What Are Some of the Obstacles to Passing the Bill?
Preemption
Preemption is one reason that past bills failed, and it remains a barrier to the ADPPA. On August 15, the California Privacy Protection Agency announced its opposition to the ADPPA, stating that it opposes any bill that supersedes California’s landmark privacy laws with weaker protections and prevents the agency from exercising its mandate to protect California’s residents. The California Privacy Protection Agency is the first state data protection agency in the United States.
However, the ADPPA may not be DOA (dead on arrival). The California Privacy Protection Agency indicated that it would consider federal legislation that sets a floor, and not a ceiling, permitting states to enforce existing and future legislation with stricter provisions than the ADPPA.
Private Right of Action
Section 403(a) of the ADPPA includes a private right of action, but only for certain provisions and only against larger businesses. The excluded provisions generally relate to consumer matters in the purview of the Federal Trade Commission (FTC), such as data minimization, privacy by design, youth privacy and marketing, small business protections, the unified opt-out mechanism, and executive corporate responsibility. Businesses are also exempt from the private right of action if they have annual revenue of less than $25 million, earn less than half of their revenue from transferring covered data, and have fewer than 50,000 accounts.
Beginning on the date that is 2 years after the date on which this Act takes effect, any person or class of persons for a violation of this Act or a regulation promulgated under this Act by a covered entity or service provider may bring a civil action against such entity in any Federal court of competent jurisdiction.
H.R. 8152 § 403(a)(1).
- Included violations. The private right of action pertains only to violations of the following duties: loyalty, pricing loyalty, transparency, individual data ownership and control, the right to consent and object, data protection for children and minors, third-party collecting entities, civil rights protections, establishment of data security practices, service providers, and third parties.
- Remedies. Plaintiffs may seek an injunction, declaratory relief, compensatory damages, and reasonable attorney fees and litigation costs.
- Mandatory arbitration. While a private right of action is likely essential to the passage of the ADPPA, Senator Cantwell does not support the existing draft text because it permits businesses to bury a mandatory arbitration provision for individuals in their website terms of use. Class actions could still be brought.
- Notice to covered entities and service providers. Section 403 provides a business with the ability to cure: Plaintiffs must provide the putative defendant 45 days’ notice of the ADPPA provision being violated. If the business demonstrates to the court that it has cured the violation within the 45-day time period, injunctive relief is no longer available. The notice letter must also include the mandatory statement and hyperlink: “Please visit the website of the Federal Trade Commission (FTC) for a general description of your rights under the American Data Privacy and Protection Act.” If the statement is not included, the civil action may be dismissed.
- Notice to the FTC and state attorney general. Plaintiffs must also notify the FTC and their state attorney general of their intent to bring a civil action and then wait 60 days to see if they intervene. The FTC, state attorney general, and a state body, such as the California Privacy Protection Agency, retain the right to bring their own action or intervene in the plaintiffs’ action. The notice letter to covered businesses will be considered in bad faith and unlawful if sent before the expiration of the 60-day waiting period.
- Standing. Federal court is the only venue for section 403 actions, but federal court has standing requirements. Plaintiffs would need to show that they suffered a concrete injury, not merely that a provision of the statute was violated. Federal court is also more expensive than state court. And will attorneys general in states that aren’t that interested in the privacy concerns of their residents enforce the ADPPA? So the question remains: Is the private right of action a paper tiger? How will a plaintiff prove damages for a privacy violation? Senator Cantwell’s 2019 Consumer Online Privacy Rights Act (COPRA) takes a different approach: A violation of COPRA regarding the covered data of an individual automatically constitutes a “concrete and particularized injury in fact to that individual.” Will Senator Cantwell move toward approving the ADPPA if it is modified to provide for this type of concrete harm and statutory damages?
The 2018 California Consumer Privacy Act contains a private right of action relating to data security. The act permits plaintiffs to request statutory damages if (a) a business fails to implement reasonable and appropriate security measures and (b) that failure caused data security breaches that affected sensitive personal information. Notably, the ADPPA permits only compensatory damages, and the standing requirement could doom many cases.
The history of litigation under the act provides a road map for the type of litigation that could arise under the ADPPA. To date, several hundred cases have been filed, the overwhelming majority of them in federal court. Targeted industries include financial services, healthcare, hospitality, insurance, and California agencies. For instance, a class action was brought in 2021 against the menstrual tracking app Flo Health, Google, Facebook, AppsFlyer, and Flurry, alleging that tracking data were shared with third parties for advertising purposes without user consent. On August 10, 2022, Flo Health responded to the amended class action, stating that its privacy policy clearly states that user data are collected to analyze user trends and improve usability and efficiency. The proliferation of data sharing and targeted advertising based on this kind of “consent” is one target of the ADPPA.
How Are Consumers Protected?
Duty of Loyalty
Data minimization is the goal of section 101 of the ADPPA. The aim is for businesses’ first loyalty to be to the individuals from whom personal information is collected. Companies would be prohibited from collecting, processing, or transferring “covered data” beyond what is “reasonably necessary, proportionate, and limited to” providing a service that the individual requested or would reasonably anticipate (such as processing a credit card payment), or for a purpose that is explicitly permitted. There are 17 permitted purposes listed, including user authentication, fraud prevention, responding to a data breach, and announcing product recalls. This is a sea change from how personal information is currently collected, with everyone clicking “accept” and ignoring the terms of privacy policies such as the ones relied on in Flo Health, terms that have produced the current situation of rampant behavioral advertising and information sharing.
Protecting health information, particularly women’s health information, is a particular focus these days. The ADPPA considers health information to be “sensitive data” subject to increased protections. States would retain the ability to legislate regarding health information, medical records, public health information, medical information, reporting, or services. Rep. Anna Eshoo, D-CA, voted no to the ADPPA, stating that the ADPPA’s provision permitting lawful government access to sensitive information could work hand in hand with state authorities that are seeking access to information about women seeking reproductive healthcare.
Familiar Privacy Rights
Europe’s General Data Protection Regulation (GDPR) set forth a litany of privacy rights that are also contained in the ADPPA: the right to access, correct, delete, and port data; the right to opt out of targeted advertising; and the right to withdraw consent. An interesting addition to this familiar list is the right to individual autonomy, which forbids a business from using misleading advertising, fraudulent statements, or a manipulative user interface to impair an individual’s exercise of rights under the ADPPA. A unified opt-out mechanism is also called for, which spares individuals the chore of opting out on each site separately.
Cybersecurity
Large data holders, meaning businesses that meet revenue or data-processing thresholds, would be subject to data protection impact assessments and cybersecurity audits. But for the first time, most U.S. businesses would be required to implement reasonable administrative, technical, and physical security measures and data security practices (section 208 of the ADPPA). Section 208 specifically mandates vulnerability assessments, preventive and corrective action and evaluation of that action, information retention and disposal practices, formal employee training, designation of an information security officer, and incident response procedures.
What’s Next?
The 117th Congress has only a few more months to consider the ADPPA. The next step is either a pre-conference between the House sponsors and certain senators before the full House vote, or sending the bill directly to the Senate. Will they succeed? Only time will tell.
There once was a Congress, number one seventeen.
About data and personal rights did the House convene.
Both sides of the aisle, they did agree
To protect individuals’ personal data and privacy.
But will Congress enact
The American Data Privacy and Protection Act?