EGA Blog Post : American Data and Privacy Protection Act
After years of debate on a workable federal data privacy legislation, Congressional lawmakers are actively discussing a potential solution. On June 3rd, key members of the House and Senate committees released a discussion draft of the “American Data Privacy and Protection Act” (ADPPA) as a sign of bipartisan, bicameral support; the bill was formally introduced on June 21st.
An increasing number of stakeholders, industry members and advocacy groups alike, have emphasized the need for a federal solution considering the increasing number of states enacting their own privacy laws. In fact, Connecticut and Utah are the latest states to enact comprehensive privacy laws during the 2022 legislative cycle – they join California, Virginia and Colorado. ITIF reports that this patchwork of laws “create significant compliance costs for in-state businesses and confusion for consumers while also raising costs for out-of-state businesses that increasingly find themselves subject to multiple, duplicative rules.”
To address these concerns, the ADPPA would set national standards for how organizations collect and manage data, limit data collection on minors and strengthen data privacy rights of consumers. The Senate Committee on Commerce, Science, & Transportation outlined the following goals in a press release:
- Establish a strong national framework to protect consumer data privacy and security;
- Grant broad protections for Americans against the discriminatory use of their data;
- Require covered entities to minimize on the front end, individuals’ data they need to collect, process, and transfer so that the use of consumer data is limited to what is reasonably necessary, proportionate, and limited for specific products and services;
- Require covered entities to comply with loyalty duties with respect to specific practices while ensuring consumers don’t have to pay for privacy;
- Require covered entities to allow consumers to turn off targeted advertisements;
- Provide enhanced data protections for children and minors, including what they might agree to with or without parental approval;
- Establish regulatory parity across the internet ecosystem; and
- Promote innovation and preserve the opportunity for start-ups and small businesses to grow and compete.
While the reception to the proposal has been somewhat positive, tech industry representatives, privacy advocates, and lawmakers have all voiced concerns. Industry representatives have argued that the draft bill’s preemption exceptions for select state laws will perpetuate compliance confusion and that the private right of action provision should be reworked. Democratic lawmakers and privacy advocates have faulted weak language on enforcement and compliance exceptions for some data usage as insufficient for protecting consumer rights.
The Subcommittee on Consumer Protection and Commerce of the House Energy and Commerce Committee has voted to advance the bill as of June 23rd. Considering the broad bipartisan support for the legislation in the House, there is strong potential for the legislation to be approved by the House, moving the discussion to the Senate. Major challenges in the Senate will be garnering support from key Democratic Senators, including the relevant committee chair, as well as obtaining support from 10 Republican Senators to overcome a possible filibuster. Considering timing challenges, it will likely be difficult to pass the bill this session.
We recommend the following steps for organizations that could be impacted by the ADPPA:
- Continue to monitor policy activity on the federal level, both in the House and Senate;
- Continue to monitor state level regulation, especially in key states (e.g., California, Texas, Illinois, Massachusetts, Virginia, Colorado);
- Continue to build out compliance structures for existing privacy regulation, either at the state level (e.g. CCPA) or, if applicable, on a sectoral level (e.g., regulatory compliance on Health data, Financial data);
- Assess potential impact to the organization by creating and/or updating assessments on personal data currently sourced, analyzed, stored, and utilized within their business;
- Connect with your partners at Edelman Global Advisory who can assist you in understanding the implications of the legislation in relation to your business objectives.
Authored by Hyun Shin, Vice President,Technology Policy, Edelman Global Advisory and Max Schmidt, Global Development Manager, Technology, Edelman