Publicly released last Friday, the discussion draft of the American Data Privacy and Protection Act gave the privacy community plenty of food for thought for the weekend. Initial impressions and analyses of the text ranged from “very promising,” “a valuable first step,” and “hugely impactful” to “not bad.”
Omer Tene perhaps described it most poetically as: “a tsunami that may yet make GDPR seem like a storm in a teacup.” Jim Steyer, founder and CEO of Common Sense Media, said that while the draft “should include stronger protections,” there is enough in it for Congressional leaders to build upon and reach an agreement this year.
Yet, given where things stand today, the picture remains unclear regarding the discussion draft’s chances of becoming law.
As IAPP’s Joe Duball argued, it would be smart to “temper feelings and expectations around this proposal.” Despite suggestions of progress and reasons for excitement about federal privacy legislation in recent weeks, “it is also possible that … the effort is doomed once again.” Things may unfold now similarly to how they did in December 2019, when Senate Democrats and Republicans both released a bill (COPRA and CDPA, respectively) that was greeted with excitement, but which resulted in a legislative stalemate due to several notable differences between the two texts.
Indeed, the chairwoman of the Senate Commerce Committee, Sen. Maria Cantwell, D-Wash., has not signed on to the ADPPA. Although House Commerce Committee chairman Rep. Frank Pallone’s, D-N.J., sponsorship is notable — and would give the bill bipartisan support in the House — the lack of an endorsement from Cantwell (or another Senate Democrat) means the bill does not yet have bipartisan support in the Senate.
And, without bipartisan agreement in both chambers of Congress, the legislation will be unable to move forward. This is why, if progress on a consumer federal privacy law is to be made, it is important to examine the key issues for which agreement has been most difficult to come by.
The ADPPA’s 'Duty of Loyalty'
Looking first at the main provisions of the draft bill in Title I — “Duty of Loyalty” — Sec. 101 starts by detailing requirements for data minimization. In general, these require covered entities to limit what they collect, process and transfer to that which is “reasonably necessary, proportionate and limited to” the information they need to provide or maintain specific products or services requested by individuals.
Sec. 102 deals with restricted and prohibited data practices regarding the processing of various categories of sensitive information. Prohibited activities include the collection, processing or transferring of social security numbers, biometric information, nonconsensual intimate images and genetic information. Transfers of an individual’s precise geolocation information, passwords, aggregated internet search or browsing history, or their “physical activity information” (from a smartphone or wearable device) are also restricted.
Sec. 103 shifts the focus to privacy by design.
In this regard, ADPPA requires the implementation of “reasonable policies, practices, and procedures” regarding data collection, processing and transfer. Namely, such policies must “consider” mitigating privacy risks related to minors (under age 17) as well as privacy risks related to the “design, development, and implementation” of the entity’s products/services. The bill leaves flexibility for these policies, however, as they would need to be calibrated to: the size of the entity and the complexity of its activities, the volume and the sensitivity of the data it handles, the number of individuals/devices to which its operations relate, as well as the cost of such implementation.
Furthermore, within a year of enactment of the bill, the FTC would be tasked with issuing guidance as to what constitutes “reasonably necessary, proportionate, and limited to” vis-à-vis the data minimization guidelines, as well as what constitutes “reasonable policies, practices, and procedures” under its privacy by design principles.
Lastly, this title of the ADPPA also includes restrictions with respect to pricing. The section prohibits businesses from refusing to provide, charging different prices for, or conditioning a good/service on an individual’s agreement to waive their privacy rights guaranteed by the ADPPA. There are two exceptions to this rule: (1) the relating of price or level of service to “financial information” provided by the individual that is necessary for initiating, rendering, billing for, or collecting payment; and (2) loyalty programs.
Ambiguity in the 'Duty of Loyalty' across federal bills
Yet, the ADPPA seems to be based on a different understanding of the term “duty of loyalty” than that used in bills sponsored by Cantwell and Sen. Brian Schatz, D-Hawaii, in which the term is akin to a fiduciary responsibility — of a doctor or lawyer — to do no harm to the people divulging personal information to them. Duty of loyalty is also closely associated with the principle of “data stewardship.” Fred Cate described the concept this way: “If you collect my data, if you use my data, and something goes wrong that causes harm, you should be liable for it.”
In Cantwell’s Consumer Online Privacy Rights Act Sec. 101 (also entitled “Duty of Loyalty”), it stipulates that “A covered entity shall not engage in a deceptive data practice or a harmful data practice.” A harmful data practice is defined as “processing or transfer of covered data in a manner that causes or is likely to cause…[f]inancial, physical, or reputational injury to an individual, [p]hysical or other offensive intrusion upon the solitude or seclusion of an individual or the individual’s private affairs or concerns, where such intrusion would be offensive to a reasonable person, [or] [o]ther substantial injury to an individual.”
The focus on preventing harm in Cantwell’s bill aligns closely with the meaning of “duty of loyalty” in Schatz’s Data Care Act of 2021, which includes three distinct duties: of care, of loyalty, and of confidentiality. Its duty of loyalty prohibits online service providers from using an individual’s identifying data in a way that:
- benefits the online service provider to the detriment of the end user;
- would result in “reasonably foreseeable and material physical or financial harm”; or
- would be “unexpected and highly offensive to a reasonable end user.”
Unlike the duty of loyalty in Cantwell and Schatz’s bills, Title I: Duty of Loyalty in the ADPPA includes requirements on data minimization, “loyalty duties,” privacy by design and price discrimination. While these requirements may be impactful, ADPPA’s Title I does not explicitly obligate companies “to act in the best interests of people exposing their data” or prohibit them from “designing digital tools and processing data in a way that conflicts with trusting parties’ best interests,” which is how the concept of duty of loyalty in privacy has been explicated by scholars Neil Richards and Woodrow Hartzog.
Moreover, the “loyalty duties” of Sec. 102(a) appear duplicative of Sec. 204(a)’s rules on consent regarding sensitive covered data, which prohibit covered entities from collecting or processing sensitive covered data without the affirmative express consent of the individual. Sensitive covered data is defined in the draft to include things like government-issued identifiers; health, financial, biometric, genetic and precise geolocation information; private communications; log-in credentials; information relating to race or sexual orientation; and other categories (e.g., browsing history). In other words, Sec. 102(a) and Sec. 204(a) seem to overlap in the requirements they impose around these various sensitive data types.
Thus, a substantive issue in need of attention within the ADPPA discussion draft concerns the disagreement among lawmakers on what “duty of loyalty” ought to entail. Is duty of loyalty, as the ADPPA implies, synonymous with restrictions on the processing of sensitive personal information, data minimization and privacy by design? Or, rather, as the Consumer Online Privacy Rights Act and other bills assume, is it a principle intended to prevent data controllers from making decisions out of self-interest that are deceptive or would bring harm to the individuals whose data they collect, use and reuse?
Preemption
The details of ADPPA’s preemption of state law and its various exemptions are also nuanced. Broadly speaking, it does not preempt federal privacy laws, like the Children’s Online Privacy Protection Act, but preempts state privacy laws, such as the California Consumer Privacy Act/California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act and others.
There are numerous exemptions to the preemption of state law, including Illinois’ Biometric Information Privacy Act, any laws that “solely regulate facial recognition,” CCPA’s private right of action concerning data breaches, as well as state unfair and deceptive acts and practices laws. Professor William McGeveran described it as a “preemption obstacle course for existing rules, but it would freeze most future state privacy lawmaking.”
ADPPA is not the first federal proposal, however, to contain such a tailored preemption clause. For example, the Consumer Data Privacy and Security Act of 2021, sponsored by Sen. Jerry Moran, R-Kan., had also included a preemption provision that would have preserved state and local laws regarding data breaches, student privacy, health information, information in the employment context, as well as anti-discrimination and other laws.
Thus, the biggest substantively new carve-outs to preemption in ADPPA seem to be for consumer protection laws, facial recognition laws, and Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act.
Indeed, the target of preemption — and the motivation for its push by industry — have long been the emerging “patchwork” of state consumer privacy laws, from California’s to Connecticut’s. In the wake of CCPA’s passage, Electronic Frontier Foundation’s Bennett Cyphers wrote that the campaign for preemption in a federal law was seeking “to undermine real progress on privacy being made around the country at the state level.”
Since then, lobbying tactics have also shifted. Privacy advocates have taken notice of industry’s new “privacy play” of “pushing weak privacy bills in states while Congress dithers.” Considering all this, one should not forget that “support of privacy regulation among big businesses masks a radically deregulatory agenda,” as Chris Hoofnagle has argued so eloquently.
Nevertheless, despite the carve-outs, ADPPA’s preemption of state law is likely to dampen its support among most Democrats. Sen. Brian Schatz reportedly sent a letter to the House and Senate Commerce committees saying that a federal privacy bill that lacks a duty of care “absolutely should not preempt states from adopting consumer-first online privacy reforms.” Sen. Cantwell agreed, according to the Washington Post, saying, “Senator Schatz is right — any robust and comprehensive privacy law must protect consumers’ personal data with a clear requirement that companies are accountable for the use of that data and must act in consumers’ best interests.”
Private right of action and enforcement
The other contentious issue alongside preemption, the private right of action within the ADPPA, is complicated to unravel.
The private right of action outlined in Sec. 403, which would take effect four years after enactment, allows “any person or class of persons who suffers an injury that could be addressed by the relief permitted” to bring a civil action in federal court. Awards are limited to compensatory damages, injunctive or declaratory relief, and legal fees.
Yet, before bringing suit, an individual or class would need to “first notify the Commission and the attorney general of the State of the persons residence in writing outlining their desire to commence a civil action.” The FTC and state attorney general will then make a determination (within 60 days) and respond to the person or class “as to whether they will independently seek to take action.” If an individual or class sends “any written communication requesting a monetary payment” to a covered entity before those 60 days are up or after the FTC or state attorney general decided to independently seek civil actions, it “shall be considered to have been sent in bad faith and shall be unlawful.”
Moreover, an individual or class who sends correspondence to a covered entity alleging a violation and requesting monetary payment must include specific language (“Please visit the website of the Federal Trade Commission to understand your rights pursuant to this letter”) as well as a hyperlink to the Commission’s webpage. If the correspondence does not include this language and hyperlink, the person or class “shall forfeit their rights.”
Regarding agency enforcement, the ADPPA mandates the establishment of a new FTC bureau “comparable in structure, size, organization, and authority to the existing Bureaus within the Commission related to consumer protection and competition,” but otherwise does not specify number of staff or authorize appropriations as some other proposals have.
It does, however, direct the FTC to hire “adequate staff” with respect to its duties laid out in Sec. 205 to also establish a “Youth Privacy and Marketing Division,” which is tasked with addressing the duties of the FTC laid out in the act with respect to the privacy of children and minors.
Conclusion
Some may read the discussion draft of the American Data Privacy and Protection Act as emerging and encouraging evidence of compromise on the two most contentious issues: preemption and private right of action. Regarding disagreement between lawmakers over a private right of action, however, there are reasons to be skeptical that the ADPPA has resolved the issue.
In a statement last Friday, Sen. Cantwell implied that ADPPA was “riddled with enforcement loopholes,” taking particular issue with the four-year waiting period for the private right of action to take effect. Regarding preemption, ADPPA may also be less of a compromise than a clarification of what was already intended by previous preemption proposals.
The text of ADPPA also reveals some confusion over central concepts in privacy law, including duty of loyalty and duty of care. Further examination of these concepts, and efforts to resolve disagreements over them, will be necessary for comprehensive legislation that includes them to move forward.
There are numerous additional sections and requirements in ADPPA — on the rights of consumers, appointment of privacy officers and other corporate accountability measures — that are beyond the scope of this initial analysis. The bill’s provisions on transparency and privacy policies, individual data ownership, consent regarding sensitive covered data, protections for children and prohibitions on targeted advertising, third-party collecting entities, civil rights protections, data security requirements, exceptions, and unified opt-out mechanisms are also all deserving of further study and scrutiny.
Given what has happened and been said over the last 72 hours, and in anticipation of what is to come in the coming days, weeks, and months, hard work remains in translating the energy created by the ADPPA discussion draft into a meaningful legislative outcome.