Insight

Could Congress Finally Move on Privacy?

Executive Summary

  • A bipartisan, bicameral group of key lawmakers released a draft of the American Data Privacy and Protection Act, which would establish new limitations on the collection and use of user data, as well as create new rights for users to access, correct, delete, and transfer their data.
  • The bill attempts to navigate the major sticking points of previous privacy legislation through significant compromises on both state law preemption and a private right of action for individuals harmed by the data practices of companies; disagreement on these issues still exists, however, and could ultimately prevent passage.
  • Regardless of this bill’s outcome, the ability of key legislators from both sides of the aisle to reach a compromise suggests that this draft could be the first step toward a comprehensive national privacy framework.

Introduction

After years of debate and negotiations, a bipartisan, bicameral group of lawmakers released a draft of the American Data Privacy and Protection Act (ADPPA), a national privacy framework. This long-awaited compromise suggests such legislation could move in either this Congress or the next. As the state patchwork of privacy laws continues to increase, the impetus for a national framework has never been greater, especially from the technology industry’s perspective. Yet as legislators from both parties clearly made significant compromises to get a workable draft, the ADPPA is likely not ideal from either party’s perspective.

Over the next few months, Congress will consider this legislation and the impact it would have on both consumer privacy and the economy. The ADPPA covers a broad swath of concepts, and this insight breaks down its most critical components. In particular, the insight focuses on the issues of preemption and a private right of action — two key sticking points in previous negotiations. While Congress will continue to negotiate the specific details of a privacy framework, and different bills may be introduced, this bipartisan framework appears to be a major step forward on the path to a national privacy law.

General Provisions

The ADPPA takes two main approaches to protecting consumer privacy: duties on entities that collect data, and rights for individuals whose data is collected.

First, the legislation would create a duty of loyalty for any entity or person that collects data (denoted as “covered entities” in the legislation); this would prohibit the collection of data beyond what is reasonably necessary, proportionate, and limited to provide or maintain a specific product or service requested by an individual or a communication to the individual reasonably anticipated within the context of the relationship. This broad standard closely aligns with other data minimization efforts, and would ensure that covered entities only collect data relevant to the service or product the consumer uses. At the same time, losing access to consumer data would limit companies’ ability to incorporate insights from the data into innovating new products and services that consumers may want. The duty of loyalty would also include a prohibition on a wide range of practices such as transferring precise geolocation, passwords, or biometric information without the express affirmative consent of the individual, and would impose privacy by design requirements directing covered entities to proactively embed privacy into the design and operation of services and business practices.

Second, the ADPPA would also create consumer data rights to ensure consumers can find out what data is being collected from them and how it is being used. Moreover, these “data ownership” rights would allow individuals to access, correct, delete, and transfer their data to different services. Beyond these basic rights, the ADPPA would set a variety of restrictions and prohibitions relating to the sharing of Social Security numbers or genetic information without the express consent of the individual, or expansions to Children’s Online Privacy Protection Act requirements that add restrictions relating to targeted advertising to individuals under 18 years old. Under ADPPA, the Federal Trade Commission (FTC) would have the rulemaking authority to develop what these rights look like in practice.

Many of ADPPA’s provisions aren’t particularly controversial, so lawmakers will likely be able to iron out details during negotiations. Yet the bill’s extension into a wide range of topics such as data portability and algorithmic harms seemingly goes beyond privacy, and these topics may be better left for specific legislation on these issues. For example, the bill would allow the FTC to establish rules regarding data portability, and the FTC has strongly suggested it wants to drastically change competition policy in the United States. A grant of authority to the FTC to make rules relating to data portability will inevitably be used to address perceived competition issues unrelated to the bipartisan compromises on user privacy.

There is a lot to unpack in these sections, and undoubtedly Congress will fiercely debate the provisions in the bill. Indeed, a bipartisan national framework will need to impose strong protections to gain enough support to pass. To this point, however, the specific protections and duties haven’t stalled previous attempts to pass a bill. Instead, preemption and private right of action remain the two central questions to whether a national privacy framework can move forward.

Preemption

The ADPPA preempts state laws that cover the provisions of the act, but does so with preservation of state laws in a few regards. First, it specifically grandfathers in California’s private right of action for data breaches and Illinois’ laws governing biometric and genetic information—both of which are fairly large exceptions to ADPPA’s preemption and could have a significant impact on compliance requirements for businesses. By grandfathering in these specific provisions and not the entire California Consumer Privacy Act, however, the bill narrows the applicability of state privacy law and essentially supersedes any broad state effort to regulate privacy.

Second, the bill has a wide range of exceptions for things such as consumer protection laws of general applicability, civil rights laws, data breach notifications, and tort law. While the list of non-preempted subjects in the bill goes beyond these examples and may seem large, many of these exceptions are fairly obvious and the ADPPA would likely not preempt them even if the bill didn’t explicitly include them.

Therefore, the impact of these exceptions will largely depend on enforcement and state views of the legislation generally. If the inherent protections in the bill assuage concerns from state lawmakers, states will have less desire to test the bounds of the law in court. If they feel that the law doesn’t go far enough, lawmakers across the country may try to use these exceptions to argue that new privacy legislation isn’t actually a privacy law but instead a consumer protection law of general applicability or one of the other exceptions. At a bare minimum, the preemption exceptions will add some uncertainty for businesses, meaning innovation and investment in new products and services will be impacted.

Private Right of Action

The ADPPA places primary enforcement of the act with the FTC and state attorneys general (AGs), though it includes a fairly broad private right of action as well. There is widespread agreement that the FTC should be the primary enforcement agency for any privacy framework, though some have argued that this bill fails to give the agency the resources it would need to adequately protect consumers. State AGs are a bit more controversial when it comes to privacy enforcement as state level enforcement can lead to inconsistencies in application and politicization of enforcement. Proponents argue, however, that state AG enforcement allows states to actively protect consumer privacy and develop norms around data use.

While the state AG debate is ongoing, it likely won’t derail the legislation. Instead, the more serious contention is whether individuals should be able to bring litigation against covered entities. As drafted, the ADPPA allows individuals who suffer an injury to seek relief through a civil action against the covered entity, and courts may award individuals both injunctive relief as well as compensatory damages and attorneys’ fees. As a result, plaintiff lawyers will undoubtedly use the law to bring litigation of all kinds any time an individual feels that a covered entity misuses their data or otherwise fails to adhere to any interpretation of the act.

Notably, the drafters attempted to limit the negative impacts of a private right of action in two regards. First, plaintiffs seeking to bring a claim under this act must first give the FTC notice and 60 days to review the claim. If the FTC finds that a covered entity violated the act, it can independently seek to act. If the FTC decides to act, then the individual cannot seek monetary payments from the covered entity. The additional time and procedures required to bring claims against covered entities could limit some of the frivolous lawsuits against covered entities. That said, nothing in the legislation would actually stop private litigation. Thus, the only claims that would move forward are those that regulators have decided not to pursue.

Second, the ADPPA grants covered entities a right to cure the alleged infringing conduct. A right to cure would allow firms to resolve litigation at the outset, limiting the costs of litigation. Unfortunately, the right to cure is limited to claims seeking injunctive relief, meaning firms would still need to defend against claims for monetary damages. Because claims for monetary damages make up the bulk of frivolous lawsuits, the right to cure in this private right of action may not provide significant relief if the legislation causes an influx of litigation.

Conclusion

As it stands, the ADPPA takes a very fragmented approach to developing a national privacy framework. Many of the provisions in the legislation clearly are a result of bipartisan compromise, which on one hand makes the bill no one’s ideal, but on the other hand makes it the most viable national privacy legislation in years. While Congress will likely be able to iron out many provisions, significant hurdles remain, and the bill lacks support from some key leaders. At a minimum, the ADPPA has sparked new life in the privacy debate.
