[author: Anvi Yalavarthy]
(i) is subject to the Federal Trade Commission Act;
(ii) is a common carrier subject to the Communications Act of 1934; or
(iii) is an organization not organized to carry on business for its own profit or that of its members.
The term “covered entity” does not include a governmental entity or political subdivision of the Federal, State or local government, or any person or entity that is collecting, processing or transferring covered data on behalf of a Federal, State, Tribal, territorial or local government entity.
The ADPPA protects “covered data” which means information that identifies or is linked or “reasonably linkable” (alone or in combination with other information) to an individual or a device that identifies or is linked or “reasonably linkable” to an individual. This may include derived data and unique identifiers, but excludes de-identified data, employee data, publicly available information, and inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.
General Provisions in the ADPPA
While the ADPPA is far from its final form, some key provisions of the current version of the bill are detailed below:
The ADPPA’s data minimization provision requires covered entities to limit the collection, processing and transferring of covered data to what is “reasonably necessary and proportionate” to (i) provide or maintain a product or service requested by the individual, (ii) deliver a communication that is reasonably anticipated by the recipient, or (iii) effect a purpose expressly permitted under the ADPPA (e.g., completing a transaction or fulfilling an order requested by the individual, authentication, preventing or responding to a security incident, etc.).
Enforcement of the ADPPA & Private Right of Action
The ADPPA would be enforced by the FTC, which may promulgate regulations and guidance pursuant to the ADPPA. In order to assist the FTC in exercising its authority under the ADPPA, the FTC must establish both a new “Bureau of Privacy” and a “Youth Privacy and Marketing Division”. The ADPPA may also be enforced by State Attorneys General, who may bring civil actions to enjoin practices, enforce compliance with the ADPPA or obtain damages or civil penalties. However, the relevant Attorney General must first notify the FTC before initiating a civil action so that the FTC can choose to intervene.
Individuals who suffer an injury can also bring a civil action against an entity for violation of the ADPPA. However, the individual must first notify both the FTC and the relevant Attorney General, who may choose to take action, superseding the individual’s action. This private right of action would not go into effect until 4 years after the enactment of the ADPPA.
Any civil penalties obtained by the FTC or an Attorney General in enforcing the ADPPA must be deposited into the “Privacy and Security Victims Relief Fund”, which would be established in the U.S. Treasury. The fund can be used to compensate individuals affected by an act or practice for which relief has been obtained, to conduct technological research the FTC considers necessary to enforce the ADPPA, and to fund the activities of the Office of Business Mentorship, which will be established by the new Bureau of Privacy to provide guidance and consultation to entities regarding compliance with the ADPPA.
Points of Contention and Current Status
Two major points of contention in the ADPPA that will need to be resolved before it moves forward are (1) the private right of action and (2) the preemption provisions. In particular, some believe that a private right of action is unnecessary given the other enforcement methods that the ADPPA provides. Others, however, believe not only that the private right of action is necessary but also that it is not strong enough, given that it will not become effective until 4 years after the law goes into effect. Similarly, the California Privacy Protection Agency opposes the current preemption provision, stating that the ADPPA is weaker than the CCPA, and that the ADPPA’s preemption provision would essentially “lower the bar on privacy protections for Californians”.
The bill underwent markup on June 23, 2022, in the Consumer Protection and Commerce Subcommittee and was then referred to the full House Committee on Energy and Commerce. If it is passed by the full Committee, it would then be considered by the full House of Representatives and later by the Senate.
While there are still several hurdles for the ADPPA to overcome before it becomes the law of the land, this is the first federal privacy legislation in the U.S. to make it this far, which gives proponents of a comprehensive federal privacy law a glimmer of hope.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Moore & Van Allen PLLC | Attorney Advertising
Copyright © JD Supra, LLC