USA: Amended American Data Privacy and Protection Act - Road to a US federal privacy law
On 20 July 2022, the U.S. House Committee on Energy and Commerce announced that it had passed amendments to House Resolution ('HR') 8152, the American Data Privacy and Protection Act ('ADPPA'), during the full Committee markup. The amended HR 8152 introduces additional obligations for covered entities and service providers, including prohibitions on retaliation through service or pricing and reporting metrics for large data holders. In this article, OneTrust DataGuidance outlines the main amendments and key provisions businesses should be aware of, with expert commentary and insights provided by Starr Drum, Lead of the privacy division of the Cybersecurity & Privacy Practice Group at Maynard Cooper & Gale PC.
Scope of application
The amended HR 8152 applies to covered entities and service providers that process, collect, and transfer covered data, and provides definitions for each. In particular, and in line with the first draft, a covered entity is defined as:
- any entity or person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data and:
- is subject to the Federal Trade Commission Act of 1914;
- is a common carrier subject to the Communications Act of 1934;
- is an organisation not organised to carry on business for its own profit or that of its members; and
- any entity or person that controls or is controlled by another covered entity.
Correspondingly, a service provider is defined as a person or entity that collects, processes, or transfers covered data on behalf of, and receives covered data from or on behalf of, a covered entity or a Federal, State, Tribal, territorial, or local government entity.
Notably, the amended HR 8152 alters the definition of employee data, changing which employee data falls within its scope. Specifically, the definition has been expanded to include employees' information that is collected, processed, or transferred solely for purposes related to the employee's professional activities on behalf of the employer. The amended HR 8152 also introduces additional requirements for de-identified data, including that the contractual obligations attached to such data be passed on contractually in all subsequent instances in which the data may be received.
Obligations for covered entities and service providers
The amended HR 8152 introduces several additional requirements for covered entities and service providers. On this point, Drum highlighted, "the amendments include a new notice and opt-out requirement for covered data included as part of an asset transfer. Another significant amendment concerns the time period in which aggrieved persons can bring a private right of action against alleged violators once the law goes into effect. The previous bill delayed the ability to sue by four years post-adoption of the law, whereas the amendment shortened it to two years. The amendment also expands upon previously identified categories of information considered sensitive in nature, now including information that identifies an individual's online activities and information on one's race, colour, ethnicity, religion, or union membership. The addition of these categories aligns HR 8152 more closely with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and other recently adopted state privacy frameworks".
Regarding data minimisation, the amended HR 8152 provides that companies would only be allowed to collect and make use of user data if it is necessary for one of 17 permitted purposes outlined in the bill, including authenticating users, preventing fraud, and completing transactions. Collection and use outside of these purposes would be prohibited. This contrasts with many other global privacy laws, which centre around the concept of consent and have led to the proliferation of cookie consent pop-ups.
Unified opt-out mechanism
In regard to the unified opt-out mechanism, the amended HR 8152 stipulates that:
- covered entities, or service providers acting on behalf of covered entities, must inform individuals about the centralised opt-out choice;
- the unified opt-out mechanism is not required to be the default setting, but may be the default setting provided that in all cases the mechanism clearly represents the individual's affirmative, freely given, and unambiguous choice to opt out;
- the mechanism must be consumer-friendly, clearly described, and easy to use by a reasonable individual;
- the mechanism must permit the covered entity, or service provider acting on behalf of a covered entity, to have an authentication process that may be used to determine whether the mechanism represents a legitimate request to opt out;
- the mechanism must be provided in any covered language in which the covered entity provides products or services subject to the opt-out; and
- the mechanism must be provided in a manner that is reasonably accessible to and usable by individuals with disabilities.
The amended HR 8152 requires impact assessments to be conducted in relation to privacy and covered algorithms.
The amended HR 8152 retains the requirement for large data holders to conduct privacy impact assessments that weigh the benefits of the large data holder's covered data collecting, processing, and transfer practices against potential adverse consequences to individual privacy, including substantial privacy risks. Importantly, however, the amended HR 8152 removes the requirement to obtain approval from the privacy protection officer and also removes the requirement to designate a privacy and data security officer.
In addition, the amended HR 8152 extends the mandatory biennial privacy impact assessment requirement to covered entities that are not large data holders. In line with the requirements for large data holders, these covered entities must weigh the benefits of the covered data collection, processing, and transfer practices that may cause a substantial privacy risk against the potential material adverse consequences of such practices to individual privacy.
In regard to covered algorithms, the amended HR 8152 preserves the provisions associated with 'algorithm impact assessments', redefining them as 'covered algorithm impact assessments'. Specifically, and in line with the first draft, the amended HR 8152 states that a large data holder that uses a covered algorithm in a manner that poses a consequential risk of harm to an individual or group of individuals, and uses the covered algorithm solely or in part to collect, process, or transfer covered data, must conduct an impact assessment on an annual basis.
Large data holder metrics for reporting
The amended HR 8152 establishes that large data holders that are covered entities must, for each calendar year in which they were a large data holder, compile metrics for the prior calendar year which must include:
- the number of verified access requests;
- the number of verified deletion requests;
- the number of requests to opt-out of covered data transfers;
- the number of requests to opt-out of targeted advertising;
- the number of requests from the four categories above that:
- were complied with in whole or in part; or
General principles and duties
More generally, the amended HR 8152 maintains the duties and principles introduced in the first draft, including requirements associated with Privacy by Design, data security, and privacy policies (please see our Insight Article entitled USA: Discussion draft for federal data privacy bill - What you need to know). Notably, the amended HR 8152 introduces additional permissible purposes for the collection, processing, or transfer of covered data, including:
- communications that are not an advertisement, if reasonably anticipated by the individual within the context of their interactions with the covered entity;
- to ensure the data security and integrity of covered data;
- covered data previously collected by a service provider at the direction of a government entity, or a service provided to a government entity by a covered entity, and only insofar as authorised by statute, to prevent, detect, protect against, or respond to a public safety incident; and
- transfers in the context of a merger, acquisition, bankruptcy, or similar transaction where a third party assumes control if, within a reasonable time prior to the transfer, it provides affected individuals with:
- a notice describing such transfer, including the name of the entity or entities receiving the covered data and their privacy policies; and
- a reasonable opportunity to withdraw any previously given consent and reasonable opportunity to request the deletion of their covered data.
On the additional permissible purpose of mergers and acquisitions, Drum commented, "One amendment that would create significant implications in the mergers and acquisition space is the new notice, opt-out, and deletion requirements for asset transfers that include covered data (§101(b)(13)). Compliance with this provision could be onerous on targets, particularly where the target's covered data was not collected directly from individuals or where individuals have failed to keep their contact information up to date. The failure to provide requisite notice, or the receipt of a significant number of individuals' opt-outs and deletion requests, could significantly impact deal values and potentially delay transactions".
Consumer data rights
The amended HR 8152 maintains the consumer data rights previously established, namely:
- right to export covered data;
- right to opt-out of covered transfers; and
- right to opt-out of targeted advertising.
Furthermore, the amended HR 8152 stipulates requirements associated with verification, response times, and the charging of fees. Specifically, individuals can exercise their rights free of charge twice within a 12-month period; any request beyond the initial two will be subject to a reasonable fee. In regard to timing, the amended HR 8152 maintains that large data holders must comply with a request within 45 days of verification, whereas covered entities that are neither large data holders nor covered by the small business protections will have 60 days to respond, and covered entities that fall under the small business protections will have 90 days to respond. On the point of verification, the amended HR 8152 notes that a covered entity is not permitted to act on an individual's rights request, in whole or in part, if it cannot reasonably verify the individual to whom the data belongs or the authorised person acting for them. The amended bill also provides exemptions to an individual's ability to exercise their rights, including where the covered entity reasonably believes that the request is made to interfere with a contract between the covered entity and another individual.
Under the current iteration of HR 8152, requests for consent from covered entities must include a description of each processing purpose for which the individual's consent is sought. Moreover, the amended HR 8152 requires that the option to refuse consent be at least as prominent as the option to accept, and that refusing consent take no more steps than providing it. In addition, the amended HR 8152 clarifies that where affirmative express consent has been obtained, processing for a different purpose will also require subsequent affirmative express consent.
As in the first draft of HR 8152, the amended HR 8152 provides requirements specific to covered minors, defined as any individual under the age of 17. Notably, the amended HR 8152 introduces an exception to the data transfer requirements for such covered data. Specifically, the amended HR 8152 establishes that a covered entity or service provider may collect, process, or transfer the covered data of an individual it knows is under the age of 18 solely in order to submit information relating to child victimisation to law enforcement or to a non-profit, national resource center and clearinghouse congressionally designated to provide assistance to victims, families, child-serving professionals, and the general public on missing and exploited children issues.
On the protection of minors, Drum highlighted, "Numerous companies made business decisions about processing the personal information of children under the age of 13 in response to the Children's Online Privacy Protection Rule ('COPPA'), and, for a smaller subset, the sale of personal data from children under 16 under the California Consumer Privacy Act of 2018, last amended in 2019 ('CCPA'). HR 8152 places stringent requirements on processing data from, targeting advertisements to, and sharing data from minors who are under the age of 17, so entities interacting with covered data from children under 16 would have significant risk calculations to undertake concerning that processing if the ADPPA was to pass in its current form".
As outlined above, the period before civil actions may be brought once HR 8152 takes effect has been shortened from four years to two years. Notably, beyond this change to the private right of action, the current iteration of HR 8152 provides an exception whereby the private right of action will not apply to claims against covered entities that have less than $25 million per year in revenue, or covered entities that collect, process, or transfer the covered data of fewer than 50,000 individuals and derive less than 50% of their revenue from transferring covered data.
Compatibility with State laws
The amended HR 8152, consistent with the first draft, contains provisions on the pre-emption of state laws, stating that, in general, no State or political subdivision of a State may adopt, maintain, enforce, prescribe, or continue in effect any law, regulation, rule, standard, requirement, or other provision having the force and effect of law that is covered by the provisions of HR 8152, or by a rule, regulation, or requirement promulgated under HR 8152.
On the point of pre-emption, Drum noted, "the scope of pre-emption is less than clear. While certain state laws or provisions thereof are specifically identified in HR 8152 as not being pre-empted (e.g. Illinois' Biometric Information Privacy Act of 2008 ('BIPA') and the data breach-based private right of action under the CCPA/California Privacy Rights Act of 2020 ('CPRA')), other descriptors are so broad that they could put numerous State laws back in play. For example, the carve-out for 'laws pertaining to the use of encryption as a means of providing data security' could arguably mean that the entire CCPA/CPRA would not be pre-empted".
In regard to expected guidance and limitations of the amended HR 8152, Drum further provided, "Although the HR 8152 would eliminate some of the uncertainty of disparate State law applicability and compliance obligations, it does not create a single uniform federal privacy standard. Sector-specific privacy and security laws like the Family Educational Rights and Privacy Act ('FERPA'), the Health Insurance Portability and Accountability Act ('HIPAA'), the Gramm-Leach-Bliley Act ('GLBA'), and others, would continue to apply solely and exclusively with respect to data subject to the requirements of such regulations. It is not clear what exactly that means for entities subject to other sector-specific laws. Would the HR 8152 not apply to data elements within the scope of those laws, to certain types of processing, or something else? The Federal Trade Commission has up to a year to issue guidance on the sector-specific exemptions and, until that guidance is promulgated, businesses in the education, health, financial, and other sectors would simply have to guess as to the scope of interplay between the regulations".
In terms of next steps, HR 8152 will now be submitted to the House of Representatives for consideration.
Francesco Saturnino, Privacy Analyst
Comments provided by:
Starr Drum, Lead of the privacy division of the Cybersecurity & Privacy Practice Group
Maynard Cooper & Gale PC, Birmingham