
USA: The ADPPA was the start, but where has the draft APRA landed?

In this Insight article, Michelle Schaap, Partner at CSG Law, will discuss some (not all) notable distinctions between the failed American Data Privacy and Protection Act (ADPPA) and the draft American Privacy Rights Act (APRA). Not surprisingly, the two have many of the same terms, as the APRA drafters used the ADPPA as their starting point.


However, in crafting the new proposed legislation, some consideration appears to have been given to the objections raised against the ADPPA, in an effort to avoid the same stumbling blocks. Readers interested in doing their own side-by-side analysis should be warned: the two bills do not use the same defined terms (even where the underlying definitions are the same), and their section numbering differs.

Preemption

ADPPA

Under Section 404 of the ADPPA, federal laws were not preempted, nor was the authority of other executive agencies or common carriers' breach notification obligations under 47 CFR 62.2011. The ADPPA also did not supersede antitrust laws or their enforcement. Entities otherwise covered by the ADPPA, but subject to and in compliance with the following laws, would be deemed in compliance with the ADPPA, with limited exceptions: the Gramm-Leach-Bliley Act of 1999 (GLBA) (Title V), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Fair Credit Reporting Act of 1970 (FCRA), the Family Educational Rights and Privacy Act of 1974 (FERPA), the Children's Online Privacy Protection Act of 1998 (COPPA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), along with a few other specifically identified statutory privacy laws. Notably, Section 208 of the ADPPA, which mandated data security practices and protections, would not have been superseded by those other laws.

State laws, however, did not receive the same treatment as federal laws under the ADPPA. Indeed, Section 404(b) of the ADPPA specifically provided that '[n]o State […] may adopt, maintain, enforce, prescribe or continue in effect any law, regulation, rule, standard, requirement, other provision… covered by the provisions of this Act…' The ADPPA did not, however, preempt consumer protection laws against 'deceptive, unfair or unconscionable practices,' civil rights laws, provisions of laws that govern the privacy of employee or student information, or breach notification laws, as well as several other listed laws. Notably, Illinois' Biometric Information Privacy Act of 2008 (BIPA) and Genetic Information Privacy Act (GIPA) were both expressly called out and preserved. The ADPPA also expressly preserved the private right of action provided in Section 1798.150 of the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, the CCPA as amended), and allowed the California Privacy Protection Agency to enforce the ADPPA as it would the CCPA as amended.

The ADPPA would have overridden the application of certain aspects of the Communications Act of 1934 as they related to the processing and/or security of covered data, with limited exceptions. Finally, the ADPPA did not preempt common law or statutory causes of action for civil relief, including without limitation actions for wrongful death, negligence, failure to warn, and objectively offensive invasion of privacy.

APRA

Expanding the list of state laws excluded from broad preemption, the APRA also carves out state laws that address spam emails, telephone solicitations or caller ID, health information, and library records. However, unlike the ADPPA, the APRA does not expressly carve out from preemption state laws regarding facial recognition or facial recognition technologies.

Bearing in mind that the APRA does not preclude states from enforcing laws that are not otherwise covered by the APRA, and that the APRA does not apply to small businesses, it is unclear whether this leaves the door open for states to enforce their own privacy laws against those smaller enterprises. It is reasonable to assume, however, that regulators in states such as California may still object to the preemption of their laws in all other respects.

Private right of action and small businesses

ADPPA

Unlike most states' proactive privacy laws, the ADPPA created a private right of action. This right would not have been available until two years after the date the act became effective. Before a person could bring such an action, they would first have to give notice to the Federal Trade Commission (FTC) and the Attorney General of their state of residence, to give either the opportunity to intervene. Note that the act also contemplated that the FTC would report on actions brought by individuals, the implication being that the right under the act might later be removed or revised.

The private right of action was limited to violations of only certain sections: 102 (duty of loyalty), 104 (no discrimination on pricing for exercising privacy rights), 202 (transparency), 203 (privacy rights), 204 (consent and right to opt-out), 205(a) (no targeted advertising to minors), 205(b) (no transfer of minors' data without express consent), 206(b)(3)(C) (failure of third party to honor the do not collect registry), 207(a) (civil rights violations), 208(a) (failure to implement data security practices), or 302 (third party or service party violations of covered entity's directions).

The private right of action was also not permitted against entities that had less than $25 million in annual revenue, processed the data of fewer than 50,000 individuals, and generated less than 50% of their revenue from the transfer of such data. For reference, a 'small business' under the ADPPA was defined as an entity that, over a three-year look-back period, had annual gross revenues of less than $41 million, did not process the data of more than 200,000 individuals annually, and did not earn more than 50% of its revenue from the transfer of data in any year.

APRA

First, the definition of a 'small business' under the APRA is different: the revenue threshold was reduced to less than $40 million, and as to earnings from the transfer of data, any portion of an entity's earnings, whether 2%, 50%, or more, is enough to take it outside the definition. As such, fewer businesses under the new law would be considered small businesses. However, unlike the ADPPA, which excluded small businesses only from certain aspects of the proposed law, the APRA expressly excludes all small businesses from all aspects of the proposed legislation. So, while the ADPPA merely excluded private rights of action against small businesses, the APRA excludes small businesses entirely, but fewer businesses will qualify for that exclusion and escape its overall reach.

The APRA removes the barrier created under the ADPPA of prior notice to the FTC, requiring instead that notice be given only to the offending covered entity, and even that prior notice and the cure period requirements are removed in certain cases, as noted below.

The violations for which an individual could pursue a private right of action include a covered entity's failure to minimize data with respect to sensitive data and/or biometric data (a new right versus those under the ADPPA); interference with consent rights through the use of dark patterns (also new); failure to implement reasonable measures to protect data where that failure results in a breach of the individual's data (the breach requirement being an added hurdle for such an action that was not present in the ADPPA); and failure by the covered entity to exercise due diligence in engaging a service provider or third party before transferring or entrusting data to such an entity (also new under the APRA). The other grounds for a cause of action are akin to those in the ADPPA.

The remedies afforded individuals under the APRA in a private cause of action include those carried over from the ADPPA regarding relief afforded by Illinois' laws protecting biometric and genetic data, where the conduct at issue occurred primarily in Illinois. And if there is unauthorized access to covered data, California residents can still seek relief under the CCPA as amended (Section 1798.150 of the California Civil Code (Cal. Civ. Code)).

Notably, the APRA does not have the two-year waiting period contained in the ADPPA before an individual may bring a cause of action for violations under the APRA.

Waivers and arbitration clauses as to individual actions

ADPPA

The ADPPA would not allow arbitration clauses to be enforced against actions by or on behalf of individuals under 18, or those claiming gender- or partner-based violence or other physical harm. Class action waivers would likewise not be enforceable against impacted individuals under the age of 18.

APRA

The APRA's provision on arbitration clauses is slightly different. While the ADPPA carved out from mandatory arbitration claims of gender- or partner-based violence, the APRA also carves out from arbitration an individual's claims for 'substantial privacy harm,' including any financial harm of $10,000 or more, physical or mental harm involving treatment by a health care facility, or highly offensive intrusion or discrimination based on race, religion, national origin, sex, or disability. The APRA also retains the exclusion for minors under 18, similar to the ADPPA.

Cure periods prior to individual actions

ADPPA

Before bringing a cause of action against a small business, or any action seeking injunctive relief, an impacted individual would first have to give the offending entity an opportunity to cure. The offending entity would have 45 days to cure the alleged violation.

APRA

The cure window provided under the ADPPA is reduced in the APRA to 30 days before an action can be brought for injunctive relief. Also notable under the APRA is that, if there is a risk of 'substantial harm' to the individual, no notice needs to be given prior to bringing the action, and the covered entity is afforded no cure period at all.

Covered entities and exclusions

ADPPA

Entities covered under the ADPPA included entities that control or process covered data and that are subject to the FTC Act, are common carriers under the Communications Act of 1934, or are not-for-profits (with very limited exceptions).

The definition of 'large data holder' covered entities with annual gross revenues in excess of $250 million that processed the covered data of more than 5 million individuals or devices that identify or are linkable to one or more individuals, or the sensitive covered data of more than 200,000 individuals or devices.

Exclusions: Federal, state, tribal, and local governments; entities collecting or processing data on behalf of the foregoing; and not-for-profits providing assistance to families of missing or exploited children.

APRA

'Large data holder' under the APRA, with the same dollar threshold, refers to an entity that collects or processes the covered data of 5 million individuals, 15 million portable connected devices, and 35 million connected devices, or the sensitive covered data of 200,000 individuals, 300,000 portable connected devices, and 700,000 connected devices.

Exclusions: While the definition of a covered entity is similar to that in the ADPPA, as noted above, the APRA expressly excludes small businesses from its ambit. Further, the exclusion for not-for-profits is extended to entities whose primary mission is to 'prevent, investigate or deter fraud.' Note, however, that this exclusion does not extend to Section 9, leaving these not-for-profits obligated to implement measures to protect the data they control. Notably, the draft does not require the other excluded entities to maintain the reasonable measures mandated by Section 9.

Covered data exclusions

ADPPA

The ADPPA expressly excludes employee data and goes into detail, expressly excluding the business contact information of personnel. The ADPPA does not address the issue of this information being (or not being) available on the employer's website.

APRA

As to employee information (the APRA uses a different term), such data is excluded from the APRA, but the APRA does not expressly call out business contact information. Instead, the APRA addresses this in its definition of 'publicly available' information. Note that if an employer does not include the contact information for its personnel on its website, or otherwise does not make it publicly available, it would seem such data is not excluded as 'employee information.' It may be that further edits to the APRA will address this issue and provide clarity.

Under the APRA, the definition of 'biometric data' does not include 'personally identifying physical movements,' which were included in the ADPPA definition, while still including the term 'gait.'

Data requests and response times

ADPPA

Under the ADPPA, large data holders had to respond to an individual's request to exercise their privacy rights within 45 days. For covered entities other than large data holders and small businesses, the response time was set at 60 days; for small businesses, it was set at 90 days.

APRA

The APRA shortened the response time to 15 days for large data holders or data brokers, and 30 days for other covered entities.

Privacy-enhancing technology pilot

Finally, the APRA contemplates the establishment of a pilot program to encourage private companies to use privacy-enhancing technology to meet the measures to secure and protect data contemplated in Section 9 of the APRA.

Whether this version of the APRA, or a modified version, will pass so that we finally have a federal privacy law remains to be seen. For the time being, we are left to manage the privacy and cybersecurity laws adopted by many states, which makes it a challenge for businesses to handle their data in compliance with those laws, and for individuals to understand what rights they may or may not have. As such, I would encourage Congress to pass a federal privacy law that preempts states' laws, with limited exceptions, to give businesses and individuals alike a clear road map and mandate as to their obligations, rights, and limitations.

Michelle Schaap, Partner
CSG Law, New Jersey