The American Data Privacy And Protection Act: Here's What You Need To Know About The Proposed Federal Law
Co-Authored By: Stacey Shadden and Micah Carlson (Graduate Clerk)
On June 23rd, 2022, the U.S. House of Representatives Subcommittee on Consumer Protection and Commerce passed H.R. 8152, a proposed piece of bipartisan legislation titled the “American Data Privacy and Protection Act” (ADPPA). This bill represents the most significant development in the push for a comprehensive federal data law in the United States, as no other proposed federal data legislation has advanced this far into the legislative process before. Here’s what you need to know about the proposed legislation:
What Would the Law Do?
Under the proposed law, any covered entity in the United States would be required to not unnecessarily collect or use covered data. Additionally, covered entities would have a duty to implement policies, practices, and procedures that would prescribe the proper methodology for processing covered data. These policies, practices, and procedures would be required to be disclosed to consumers through a publicly-available privacy policy. It should be noted that under the current version of the law, “covered entity” and “covered data” are defined very broadly, which would result in a broad application of the law. As currently written, the ADPPA would likely apply to the vast majority of businesses operating within the United States.
Consumers would also be granted specific rights under the law. These rights are similar to rights provided in currently-existing laws like the California Consumer Privacy Act (CCPA) and the European Union’s General Data Privacy Regulation (GDPR), and include the right of consumers to access, delete, and port their covered data.
Additionally, the law would task a new branch of the Federal Trade Commission (FTC) with providing guidance on complying with the ADPPA and enforcing the provisions of the law.
What’s Next?
The ADPPA has several significant hurdles that stand in the way of its passage. Procedurally, the bill must first be approved by the House Committee on Energy and Commerce before being placed on the House floor for a vote by the entire chamber. Additionally, a version of the bill would need to pass within the Senate. Substantively, there are several provisions of the ADPPA that remain hotly debated. Most notably, the bill’s statutory language regarding preemption and private right of action is dividing lawmakers.
For businesses, the primary appeal of a federal data law is the standardization of data protections in the United States. This would make compliance far easier for businesses, as they would no longer have to navigate a patchwork of wildly different state laws. However, the current version of the bill does not wholly preempt state law, and would instead provide carveouts for certain state laws like CCPA. Consequently, the ADPPA, as currently written, would not wholly eliminate the hectic patchwork approach to data privacy laws within the United States. This has led groups like the U.S. Chamber of Commerce to oppose the ADPPA as currently written.
The other hotly contested issue is whether the law should provide a private right of action to individuals. A private right of action would allow individuals to sue businesses directly for any violation of their individual rights under the law. This would effectively supplement the FTC’s enforcement powers. Under the current version of the law, the private right of action would only become available to consumers after a four-year moratorium following the law’s passage. Many Democrats have argued that the moratorium should be eliminated entirely and the private right of action expanded, while many Republicans oppose providing a private right of action at all.
Of course, this bill is subject to change throughout each step within the legislative process. If the ADPPA is eventually passed into law, the final version will almost certainly be significantly altered from its current state. If the bill is not passed into law, it will nonetheless help set the tone for the types of proposed data laws that we may be seeing in the near future.
McGrath North’s Privacy and Cybersecurity team has the expertise in assisting businesses with complying with new data privacy laws and regulations. Regardless of your organization’s circumstances, McGrath North can help your business comply with its legal obligations today and prepare for the inevitable changes in the data privacy landscape tomorrow.
Related Attorneys
