Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

USA: Permitted processing purposes under the ADPPA

The American Data Privacy and Protection Act1 ('ADPPA'), if passed, would become the first federal comprehensive data privacy bill. The ADPPA aims to provide individuals with specific rights, such as the right to consent and object, enhanced protections for children and minors, and introduces a number of obligations for covered entities, including in relation to data minimisation and legal bases for the collection, processing and transfer of individuals' data. On 20 July 2022, the ADPPA was approved by the House Energy and Commerce Committee with a few amendments, such as making the California Privacy Protection Authority ('CPPA') responsible for enforcing the ADPPA in California, as well as the exclusion of small businesses from private action. At the time of publication, the ADPPA is under review from the full House of Representatives and, if passed, will next be introduced to the Senate. Starr Drum, Shareholder at Maynard Cooper & Gale, LLP, provides an overview of data processing under the ADPPA, with a focus on the 17 permitted purposes and the role of consent.

drnadig / Signature collection / istockphoto.com

Processing under the ADPPA

Pursuant to the data minimisation requirements of §101 of the ADPPA, covered entities may not process covered personal data unless the processing is limited to what is 'reasonably necessary and proportionate' to provide or maintain a specific product or service requested by the individual whose covered data is being processed. The Federal Trade Commission is tasked with issuing guidance on what constitutes 'reasonably necessary and proportionate'. Processing is also permitted under the ADPPA to achieve one of 17 other enumerated purposes:

  1. Perform a transaction or order.

  2. Develop, maintain, improve, or repair a product or service.
  3. Authenticate users of a product or service.
  4. Fulfill a product or service warranty.
  5. Prevent, detect, or respond to a security incident.
  6. Prevent, detect, or respond to fraud, harassment, or illegal activity.
  7. Comply with legal obligations or pursue or defend against legal claims.
  8. Prevent death or bodily harm.
  9. Effectuate a product recall.
  10. Conduct certain research projects.
  11. Deliver non-advertising communications reasonably anticipated by the data subject.
  12. Facilitate the transmission of communications.
  13. Transfer assets in the context of a merger, acquisition, bankruptcy, or similar transaction.
  14. Protect the security of covered personal data.
  15. Prevent, detect, or respond to certain public safety incidents.
  16. Conduct first party advertising or marketing to adults.
  17. Provide targeted advertising.

Although the inclusion of targeted advertising as a permissible processing purpose may seem surprising at first glance, there are actually some significant limitations that covered entities operating in this space will have to carefully navigate if the ADPPA passes. First, targeted advertising is strictly prohibited if the covered entity has knowledge that the individual being targeted to is a covered minor (someone under the age of 17). For social media companies, 'knowledge' includes that the entity 'should have known' that the individual was a covered minor, and for other large data holders, knowledge includes acting in wilful disregard of the fact that an individual is a covered minor. The ADPPA does not permit covered entities to use consent to circumvent this blanket prohibition. Second, targeted advertising is only permitted where covered data has been collected and otherwise processed in accordance with the requirements of the ADPPA, so any collections of covered data prior to the ADPPA's passage (or post-passage) that do not comply with the data minimisation parameters set forth above could not be used for targeted advertising.

Consent no more?

Absent from the list of permissible processing purposes is the ability for covered entities to process personal data based on an individual's affirmative express consent, even where such consent is for a processing purpose beyond those set forth above. This treatment differs considerably from the way consent is treated under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), wherein consent by the data subject to the processing of their personal data for any specified purpose is enough to legitimise that purpose. Instead, consent under the ADPPA is treated as a supplemental requirement for certain processing operations, not as a standalone basis for processing.

Under the ADPPA, affirmative express consent is mandatory before:

  • transferring an individual's sensitive covered data to a third party;
  • transferring covered data that reveals an individual's viewing history and services selected from a video programming or broadcast service to an unaffiliated third party where such data is not being transferred pursuant to the first 15 permissible purposes set forth above;
  • transferring covered data of a covered minor to a third party where the covered entity has knowledge that the individual is a covered minor, except to submit information relating to child victimisation to law enforcement and the congressionally designated national resource center on missing and exploited children issues; and
  • retaining data for longer than necessary for the purpose for which it was collected.

While obtaining consent for processing activities is often a best practice, for purposes of the ADPPA, consent by itself will not legitimise processing activities not otherwise authorised under §101. Therefore, if the ADPPA passes in its current form, covered entities will need to analyse all of their processing activities and ensure they are 'reasonably necessary and proportionate' to either provide or maintain a specific product or service requested by an individual or that the processing falls under at least one of the permissible purposes set forth in §101.

Concluding thoughts

Whether there will be a shift away from consent if the ADPPA passes remains to be seen, but given that consent is an important legal basis for processing in other global jurisdictions, that consent would still be required for various processing operations under other US federal privacy laws (e.g., Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996, the Family Educational Rights and Privacy Act, and the Children's Online Privacy Protection Act of 1998), and that consent is still mandatory for certain processing operations under the ADPPA, it seems unlikely that requests for consent would significantly diminish with passage of the ADPPA.

Starr Drum Shareholder
[email protected]
Maynard Cooper & Gale, LLP, Alabama


1. Available to read and track at: https://www.congress.gov/bill/117th-congress/house-bill/8152