New Federal law would pre-empt most existing state laws on data privacy and security.
On Friday, June 3, House and Senate leaders released a bipartisan discussion draft of a comprehensive data privacy bill called the American Data Privacy and Protection Act (ADPPA). Although many federal privacy bills have been introduced in the past, this discussion draft is gaining widespread attention because of its timing and bipartisan support.
The bill includes an agreement between Republicans and Democrats — for the first time — on two areas that have blocked previous efforts: whether a federal privacy law can preempt state laws and whether individuals should have the right to sue companies that illegally share their data or use it in ways the law prohibits.
Though privacy laws exist in several states - including California, Virginia, and Colorado - the U.S. does not yet have an all-encompassing federal data privacy law, which would act as a comprehensive measure to protect consumers’ private data from being misused, even in states without regulations. The ADPPA would preempt most of these existing state laws, according to the draft legislation.
Although still a draft, the ADPPA contains components similar to the European Union’s General Data Protection Regulation (GDPR), which is currently considered the world's strictest privacy and security law.
“Hopefully, ADPPA will have the same beneficial impact for the United States as GDPR had on the European Union when it was enacted in 2018,” says George Powdar, Senior Vice President, Global Compliance and Reporting at Altair Global. “GDPR is currently the model for most data privacy laws globally.”
Powdar also expressed optimism for the ADPPA in that Relocation Management Companies (RMCs) can implement policies and procedures based on Federal law rather than individual state laws, thereby making compliance easier when handling transferee personal information.
Back in 2018, 28 European countries created and implemented the General Data Protection Regulation (GDPR), which is now the model for most data privacy laws globally.
RMCs that developed and implemented policies and procedures to comply with those regulations are now able to use those procedures to meet the privacy laws of other countries.
A federal law in the US, if modeled on the GDPR and able to supersede state laws, will be easier for RMCs to comply with.
State laws that would not be preempted include generally applicable consumer protection laws, civil rights laws, employee and student privacy protections, data breach notification laws, contract and tort laws, criminal laws regarding fraud, theft, identity theft, unauthorized access to electronic devices, and unauthorized use of personal information; laws on cyberstalking, cyberbullying, nonconsensual pornography, and sexual harassment, among several others.
The draft also does not block companies from forcing customers to use arbitration, except regarding children. Businesses regularly include such clauses in user agreements and have pushed to maintain that right.
The 64-page draft legislation addresses several critical issues related to data privacy, including third-party data collection policies, opt-out mechanisms for consumers, and the privacy of biometric information. The overarching goal of the act is to protect citizens against the discriminatory use of their data.
The ADPPA would require organizations to limit the data they collect and share. As part of this, companies can only collect information that is “reasonably necessary, proportionate, and limited.” The act would also give consumers more control over their data, requiring an option to allow end-users of services to turn off targeted advertisements and opt out of the transfer of data to a third-party entity. The bill would also set up data protections for minors, prohibiting targeted advertising if companies know a consumer is under 17.
The ADPPA draft includes the following provisions:
- Establish a robust national framework to protect consumer data privacy and security;
- Grant broad protections for Americans against the discriminatory use of their data;
- Require covered entities to minimize, on the front end, the individuals’ data they need to collect, process, and transfer, so that the use of consumer data is limited to what is reasonably necessary, proportionate, and limited for specific products and services;
- Require covered entities to comply with loyalty duties concerning specific practices while ensuring consumers don’t have to pay for privacy;
- Require covered entities to allow consumers to turn off targeted advertisements;
- Provide enhanced data protections for children and minors, including what they might agree to with or without parental approval;
- Establish regulatory parity across the internet ecosystem; and
- Promote innovation and preserve the opportunity for start-ups and small businesses to grow and compete.
The discussion draft names the FTC as the primary federal regulator for the proposed new rules. Within a year of the legislation being enacted, the agency would create a new bureau that would serve as the authority for part of the act.
Among other things, the act would require the FTC to issue guidance on policies that companies must follow in collecting, processing, and transferring covered data. The FTC is also in charge of tracking third-party collecting entities that process covered data of more than 5,000 individuals through a registration process.
A violation of the act by companies would be considered “an unfair or deceptive act or practice under the FTC Act, meaning it may obtain civil penalties for initial and subsequent violations, among other relief,” according to the draft legislation.
Consumer advocacy and civil rights groups applauded the discussion draft. “Privacy rights are civil rights,” said David Brody, Managing Attorney of the Digital Justice Initiative at the Lawyers’ Committee for Civil Rights Under Law, in a statement. He said the group is encouraged that the bill would “curb the rampant data-driven discrimination that occurs due to a lack of privacy protections.”