USA: Discussion draft for bipartisan federal privacy bill submitted to House of Representatives

A bipartisan group of U.S. Senate and U.S. House of Representatives leaders released, on 3 June 2022, a discussion draft for a federal comprehensive data privacy bill which, if passed, would become the American Data Privacy and Protection Act.

The bill, which is the first comprehensive federal privacy bill to gain bipartisan and bicameral support, aims to:

  • grant individuals broad protections against the discriminatory use of their data;
  • require covered entities to minimise the collection, processing, use, and transfer of individuals' data to what is reasonably necessary, proportionate, and limited for specific products and services;
  • require covered entities to comply with other obligations while not compromising on privacy requirements;
  • allow individuals to stop targeted advertisements; and
  • provide enhanced data protections for children and minors.

Who does it affect?

The bill refers to 'covered entities', which means:

  • any entity or person that collects, processes, or transfers covered data that is:
    • subject to the Federal Trade Commission Act of 1914;
    • a common carrier subject to title II of the Communications Act of 1934 as currently enacted or subsequently amended; or
    • an organisation not organised to carry on business for its own profit or that of its members; and
  • includes any entity or person that controls, is controlled by, is under common control with, or shares common branding with another covered entity.

In addition, the bill addresses a subset of covered entities defined as 'large data holders' who would be subject to additional obligations.

Notably, there is a 'small data exemption' which excuses certain organisations from a limited set of provisions.

What does it include?

The bill includes provisions on the duty of loyalty, including in relation to data minimisation, outlining that a covered entity shall not collect, process, or transfer covered data beyond what is reasonably necessary, proportionate, and limited to certain circumstances. Regarding Privacy by Design, the bill outlines an express duty to establish and implement reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data. Furthermore, the bill prohibits a covered entity from charging different rates or offering different services/products based on agreements to waive privacy rights.

In addition, the bill outlines a number of consumer data rights, with a view to providing:

  • Transparency - covered entities would be required to make publicly available, in a clear, conspicuous, and readily accessible manner, a privacy policy that provides a detailed and accurate representation of the entity's data collection, processing, and transfer activities.
  • Individual data ownership and control - a covered entity would be required, after receiving a verified request from the individual, to provide them with the rights of access, correction, deletion, and portability.
  • The right to consent and object - sensitive covered data would need the express consent of the concerned individual before being collected, processed, or transferred to a third party. In addition, the bill outlines that covered entities would need to provide individuals with a clear means of withdrawing their consent, the right to opt-out of covered data transfers, and the right to opt-out of targeted advertising.
  • Data protections for children and minors - the bill would prohibit targeted advertising to any individual under the age of 17, if the covered entity is aware that the individual is under this age threshold.
  • Third-party collecting entities - third-party collecting entities would be required to place a clear and conspicuous notice on their website or mobile application and register with the Federal Trade Commission ('FTC') in certain circumstances.
  • Civil rights and algorithms - a covered entity may not collect, process, or transfer covered data in a manner that discriminates or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, colour, religion, national origin, gender, sexual orientation, or disability, except in a limited set of instances. Furthermore, the bill outlines that all covered entities must conduct algorithmic design evaluations and large data holders must conduct algorithmic impact assessments.
  • Data security and protection of covered data - the bill includes provisions which would require covered entities to establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorised access and acquisition.

The bill also includes a number of general exceptions and would require the FTC to finalise a feasibility study on the creation of unified opt-out mechanisms.

Regarding corporate accountability, the bill would require all covered entities to appoint one or more qualified employees as privacy officers and/or one or more qualified employees as data security officers. In addition, large data holders would be required to designate at least one of the aforementioned officers to report directly to the highest official as a privacy protection officer, responsible for:

  • establishing the process for periodically reviewing and updating the privacy and security policies, practices, and procedures;
  • conducting audits of such policies, practices, and procedures;
  • developing a programme to educate and train employees;
  • maintaining updated, accurate, clear, and understandable records; and
  • serving as the point of contact between the large data holder and enforcement authorities.

Large data holders would also be required to conduct a Privacy Impact Assessment that weighs the benefits of their data collection, processing, and transfer practices against the potential adverse consequences of such practices to individual privacy.

Enforcement

The bill would require the FTC to establish a new bureau related to consumer protection and competition. In addition, the bill provides that State Attorneys General, or the chief consumer protection officer of the State, may bring a civil action in the name of the State, while also granting individuals a private right of action starting from four years after the effective date of the bill.

Timeline

If passed, the bill would come into effect 180 days after the date of its enactment.

You can read the press release here and the bill here.

UPDATE (8 June 2022)

Energy and Commerce Committee announces legislative hearing on bill for American Data Privacy and Protection Act

The U.S. House Committee on Energy and Commerce announced, on 7 June 2022, a legislative hearing on the discussion draft bill for the American Data Privacy and Protection Act. The hearing will be held on 14 June 2022, and will be available to the public via webcast.

You can read the press release here and access details on the hearing here.

UPDATE (15 June 2022)

Bodies issue statements following legislative hearing on bill for American Data Privacy and Protection Act

The House Committee on Energy and Commerce released, on 14 June 2022, the opening remarks of Chairman Frank Pallone, Jr. at the start of the legislative hearing on the discussion draft bill for the American Data Privacy and Protection Act. Other bodies and individuals also released, on 14 June 2022, remarks from the legislative hearing, including U.S. Representative Anna Eshoo, the Electronic Privacy Information Center ('EPIC'), the Information Technology Industry Council ('ITI'), Privacy for America, and the Interactive Advertising Bureau ('IAB').

You can read the House Committee on Energy and Commerce statement here, Eshoo's statement here, EPIC's statement here, ITI's statement here, Privacy for America's statement here, and IAB's statement here.

UPDATE (22 June 2022)

Bill for the American Data Privacy and Protection Act introduced to House of Representatives

House Resolution ('HR') 8152 for the American Data Privacy and Protection Act was introduced, on 21 June 2022, to the U.S. House of Representatives.

You can read HR 8152 here and track its progress here.