American Data Privacy and Protection Act

The American Data Privacy and Protection Act (ADPPA) was a United States proposed federal online privacy bill that, if enacted into law, would have regulated how organizations keep and use consumer data. The bipartisan, bicameral bill was the first American consumer privacy bill to pass committee markup, which it did with near unanimity.

American Data Privacy and Protection Act

Long title	An act to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement
Acronyms (colloquial)	ADPPA
Legislative history
Introduced in the House as H.R. 8152 by Frank Pallone D‑NJ on June 21, 2022 Committee consideration by House Energy and Commerce

Contents

The American Data Privacy and Protection Act (ADPPA) aimed to regulate how organizations keep and use consumer data. The Act had several main principles: data minimization, individual ownership, and private right of action. The burden of evaluating each organization's programs would fall to the organization.^[1]

Data collectors would have had to minimize the data they collected down to that which was "necessary, proportionate, and limited to" their purpose, whether administering a product or communicating. The bill would have given the Federal Trade Commission a year to define those terms. Data minimization is a common principle among other privacy laws, but the ADPPA would have affected business functions beyond compliance operations. ADPPA would also have specifically limited transfer and some processing of Social Security numbers, precise geolocation, biometric and genetic data, passwords, browsing history, and physical activity tracking.^[1]

Individuals would have had the right under ADPPA to know how their personal data was to be used and which third parties would have received it. They would have had the right to correct and download their user data. Organizations would have had up to 90 days to process these requests, depending on the organization's size. Individuals would also have had the right to take legal action against organizations in violation of the Act for four years after its execution after first giving their state Attorney General and Federal Trade Commission 60 days' notice to respond.^[1]

Designated "large data holders"—with adjusted gross revenue over $250 million in the last calendar year and processing either five million personal records or 100,000 sensitive individual records—would have been subject to additional controls. These organizations would have been required to designate a corporate officer for administering data policy, training employees, keeping records, and communicating with the government. Large data holders' highest ranking corporate officers and data security officers would have had to certify reasonable compliance with the Federal Trade Commission. Large data holders would have needed to provide a privacy impact assessment of their controls and risk to users every two years.^[1]

"Small data holders", on the other hand, would have been exempt from some requirements. Defined as organizations with adjusted gross revenue below $41 million over the past three calendar years, that process data for fewer than 100,000 individuals annually, and whose business does not primarily rely on transferring data, small data holders could delete records rather than processing corrective requests and would be exempt from many requirements apart from the user right to delete data no longer in use.^[1]

Third-party data collectors, whose primary business revenue comes from user data collected for another platform's use, would also have been subject to specific rules, such as displaying a notice about data collected on behalf of another organization, allowing for data audits, and populating a registry for such data collectors.^[1]

As the first federal user data privacy legislation, ADPPA would have largely superseded state laws like the California Consumer Privacy Act and Colorado Privacy Act, though carve-out state provisions about biometric data and data breaches would be protected. The federal bill would have include nonprofit organizations (whereas many state privacy laws do not), though nonprofits would largely fall under the "small data holder" exemptions.^[1]

History

There is no federal law governing online privacy in the United States.^[2] In July 2022, the American Data Privacy and Protection Act (ADPPA) became the first federal online privacy bill to pass committee, the House Energy and Commerce Committee, and did so with near unanimity.^[2][3] Sponsored by the committee chair Frank Pallone,^[2] the bicameral bill had bipartisan support and had included bipartisan concessions that had restricted prior attempts at a bipartisan privacy bill.^[3] The bill was additionally led by House Representative Cathy McMorris Rodgers and, in the other legislative chamber, Senator Roger Wicker.^[4] While Consumer Reports and the Electronic Privacy Information Center both showed optimism towards the bill, several Democratic senators opposed the bill because it might nullify stronger protection from several state laws.^[3]

Though the bill had bipartisan support as it advanced to the House floor, it faced opposition from California lawmakers, the chair of the Senate Commerce Committee Maria Cantwell, and big tech companies.^[2]

As the chair of the Senate committee responsible for data privacy, Maria Cantwell was the gatekeeper for any such bill to reach the senate floor. Cantwell, who had her own online privacy bill in draft, had similarly declined another bipartisan online privacy bill proposed by Senators Richard Blumenthal and Marsha Blackburn earlier in the year. Her primary concern for ADPPA was its enforcement provisions. Cantwell's own draft bill had been grappling with a provision that would restrict consumers from creating class-action lawsuits against companies that had harmed them.^[4]

The 2022 overruling of Roe v. Wade led to increased interest in a federal privacy bill, with concern over how unmitigated tracking by data brokers and app developers, such as user visits to abortion clinics or period app usage, could be used to target users in states where abortion is criminalized. ADPPA would have protected health privacy and not directly address Roe.^[3]

Internet safety and missing persons advocate Alicia Kozakiewicz—herself a victim of an Internet abduction in 2002—expressed concern about the ADPPA's effect on law enforcement efforts to quickly investigate and solve child abduction cases. Although she supported the majority of the provisions in the bill, Kozakiewicz worried that "If the current version of the American Data Privacy and Protection Act had been in place when [she] was held captive, it may have been nearly impossible for law enforcement to find [her] and identify [her] captor as quickly as it did, if at all."^[5]

Other privacy-related bills during ADPPA's advancement included Elizabeth Warren's Health and Location Data Protection Act, Suzan DelBene's Information Transparency and Personal Data Control Act, and Sara Jacobs's My Body, My Data Act. In the absence of federal legislation, state laws have included California's Consumer Privacy Act and Privacy Rights Acts, Illinois's Biometric Information Privacy Act, and Vermont's Data Broker Act.^[3]

Action on the ADPPA had not been completed prior to the adjournment of the 117th Congress on January 3, 2023.^[6]

See also

• State privacy laws of the United States
• American Privacy Rights Act

References

1. Dumiak, Matt (June 24, 2022). "Federal Privacy Bill: Breaking Down the ADPPA". JD Supra. Archived from the original on June 25, 2022. Retrieved July 30, 2022.
2. McGill, Margaret Harding (August 4, 2022). "Online privacy bill faces daunting roadblocks". Axios. Retrieved August 6, 2022.
3. Morrison, Sara (July 21, 2022). "The end of Roe could finally convince Americans to care more about privacy". Vox. Archived from the original on July 27, 2022. Retrieved July 30, 2022.
4. Lima, Cristiano (June 30, 2022). "Cantwell's elusive endorsement hinders privacy talks". Washington Post.
5. Kozakiewicz, Alicia (August 22, 2022). "Alicia Kozak: American Data Privacy and Protection Act could thwart efforts to save abducted children". Chicago Tribune.
6. "Actions—H.R.8152—American Data Privacy and Protection Act—117th Congress (2021-2022)". Congress.gov.

Further reading

• Brody, Ben; Chitkara, Hirsh (August 3, 2022). "What Microsoft, IBM and others won as the privacy bill evolved". Protocol. Retrieved August 6, 2022.
• Cameron, Dell (August 18, 2022). "What's Stopping the American Data Privacy Act From Passing?". Gizmodo. Retrieved August 21, 2022.
• Castro, Daniel (June 13, 2022). "A Review: The American Data Privacy and Protection Act". GovTech. Archived from the original on July 17, 2022. Retrieved July 30, 2022.
• Edelman, Gilad (July 21, 2022). "Congress Might Pass an Actually Good Privacy Bill". Wired. ISSN 1059-1028. Archived from the original on July 29, 2022. Retrieved July 29, 2022.
• Keary, Tim (June 20, 2022). "What is the American Data Privacy and Protection Act (ADPPA) and what does it mean to enterprises?". VentureBeat. Archived from the original on July 27, 2022. Retrieved July 30, 2022.
• Klar, Rebecca (July 20, 2022). "House panel advances landmark federal data privacy bill". The Hill. Retrieved July 30, 2022.
• Lima, Cristiano (July 26, 2022). "Analysis - Pelosi in a bind as California leaders object to federal privacy bill". Washington Post. ISSN 0190-8286. Archived from the original on July 26, 2022. Retrieved July 30, 2022.
• McKinnon, John D. (July 20, 2020). "Data-Privacy Bill Advances in Congress, but States Throw Up Objections". Wall Street Journal. Archived from the original on July 20, 2022. Retrieved July 30, 2022.
• Ostwal, Trishla (July 21, 2022). "States Retaliate as the Federal Privacy Bill Advances". Adweek. Retrieved July 30, 2022.
• Seitz, Jacob (July 21, 2022). "Congress' big new privacy bill might just neuter the agency that should be enforcing it". The Daily Dot. Retrieved July 30, 2022.
• Shatz, Sanford (July 12, 2022). "Congress Introduces the American Data Privacy and Protection Act". JD Supra. Archived from the original on July 14, 2022. Retrieved July 30, 2022.
• Tsukayama, Hayley; Schwartz, Adam; McKinney, India; Tien, Lee (July 24, 2022). "Americans Deserve More Than The Current American Data Privacy Protection Act". Electronic Frontier Foundation. Archived from the original on July 29, 2022. Retrieved July 30, 2022.