Editor's Note:

The IAPPpublisheda more recent article on the draft American Data Privacy and Protection Act following changes made by the House Amendment in the Nature of a Substitute subcommittee and the Energy and Commerce full committee markup in July.

As the policy community takes time to absorb and reflect on the substantive provisions of the draft American Data Privacy and Protection Act, it is worth exploring the basic scope of application of the bill. What organizations would be expected to comply? How do obligations differ based on size or function in the data economy? The ADPPA presents a somewhat complex array of organizational roles, with different names than privacy professionals may be used to. For example, what’s the difference between a “third party” and a “third-party collecting entity?”

Note that this is an article about a draft bill, not yet introduced in the U.S. House or Senate. Any provisions are subject to amendment, including the scoping and definitional provisions. For this analysis, we have reviewed the draft text released June 3, 2022. Because it represents buy-in from only three of the four principals involved in ongoing “four corners” discussions — the leaders of the Senate and House commerce committees — this discussion draft has been referred to as the “three-corners draft” of the ADPPA.

Although reporting suggests that the final version of this bill has a better chance at passing than has ever been the case for a comprehensive privacy bill at the U.S. federal level, passage of the law is far from guaranteed. Nevertheless, the evolving understanding among policymakers of privacy roles and responsibilities is worth tracking.

Who would need to comply with the ADPPA?

In general, the ADPPA draft applies broadly to organizations operating in the United States. As defined in the draft, a covered entity is one that “collects, processes, or transfers covered data and is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.),” plus nonprofits and common carriers, as explored below. Note that “transfer” in this context means any sharing of data, not necessarily a cross-border transfer. As defined in the draft, transfer “means to disclose, release, share, disseminate, make available, or license in writing, electronically, or by any other means.”

The FTC Act provides the FTC with authority to police unfair or deceptive acts or practices “in or affecting commerce” in the United States. As recently clarified in the SAFE Web Act, this includes “such acts or practices involving foreign commerce that cause or are likely to cause reasonably foreseeable injury within the United States; or involve material conduct occurring within the United States,” 15 U.S.C. Section 45(a)(4)(A).

Covered data in the draft is defined as “information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers.” Explicitly excluded from this definition are (i) deidentified data, (ii) employee data (defined broadly to include hiring data), and (iii) publicly available information.

Nonprofits are in

The ADPPA draft would explicitly extend FTC jurisdiction for privacy and data security matters over nonprofit organizations. Because the FTC’s primary jurisdiction applies to matters “in or affecting commerce,” most nonprofit organizations have been considered exempt from FTC consumer protection enforcement. Although some state-level “mini-FTC” acts apply to nonprofits, comprehensive state privacy laws have also generally exempted nonprofit organizations from their scope, with the exception of the Colorado Privacy Act.

This would be an impactful expansion of the scope of privacy compliance obligations. According to 2021 data from the Urban Institute, there are some 1.8 million nonprofit organizations in the United States, including 501(c)(3) public charities, private foundations, and a variety of membership and professional organizations. It is worth noting that most nonprofit organizations in the United States would fall under the “small data exception” in the ADPPA draft (see below). According to 2019 data, only 5.4% of registered charities had revenue exceeding $10 million (but note that charities are only a subset of nonprofits).

Common carriers are in, but others are still out

Due to a variety of historical carve-outs and overlapping regulatory regimes, the FTC’s jurisdiction over commercial activities does not include all industries. The exceptions include the insurance industry, banks, savings and loan institutions, credit unions, airlines, and the common carrier activities of telecommunications service providers. In contrast with many data protection authorities, the FTC does not have jurisdiction over governmental actions.

The ADPPA draft would adjust this by explicitly bringing the common carrier activities of telecom companies into scope of the FTC’s privacy and data security provisions. Other exempt industries would remain unchanged. However, in the data security section, the draft bill does include language specifying that compliance with the data security requirements of the Gramm-Leach-Bliley Act, covering financial institutions, or the Health Information Technology for Economic and Clinical Health Act, covering health care and associated technologies, will be deemed as compliance with the ADPPA.

Well-defined layers

Beyond the general “covered entity” definition in the draft bill, there are specific types of entities defined, each with additional obligations or carve-outs. In general, covered organizations are broken down first in terms of scale (revenue and number of individuals affected), then by role vis-à-vis the individual (direct relationship, third party, or service provider). See the table below for a breakdown of how defined roles change the substantive requirements of the draft bill.

Small and medium enterprises must comply with the ADPPA, but are exempt from a few substantive provisions under the draft bill’s “small data exception.” To fall within the exception, the organization must meet all of the following requirements: (1) annual gross revenue below a certain threshold (the draft proposes $41 million) for each of the prior 3 years, (2) not process the data of more than 100,000 individuals, and (3) not derive more than 50% of its revenue from transferring covered data.

At the other end of the scale, the draft ADPPA adds additional responsibilities on “large data holders,” which are defined as organizations (1) with more than $250 million in gross annual revenue in the prior calendar year and (2) which processed covered data of more than 5 million individuals or the sensitive covered data of more than 100,000 individuals. (The definition of sensitive data in the draft includes all the special categories of data in the EU General Data Protection Regulation, plus government issued identifiers, financial account numbers, precise geolocation data, private communications, login credentials, personal files, TV viewing data, intimate images, data about individuals under 17, and “information identifying an individual’s online activities over time or across third party websites or online services.”)

Rules and roles

The draft ADPPA also includes prescribed substantive requirements based on the role an organization plays with regard to covered data.

In the context of an organization transferring (sharing) personal data with another entity, the draft bill makes a distinction between a “service provider” and a “third party.” For privacy professionals, these roles echo the distinction between processors and controllers in the GDPR.

A service provider under the draft ADPPA means a “covered entity that collects, processes, or transfers covered data in the course of performing one or more services or functions on behalf of, and at the direction of, another covered entity, but only to the extent that such collection, processing, or transfer (i) relates to the performance of such service or function; or (ii) is necessary to comply with a legal obligation.” That is, service providers may also be general “covered entities” when not acting in the capacity of a service provider.

A third party is defined as an entity that is not a service provider but “collects, processes, or transfers third party data” (defined circuitously as “covered data that has been transferred to a third party by a covered entity”). If an entity counts as a large data holder, the bill treats it as a third party even if it falls under common ownership or corporate control with another entity (or vice versa). Importantly, third parties are subject to a limitation that their data processing must be consistent with that of a reasonable individual.

A data broker by any other name

The final type of entity that is subject to specific prescriptive rules under the draft ADPPA is referred to as a “third-party collecting entity.” This includes any covered entity “whose principal source of revenue derived from processing or transferring the covered data of individuals that the covered entity did not collect directly from the individuals to which the covered data pertains.” The definition clarifies that this does not include a covered entity that processes employee data “for the sole purpose of such third party providing benefits to the employee.” Principal source of revenue is also clarified to mean either more than 50% of revenue, or processing/transferring the data of more than 5 million individuals, if not collected directly. For such entities, Section 206 provides for extra notice requirements, audit logging, and registration on a public list administered by the FTC.

Work in Progress

The three-corners draft of the ADPPA would expand the scope of FTC authority over privacy and data security matters. It covers most, but not all, industries and includes targeted requirements for certain types of entities. Most analysis of the draft suggests that “covered entity” requirements would apply to all types of entities, including service provider, if not explicitly exempted. Compared with current practices, this would likely lead to a tightening of restrictions for those who do not collect data directly from individuals. Again, this is a public discussion draft, meant to solicit feedback from stakeholders. On Tuesday, June 14, at 10:30 a.m. EDT, there will be a House subcommittee hearing on the draft. The hearing is titled "Protecting America's Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security."

Photo by Quick PS on Unsplash