Last month, the U.S. House of Representatives’ Committee on Energy and Commerce held the third of three scheduled meetings ahead of a release of a new draft of the American Data Privacy and Protection Act (ADPPA), which is edging closer to being the first, comprehensive federal privacy legislation to be signed into law in the United States.

There is a clear need for greater privacy protections for Americans. Big tech firms are collecting huge volumes of sensitive data on Americans and there are few restrictions on how consumer data can be collected, used, and shared. There is mounting concern over the collection and use of the data of minors, the serving of targeted advertisements to children and teenagers based on the personal data collected by tech firms, and the sheer volume of data that is being collected on all Americans.

Currently, privacy regulations are implemented at the state level, and they can vary vastly across the country. ADPPA seeks to address this by placing restrictions on the collection and use of consumer data at the federal level and replacing the current patchwork of state privacy laws. ADPPA was approved by the Committee on Energy and Commerce on July 20, 2022, with a 53-2 vote but failed to advance to the House or Senate floors in the last Congress. Support may be strong, but in its current form, that support is not strong enough to get ADPAA over the line and signed into law.

The March 1, 2023, Committee hearing restarted the discussion about federal privacy legislation, with Subcommittee Chair Gus Bilirakis (R-FL) and Ranking Member Jan Schakowsky (D-IL) stating there is a desperate need to get federal privacy legislation signed into law in the present Congress. There was consensus among subcommittee members that federal privacy legislation is required, and that the ADPPA could well be the path forward. That said, there are different views on what privacy legislation should include and it was clear that significant changes are needed for ADPPA to stand a chance of being signed into law.

The Committee held another hearing on March 23, 2023, that was focused on hugely popular apps and how Congress can safeguard American data, address data sharing risks, and protect children from online harm. TikTok CEO, Shou Zi Chew, testified before the Committee and was grilled for hours but appeared unable to persuade the Committee that TikTok was safe and secure, and was not collecting data and passing that information to the Chinese government. Legislation has been proposed specifically to address this threat. The Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act was introduced in March 2023 and would give the government the authority to ban IT products such as TikTok if they are thought to pose a national security risk. While the Biden Administration is in favor of the RESTRICT Act, it fails to address domestic data privacy issues and the current digital Wild West where there are few rules on how consumer data can be collected, used, and shared.

A new draft of ADPPA is expected imminently, with Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) reportedly penning the last few updates to the bill, which is believed to incorporate significant changes. One of the major sticking points is the preemption of state laws, which backers say is vital for small businesses that are disproportionately burdened by the current patchwork of state laws. However, progressive states with much more stringent privacy protections – California for example – would see consumer privacy protections weakened by ADPPA, and with the privacy law setting protections in stone, there would be no way to improve protections in the future once ADPPA is signed into law. Nancy Pelosi, (D-CA) has already stated that she would not support ADPPA in its current form for this reason.

Whether the new version of ADPPA will address the sticking points sufficiently to retain the current bipartisan support and win over skeptics remains to be seen, but that will certainly be required to get ADPPA through the Republican House and Democrat Senate and signed into law.

The post Revised American Data Privacy and Protection Act Due to be Released appeared first on HIPAA Journal.

In 2022, the bipartisan, bicameral American Data Privacy and Protection Act (ADPPA) was proposed to introduce a new federal data privacy law to replace the current patchwork of privacy laws that exist at the state level. The legislation progressed further than any previous attempt to introduce a federal data privacy law, advancing past the House Energy and Commerce Committee with a vote of 53-2 to the verge of a House vote. While the ADPPA has strong bipartisan support, it is currently not strong enough for the ADPPA to survive a House vote, with California one of the most vocal states opposing the ADPPA in its current form.

Ahead of a second House Energy and Commerce Committee hearing on March 1, California Governor Gavin Newsom, Attorney General Rob Bonta, and the California Privacy Protection Agency (CPPA) wrote to Congress confirming their opposition to the ADPPA, although they welcomed the need for stronger federal action to protect the privacy of Americans.

The major sticking point for California is the preemption language of the ADPPA, which sets a ceiling rather than a floor for privacy standards. In its current form, the ADPPA would not allow states to introduce stricter privacy protections than those of the ADPPA. California has some of the strictest privacy protections in the United States, so while ADPPA introduces stronger privacy protections than currently exist in many states, it would weaken protections for California residents and could potentially compromise the ability of the CPPA to fulfill its mandate to protect the privacy of Californians.

“National data privacy laws passed by Congress should strengthen, not weaken our existing laws here in California,” said Governor Newsom. “As personal data is routinely bought and sold it is critical that consumers have the ability to consent to the sharing of this information, especially in an era where Roe v. Wade has been overturned and access to personal data can be used in legal proceedings. California has been on the leading edge when it comes to creating new digital technology, but we have also coupled these advances with stronger consumer protections. The rest of the nation should follow our lead.”

Specifically, Newsom, Bonta, and the CCPA have requested the language be changed to allow states to respond to changes in technology and data collection practices and ensure that the ADPPA is passed without a preemption clause to preserve California’s authority to establish and enforce data privacy protections in the state. However, the preemption was a tradeoff necessary for the ADPPA to get such strong support. The ADPPA is viewed by many as a way to escape the growing burden of complying with state privacy laws, which is becoming unsustainable for small and medium-sized businesses. Federal privacy protections will improve consumer privacy and provide some certainty for small businesses, but if states can introduce more stringent laws, there are fears that businesses will be forced to spend even more of their time on legal and compliance matters.

At the Committee hearing, House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) confirmed that data privacy and security remain a major focus and are vital to ensure America’s global competitiveness edge against China, and the need to rein in big tech firms, protect children online, and put people in charge of their personal data.

“Americans have no say over whether and where their personal data is sold and shared, they have no guaranteed way to access, delete, or correct their data, and they have no ability to stop the unchecked collection of their sensitive personal information,” said McMorris Rodgers. “This isn’t acceptable. Data brokers and Big Tech’s days of operating in the dark should be over. People should trust that their data is being protected.”

The consumer privacy issues at the heart of the matter were discussed by the Committee, including the need to regulate data brokerage and rein in big tech firms. Currently, huge amounts of consumer data are being collected and data brokers are selling data virtually unrestricted and without oversight, and Americans are largely unaware of the extent to which their personal data are being used and sold.

“Members of both parties talk a lot about holding Big Tech accountable, and I firmly believe that the way to do that is by adopting a strong national privacy standard that limits the excesses of Big Tech and makes the digital world safer,” said Energy and Commerce Committee Ranking Member Frank Pallone, (D-NJ), referring to the data broker industry as operating in a shadow world, free from oversight and restriction. “We simply cannot go another Congress without passing comprehensive privacy legislation.”

Progress is being made, but there is still a considerable way to go to build sufficient consensus to get the ADPPA over the line and signed into law this year.

The post Lawmakers Continue Push for Federal Data Privacy Law appeared first on HIPAA Journal.

The ADPPA is now awaiting a House vote and there are doubts over whether the federal data privacy and protection law will pass that vote. While there is strong support for the ADPPA, that support is far from universal and several House members have stated that they would not vote in favor of the ADPPA in its current form and would require tweaks to be made before they would give their support.

One of the biggest sticking points is the preemption of state laws. The ADPPA would override state laws, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights and Enforcement Act (CPRA), which provide greater protection for state residents in some key areas. The Health Insurance Portability and Accountability Act (HIPAA) preempts state laws; however, it sets minimum standards for healthcare data privacy and security, but states are permitted to implement their own laws that go further than HIPAA. The ADPPA in its current form does not permit that and sets a floor and a ceiling for data privacy.

House Speaker Nancy Pelosi has recently criticized some provisions of the ADPPA, which has cast further doubt on the ADPPA passing a House vote. Pelosi praised the efforts of California in implementing tough data privacy laws and for giving consumers the right to take action against companies that violate their privacy and obtain damages. Pelosi said it is imperative that California continues to offer and enforce the nation’s strongest privacy rights and that she would be working with Chairman Frank Pallone (D-NJ) about retaining California’s privacy laws.

Several state Attorneys General have also taken issue with the preemption requirements and are calling for changes to the ADDPA to allow states to implement tougher restrictions, with California far from being convinced. Despite concessions being made for California, the California Privacy Protection Agency remains firmly opposed to the ADPPA in its current form due to the preemption of state laws, specifically the removal of the floor of the CPRA and the prevention of California setting more stringent privacy laws in the future. However, if those changes are made to the preemption, there is significant potential for the ADDPA to lose its bipartisan support.

The ADPPA gives U.S. consumers greater power over how their personal data is collected and used, including the right to opt out of the collection and sharing of their personal data. Thoe opt out provisions are a cause of concern for many companies whose business model heavily relies on collection and sharing of personal data, in particular, the collection of data indirectly from third parties.

There has been intense lobbying by data brokers that want a relaxation of the requirements. According to Politico, the spending of five prominent data brokers on lobbying increased by 11% in the second quarter of 2022 compared with the corresponding period in 2021, in response to the ADPPA. One data broker, RELX, claims that if the data sharing restrictions of the ADPPA are not eased it will hamper the investigations of crimes by law enforcement.

RELX collects and shares data with law enforcement agencies which supports law enforcement efforts to target money laundering, human trafficking, and fraud. If individuals are allowed to opt out of data sharing, criminals would be able to do so too and that would hamper the efforts of law enforcement to bring those individuals to justice. RELX says the data it collects is not used for advertising purposes and seeks an exemption to use third-party data for law enforcement purposes. Privacy advocates believe that while there is value in data collection and data sharing for this purpose, the amount of data being collected is excessive, and it currently amounts to extensive nationwide surveillance of the entire population of the United States.

Other data brokers are lobbying for permission to use third-party data for advertising purposes. Large data brokers will be among those most affected by the ADPPA, which to a large extent is why the legislation was drafted – to limit and control how large data holders can use consumers’ data without consent. Currently, they are free to use third-party data collected by companies, which is commonly collected on users that have no direct relationships with those companies. The data fuels a market that has been estimated to be worth $240 billion.

The ADPPA does permit the sharing of de-identified data, but while personally identifiable information can – and often is – stripped out of the data that is collected and shared by data brokers, there is considerable potential for data to be combined with other data sources that can allow individuals to be identified. Data brokers are also pressing to ensure that the preemption requirements stay in place to prohibit states from implementing more stringent privacy laws.

There have already been compromises by Republicans and Democrats to get the ADPPA to the point of a House vote. It is likely that several tweaks will need to be made to the ADPPA for it to be signed into law.

The post ADPPA’s Preemption of State Laws is A Major Sticking Point appeared first on HIPAA Journal.

The American Data Privacy and Protection Act (ADPPA) was introduced in June, was substantially revised within a matter of days, and last month a new draft of ADPPA law was introduced with further revisions. The revised ADPPA has attracted considerable bipartisan support and sailed out of the committee with a vote of 53-2, and there is a reasonable chance that ADPPA will become the first federal privacy and data protection bill to be signed into law in the United States.

Why a Federal Data Privacy Law is Desperately Needed

ADPPA is far from the only attempt to get a federal data privacy and protection bill signed into law. Many other bills have been introduced that have attempted to introduce minimum standards for privacy and data protection at the federal level, but all attempts so far have failed. What the United States has is a patchwork of privacy and data protection laws at the state level and a handful of industry-specific laws such as HIPAA and FERPA. The problem is that the legal requirements for ensuring privacy and the security of data vary significantly depending on where a person lives. Some types of sensitive data – health data for instance – are only subject to strict controls over uses and disclosures if held by certain entities.

Disclose sensitive reproductive health information to a healthcare provider and that information is protected and cannot be disclosed without consent. Disclose that information through a health app and the information could be shared or sold, even though the information is the same. Californians have some of the strictest data privacy laws in the United States, but if you live across the border in Oregon, privacy standards are far lower. While individual states could all introduce laws to improve privacy protections for state residents, the best way forward is to have a federal data privacy and protection law that ensures the protection and privacy requirements are the same for all Americans.

ADPPA Advances to House Floor

The ADPPA advanced from a House committee in July, which is a major achievement, as none of the previous bills that have attempted to introduce federal privacy laws have survived that long. While the progress so far can be seen as a major achievement and the bill has good bipartisan support, ADPPA is not without its critics. Notably, representatives in California have stated that they will not back the bill as ADPPA law would have fewer protections for state residents than they currently have.

California is not the only state to have issues with the preemption of state laws, as 10 state attorneys general wrote to congressional leaders requesting ADPPA sets minimum standards for data privacy, and that individuals states should have the ability to increase protections for state residents should they deem it appropriate. However, the proposed amendment to ADPPA law to allow this was not passed.

Despite criticisms of the bill, the revised ADPPA law passed out of the committee and now heads to the House floor; however, the strong vote does not mean that the bill will progress, as several committee members voted for the bill but said they would be unlikely to support the bill in a floor vote unless modifications are made, and that they only voted in favor of ADPPA to get the bill to advance. Also, Senate Commerce Committee Chair Maria Cantwell has not stated that she will support the ADPPA, and her support will be required for ADPPA to pass a Senate vote.

Changes in the Latest Draft of ADPPA Law

In response to criticism from California, ADPPA has been amended to allow the California Privacy Protection Agency to enforce ADPPA compliance in the same way that the California Consumer Privacy Act (CCPA) is currently enforced, to try to bolster support for the bill in the state.

Changes have been made to the definition of employee data, which is exempt from ADPPA. The definition has a new addition, which now includes “information processed by an employer relating to an employee who is acting in a professional capacity for the employer, provided that such information is collected, processed, or transferred solely for purposes related to such employee’s professional activities on behalf of the employer.”

Extra protections are required for sensitive covered data. The definition of sensitive covered data has been broadened in the new ADPPA law to include information related to race, color, ethnicity, religion, or union membership, and information identifying an individual’s online activities over time and across third-party websites or online services.

One of the main changes to the revised ADPPA law concerns the private right of action, which allows individuals to sue for ADPPA violations. There were already some restrictions on the private right of action, such as the right being removed if the violation was subject to actions by the FTC or state attorneys general. ADPPA also included a delay of 4 years from ADPPA becoming law to the private right of action taking effect. The latest draft reduces that delay to two years, and there is now an exemption for small businesses. Small businesses are classed as those with annual revenues of less than $25 million, that deal with the covered data of fewer than 50,000 individuals, and who do not earn more than half of their revenue from transferring or selling covered data. Further, forced arbitration for disputes involving gender-based violence or physical harm is now banned.

ADPPA banned companies from conducting targeted advertising on minors, something that President Biden called to ban in his 2022 State of the Union address. ADPAA addressed this by banning targeting advertising at minors under the age of 17 if the covered entity knew that an individual is under 17. The new ADPPA law has been changed and a new tiered knowledge approach has been adopted, which includes “constructive knowledge” for covered high-impact social media companies that knew or should have known that an individual is under 17; a “willful disregard” tier for all large data holders and service providers who were aware that individuals were under 17, and an “actual knowledge” tier that applies to smaller covered entities.

There is also a new exclusion for the National Center for Missing and Exploited Children that will continue to allow it to work legally with children’s data to fulfill its mission to combat child trafficking, abuse, and abduction.

Annual privacy impact assessments were only required by large data holders. The wording has been changed to require all entities that do not meet the small- and medium-sized criteria to conduct annual assessments. Algorithmic impact assessments and evaluations are now required when large data holders’ algorithms pose a consequential risk to an individual or individuals.

Several other amendments have been made and the language of ADPPA law has been tightened for clarity, such as making it clear that covered entities are not permitted to retaliate against individuals who exercise their rights under ADPPA, such as making them pay for privacy.

The Next Steps Before ADPPA Becomes Law

The House will now vote on the bill and if that vote is passed, the bill will head to the Senate Committee on Commerce, Science, and Transportation. ADPPA will then be studied, and if it passes scrutiny, it will head to the Senate floor for a vote. If that vote is passed it will head to President Biden’s desk and provided the bill is signed – which is highly probable – ADPPA will become law.

The post New Draft of ADPPA Law Introduced with Bipartisan Support appeared first on HIPAA Journal.

The American Data Privacy and Protection Act (ADPPA) aims to introduce national privacy and data security protections for consumer data. Here we explain what ADPPA compliance will entail.

The Need for a Federal Consumer Data Privacy Law

Despite many U.S. tech firms being among the largest worldwide collectors and processors of consumer data, the U.S. lacks a federal data privacy and protection law, and instead there is a patchwork of privacy laws covering each of the 50 states. National data privacy and protection laws have been introduced in many countries worldwide, yet all attempts to introduce comprehensive consumer data laws in the United States have failed to date.

As it stands, the personal data of residents of California, Colorado, Connecticut, Utah, and Virginia is subject to quite stringent laws, but that is far from the case elsewhere. In other states, consumer data privacy and security requirements are far lower or even virtually nonexistent. That means that consumer rights over their personal data can vary considerably, depending on which side of a state border an individual resides. There are several federal laws that have privacy and data security requirements, but whether those requirements apply depends on the entity collecting the data.

The amount and extent of data now being collected – and often sold without individuals’ knowledge – is considerable, and there is strong public support for a federal consumer data privacy and protection law. One survey suggests that 75% of Americans are in favor of a consumer data privacy and protection law that dictates how data can be collected and used. A federal law would also help to prevent companies from engaging in exploitation and discrimination, as they are largely free to do through the current collection, buying, selling, and sharing of consumers’ personal information.

The American Data Privacy and Protection Act

ADPAA (H.R. 8152) was introduced in the House of Representatives by Reps. Frank Pallone (D-NJ), Cathy McMorris Rodgers (R-WA), Janice Schakowsky (D-IL), and Gus Bilirakis (R-FL) and aims to introduce the first national data privacy and protection law, restricting the collection of personal data without consent, limiting uses and disclosures, and giving Americans new rights over their personal data, regardless where in the United States they live.

ADPPA will preempt state laws, although currently not the California Consumer Privacy Act and Illinois’ Biometric Information Privacy Act, and other consumer protection laws will also not be preempted, such as data breach notification laws and laws on cyberstalking, cyberbullying, and sexual harassment.

Covered Entities and Covered Data

Covered data is any information that identifies or is linked or reasonably linkable to an individual or device, by itself or in combination with other information. ADPPA does not apply to de-identified data, employee data, publicly available information, and inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.

Greater privacy and security requirements apply to sensitive covered data, which includes government-issued identifiers, health information, financial information, biometric data, genetic information, precise geolocation information, and a range of other sensitive data types.

Covered entities are entities that, alone or jointly with others, determine the purposes and means of collecting, processing, or transferring covered data and are:

• Subject to the Federal Trade Commission Act
• Common carriers subject to the Communications Act of 1934
• Organizations not organized to carry out business for their own profit or that of their members
• Entities that control, are controlled by, or are under common control with another covered entity

ADPPA will not apply to government entities or persons or entities that collect, process, or transfer covered data on behalf of federal, state, tribal, territorial, or local government. Covered entities required to comply with the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, FERPA, HITECH Act, and HIPAA, will be deemed to be compliant if they are compliant with those laws for data privacy and security.

There is a separate classification for large data holders. A large data holder is an entity with gross annual revenue of $250 million or more, which collects, processes, or transfers the data of more than 5 million individuals or devices, or the sensitive data of 200,000 or more individuals or devices.

Summary of ADPPA Compliance Requirements

• Consent is required to collect, process, and transmit covered data
• Covered entities are required to minimize data collection to what is necessary
• Covered entities must ensure privacy by design and not require consumers to pay for privacy
• Covered entities must permit consumers to opt-out of targeted advertisements
• Consumers are given the right to access/inspect their data, correct errors, delete their data, port their data, and withdraw consent at any time.
• Protections are provided for minors under 17 years of age to prevent or restrict the use of their data
• Improved transparency about how companies collect and use data
• Improved protection for sensitive data types
• Introduces greater accountability for large data holders, such as data brokers and large tech firms.

ADPPA Compliance Requirements

There are considerable ADPPA compliance requirements for all covered entities, the most important of which are summarized below.

Consent to Collect, Process, Share, and Sell Data

Covered entities must obtain express consent from an individual in order to collect, process, share, or sell their personal data, and are prohibited from pretextual consent such as obtaining consent using false, fictitious, fraudulent, or materially misleading statements or representation, and the use of interfaces for obtaining consent that manipulate consumers. Covered entities, service providers, and third parties are prohibited from engaging in deceptive advertising or marketing. Data may not be collected, processed, or transferred in a manner that discriminates on the basis of race, color, religion, national origin, sex, or disability.

Data Minimization

Covered entities that collect, process, or transfer covered data must ensure the data collected is limited to what is reasonably necessary and proportionate to providing a product or service or for delivering communications that are reasonably anticipated by the consumer.

Restricted use of Sensitive Data

Sensitive data must not be collected and processed unless the collection of that data is necessary to provide or maintain a specific product or service. Transfers of sensitive data to third parties are prohibited unless affirmative consent is obtained, if necessary to comply with federal, state, or local laws, and good-faith disclosures are permitted to prevent an individual from imminent injury. Biometric data may only be transferred to facilitate data security or authentication, and passwords may only be transferred if necessary to use a designated password manager or for identifying password reuse on multiple sites. Genetic information may only be transferred for medical diagnosis or research, with appropriate consent.

Privacy by Design

Covered entities and service providers must establish and maintain reasonable privacy policies and practices, must assess privacy risks to individuals under 17, and mitigate privacy risks, including substantial privacy risks, related to products and services. Reasonable training and safeguards must be implemented to comply with all applicable privacy laws. The privacy by design principle is tailored to the nature, scope, and complexities of the processing. The FTC will publish guidance, within a year of enactment, on what constitutes reasonable privacy policies, practices, and procedures.

Denial of Services or Pricing Based on Individuals Exercising Rights

It is prohibited to deny, condition, or effectively condition the provision of products or services on the individual’s agreement to waive certain rights or to terminate services if an individual chooses to exercise their rights under ADPPA. It is not permissible to price a product or service based on whether an individual agrees to provide financial information or if they exercise rights under APPA. It is not permissible to offer a loyalty program that provides discounts or free services in exchange for continued business with a covered entity or for such a program to be created to allow the covered entity to collect additional covered data it would not normally collect or process.

Data Security

Covered entities and service providers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition. What is considered reasonable will be based on the size and complexity of the covered entity or service provider, and the nature and scope of the collection, processing, and transferring of covered data.

Restrictions on the Collection, Use and Transferring of Minors’ Data

There are restrictions on the collection, use, and transferring of the data of minors under the age of 17. Restrictions include a ban on targeted advertising to any minor under 17 if the covered entity knows the individual is under 17. Data transfers are only permitted with express consent if the covered entity knows the individual is under 17. The FTC will establish a Youth Privacy and Marketing Division tasked with ensuring ADPPA compliance with respect to the privacy of children and minors and ADPPA compliance related to marketing directed at children and minors.

Appointment of Privacy and Data Security Officers

Covered entities and service providers are required to designate one or more qualified employees as privacy and data security officers to ensure ADPPA compliance. These officers will be responsible for developing and implementing a data privacy program and data security program and ensuring ADPPA compliance.

Impact Assessments

Large data holders have additional ADPPA compliance requirements. They must conduct a privacy impact assessment initially, and biannually thereafter, to assess potential adverse consequences as a result of the collecting, processing, and transferring of covered data, and the potential for algorithms to cause harm to an individual. These algorithmic impact assessments must be performed at the design stage, including using training data, and annually thereafter.

Consumer Right to Transparency

Ensuring consumers can exercise their rights is a major part of ADPPA compliance. Consumers have the right to transparency and must clearly be told how their data will be collected and used, and to which categories of third parties their data will be collected via clear and easy-to-understand privacy policies. Privacy policies must also explain consumer rights and how they can be exercised. If privacy policies change, consumers must be notified and allowed to withdraw their consent.

Consumer Right to Access, Correct, Delete, and Port their Data

Consumers must be allowed to access the data held by a covered entity and have that data provided in a human-readable downloadable format that is easy to understand. Consumers will have the right to correct any data and to have their data deleted. A covered entity must also notify any third party to whom the data has been transferred to notify them about the request to delete. Consumers have the right to data portability and have a machine-readable copy of their data provided, as far as is technologically possible.

Consumer Right to Withdraw Consent at any Time

Consumers have the right to withdraw their consent to collect, use, and transfer their data at any time, including consent to share their data with third parties. If data is used for providing targeted advertising, consumers must be provided with an easy way to opt-out prior to providing consent and after consent has been given.

Impact of ADPPA Compliance on Small Businesses

ADPPA compliance will have an impact on all covered entities, but steps have been taken during the bicameral development process to ease the compliance burden, especially for small- and medium-sized businesses. There is not a one-size-fits-all approach to ADPPA compliance. Small businesses will be exempt from some of the data security requirements, and small businesses – those with annual revenues lower than $41 million and did not collect or process the data of 100,000 in a year and did not derive more than half of their income from transferring consumer data – will not be required to comply with the data portability requirements. Instead of correcting any errors, small businesses may instead choose to delete the data.

Penalties for ADPPA Compliance Failures

The Federal Trade Commission (FTC) will be the main enforcer of ADPPA compliance, with state attorneys general also permitted to enforce compliance in their respective states. The FTC is required to establish a Bureau of Privacy, comparable in size and structure to other FTC Bureaus responsible for enforcing other consumer protection and competition laws, that will oversee ADPPA compliance. The Bureau of Privacy must be fully operational within a year of the enactment date.

ADPPA compliance failures, such as unfair or deceptive acts or practices, will be treated in the same manner as others described in section 18(a)(1)(B) of the Federal Trade Commission Act and will be subject to the same penalties described in the FTC Act. The maximum fine, adjusted for inflation in 2022, is $46,517. The FTC must establish a victims’ relief fund and deposit civil monetary penalties in that fund for distribution to victims of ADPPA compliance failures and there are limited other permissible uses of funds.

State attorneys general can bring civil actions over ADPPA compliance failures in the name of the state or on behalf of state residents to obtain damages, civil penalties, restitution, or other compensation, and reasonable attorneys’ fees.

Consumers Get the Right to Sue for ADPPA Compliance Failures

There is a private cause of action in ADPPA that allows consumers to sue for ADPPA compliance failures, although this will not come into force until 4 years after the date that ADPPA takes effect. Individuals will be able to sue for ADPPA compliance failures if they suffer an injury as a result of an ADPPA compliance violation. Any successful civil action brought against a covered entity over an APPA compliance violation could see the court award an amount equal to the sum of any actual damages sustained, injunctive relief, and the reimbursement of reasonable attorneys’ fees and litigation costs.

However, there is a caveat. In order to bring a civil suit against a covered entity for an ADPPA compliance violation, the FTC and the attorney general of the state where the individual resides must be notified in writing of the intent to commence a civil action. The FTC and the state attorney general then have 60 days to make a determination. If the FTC or state attorney general decides to independently intervene and bring their own civil case, the individual right to bring a civil action will not apply. ADPPA does have a right to cure. If a violation is corrected within 45 days, any action for injunctive relief will be dismissed.

Expected ADPPA Timeline

The first draft of the bill was released in early June, closely followed by a discussion draft. The discussion draft was dissected in a hearing on June 23, 2022, by the U.S. House Energy and Commerce Committee’s Subcommittee on Consumer Protection and Commerce. A revised version of the bill was introduced in the house shortly thereafter. Given that this is an election year, the current momentum will need to be maintained to get this bill signed into law this year.

While there is considerable support for ADPPA, critics would need to see several changes in order to provide their support, so there may be some watering down of the requirements. However, due to the bicameral development process and bipartisan support, ADPPA has the best chance of being signed into law of any comprehensive consumer data privacy law to date.

The post What Will ADPPA Compliance Entail? appeared first on HIPAA Journal.