.” Sensitive covered data is defined to include: “[a]ny information that describes or reveals past, present, or future” health diagnosis or treatment; biometric information (which is not limited to information used to identify a particular individual); precise geolocation information that reveals past or present “actual physical location” of an individual or device; information revealing sensitive characteristics such as race, gender, religion, or sexual orientation or behavior that is “inconsistent with the individual’s reasonable expectation;” information “identifying or revealing the extent or content of any individual’s access or viewing” of television, cable, or streaming media; and information of an individual under the age of 17 (without an actual knowledge qualifier).
The bill also addresses the procedure required to update privacy policies or otherwise change privacy practices. Specifically, prior to a material change to a privacy policy or practices, the covered entity must provide notice of the material change and the opportunity for the individual to withdraw consent prior to the changes taking effect.
Prohibited Data Practices
The bill would prohibit several activities, including the collection, processing, or transfer of social security numbers (outside certain activities such as the extension of credit or payment of taxes) and biometric information (except for data security, authentication, compliance with legal obligation, or with affirmative express consent); as well as the transfer of precise geolocation information (absent affirmative express consent). The bill also would prohibit the transfer of an individual’s “physical activity information from a smart phone or wearable device” other than to another device or service “of that individual” with standalone notice and affirmative express consent. Notably, the bill brackets a prohibition on transferring an individual’s “aggregate internet search or browsing history,” except with a standalone notice and affirmative express consent, and unlike the approach taken by state privacy laws, “aggregated” is not defined. The brackets suggest that this prohibition may still be a discussion item.
Consumer Rights
Covered entities would be required to facilitate consumer rights related to access, correction, deletion, and portability. Notably, the access right requires disclosure of the “name of any third party, other covered entity, or service provider” to whom covered data is shared. Although covered entities must respond to a consumer rights request within 60 days of verification of such requests, Large Data Holders must respond in 30 days (though these time frames are bracketed for further discussion). These rights are subject to enumerated exceptions, including where compliance with the request would be “impossible or demonstrably impracticable” or result in the release of trade secrets. The bill text also empowers the FTC to create guidance on responding to consumer rights requests.
The bill creates a right to object to data transfers and a right to object prior to being subjected to targeted advertising. If the FTC concludes, after undertaking a study, that a universal opt-out mechanism for data transfers and targeted advertising is feasible, covered entities must allow individuals to exercise these rights through that centralized mechanism. The bill defines “transfer” as “to disclose, release, disseminate, make available or license,” which appears to be broader than the opt-out of sale right in current U.S. state privacy laws. The bill’s definition of “targeted advertising” resembles some state privacy approaches, but does not address whether the websites or services must be nonaffiliated. Specifically, “targeted advertising” means “the display[] to an individual or unique identifier [of] an online advertisement that is selected based on known or predicted preferences, characteristics, or interests derived from covered data collected over time or across third party websites or online services about the individual or unique identifier.” Exceptions to targeted advertising include first-party advertising based on an individual’s “visit into and purchase of a product or service from a brick-and-mortar store, or visit to or use of a website or online service that offers a product or service that is the subject of an advertisement”; contextual advertising; and advertising measurement.
Children & Teen Data
The bill signals a continued interest in children and teen privacy, including through the creation of a Youth Privacy and Marketing Division within the FTC that would be responsible for addressing the privacy of, and marketing directed at, children and minors. Additionally, the bill contemplates additional heightened requirements related to children and minors, including a requirement that covered entities implement policies and practices that, among other things, “consider the mitigation of privacy risks related to individuals under the age of 17.” Sensitive covered data, which requires affirmative express consent for collection and processing, is defined to include information about individuals under the age of 17 (without an actual knowledge qualifier). The bill also prohibits targeted advertising to an individual under the age of 17 if the covered entity has actual knowledge of the individual’s age, and the bill prohibits the transfer of covered information of children under the age of 17 without affirmative express consent from the individual or parent if the covered entity has actual knowledge of the individual’s age. Although the current version of the bill appears to limit these prohibitions to instances in which a covered entity has actual knowledge that the individual is under the age of 17, the “actual knowledge” standard is in brackets, suggesting that this issue may not be fully resolved.
Affirmative Express Consent for Collection, Use, or Sharing of Sensitive Covered Data
Covered entities would be required to obtain affirmative express consent prior to collecting, processing, or transferring sensitive covered data. Additionally, and as noted above, the collection, processing, and transfer of certain types of covered information – social security numbers and biometric information – outside of certain exceptions would require affirmative express consent. The transfer of aggregated internet search or browsing history or physical activity information from a smart phone or wearable device also would require affirmative express consent.
Affirmative express consent is defined as “an affirmative act” that communicates the individual’s “freely given, specific, informed, and unambiguous authorization,” and must meet certain requirements related to notice, including that the disclosure is standalone and explains the individual’s rights. Affirmative express consent can neither be inferred from the individual’s continued use of the service or product, nor can it be obtained through the use of manipulative design techniques. When obtaining consent for sensitive covered data, the covered entity must also provide a clear and conspicuous “easy-to-execute” means to withdraw any affirmative express consent.
Algorithms and Discrimination
A Large Data Holder that uses algorithms, defined as “a computational process . . . that makes or facilitates human decision-making with respect to covered data,” must undertake an impact assessment that describes the steps taken to mitigate potential harms to individuals. The potential harms identified in the bill for consideration include harms to individuals under the age of 17; harms related to “making or facilitating” advertising for housing, education, employment, healthcare, insurance, or credit; harms related to determining access to a place of accommodation; and harms that relate to disparate impact on the basis of an individual’s race, color, religion, national origin, gender, sexual orientation, or disability status. If a covered entity “knowingly develops” an algorithm, it must evaluate the design of the algorithm, including any training data, to reduce the risk of potential harms. The FTC is empowered to issue guidance on these requirements in consultation with the Secretary of Commerce. The bill also empowers the FTC to promulgate rules describing these requirements, including rules requiring Large Data Holders to submit their impact assessments to the FTC; those rules may exclude assessments of algorithms that present a low or minimal risk of potential harm to individuals.
Executive Accountability
The CEO of a Large Data Holder (or highest ranking officer) as well as each Privacy and Data Security Officer must annually certify to the FTC, starting one year after the date the bill is enacted, that the entity maintains reasonable internal controls to comply with the law and a reporting structure to ensure that certifying officers are involved in decisions that affect the entity’s compliance with the bill’s requirements. Covered entities also must designate one or more “qualified” employees as privacy officers, in addition to one or more data security officers. Additionally, Large Data Holders must also establish a process to periodically review and update policies, conduct regular audits, develop a program to train employees, maintain records of privacy and security practices, and starting one year after the enactment of the bill, undertake privacy impact assessments.
Digital Content Forgeries
The bill would require the Secretary of Commerce to publish a report on digital content forgeries that includes a description of the common sources of such forgeries in the U.S. and a description of how such forgeries can be used to commit fraud, cause harm, or violate law.
Preemption
The bill would preempt state laws, with only certain limited exceptions. For example, the bill would not preempt the private right of action provided for certain data breaches under the California Privacy Rights Act; state data breach notification statutes; state biometric privacy laws; state consumer protection statutes (though the bill includes in brackets that a violation of the bill cannot be pleaded as an element of any violation of a consumer protection law); and laws related to unsolicited email or text messages, among others.
Enforcement
The bill would be enforceable by the FTC, state attorneys general, and through a private right of action. With respect to the FTC, the bill would create a new bureau related to consumer protection and competition to enforce the bill’s provisions. Additionally, the bill could be enforced by state attorneys general bringing a civil action in the name of the state or through their parens patriae authority on behalf of residents of the state. Prior to instituting an action, the state attorney general would have to notify the FTC of its intent, and the FTC may intervene.
The bill also contemplates a private right of action, in federal court, for consumers who suffer an injury as a result of a violation of the bill’s provisions (or an associated regulation). Prior to bringing suit, the plaintiff first must notify the FTC and the state attorney general. Not later than 60 days after receiving the notice, the FTC or attorney general may decide to independently take action. Once the FTC or attorney general has made the determination to independently pursue a civil action, “[a]ny written communication requesting a monetary payment” that the plaintiff sends is deemed to be in bad faith and unlawful.
Although the bill references compliance with FTC-approved technical programs, which must be considered in evaluating the covered entity’s compliance, approval of a technical compliance program does not limit the FTC’s authority to commence an investigation or enforcement action.
* * *
If you have any questions concerning the material discussed in this client alert, please contact the members of our Data Privacy and Cybersecurity practice.