The current draft of the American Data Privacy and Protection Act, voted out of the House Energy and Commerce Committee in a bipartisan 53-2 vote this summer, has not yet been introduced in the Senate and may have reached a standstill in the House. On Sept. 1, just prior to the start of Congress’s fall session, House Speaker Nancy Pelosi, D-Calif., issued a statement that she would not hold a vote on the current version of the ADPPA, though she promised to work with Committee Chair Frank Pallone, D-N.J., “in the days ahead.” While the privacy community speculates whether this means a delay or a death knell to the passage of a comprehensive federal privacy bill this year, House legislators continue to work toward refining the bill.

The current version of the proposed legislation incorporates the first round of changes and updates from the House Amendment in the Nature of a Substitute subcommittee process and the Energy and Commerce full committee markup of the bill in July.

As previously explained by IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, the scope of the initial draft of the ADPPA broadly defined the term “covered entity” and extended U.S. Federal Trade Commission jurisdiction to include nonprofits and common carrier activities of telecommunications companies. It proposed different tiers of compliance requirements for small- and medium-sized businesses, as well as “large data holders.” The original proposed version of the ADPPA also specified requirements based on an organization’s relationship to covered data, such as whether it was a “third party,” “third-party collecting entity,” or “service provider.” The most significant changes in the current version of the bill are summarized below:

Changes to who needs to comply with the ADPPA

The definition for “covered entity” has been updated to correct an unintended exception in the initial draft of the act. Entities that collect, process or transfer covered data acting on behalf of government entities would be exempt from the statutory requirements only to the extent of the covered data used in the services provided to the government.

Within the prohibition on targeted advertising to minors under 17, legislators implemented a tiered knowledge approach for whether an entity knows an individual is a covered minor. To this end, the draft ADPPA defines yet another type of covered entity. A “covered high impact social media company” is defined as a covered entity that generates $3 billion or more in annual revenue, has 300 million or more monthly active users on its platform, and “constitutes an online product or service that is primarily used by users to access or share user-generated content.” Such companies would be considered to have knowledge of minors on their platforms if they “knew or should have known” the individual was a minor. Other large data holders would have knowledge of minors if they “knew or acted in willful disregard.” For all other organizations, the standard is set as actual knowledge.

Refining the layers: Further obligations and exemptions

Although the definition of a “large data holder” remains substantively the same across the versions, these specified covered entities are now subject to an additional reporting requirement to annually disclose metrics relating to the exercise of individuals’ data rights, such as requests to access or delete personal data, or opt out of data transfers and targeted advertising. A large data holder using a covered algorithm that poses a “consequential risk of harm” must also submit an impact assessment annually. This elevated requirement adds to the general obligation of covered entities and service providers to evaluate a covered algorithm to reduce the risk of potential harms before deployment.

Additionally, the requirement for a biennial privacy impact assessment, previously mandated only for large data holders, now extends to all covered entities except small businesses. These privacy impact assessments consider factors such as the nature and volume of the covered data and the risks posed to individuals’ privacy.

The prior exemptions for small and medium businesses remain largely unchanged, though the bill no longer uses the term “small data exception.” Section 209 instead simply delineates “Small Business Protections.” Small businesses would enjoy additional exemptions under the updated bill. But both new exemptions rely on separate definitions of small businesses from those in Section 209. First, individuals may not pursue claims under the private right of action described in Section 403 against an organization that “has less than $25,000,000 per year in revenue, collects, processes, or transfers the covered data of fewer than 50,000 individuals, and derives less than 50 percent of its revenue from transferring covered data.” (Section 209 uses the same categories, but at $41 million in revenue and 200,000 individuals.) In addition, businesses with 15 or fewer employees are now exempt from the requirement to designate privacy and security officers.

Clarifying roles

The definitions for “third party,” “third-party collecting entity,” and “service provider” remained largely the same among versions of the ADPPA with a few notable language changes. A third party — analogous to another controller under the EU General Data Protection Regulation (GDPR) — does not include a person or entity that collects covered data from another entity it is related to by common ownership or corporate control. This is subject to a consumer’s reasonable expectation of their data-sharing.

Legislators also implemented an important technical change to the definition of “service provider” to close an unintended gap and clarify that entities acting on behalf of government entities and handling covered data are still subject to the ADPPA.

Let’s get technical

In addition to the updates on types of entities and organization roles addressed within the ADPPA, the newest version of the bill added language that requires functionalities such as opt-out mechanisms to be more accessible to users with disabilities. The draft legislation also integrates references to unified opt-out mechanisms in provisions about an individual’s right to opt out of covered data transfers and targeted advertising.

The weeks ahead

Whether the draft of the ADPPA goes through another round of edits in the current congressional session remains to be seen. However, the changes to the initial draft of the ADPPA noted above show that movement toward technical refinements based on stakeholder engagement has carried on throughout the legislative process. No doubt these efforts are continuing, even as the legislative session winds to a close.
