The United States is home to the tech companies that amass the most user data worldwide, but the country has no law regulating what data is collected and how it is used. For years, lawmakers have tried to pass a federal privacy law, to no avail, and the US lags behind the EU and China on this front. Some states, such as California, Virginia, and Colorado, have their own privacy laws, and there are sector-specific laws as well, but these protect only a subset of US citizens or cases. However, a new privacy bill introduced by lawmakers Cathy McMorris Rodgers, Frank Pallone, and Roger Wicker on June 3 might change things.
The American Data Privacy and Protection Act is the first comprehensive national data privacy framework that has bipartisan and bicameral support, which makes it closer to becoming law than any other federal privacy legislation introduced in the US in the past.
“To say that it’s high time for real progress on a federal privacy bill would be a tremendous understatement. We’ve been waiting for more than a decade for Congress to tackle online privacy and data-security issues. The country sorely needs Congress to create protections against the exploitation and discrimination caused by companies’ unfettered collection, buying, selling, sharing and outright abuse of people’s most personal information.” — Free Press Action Co-CEO Jessica J. González
In summary, the American Data Privacy and Protection Act:
- Requires covered entities to minimise data collection to what is necessary
- Requires covered entities to ensure privacy by design and that users don’t have to pay for privacy
- Requires covered entities to allow consumers to turn off targeted advertisements
- Provides enhanced data protection for children and minors
- Provides consumers rights to access, correct, delete, port their data, and withdraw consent at any time
- Increases transparency on how companies collect and use data
- Provides greater protection to sensitive personal data
- Imposes more accountability measures on larger platforms
Who does the law apply to?
Covered data: Any information identifying, linked, or reasonably linkable to an individual or device linkable to an individual. In other words: personal data. This includes derived data and unique identifiers but does not include de-identified data, employee data, or publicly available information.
Covered entity: The Act covers any entity that collects, processes, or transfers covered data and is subject to the jurisdiction of the Federal Trade Commission (FTC), including nonprofits and telecommunications companies.
- Large data holders: These are covered entities with gross revenues above $250 million that, in the most recent calendar year, collected, processed, or transferred the covered data of over 5 million individuals/devices or the sensitive covered data of 100,000 individuals/devices.
Obligations of covered entities
Data minimization: Covered entities must not collect or use data unnecessarily, regardless of whether they obtained consent or met transparency requirements. Specifically, entities are prohibited from collecting, processing, or transferring covered data beyond what is reasonably necessary, proportionate, and limited to providing the specific products and services requested by individuals. The FTC will issue guidance to help establish what is “reasonably necessary, proportionate, and limited.”
Privacy by design: Covered entities must mitigate privacy risks by implementing reasonable policies, practices, and procedures for collecting, processing, and transferring covered data depending on the entity’s size, complexity, activities related to covered data, the types and amount of covered data the entity engages with, and the cost of implementation compared to the risks posed. The FTC will issue guidance on reasonable policies, practices, and procedures.
Restrictions on collection and use of sensitive data: Covered entities are significantly restricted in how they collect, use, and transfer sensitive covered data. Sensitive covered data includes government-issued identifiers such as Social Security Numbers (SSNs), financial details such as credit card numbers, health data, biometric information, genetic information, geolocation, private communications, information related to race, ethnicity, sexual orientation, etc., nude and semi-nude imagery, information identifying an individual’s online activities over time or across platforms, any information about an individual under the age of 17, and more. Transfer of most types of sensitive data is allowed only for specific purposes after obtaining the express affirmative consent of the individual, or for law enforcement purposes backed by a warrant. Express affirmative consent is an act by an individual that clearly communicates the individual’s freely given, specific, informed, and unambiguous authorisation, given after the entity seeking consent has made the disclosures prescribed in the Act.
Cannot deny service for refusal to waive rights: Covered entities cannot deny services or products, or charge different rates for them, based on whether individuals waive any of the privacy rights in the Act. This prohibition has exceptions, such as when financial information is used for billing.
Rights of consumers
Right to access, correct, delete, and port data: Individuals have the right to access, correct, and delete covered data that pertains to them, and to have it ported. The right to access includes obtaining the data in a human-readable, downloadable format that individuals can understand without expertise. The rights to correct and delete covered data also require entities to notify the other entities to whom the data was transferred. To the extent technologically feasible, individuals also have the right to export their covered data in a portable format. The Act also contains provisions on the timing and cost of access to consumer data, as well as exceptions.
Right to consent and object: Providing and withdrawing consent should both be in a clear, conspicuous, and easy-to-use manner. Individuals should also be allowed to opt-out of the transfer of any covered data to a third party. Covered entities engaged in targeted advertising must provide individuals means to opt-out prior to any targeted advertising and at all times afterwards.
Protections for children and minors: Entities are subject to additional requirements for data with respect to individuals under age 17. Among other things, targeted advertising is prohibited and data transfer to a third party cannot take place without express affirmative consent. The Act also establishes a Youth Privacy and Marketing Division at the FTC, which will be responsible for addressing privacy and marketing concerns with respect to children and minors.
Right to deletion of data used by third-party collecting entities: Entities whose principal source of revenue is derived from processing or transferring the data of individuals that the entity did not directly collect are known as third-party collecting entities. These data brokers must declare their identity using language specified by FTC regulations. Third-party collecting entities that process covered data of more than 5,000 individuals must annually register with the FTC. The FTC will establish and maintain an online registry of third-party collecting entities that has contact information and a “Do Not Collect” feature by which individuals may submit a single request to all registered third-party collecting entities to have all data about them deleted within 30 days.
Algorithmic impact assessment: Entities may not collect, process or transfer covered data in a manner that discriminates on the basis of race, colour, religion, national origin, gender, sexual orientation, or disability. Furthermore, large data holders that use algorithms must assess their algorithms annually and submit annual algorithmic impact assessments to the FTC. These assessments must describe steps the entity has taken to mitigate potential harms from algorithms related to aspects like education, employment, healthcare, insurance, and credit, including any harms specifically related to individuals under 17. Algorithmic evaluations must be conducted at the design phase of an algorithm, including on any training data that is used to develop the algorithm. The FTC must publish guidance regarding compliance with this requirement.
Data security: Entities must implement and maintain data security practices and procedures that protect and secure data against unauthorized use and acquisition. The FTC will determine the reasonability of such protections based on the entity’s size, complexity, activities related to covered data, the types and amount of covered data the entity engages with, the current state of the art in protecting covered data, and the cost of available tools. The Act also provides specific requirements that entities must meet to assess vulnerabilities, take preventive and corrective action, evaluate their systems, and for the retention and disposal of covered data. Entities must also provide training to all employees and designate an officer to maintain and implement their data security practices.
Unified opt-out mechanisms: The FTC must conduct a study to determine the feasibility of centralized opt-out mechanisms to ease individuals’ exercise of their rights to opt-out of data transfers, targeted advertising, and the “Do Not Collect” feature.
Consumer awareness: Within 90 days of enactment of the Act, the FTC must publish a public web page describing all provisions of the Act in plain language to inform individuals and covered entities of their rights and obligations under the Act.
Exceptions to the law
Exceptions for small businesses: Entities that, for the prior three years, earned revenues of $41 million or less, did not collect or process the covered data of 100,000 individuals in a year, and did not derive more than half their revenue from transferring covered data are exempt from the data portability requirements, may choose to delete rather than correct an individual’s covered data, and are excluded from some of the data security requirements.
General exceptions: Notwithstanding the provisions in the Act, covered entities can collect, process, or transfer covered data for specific purposes where it is reasonably necessary, proportionate, and limited to the specific purpose. Such exceptions include completing transactions, processing data already collected to perform system maintenance, diagnostics, or internal research, addressing security incidents, guarding against illegal activity and fraud, complying with legal obligations, preventing death or serious physical injury, effectuating product recalls, and conducting research in the public interest.
Corporate accountability measures
Privacy and data security officers: All covered entities must designate one or more privacy and data security officers who must ensure compliance with the Act. Large data holders must also designate at least one of these officers as the privacy protection officer to report directly to the entity’s highest official. This officer will be responsible for establishing processes, conducting regular comprehensive audits, developing training and education programs for employees, maintaining records, and serving as the point of contact with enforcement authorities. Large data holders must also conduct privacy impact assessments weighing the benefits of their data practices against the potential consequences to individual privacy on a biennial basis and have them approved by the privacy protection officer. The CEOs and privacy officers at large data holders must also annually certify that their company maintains reasonable internal controls and reporting structures for compliance with the Act.
Responsibilities of service providers: Service providers may only collect or process data for the purposes directed by the entity from which they received it, and may not transfer such data to another entity without the express affirmative consent of the individual to whom it pertains. Service providers generally have the same responsibilities as other covered entities under the Act, with the exception that, given their non-consumer-facing role, they only have to assist the entities they process data for in fulfilling requests by individuals to exercise their rights. Covered entities must conduct reasonable due diligence when selecting service providers and when deciding to transfer covered data to third parties.
Technical compliance programs: Within 120 days of enactment, the FTC must promulgate regulations to establish processes for covered entities to submit technical compliance programs for approval. Such programs are to be specific to particular technologies, products, services, or methods regarding data.
Commission-approved compliance guidelines: Entities that meet the small and medium-sized covered entities criteria are eligible to participate in FTC-approved compliance guidelines for handling data. Applications for approval must include how the guidelines will meet or exceed the Act’s requirements, the entities or activities the guidelines intend to cover, any covered entities known at the time of submission who want to participate, and a description of how entities will be independently assessed for compliance. An entity eligible to participate in approved guidelines will be deemed in compliance with the Act if in compliance with the guidelines but will remain subject to enforcement if alleged to not be in compliance with the Act.
Digital content forgeries: Within a year of enactment, and annually thereafter, the Department of Commerce must publish a report on digital content forgeries that defines, describes, and assesses them, including how to take counter-measures against them.
Enforcement of the law
Preemption of State Laws: The Act addresses the controversial issue of preemption by stating that state laws covered by the provisions of the Act are preempted, except for a list of specified state laws, notably the California Consumer Privacy Act and Illinois’ Biometric Information Privacy Act, and other generally applicable consumer protection laws, employee and student privacy protections, data breach notification laws, contract and tort law, criminal laws regarding unauthorized access to electronic devices, and unauthorized use of personal information, and laws on cyberstalking, cyberbullying, nonconsensual pornography, and sexual harassment.
Enforcement by the Federal Trade Commission: The FTC will establish a new bureau to carry out its authority under the Act. Violations of the Act will be treated as violations of a rule defining an unfair or deceptive act or practice under the FTC Act, meaning they may attract civil penalties for initial and subsequent violations. The Act also establishes a relief fund for victims of entities that violate it. Any relief the FTC or the Department of Justice obtains when enforcing the Act that cannot be provided directly to harmed individuals will be deposited in this fund and made available to the FTC to provide relief to individuals harmed by violations of the Act.
Enforcement by State Attorneys General: State Attorneys General and chief consumer protection enforcement officers may bring cases in federal court for injunctive relief, damages, penalties, restitution, or other compensation. The FTC retains the right to intervene upon receiving the required notice from state enforcement officers, and no state enforcement may occur once the FTC or its deputy has initiated an enforcement action regarding the same conduct. States retain the right to bring enforcement actions arising under any existing state law.
Controversial private right to sue provision
Another controversial issue in previous privacy bills has been the individual right to sue. Under this Act, four years after its enactment, individuals can bring a civil action in federal court for violation of any of their rights under the Act, or for use of data that is inconsistent with its provisions.
The US Chamber of Commerce specifically objected to the bill because of the private right of action provision:
“A national data protection law including a private right of action would encourage an influx of abusive class action lawsuits, create further confusion regarding enforcement of blanket privacy rights, harm small businesses, and hinder data-driven innovation.”
“More than 130 countries have enacted general privacy protections, and five state legislatures have passed comprehensive data protection bills. However, for good reason, private right of action for privacy is not included in any of these states’ laws, nor is it part of the European Union’s General Data Protection Regulation,” the group said.
Meanwhile, Senate Commerce Chair Maria Cantwell is proposing a privacy bill with an even stronger private right to sue provision. In a statement, Cantwell said:
“For American consumers to have meaningful privacy protection, we need a strong federal law that is not riddled with enforcement loopholes. Consumers deserve the ability to protect their rights on day one, not four years later.”
Apple CEO Tim Cook, on the other hand, urged the US Congress to pass the proposed bill as soon as possible:
“We recognize that there are outstanding issues to be resolved, but the areas of agreement appear to far outweigh the differences. Your drafts would provide substantial protections for consumers, and we write to offer our strong support towards achieving this shared goal. […] We strongly urge you to advance comprehensive privacy legislation as soon as possible, and we stand ready to assist in this process in the days ahead.”
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.