Publicly released last Friday, the discussion draft of the American Data Privacy and Protection Act gave the privacy community plenty of food for thought for the weekend. Initial impressions and analyses of the text ranged from “very promising,” “a valuable first step,” and “hugely impactful” to “not bad.”
Omer Tene perhaps described it most poetically as: “a tsunami that may yet make GDPR seem like a storm in a teacup.” Jim Steyer, founder and CEO of Common Sense Media, said that while the draft “should include stronger protections,” there is enough in it for Congressional leaders to build upon and reach an agreement this year.
Yet, given where things stand today, the picture remains unclear regarding the discussion draft’s chances of becoming law.
As IAPP’s Joe Duball argued, it would be smart to “temper feelings and expectations around this proposal.” Despite suggestions of progress and reasons for excitement about federal privacy legislation in recent weeks, “it is also possible that … the effort is doomed once again.” Things may unfold now similarly to how they did in December 2019, when Senate Democrats and Republicans both released a bill (COPRA and CDPA, respectively) that was greeted with excitement, but which resulted in a legislative stalemate due to several notable differences between the two texts.
Indeed, the chairwoman of the Senate Commerce Committee, Sen. Maria Cantwell, D-Wash., has not signed on to the ADPPA. Although House Commerce Committee chairman Rep. Frank Pallone’s, D-N.J., sponsorship is notable — and would give the bill bipartisan support in the House — the lack of an endorsement from Cantwell (or another Senate Democrat) means the bill does not yet have bipartisan support in the Senate.
And, without bipartisan agreement in both chambers of Congress, the legislation will be unable to move forward. This is why, if progress on a consumer federal privacy law is to be made, it is important to examine the key issues for which agreement has been most difficult to come by.
The ADPPA’s ‘Duty of Loyalty’
Looking first at the main provisions of the draft bill in Title I — “Duty of Loyalty” — Sec. 101 starts by detailing requirements for data minimization. In general, these require covered entities to limit what they collect, process and transfer to that which is “reasonably necessary, proportionate and limited to” the information they need to provide or maintain specific products or services requested by individuals.
Sec. 102 deals with restricted and prohibited data practices regarding the processing of various categories of sensitive information. Prohibited activities include the collection, processing or transferring of social security numbers, biometric information, nonconsensual intimate images and genetic information. Transfers of an individual’s precise geolocation information, passwords, aggregated internet search or browsing history, or their “physical activity information” (from a smartphone or wearable device) are also restricted.
Sec. 103 shifts the focus to privacy by design.
In this regard, ADPPA requires the implementation of “reasonable policies, practices, and procedures” regarding data collection, processing and transfer. Namely, such policies must “consider” mitigating privacy risks related to minors (under age 17) as well as privacy risks related to the “design, development, and implementation” of the entity’s products/services. The bill leaves flexibility for these policies, however, as they would need to be calibrated to: the size of the entity and the complexity of its activities, the volume and the sensitivity of the data it handles, the number of individuals/devices to which its operations relate, as well as the cost of such implementation.
Furthermore, within a year of enactment of the bill, the FTC would be tasked with issuing guidance as to what constitutes “reasonably necessary, proportionate, and limited to” vis-à-vis the data minimization guidelines, as well as what constitutes “reasonable policies, practices, and procedures” under its privacy by design principles.
Lastly, this title of the ADPPA also includes restrictions with respect to pricing. The section prohibits businesses from refusing to provide, charging different prices for, or conditioning a good/service on an individual’s agreement to waive their privacy rights guaranteed by the ADPPA. There are two exceptions to this rule: (1) the relating of price or level of service to “financial information” provided by the individual that is necessary for initiating, rendering, billing for, or collecting payment; and (2) loyalty programs.
Ambiguity in the ‘Duty of Loyalty’ across federal bills
Yet, the ADPPA seems to be based on a different understanding of the term “duty of loyalty” than that used in bills sponsored by Cantwell and Sen. Brian Schatz, D-Hawaii, in which the term is akin to a fiduciary responsibility — of a doctor or lawyer — to do no harm to the people divulging personal information to them. Duty of loyalty is also closely associated with the principle of “data stewardship.” Fred Cate described the concept this way: “If you collect my data, if you use my data, and something goes wrong that causes harm, you should be liable for it.”
In Cantwell’s Consumer Online Privacy Rights Act Sec. 101 (also entitled “Duty of Loyalty”), it stipulates that “A covered entity shall not engage in a deceptive data practice or a harmful data practice.” A harmful data practice is defined as “processing or transfer of covered data in a manner that causes or is likely to cause…[f]inancial, physical, or reputational injury to an individual, [p]hysical or other offensive intrusion upon the solitude or seclusion of an individual or the individual’s private affairs or concerns, where such intrusion would be offensive to a reasonable person, [or] [o]ther substantial injury to an individual.”
The focus on preventing harm in Cantwell’s bill aligns closely with the meaning of “duty of loyalty” in Schatz’s Data Care Act of 2021, which includes three distinct duties: of care, of loyalty, and of confidentiality. Its duty of loyalty prohibits online service providers from using an individual’s identifying data in a way that:
- benefits the online service provider to the detriment of the end user;
- would result in “reasonably foreseeable and material physical or financial harm”; or
- would be “unexpected and highly offensive to a reasonable end user.”
Unlike the duty of loyalty in Cantwell and Schatz’s bills, Title I: Duty of Loyalty in the ADPPA includes requirements on data minimization, “loyalty duties,” privacy by design and price discrimination. While these requirements may be impactful, ADPPA’s Title I does not explicitly obligate companies “to act in the best interests of people exposing their data” or prohibit them from “designing digital tools and processing data in a way that conflicts with trusting parties’ best interests,” which is how the concept of duty of loyalty in privacy has been explicated by scholars Neil Richards and Woodrow Hartzog.
Moreover, the “loyalty duties” of Sec. 102(a) appear duplicative of Sec. 204(a)’s rules on consent regarding sensitive covered data, which prohibit covered entities from collecting or processing sensitive covered data without the affirmative express consent of the individual. Sensitive covered data is defined in the draft to include things like government-issued identifiers; health, financial, biometric, genetic and precise geolocation information; private communications; log-in credentials; information relating to race or sexual orientation; and other categories (e.g., browsing history). In other words, Sec. 102(a) and Sec. 204(a) seem to overlap in the requirements they impose around these various sensitive data types.
Thus, a substantive issue in need of attention within the ADPPA discussion draft concerns the disagreement among lawmakers on what “duty of loyalty” ought to entail. Is duty of loyalty, as the ADPPA implies, synonymous with restrictions on the processing of sensitive personal information, data minimization and privacy by design? Or, rather, as the Consumer Online Privacy Rights Act and other bills assume, is it a principle intended to prevent data controllers from making decisions out of self-interest that are deceptive or would bring harm to the individuals whose data they collect, use and reuse?
The details of ADPPA’s preemption of state law and its various exemptions are also nuanced. Broadly speaking, it does not preempt federal privacy laws, like the Children’s Online Privacy Protection Act, but preempts state privacy laws, such as the California Consumer Privacy Act/California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act and others.
There are numerous exemptions to the preemption of state law, including Illinois’ Biometric Information Privacy Act, any laws that “solely regulate facial recognition,” CCPA’s private right of action concerning data breaches, as well as state unfair and deceptive acts and practices laws. Professor William McGeveran described it as a “preemption obstacle course for existing rules, but it would freeze most future state privacy lawmaking.”
ADPPA is not the first federal proposal, however, to contain such a tailored preemption clause. For example, the Consumer Data Privacy and Security Act of 2021, sponsored by Sen. Jerry Moran, R-Kan., had also included a preemption provision that would have preserved state and local laws regarding data breaches, student privacy, health information, information in the employment context, as well as anti-discrimination and other laws.
Thus, the biggest substantively new carve-outs to preemption in ADPPA seem to be for consumer protection laws, facial recognition laws, and Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act.
Indeed, the target of preemption — and the motivation for its push by industry — has long been the emerging “patchwork” of state consumer privacy laws, from California’s to Connecticut’s. In the wake of CCPA’s passage, Electronic Frontier Foundation’s Bennett Cyphers wrote that the campaign for preemption in a federal law was seeking “to undermine real progress on privacy being made around the country at the state level.”
Since then, lobbying tactics have also shifted. Privacy advocates have taken notice of industry’s new “privacy play” of “pushing weak privacy bills in states while Congress dithers.” Considering all this, one should not forget that “support of privacy regulation among big businesses masks a radically deregulatory agenda,” as Chris Hoofnagle has argued so eloquently.
Nevertheless, even despite the carve-outs, ADPPA’s preemption of state law is likely to dampen its support among most Democrats. Sen. Brian Schatz reportedly sent a letter to the House and Senate Commerce committees saying that a federal privacy bill that lacks a duty of care “absolutely should not preempt states from adopting consumer-first online privacy reforms.” Sen. Cantwell agreed, according to the Washington Post, saying, “Senator Schatz is right — any robust and comprehensive privacy law must protect consumers’ personal data with a clear requirement that companies are accountable for the use of that data and must act in consumers’ best interests.”
Private right of action and enforcement
Turning to the other contentious issue alongside preemption, the private right of action within ADPPA is complicated to unravel.
The private right of action outlined in Sec. 403, which would take effect four years after enactment, allows “any person or class of persons who suffers an injury that could be addressed by the relief permitted” to bring a civil action in federal court. Awards are limited to compensatory damages, injunctive or declaratory relief, and legal fees.
Yet, before bringing suit, an individual or class would need to “first notify the Commission and the attorney general of the State of the persons residence in writing outlining their desire to commence a civil action.” The FTC and state attorney general will then make a determination (within 60 days) and respond to the person or class “as to whether they will independently seek to take action.” If an individual or class sends “any written communication requesting a monetary payment” to a covered entity before those 60 days are up or after the FTC or state attorney general decided to independently seek civil actions, it “shall be considered to have been sent in bad faith and shall be unlawful.”
Moreover, an individual or class who sends correspondence to a covered entity alleging a violation and requesting monetary payment must include specific language (“Please visit the website of the Federal Trade Commission to understand your rights pursuant to this letter”) as well as a hyperlink to the Commission’s webpage. If the correspondence does not include this language and hyperlink, the person or class “shall forfeit their rights.”
Regarding agency enforcement, the ADPPA mandates the establishment of a new FTC bureau “comparable in structure, size, organization, and authority to the existing Bureaus within the Commission related to consumer protection and competition,” but otherwise does not specify the number of staff or authorize appropriations as some other proposals have.
It does, however, direct the FTC to hire “adequate staff” with respect to its duties laid out in Sec. 205 and to also establish a “Youth Privacy and Marketing Division,” which is tasked with addressing the duties of the FTC laid out in the act with respect to the privacy of children and minors.
Some may read the discussion draft of the American Data Privacy and Protection Act as emerging and encouraging evidence of compromise on the two most contentious issues: preemption and private right of action. Regarding disagreement between lawmakers over a private right of action, however, there are reasons to be skeptical that the ADPPA has resolved the issue.
In a statement last Friday, Sen. Cantwell implied that ADPPA was “riddled with enforcement loopholes,” taking particular issue with the four-year waiting period for the private right of action to take effect. Regarding preemption, ADPPA may also be less of a compromise than a clarification of what was already intended by previous preemption proposals.
The text of ADPPA also reveals some confusion over central concepts in privacy law, including duty of loyalty and duty of care. Further examining these concepts and trying to resolve disagreements over them will be necessary for comprehensive legislation that includes them to move forward.
There are numerous additional sections and requirements in ADPPA — on the rights of consumers, appointment of privacy officers and other corporate accountability measures — that are beyond the scope of this initial analysis. The bill’s provisions on transparency and privacy policies, individual data ownership, consent regarding sensitive covered data, protections for children and prohibitions on targeted advertising, third-party collecting entities, civil rights protections, data security requirements, exceptions, and unified opt-out mechanisms are also all deserving of further study and scrutiny.
Given what has happened and been said over the last 72 hours, and in anticipation of what is to come in the coming days, weeks, and months, hard work remains in translating the energy created by the ADPPA discussion draft into a meaningful legislative outcome.