I recently reported on a new privacy law enacted in Connecticut, as well as similar laws in a few other states. Of course, that raises the question: what about federal laws? Over the past few years there have, in fact, been several efforts to introduce federal legislation, in both the House and the Senate, by lawmakers on either side of the aisle.

Significantly, last week saw the release of a “discussion draft” of the American Data Privacy and Protection Act (ADPPA), which is described as “the first comprehensive privacy proposal to gain bipartisan, bicameral support.” The ADPPA would apply to the collection, processing, and transfer of “covered data,” defined as information that identifies or is linked or reasonably linkable to an individual or a device, by a “covered entity,” defined as any person or entity that is covered under the FTC Act, is a common carrier, or is a non-profit organization. The ADPPA would also provide special treatment to “sensitive covered data,” which includes information such as government-issued ID numbers (e.g., SSN), private communications, information relating to individuals under age 17, and several other categories. It would also include several requirements applicable only to “large data holders” (based on revenues or collection/processing activity). General exceptions exist under the ADPPA for certain types of collection, processing, and transfer, as well as for certain entities that are smaller in terms of revenues or collection/processing activity.

The ADPPA would require covered entities to minimize and limit their data activities; to restrict or refrain from certain data practices; to implement reasonable policies/practices with respect to covered data; to post a privacy policy; to implement reasonable administrative, technical, and physical controls to protect covered data; to prevent discrimination and other harmful effects arising from collection, processing, or transfer of covered data or from using algorithms; and to designate one or more privacy officers and data security officers. 

The ADPPA would provide individuals with rights to access, correct, delete, and obtain a portable copy of their covered data, would require their consent to collect, process, or transfer sensitive covered data, and would afford opt outs for transfers and targeted advertising.

The FTC would be able to enforce violations of the ADPPA as unfair or deceptive practices under the FTC Act. Violations could also be enforced by state attorneys general and, eventually, by individuals or classes of individuals.

Finally, the ADPPA contains a number of provisions governing its interaction with other federal and state laws, including preemption of state data privacy laws to some extent.

As with other proposed federal privacy legislation, the ADPPA has a long way to go before it could make it onto the books.
