USA: How does the ADPPA compare with California's privacy laws?
After years of unsuccessful attempts to enact nationwide data privacy legislation, the American Data Privacy and Protection Act ('ADPPA'), a proposed US federal online privacy bill that would regulate how organisations keep and use consumer data, is the furthest a federal privacy bill has managed to go so far. If enacted, the ADPPA would be the country's first comprehensive federal consumer privacy framework. Paul Lanois, Director at Fieldfisher, provides a brief comparison between specific provisions under the ADPPA and those under the California Consumer Privacy Act of 2018 ('CCPA').
On this basis, it may come as a surprise to some that the ADPPA is facing criticism and opposition from privacy advocates. For example, California Governor Gavin Newsom shared his concerns surrounding the ADPPA's preemption provision in a letter1 to the House Committee on Energy & Commerce's chairperson, Frank Pallone, stating that, as it currently stands, 'the ADPPA would undermine California's comprehensive consumer privacy protections'. The ADPPA, as currently drafted, would pre-empt most state privacy laws, such as the CCPA and the Colorado Privacy Act ('CPA').
U.S. House of Representatives Speaker, Nancy Pelosi, also voiced concerns about the ADPPA to the House Committee on Energy & Commerce, particularly in relation to the ADPPA's pre-emption of state privacy laws, such as the CCPA and the California Privacy Rights Act of 2020 ('CPRA'), stating2 that she "will continue to work with Chairman Pallone to address California's concerns". In addition, the California Privacy Protection Agency ('CPPA') has voiced its opposition3 to the current draft of the ADPPA on the basis that it would significantly weaken Californians' privacy protections by pre-empting California's privacy laws, as well as the other state privacy laws.
By way of reminder, in 2018, California became the first state in the US to adopt a comprehensive consumer privacy law, the CCPA, which went into effect on 1 January 2020. Shortly after the CCPA entered into effect, California was also the first state in the US to establish a dedicated data protection authority, the CPPA, when voters amended the CCPA by passing Proposition 24, also known as the CPRA.
So, what are the key differences between the ADPPA and the CCPA/CPRA? This article explores some of the key areas of difference between the two pieces of legislation as they currently stand, but is in no way an exhaustive list of the similarities or differences between them. In addition, both are subject to change (by way of the rulemaking process for the CPRA, whereas the ADPPA is not yet finalised as of the time this article was prepared).
Scope
The CPRA applies to any for-profit business that 'collects' the personal information of California residents, determines the purposes and means of processing the personal information, does business in California, and meets one or more of the following thresholds:
- as of 1 January of the calendar year, had annual gross revenues above $25 million in the preceding calendar year;
- alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more California residents or households (up from the CCPA's threshold of 50,000 residents); and/or
- derives 50% or more of its annual revenues from selling or sharing personal information of California residents.
While the CCPA/CPRA's definition of 'business' excludes non-profits as well as small businesses that do not meet the above thresholds, this does not mean that the personal information that they handle would not receive any protection, since third parties that handle personal information may still be subject to certain requirements under the CCPA/CPRA.
Conversely, the ADPPA does not have any such thresholds - instead, it would apply broadly to organisations and businesses operating in the US. The ADPPA defines a covered entity as one that 'collects, processes, or transfers covered data and is subject to the Federal Trade Commission Act', in addition to non-profit organisations and common carriers. In other words, the ADPPA would have a broader coverage as it would apply to non-profits and small businesses, contrary to the CCPA/CPRA.
Definitions
'Personal information' has a very broad definition under the CPRA: it is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. In particular, information such as unique personal identifiers and inferences are listed as examples of categories of 'personal information' covered under the CPRA.
'Sensitive personal information' under the CPRA includes government identifiers (social security numbers and driver's license numbers), health information, financial information, biometric and genetic data, login credentials, precise geolocation information, race, religion, or union membership information, communications content, and sexual behaviour information.
Conversely, data covered under the ADPPA is defined as 'information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual, and may include derived data and unique identifiers'. Importantly, the ADPPA explicitly excludes from its scope employee data (including contractors) and publicly available data.
Some 'covered data' may be considered 'sensitive covered data' under the ADPPA, such as government identifiers (social security numbers and driver's license numbers), as well as communications content, health information, precise geolocation, financial information (financial account number, debit card number, credit card number, income level, or bank account balance information), log-in credentials or access information, racial information, and sexual information. The ADPPA goes beyond the CPRA in this respect, as sensitive covered data under the ADPPA may also include unconventional categories of information which play an increasing role in this digital age, such as television viewing data (whether via a cable service, satellite service, or streaming media service) and intimate images (whether pictures or video).
Duty of loyalty
The CCPA/CPRA limits the collection, use, retention, and sharing of personal information to what is 'reasonably necessary and proportionate to achieve the purposes for which it was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected'.
In this respect, the ADPPA appears more specific than the CCPA/CPRA. Section 101 of the ADPPA, titled 'Data minimization', prohibits all covered entities from collecting, using, or transferring covered data beyond what is reasonably necessary and proportionate to provide a service requested by the individual or deliver a communication that is reasonably anticipated by the individual recipient, unless the collection, use, or disclosure falls under one of 17 permissible purposes. Notably, that list of 'permissible purposes' for collecting, processing, or transferring covered data specifically includes 'targeted advertising' (as defined in the ADPPA).
Dark patterns or manipulative design
The CPRA introduces the concept of 'dark pattern', which is defined as 'a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice, as further defined by regulation'. Importantly, the CPRA provides that an agreement obtained through the use of dark patterns does not constitute consent. In addition, the draft regulations from the CPPA provide certain examples of techniques that may be considered a dark pattern.
The ADPPA also prohibits obtaining consent in ways that are misleading or manipulative, but does not (yet) provide guidance as to what may be misleading. While the lack of guidance under the ADPPA may make it more difficult for organisations to understand what their obligations are under the ADPPA, whereas the CPRA regulations offer more visibility in this respect, this should not have much impact in terms of enforcement.
Transparency
The CPRA requires businesses to disclose, among other things, the categories of personal information they collect and their processing purposes, whether that information is sold or shared and, if so, the categories of personal information to be disclosed, the retention period for each category of personal information collected, and how to exercise privacy rights.
The ADPPA would require covered entities to disclose, among other things, the type of data they collect, the processing purposes for each category of covered data, how long the covered data will be retained, how to exercise privacy rights, and whether they make the data accessible to the People's Republic of China, Russia, Iran, or North Korea. In addition, if covered data is transferred, the identity of the recipient, as well as the purposes of such transfer, would need to be disclosed.
In light of the above, both the CPRA and the ADPPA appear broadly equivalent.
Privacy rights
Both the CPRA and the ADPPA grant consumers similar privacy rights over covered information, including the right of access, correction, deletion, and portability of covered data. The right to correct inaccurate personal information is an additional privacy right that was not part of the existing CCPA. Both would also require covered entities to give consumers an opportunity to object before the organisation transfers their data to a third party or targets advertising toward them.
There are, however, some differences in their scope. In particular, the ADPPA limits the right of access to information collected, processed, or transferred within the 24 months preceding the request.
Conversely, the CPRA has no such limit, meaning a consumer will have a right to see all personal information held by the business, such that the organisation would have to provide more information upon request under the CPRA than the ADPPA.
This is also one of the key changes between the CPRA and the existing CCPA, where the right of access was limited to the 12 months preceding the request.
Data security
Both the CPRA and the ADPPA require covered organisations to establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorised access and acquisition.
Whereas the text of the CPRA itself does not provide much information as to what constitutes reasonable security measures, the ADPPA does provide a list of security measures which, at a minimum, organisations are expected to have in place:
- assessment of any material internal and external risk to, and vulnerability in, the security of each system maintained;
- preventive and corrective action to mitigate any reasonably foreseeable risks or vulnerabilities, including administrative, technical, or physical safeguards or changes to data security practices or the architecture, installation, or implementation of network or operating software, among other actions;
- evaluation of preventive and corrective action in light of any material changes in technology, internal or external threats to covered data, and business arrangements or operations;
- information retention and disposal of covered data no longer necessary for the purpose for which it was collected, unless an individual has provided affirmative express consent to such retention;
- training each employee with access to covered data on how to safeguard covered data and updating such training as necessary;
- designating an officer, employee, or employees to maintain and implement such practices; and
- implementing procedures to detect, respond to, or recover from security incidents or breaches.
In practice, the above measures listed by the ADPPA are likely to also be considered security measures that organisations should have in place pursuant to the CPRA.
Protection of individuals under the age of 16
The CPRA prohibits the sale or sharing of personal information of individuals under the age of 16, unless the consumer authorises such sale or sharing (if aged between 13 and 16), or if the parent or guardian authorises the sale (if aged under 13).
The ADPPA goes further than the CPRA in this respect: for example, the ADPPA would introduce a prohibition on targeted advertising for individuals under the age of 17. In addition, the ADPPA would establish a Youth Privacy and Marketing Division at the Federal Trade Commission ('FTC'), which would be responsible for protecting the privacy of children and minors and would supervise marketing directed at children and minors.
Private right of action
The CPRA only provides a private right of action in relation to security breaches relating to personal information – leaving enforcement for the rest of the CPRA's provisions to the CPPA and the Attorney General.
Conversely, under the ADPPA, injured individuals, or classes of individuals, would be able to sue covered entities in federal court for damages, injunctions, litigation costs, and attorneys' fees. Individuals would, however, have to notify the FTC or their state attorney general before initiating a lawsuit. For injunctive relief or a suit against a small- to medium-sized business, individuals would be required to give the offending organisation an opportunity to address the alleged violation. The ADPPA would also render pre-dispute arbitration agreements or pre-dispute joint-action waivers with individuals under the age of 18 unenforceable in disputes arising under the ADPPA.
Conclusion
Both the CPRA and the ADPPA share a number of similarities, yet adopt a different approach in many cases. Both pieces of legislation appear to be inspired by the GDPR's requirements. If the ADPPA were adopted and enacted in its current form, it would generally pre-empt any state laws that are 'covered by the provisions' of the ADPPA or its regulations, although it would expressly preserve 16 different categories of state laws, including consumer protection laws of general applicability and data breach notification laws. Importantly, the ADPPA, as currently drafted, would pre-empt much of the CPRA. In any case, the ADPPA still has a long way to go before being enacted into law and, even if enacted, it may end up looking very different at the end of the legislative process compared to current drafts.
Paul Lanois, Director
Fieldfisher, Palo Alto