
USA – A landmark bipartisan proposal for a federal data privacy bill released

On 3 June 2022, legislation was proposed by a bipartisan group of US Senate and US House of Representative leaders that aims to establish a comprehensive national data privacy and data security framework.

The proposed legislation, cited as the “American Data Privacy and Protection Act” (the Bill), is the first comprehensive privacy proposal to gain bipartisan, bicameral support in the US Congress. It proposes a uniform, national data privacy framework, the creation of a robust set of consumer data privacy rights and the relevant enforcement mechanisms. It also includes a limited private right of action and establishes pre-emption of state law by the Bill.

The key aspects of the Bill include the following:

  • the Bill pre-empts most state laws that address the same issues, but includes exceptions to this position in relation to certain specific state laws or categories of state laws (eg state data breach notification laws; the CCPA’s private right of action; laws that govern the privacy rights or other protections of employees, employee information, students, or student information; biometric and genetic privacy laws; laws solely addressing facial recognition, surveillance, wiretapping or phone monitoring; amongst others). Determining whether a given state law will continue to apply if the Bill is passed is likely to be an area of complexity;

  • the Bill provides for a “duty of loyalty”, which includes prohibitions on covered entities collecting, processing or transferring certain data, such as social security numbers, passwords, non-consensual intimate images, or, without express consent, biometric or genetic data or a person’s exact geolocation, browsing history or physical activity from their device;

  • a private right of action, which is one of the most controversial aspects of the proposed legislation and would begin four years after the date of enactment;

  • it covers broadly any person or entity that collects, processes or transfers “covered data” and is (i) subject to the Federal Trade Commission (FTC) Act, (ii) a common carrier under the Communications Act or (iii) a non-profit organisation, as well as its affiliated entities;

  • “covered data” includes information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals, including derived data and unique identifiers (with exclusions of de-identified data, certain employee data and publicly available information);

  • “sensitive covered data” is subject to additional protection and is broadly defined to include, amongst other things, government-issued identifiers, information regarding race, ethnicity, national origin, religion, union membership, health information, biometric and genetic information, sexual orientation or behaviour information, financial information, account and device log-in credentials, precise geolocation, an individual’s private communications (covering quite a detailed list of examples including call records), information on online activities over time or across third party websites or online services, intimate photographs and video recordings, viewing habits of streaming or TV services, children’s data and any data collected for the purpose of identifying these data types;

  • the Bill includes privacy and data protection principles that are typical of modern data protection laws, such as necessity, proportionality and purpose limitation, data minimisation, privacy by design, transparency and corporate accountability. It also provides for the rights of individuals, including access to, correction, deletion and portability of covered data, as well as the right to consent (described as affirmative express consent) to processing of sensitive covered data, to opt out of data transfers to a third party and to opt out of targeted advertising. The term “affirmative express consent” means an affirmative act by an individual that clearly communicates the individual’s freely given, specific, informed, and unambiguous authorisation for an act or practice, in response to a specific request from a covered entity (where the request itself must meet certain standards and requirements);

  • the Bill includes additional requirements applicable to “large data holders” and “third-party collecting entities” (covered entities whose principal source of revenue is derived from processing or transferring covered data that the covered entity did not collect directly from the relevant individuals), for instance, in relation to corporate accountability;

  • specific sections are dedicated to the requirements for obtaining consent, unified consent mechanisms and algorithmic processing (including a requirement for large data holders that apply algorithmic decision-making to conduct annual algorithm impact assessments and design evaluation);

  • enhanced data protections for children and minors under 17, including what they might agree to with or without parental approval;

  • covered entities will be required to implement and maintain reasonable data security practices and procedures to protect data against unauthorised use and acquisition. The measures must take into account factors such as the size of the entity, the nature, scope and complexity of the processing, the sensitivity of the data and the cost of available tools to improve security and reduce vulnerabilities. The minimum measures include designating an officer, employee or employees to maintain or implement such practices; and

  • enforcement will be provided by the FTC and the state attorneys general, with some coordination rules. The FTC will also obtain rulemaking authority and establish a Privacy Bureau. The FTC will be authorised to approve compliance programmes meeting or exceeding the requirements under the Bill.

Many observers note the challenges of passing the Bill due to the approaching mid-term elections in November 2022 and the overall lack of bipartisan progress in the current Congress. The House Committee on Energy and Commerce will hold a hearing about the Bill on 14 June 2022.

Read the House Committee on Energy and Commerce press release here and the proposed “American Data Privacy and Protection Act” here (the Bill).
