ADPPA Updates

ADPPA’s Preemption of State Laws is A Major Sticking Point

The ADPPA is now awaiting a House vote and there are doubts over whether the federal data privacy and protection law will pass that vote. While there is strong support for the ADPPA, that support is far from universal and several House members have stated that they would not vote in favor of the ADPPA in its current form and would require tweaks to be made before they would give their support.

One of the biggest sticking points is the preemption of state laws. The ADPPA would override state laws, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights and Enforcement Act (CPRA), which provide greater protection for state residents in some key areas. The Health Insurance Portability and Accountability Act (HIPAA) also preempts state laws, but it sets minimum standards for healthcare data privacy and security and permits states to implement their own laws that go further than HIPAA. The ADPPA in its current form does not permit that; it sets both a floor and a ceiling for data privacy.

House Speaker Nancy Pelosi has recently criticized some provisions of the ADPPA, which has cast further doubt on the ADPPA passing a House vote. Pelosi praised California's efforts in implementing tough data privacy laws and in giving consumers the right to take action against companies that violate their privacy and obtain damages. Pelosi said it is imperative that California continues to offer and enforce the nation's strongest privacy rights and that she would be working with Chairman Frank Pallone (D-NJ) on retaining California's privacy laws.

Several state Attorneys General have also taken issue with the preemption requirements and are calling for changes to the ADPPA to allow states to implement tougher restrictions, and California is far from being convinced. Despite concessions being made for California, the California Privacy Protection Agency remains firmly opposed to the ADPPA in its current form due to the preemption of state laws, specifically the removal of the floor of the CPRA and the prevention of California setting more stringent privacy laws in the future. However, if those changes are made to the preemption, there is significant potential for the ADPPA to lose its bipartisan support.

The ADPPA gives U.S. consumers greater power over how their personal data is collected and used, including the right to opt out of the collection and sharing of their personal data. Those opt-out provisions are a cause of concern for many companies whose business model relies heavily on the collection and sharing of personal data, in particular the collection of data indirectly from third parties.

There has been intense lobbying by data brokers that want a relaxation of the requirements. According to Politico, the spending of five prominent data brokers on lobbying increased by 11% in the second quarter of 2022 compared with the corresponding period in 2021, in response to the ADPPA. One data broker, RELX, claims that if the data sharing restrictions of the ADPPA are not eased it will hamper the investigations of crimes by law enforcement.

RELX collects data and shares it with law enforcement agencies, which supports law enforcement efforts to target money laundering, human trafficking, and fraud. If individuals are allowed to opt out of data sharing, criminals would be able to do so too, and that would hamper the efforts of law enforcement to bring those individuals to justice. RELX says the data it collects is not used for advertising purposes and seeks an exemption to use third-party data for law enforcement purposes. Privacy advocates believe that while there is value in data collection and data sharing for this purpose, the amount of data being collected is excessive, and it currently amounts to extensive nationwide surveillance of the entire population of the United States.

Other data brokers are lobbying for permission to use third-party data for advertising purposes. Large data brokers will be among those most affected by the ADPPA, which to a large extent is why the legislation was drafted – to limit and control how large data holders can use consumers’ data without consent. Currently, they are free to use third-party data collected by companies, which is commonly collected on users that have no direct relationships with those companies. The data fuels a market that has been estimated to be worth $240 billion.

The ADPPA does permit the sharing of de-identified data, but while personally identifiable information can – and often is – stripped out of the data that is collected and shared by data brokers, there is considerable potential for data to be combined with other data sources that can allow individuals to be identified. Data brokers are also pressing to ensure that the preemption requirements stay in place to prohibit states from implementing more stringent privacy laws.

There have already been compromises by Republicans and Democrats to get the ADPPA to the point of a House vote. It is likely that several tweaks will need to be made to the ADPPA for it to be signed into law.

The post ADPPA’s Preemption of State Laws is A Major Sticking Point appeared first on HIPAA Journal.

New Draft of ADPPA Law Introduced with Bipartisan Support

The American Data Privacy and Protection Act (ADPPA) was introduced in June, was substantially revised within a matter of days, and last month a new draft of ADPPA law was introduced with further revisions. The revised ADPPA has attracted considerable bipartisan support and sailed out of the committee with a vote of 53-2, and there is a reasonable chance that ADPPA will become the first federal privacy and data protection bill to be signed into law in the United States.

Why a Federal Data Privacy Law is Desperately Needed

ADPPA is far from the only attempt to get a federal data privacy and protection bill signed into law. Many other bills have been introduced that have attempted to introduce minimum standards for privacy and data protection at the federal level, but all attempts so far have failed. What the United States has is a patchwork of privacy and data protection laws at the state level and a handful of industry-specific laws such as HIPAA and FERPA. The problem is that the legal requirements for ensuring privacy and the security of data vary significantly depending on where a person lives. Some types of sensitive data – health data for instance – are only subject to strict controls over uses and disclosures if held by certain entities.

Disclose sensitive reproductive health information to a healthcare provider and that information is protected and cannot be disclosed without consent. Disclose that information through a health app and the information could be shared or sold, even though the information is the same. Californians have some of the strictest data privacy laws in the United States, but if you live across the border in Oregon, privacy standards are far lower. While individual states could all introduce laws to improve privacy protections for state residents, the best way forward is to have a federal data privacy and protection law that ensures the protection and privacy requirements are the same for all Americans.

ADPPA Advances to House Floor

The ADPPA advanced from a House committee in July, which is a major achievement, as none of the previous bills that have attempted to introduce federal privacy laws have survived that long. While the progress so far can be seen as a major achievement and the bill has good bipartisan support, ADPPA is not without its critics. Notably, representatives in California have stated that they will not back the bill as ADPPA law would have fewer protections for state residents than they currently have.

California is not the only state to have issues with the preemption of state laws, as 10 state attorneys general wrote to congressional leaders requesting that ADPPA set minimum standards for data privacy, and that individual states should have the ability to increase protections for state residents should they deem it appropriate. However, the proposed amendment to ADPPA law to allow this was not passed.

Despite criticisms of the bill, the revised ADPPA law passed out of the committee and now heads to the House floor. However, the strong vote does not mean that the bill will progress: several committee members voted for the bill but said they would be unlikely to support it in a floor vote unless modifications are made, and that they only voted in favor of ADPPA to allow the bill to advance. Also, Senate Commerce Committee Chair Maria Cantwell has not stated that she will support the ADPPA, and her support will be required for ADPPA to pass a Senate vote.

Changes in the Latest Draft of ADPPA Law

In response to criticism from California, ADPPA has been amended to allow the California Privacy Protection Agency to enforce ADPPA compliance in the same way that the California Consumer Privacy Act (CCPA) is currently enforced, to try to bolster support for the bill in the state.

Changes have been made to the definition of employee data, which is exempt from ADPPA. The definition has a new addition, which now includes “information processed by an employer relating to an employee who is acting in a professional capacity for the employer, provided that such information is collected, processed, or transferred solely for purposes related to such employee’s professional activities on behalf of the employer.”

Extra protections are required for sensitive covered data. The definition of sensitive covered data has been broadened in the new ADPPA law to include information related to race, color, ethnicity, religion, or union membership, and information identifying an individual’s online activities over time and across third-party websites or online services.

One of the main changes to the revised ADPPA law concerns the private right of action, which allows individuals to sue for ADPPA violations. There were already some restrictions on the private right of action, such as the right being removed if the violation was subject to actions by the FTC or state attorneys general. ADPPA also included a delay of 4 years from ADPPA becoming law to the private right of action taking effect. The latest draft reduces that delay to two years, and there is now an exemption for small businesses. Small businesses are classed as those with annual revenues of less than $25 million, that deal with the covered data of fewer than 50,000 individuals, and who do not earn more than half of their revenue from transferring or selling covered data. Further, forced arbitration for disputes involving gender-based violence or physical harm is now banned.

ADPPA banned companies from conducting targeted advertising on minors, something that President Biden called for in his 2022 State of the Union address. ADPPA addressed this by banning targeted advertising at minors under the age of 17 if the covered entity knew that an individual is under 17. The new ADPPA law has been changed and a new tiered knowledge approach has been adopted, which includes a "constructive knowledge" tier for covered high-impact social media companies that knew or should have known that an individual is under 17; a "willful disregard" tier for all large data holders and service providers who were aware that individuals were under 17; and an "actual knowledge" tier that applies to smaller covered entities.

There is also a new exclusion for the National Center for Missing and Exploited Children that will continue to allow it to work legally with children’s data to fulfill its mission to combat child trafficking, abuse, and abduction.

Annual privacy impact assessments were only required by large data holders. The wording has been changed to require all entities that do not meet the small- and medium-sized criteria to conduct annual assessments. Algorithmic impact assessments and evaluations are now required when large data holders’ algorithms pose a consequential risk to an individual or individuals.

Several other amendments have been made and the language of ADPPA law has been tightened for clarity, such as making it clear that covered entities are not permitted to retaliate against individuals who exercise their rights under ADPPA, such as making them pay for privacy.

The Next Steps Before ADPPA Becomes Law

The House will now vote on the bill and if that vote is passed, the bill will head to the Senate Committee on Commerce, Science, and Transportation. ADPPA will then be studied, and if it passes scrutiny, it will head to the Senate floor for a vote. If that vote is passed it will head to President Biden’s desk and provided the bill is signed – which is highly probable – ADPPA will become law.


What Will ADPPA Compliance Entail?

The American Data Privacy and Protection Act (ADPPA) aims to introduce national privacy and data security protections for consumer data. Here we explain what ADPPA compliance will entail.

The Need for a Federal Consumer Data Privacy Law

Despite many U.S. tech firms being among the largest worldwide collectors and processors of consumer data, the U.S. lacks a federal data privacy and protection law, and instead there is a patchwork of privacy laws covering each of the 50 states. National data privacy and protection laws have been introduced in many countries worldwide, yet all attempts to introduce comprehensive consumer data laws in the United States have failed to date.

As it stands, the personal data of residents of California, Colorado, Connecticut, Utah, and Virginia is subject to quite stringent laws, but that is far from the case elsewhere. In other states, consumer data privacy and security requirements are far lower or even virtually nonexistent. That means that consumer rights over their personal data can vary considerably, depending on which side of a state border an individual resides. There are several federal laws that have privacy and data security requirements, but whether those requirements apply depends on the entity collecting the data.

The amount and extent of data now being collected – and often sold without individuals’ knowledge – is considerable, and there is strong public support for a federal consumer data privacy and protection law. One survey suggests that 75% of Americans are in favor of a consumer data privacy and protection law that dictates how data can be collected and used. A federal law would also help to prevent companies from engaging in exploitation and discrimination, as they are largely free to do through the current collection, buying, selling, and sharing of consumers’ personal information.

The American Data Privacy and Protection Act

ADPPA (H.R. 8152) was introduced in the House of Representatives by Reps. Frank Pallone (D-NJ), Cathy McMorris Rodgers (R-WA), Janice Schakowsky (D-IL), and Gus Bilirakis (R-FL) and aims to introduce the first national data privacy and protection law, restricting the collection of personal data without consent, limiting uses and disclosures, and giving Americans new rights over their personal data, regardless of where in the United States they live.

ADPPA will preempt state laws, although currently not the California Consumer Privacy Act and Illinois’ Biometric Information Privacy Act, and other consumer protection laws will also not be preempted, such as data breach notification laws and laws on cyberstalking, cyberbullying, and sexual harassment.

Covered Entities and Covered Data

Covered data is any information that identifies or is linked or reasonably linkable to an individual or device, by itself or in combination with other information. ADPPA does not apply to de-identified data, employee data, publicly available information, and inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.

Greater privacy and security requirements apply to sensitive covered data, which includes government-issued identifiers, health information, financial information, biometric data, genetic information, precise geolocation information, and a range of other sensitive data types.

Covered entities are entities that, alone or jointly with others, determine the purposes and means of collecting, processing, or transferring covered data and are:

  • Subject to the Federal Trade Commission Act
  • Common carriers subject to the Communications Act of 1934
  • Organizations not organized to carry out business for their own profit or that of their members
  • Entities that control, are controlled by, or are under common control with another covered entity

ADPPA will not apply to government entities or to persons or entities that collect, process, or transfer covered data on behalf of federal, state, tribal, territorial, or local government. Covered entities required to comply with the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, FERPA, HITECH Act, and HIPAA will be deemed compliant with ADPPA's data privacy and security requirements if they are compliant with those laws.

There is a separate classification for large data holders. A large data holder is an entity with gross annual revenue of $250 million or more, which collects, processes, or transfers the data of more than 5 million individuals or devices, or the sensitive data of 200,000 or more individuals or devices.

Summary of ADPPA Compliance Requirements

  • Consent is required to collect, process, and transmit covered data
  • Covered entities are required to minimize data collection to what is necessary
  • Covered entities must ensure privacy by design and not require consumers to pay for privacy
  • Covered entities must permit consumers to opt-out of targeted advertisements
  • Consumers are given the right to access/inspect their data, correct errors, delete their data, port their data, and withdraw consent at any time.
  • Protections are provided for minors under 17 years of age to prevent or restrict the use of their data
  • Improved transparency about how companies collect and use data
  • Improved protection for sensitive data types
  • Introduces greater accountability for large data holders, such as data brokers and large tech firms.

ADPPA Compliance Requirements

There are considerable ADPPA compliance requirements for all covered entities, the most important of which are summarized below.

Consent to Collect, Process, Share, and Sell Data

Covered entities must obtain express consent from an individual in order to collect, process, share, or sell their personal data, and are prohibited from pretextual consent such as obtaining consent using false, fictitious, fraudulent, or materially misleading statements or representation, and the use of interfaces for obtaining consent that manipulate consumers. Covered entities, service providers, and third parties are prohibited from engaging in deceptive advertising or marketing. Data may not be collected, processed, or transferred in a manner that discriminates on the basis of race, color, religion, national origin, sex, or disability.

Data Minimization

Covered entities that collect, process, or transfer covered data must ensure the data collected is limited to what is reasonably necessary and proportionate to providing a product or service or for delivering communications that are reasonably anticipated by the consumer.

Restricted Use of Sensitive Data

Sensitive data must not be collected and processed unless the collection of that data is necessary to provide or maintain a specific product or service. Transfers of sensitive data to third parties are prohibited unless affirmative consent is obtained or the transfer is necessary to comply with federal, state, or local laws; good-faith disclosures are also permitted to prevent imminent injury to an individual. Biometric data may only be transferred to facilitate data security or authentication, and passwords may only be transferred if necessary to use a designated password manager or for identifying password reuse on multiple sites. Genetic information may only be transferred for medical diagnosis or research, with appropriate consent.

Privacy by Design

Covered entities and service providers must establish and maintain reasonable privacy policies and practices, must assess privacy risks to individuals under 17, and mitigate privacy risks, including substantial privacy risks, related to products and services. Reasonable training and safeguards must be implemented to comply with all applicable privacy laws. The privacy by design principle is tailored to the nature, scope, and complexities of the processing. The FTC will publish guidance, within a year of enactment, on what constitutes reasonable privacy policies, practices, and procedures.

Denial of Services or Pricing Based on Individuals Exercising Rights

It is prohibited to deny, condition, or effectively condition the provision of products or services on the individual's agreement to waive certain rights, or to terminate services if an individual chooses to exercise their rights under ADPPA. It is not permissible to price a product or service based on whether an individual agrees to provide financial information or on whether they exercise rights under ADPPA. It is not permissible to offer a loyalty program that provides discounts or free services in exchange for continued business with a covered entity, or for such a program to be created to allow the covered entity to collect additional covered data it would not normally collect or process.

Data Security

Covered entities and service providers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition. What is considered reasonable will be based on the size and complexity of the covered entity or service provider, and the nature and scope of the collection, processing, and transferring of covered data.

Restrictions on the Collection, Use and Transferring of Minors’ Data

There are restrictions on the collection, use, and transferring of the data of minors under the age of 17. Restrictions include a ban on targeted advertising to any minor under 17 if the covered entity knows the individual is under 17. Data transfers are only permitted with express consent if the covered entity knows the individual is under 17. The FTC will establish a Youth Privacy and Marketing Division tasked with ensuring ADPPA compliance with respect to the privacy of children and minors and ADPPA compliance related to marketing directed at children and minors.

Appointment of Privacy and Data Security Officers

Covered entities and service providers are required to designate one or more qualified employees as privacy and data security officers to ensure ADPPA compliance. These officers will be responsible for developing and implementing a data privacy program and data security program and ensuring ADPPA compliance.

Impact Assessments

Large data holders have additional ADPPA compliance requirements. They must conduct a privacy impact assessment initially, and biannually thereafter, to assess potential adverse consequences as a result of the collecting, processing, and transferring of covered data, and the potential for algorithms to cause harm to an individual. These algorithmic impact assessments must be performed at the design stage, including using training data, and annually thereafter.

Consumer Right to Transparency

Ensuring consumers can exercise their rights is a major part of ADPPA compliance. Consumers have the right to transparency and must clearly be told how their data will be collected and used, and to which categories of third parties their data will be transferred, via clear and easy-to-understand privacy policies. Privacy policies must also explain consumer rights and how they can be exercised. If privacy policies change, consumers must be notified and allowed to withdraw their consent.

Consumer Right to Access, Correct, Delete, and Port their Data

Consumers must be allowed to access the data held by a covered entity and have that data provided in a human-readable, downloadable format that is easy to understand. Consumers will have the right to correct any data and to have their data deleted. A covered entity must also notify any third party to whom the data has been transferred about the deletion request. Consumers have the right to data portability and to have a machine-readable copy of their data provided, as far as is technologically possible.

Consumer Right to Withdraw Consent at any Time

Consumers have the right to withdraw their consent to collect, use, and transfer their data at any time, including consent to share their data with third parties. If data is used for targeted advertising, consumers must be provided with an easy way to opt out both before consent is given and after it has been given.

Impact of ADPPA Compliance on Small Businesses

ADPPA compliance will have an impact on all covered entities, but steps have been taken during the bicameral development process to ease the compliance burden, especially for small- and medium-sized businesses. There is not a one-size-fits-all approach to ADPPA compliance. Small businesses will be exempt from some of the data security requirements, and small businesses – those with annual revenues lower than $41 million that did not collect or process the data of 100,000 individuals in a year and did not derive more than half of their income from transferring consumer data – will not be required to comply with the data portability requirements. Instead of correcting any errors, small businesses may choose to delete the data.

Penalties for ADPPA Compliance Failures

The Federal Trade Commission (FTC) will be the main enforcer of ADPPA compliance, with state attorneys general also permitted to enforce compliance in their respective states. The FTC is required to establish a Bureau of Privacy, comparable in size and structure to other FTC Bureaus responsible for enforcing other consumer protection and competition laws, that will oversee ADPPA compliance. The Bureau of Privacy must be fully operational within a year of the enactment date.

ADPPA compliance failures, such as unfair or deceptive acts or practices, will be treated in the same manner as others described in section 18(a)(1)(B) of the Federal Trade Commission Act and will be subject to the same penalties described in the FTC Act. The maximum fine, adjusted for inflation in 2022, is $46,517. The FTC must establish a victims’ relief fund and deposit civil monetary penalties in that fund for distribution to victims of ADPPA compliance failures and there are limited other permissible uses of funds.

State attorneys general can bring civil actions over ADPPA compliance failures in the name of the state or on behalf of state residents to obtain damages, civil penalties, restitution, or other compensation, and reasonable attorneys’ fees.

Consumers Get the Right to Sue for ADPPA Compliance Failures

There is a private cause of action in ADPPA that allows consumers to sue for ADPPA compliance failures, although this will not come into force until 4 years after the date that ADPPA takes effect. Individuals will be able to sue for ADPPA compliance failures if they suffer an injury as a result of an ADPPA compliance violation. In any successful civil action brought against a covered entity over an ADPPA compliance violation, the court could award an amount equal to the sum of any actual damages sustained, injunctive relief, and the reimbursement of reasonable attorneys' fees and litigation costs.

However, there is a caveat. In order to bring a civil suit against a covered entity for an ADPPA compliance violation, the FTC and the attorney general of the state where the individual resides must be notified in writing of the intent to commence a civil action. The FTC and the state attorney general then have 60 days to make a determination. If the FTC or state attorney general decides to independently intervene and bring their own civil case, the individual right to bring a civil action will not apply. ADPPA also includes a right to cure: if a violation is corrected within 45 days, any action for injunctive relief will be dismissed.

Expected ADPPA Timeline

The first draft of the bill was released in early June, closely followed by a discussion draft. The discussion draft was dissected in a hearing on June 23, 2022, by the U.S. House Energy and Commerce Committee's Subcommittee on Consumer Protection and Commerce. A revised version of the bill was introduced in the House shortly thereafter. Given that this is an election year, the current momentum will need to be maintained to get this bill signed into law this year.

While there is considerable support for ADPPA, critics would need to see several changes in order to provide their support, so there may be some watering down of the requirements. However, due to the bicameral development process and bipartisan support, ADPPA has the best chance of being signed into law of any comprehensive consumer data privacy law to date.
