House Resolution ('HR') 8152 for the American Data Privacy and Protection Act was introduced, on 21 June 2022, to the U.S. House of Representatives, with some amendments from the discussion draft for a bipartisan federal privacy bill submitted to the U.S. House of Representatives. 

Who does HR 8152 apply to?

In particular, HR 8152 would apply to a 'covered entity' which is defined as:

• any entity or person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data and: 
  • is subject to the Federal Trade Commission Act of 1914;
  • is a common carrier subject to the Communications Act of 1934;
  • is an organisation not organised to carry business for their own profit or that of their members; and
• includes any entity or person that controls or is controlled by another covered entity.

What are the key obligations for covered entities?

In terms of its substantive provisions, HR 8152 would, among other things:

• require covered entities and service providers to establish, implement, and maintain reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data;
• require a covered entity to provide an individual with a means to withdraw any consent that is as easy to execute as the means to provide consent, with respect to the processing or transfer of the covered data of the individual;
• provide for data subject rights, such as access, deletion, correction, and the right to export covered data of the individual, as well as the right to opt-out of targeted advertising;
• prohibit targeted advertising to children and minors under the age of 17; and
• require that a covered entity or service provider that knowingly develops an algorithm, solely or in part, to collect, process, or transfer covered data or publicly available information to, before deploying the algorithm in interstate commerce, evaluate the design, structure, and inputs of the algorithm, including any training data used to develop the algorithm, to reduce the risk of the potential harms identified.

How does HR 8152 compare to the initial discussion draft?

Some of the key changes with respect to HR 8152 compared to the initial discussion draft include:

• an amended definition of 'biometric information' which is narrower in scope, with certain exclusions added in the text of HR 8152 for a digital or physical photograph, audio or video recording, or data generated from any of the aforementioned forms, and which cannot be used to identify an individual;
• within the definition of 'covered data' the exclusion of inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual;
• a definition of 'precise geolocation information', and applies a range of 1,000 feet or less in terms of the sufficient precision needed to identify street level location information or an individual's location;
• an amended definition of 'sensitive covered data' to provide that communications are not considered private if made to or from an employer-provided device and a conspicuous notice that such communications can be accessed is provided;
• a definition for 'substantial privacy risk', which is the collection, processing, or transfer of covered data in a manner that may result in any reasonably foreseeable material physical injury, economic injury, highly offensive intrusion into the reasonable privacy expectations of an individual under the circumstances, or discrimination on the basis of race, colour, religion, national origin, sex, or disability;
• amendments to provisions governing the duty of loyalty;
• amendments to requirements with respect to privacy policies which outline that material changes must be notified to affected individuals before implementing such changes, and copies of previous versions of privacy policies must be retained for at least ten years and published on the large data holder's website; 
• a knowledge requirement with respect to the data protections of children and minors; and
• amendments to the scope of impact assessments regarding algorithm impact and evaluation, and the information that needs to be provided in an impact assessment. 

UPDATE (28 June 2022)

HR 8152 forwarded to the full Committee

The Subcommittee forwarded, on 23 June 2022, HR 8152 to the full Committee following an open markup session held by the Consumer Protection and Commerce Subcommittee.

You can read HR 8152 here and track its progress here.