
Federal Privacy Bill Shows Emerging Patterns In US Privacy Law – Privacy Protection


On July 20, 2022, the House Committee on Energy and Commerce
advanced a new federal privacy bill titled the American Data
Privacy and Protection Act (ADPPA) to the House floor. Although it
is not yet law, many commentators are optimistic that it may move
forward in view of the ADPPA’s bipartisan support and the
compromises it reaches on the issues of preemption and private
rights of action, both of which have stalled prior federal privacy
bills. The ADPPA reveals trends in U.S. privacy law that are
emerging from state-level laws passed in California,[1]
Virginia, Colorado, Utah and Connecticut (the “State Privacy Laws”). It also departs
from all five State Privacy Laws in a few novel ways. This alert
discusses key provisions of the ADPPA, as currently drafted, and
how they compare to the State Privacy Laws. The ADPPA will likely
face further amendment before the House votes on a final bill.

Who Is Covered?

The ADPPA applies to any entity that processes Covered Data and
is subject to the Federal Trade Commission Act (FTC Act). It also
adds common carriers and nonprofits that otherwise would not be
subject to the FTC Act. Banks, air carriers and governments remain
excluded from the ADPPA, which is in line with all five State
Privacy Laws. There are also exceptions for Covered Entities that
are subject to existing privacy laws such as GLBA or HIPAA
(discussed below). The State Privacy Laws have similar
exceptions.

The ADPPA imposes special requirements on Large Data Holders,
defined as a Covered Entity that has over $250 million in gross
annual revenue and processes the Covered Data of more than
5 million individuals, or the Sensitive Data of 200,000
individuals, annually. These thresholds do not include processing
personal email addresses, personal telephone numbers, or personal
login information that allows individuals to access their own
accounts with that Covered Entity. Among other requirements, Large
Data Holders are required to submit annual certifications of
compliance to the FTC, conduct audits and impact assessments of
their data processing activities, and implement a comprehensive
privacy program.

The ADPPA also imposes special requirements for Service
Providers and Third-Party Collecting Entities (i.e., data brokers).
A Third-Party Collecting Entity is a Covered Entity that derives
more than 50% of its annual revenue from processing Covered Data
that it did not collect directly, or that processes for revenue the
Covered Data of more than 5 million individuals that it did not
collect directly. Service Providers are exempt from the definition
of a Third-Party Collecting Entity. Third-Party Collecting Entities
must submit to a searchable, publicly available registry and
periodic audits of their data security practices by the FTC. The
ADPPA would also create a national “Do Not Collect” list,
through which individuals could opt out of allowing data brokers to
process their data.

Finally, Small Businesses are also subject to the ADPPA and must
comply with nearly all of its requirements (with minor exceptions).
Small Businesses under the ADPPA are Covered Entities that are
not data brokers, have less than $41 million in gross
annual revenue, and process the Covered Data of fewer than
200,000 individuals annually. This is a departure from the State
Privacy Laws, all of which completely exclude businesses that
process the data of fewer than 100,000 individuals annually (or 25,000
individuals for data brokers).[2] By contrast, the ADPPA
does not have a lower-limit threshold, and most of its provisions
would apply to even the smallest of businesses.

What Data Is Covered?

Covered Data means any “information that identifies or is
linked or reasonably linkable, alone or in combination with other
information, to an individual or a device that identifies or is
linked or reasonably linkable to an individual, and may include
derived data and unique persistent identifiers.” This broad
definition covers more than the privacy laws of Virginia, Colorado,
Utah and Connecticut, and is arguably broader than California’s
definition of personal data.

Like all State Privacy Laws, Covered Data under the ADPPA
excludes deidentified or publicly available data. But the
ADPPA’s definition of “publicly available” is broader
than any of the State Privacy Laws because it includes information
made lawfully available to the general public by governments,
widely distributed media or a publicly available website, and also
includes information available under federal, state or local law as
well as “a visual observation of an individual’s physical
presence in a public place by another person,” so long as the
observer does not use a recording device.

Like Virginia, Colorado, Utah and Connecticut, the ADPPA has an
exclusion for employee data. But while these states have blanket
exclusions for individuals acting in a commercial context, the
ADPPA’s employee data exclusion is more narrowly defined.
Generally, the ADPPA only excludes employee data when it is
processed by the employer
and only when it is processed
“solely for purposes related to such employee’s
professional activities on behalf of the employer” or in case
of an emergency.

The chart below shows key differences in the definition of
Covered Data between the ADPPA and State Privacy Laws.

[Chart: key differences in the definition of Covered Data between the ADPPA and the State Privacy Laws (image not reproduced)]

What Sensitive Data Requires Greater Protection?

The ADPPA’s definition of Sensitive Data varies widely from
State Privacy Laws. It also differs from the definition of
sensitive personal data found in Europe’s General Data
Protection Regulation.

All five State Privacy Laws grant heightened protection to
sensitive categories of data, including race or ethnicity,
citizenship, religion, health data, sexual orientation, genetic or
biometric data used to identify a person, and precise geolocation.
California, Virginia, Colorado and Connecticut also recognize
children’s personal data as sensitive. Additionally, California
classifies the following categories of data as sensitive: union
membership; Social Security number, driver’s license or
passport number; financial account number with related password or
security code; and the contents of mail, email or texts, unless the
Covered Entity is the intended recipient.

The ADPPA follows the State Privacy Laws by including race,
ethnicity, religion, health data, genetic data, biometric data,
precise geolocation and children’s data in the definition of
Sensitive Data. Like California, the ADPPA also includes union
membership and government identifiers such as a Social Security
number, driver’s license or passport number. Also like
California, the ADPPA includes financial account numbers, but it
adds to that definition any information about an individual’s
income level or bank balances. The ADPPA also exceeds
California’s definition of Sensitive Data by including login
credentials or security codes for any account or device.
California’s definition of Sensitive Data only covers login
information for financial accounts, and only when accompanied by
the account number.

While California protects the contents of mail, email or text
messages, the ADPPA would go further and protect all private
communications and any information pertaining to their
transmission, including phone numbers or addresses, times sent,
duration, recipients, and location information of all parties to
the communication. The ADPPA excludes communications from devices
provided by an employer, but only with “conspicuous”
prior notice to the employee.

The ADPPA does not recognize citizenship or immigration status
as Sensitive Data. But it does add the following categories as
Sensitive Data: skin color; intimate images or recordings; videos
requested from television, cable, satellite or streaming media
sources; and “calendar information, address book information,
phone or text logs, photos, audio recordings, or videos maintained
for private use by an individual.” These categories of viewing
preferences, intimate images and private messages, recordings and
contacts are new to the definition of sensitive data in U.S.
privacy laws. The ADPPA also includes as Sensitive Data any other
information processed for the purpose of identifying any of the
specially enumerated categories.

The chart below shows key differences in the definition of
Sensitive Data between the ADPPA and State Privacy Laws.

[Chart: key differences in the definition of Sensitive Data between the ADPPA and the State Privacy Laws (image not reproduced)]

How Does the ADPPA Treat Children’s Data?

The ADPPA defines children as anyone under 17, which is a
departure from existing U.S. privacy laws that apply to children
under 13 or 16 years of age. The ADPPA considers all children’s
data as Sensitive Data and expressly prohibits targeted advertising
to anyone that the Covered Entity “knows” is a child, or
any transfer of children’s data without the express affirmative
consent of the parent. The ADPPA imposes a tiered approach to
determine whether a Covered Entity knows an individual is a child:
for large social media companies, the standard is knew or should
have known; for Large Data Holders, the standard is knew or acted
in willful disregard; and for all others, the standard is actual
knowledge. The ADPPA also establishes a new Youth Privacy and
Marketing Division within the FTC that will oversee the privacy of
children and marketing directed at children.

What Rights Does the ADPPA Grant Individuals?

The ADPPA grants individuals the now-familiar privacy rights of
access, correction, deletion and portability, all of which are
found in the State Privacy Laws. The ADPPA also gives individuals
the right to opt out of transferring their data to third parties,
with some exceptions including for legal compliance, data security,
or transfers germane to the requested product or service. Only
California grants individuals a similar right to opt out of most
transfers of their data to third parties, with similar exceptions
as the ADPPA. All five State Privacy Laws allow individuals to opt
out of the sale of their data to third parties.

Right to Access: The ADPPA grants individuals
the right to download, in a human-readable and understandable
format, all of their data that the Covered Entity has collected for
the past two years; the names of third parties and categories of
Service Providers with whom their data was shared; and a
description of the purposes for such sharing.

Right to Correct: The ADPPA grants individuals
the right to correct any material inaccuracy or incomplete
information in their Covered Data and to instruct any third parties
or Service Providers to do the same.

Right to Delete: The ADPPA grants individuals
the right to ask Covered Entities to delete their Covered Data and
instruct any third parties or Service Providers to do the same.

Right to Portability: The ADPPA grants
individuals the right to export or download their Covered Data, in
both a human-readable format and a structured or machine-readable
format, either to themselves or directly to another entity.

Right to Individual Autonomy: The ADPPA’s
right to individual autonomy prohibits a Covered Entity from
attempting to influence the exercise of ADPPA rights through
fraudulent or misleading statements, or by designing a user
interface to impair an individual’s decision-making.

Right to Opt Out of Targeted Advertising: The
ADPPA grants individuals the right to opt out of targeted
advertising. The method to exercise this right must be at least as
easy as it was for the individual to opt in. Colorado, Virginia,
Utah and Connecticut also grant their residents this right.

Right to Withdraw Consent: The ADPPA grants
individuals the right to withdraw any affirmative express consent
previously given. The withdrawal must be as easy to execute as it
was for the individual to give consent in the first place.

How Quickly Must Covered Entities Comply With Individual Requests?

The ADPPA allows Large Data Holders 45 days to comply with an
individual’s exercise of most privacy rights. Small Businesses
have 90 days to respond. And Covered Entities that fall in between
the definitions of Large Data Holders and Small Businesses have 60
days. Each of these deadlines may be extended by an additional 45
days for good reason and with notice to the individual. By
comparison, all five State Privacy Laws give every entity 45 days
to respond (with less time in California for certain opt-out
requests), and each also gives a 45-day extension for good
cause.

What Entities and Data Are Exempt?

The ADPPA takes a hybrid approach to exemption based on the
types of data involved. The ADPPA sets forth requirements for both
a privacy program and cybersecurity standards. Covered Entities
that are subject to and compliant with the privacy program
requirements of GLBA, HIPAA, HI-TECH, FCRA, FERPA and the Social
Security Act are deemed compliant with the privacy program
requirements of the ADPPA. Covered Entities that are subject to and
compliant with the cybersecurity standards mandated by GLBA, HIPAA,
HI-TECH and the Social Security Act are deemed compliant with the
ADPPA’s cybersecurity standards. However, if a Covered Entity
also collects data outside the scope of these sectoral privacy
laws, it will also have to comply with the ADPPA regarding that
data.

What Are a Covered Entity’s Duties?

Similar to the State Privacy Laws, Covered Entities under the
ADPPA must abide by the duties of data minimization, loyalty,
privacy by design and nondiscrimination.

The Duty of Data Minimization requires Covered
Entities to limit their processing to data that is reasonably
necessary and proportionate to (1) provide or maintain a specific
product or service requested by the individual, (2) deliver a
communication that is reasonably anticipated by the individual
within the context of their interactions with the Covered Entity,
or (3) effect a specific permissible purpose.

The ADPPA identifies 17 specific permissible purposes for
processing Covered Data, including:

  1. To provide the requested good or service, including any
    associated routine administration

  2. To perform system maintenance, improve a product or service,
    manage inventory or repair errors, but only using data previously
    provided

  3. To authenticate users

  4. To fulfill a warranty

  5. To prevent, detect or respond to a security incident

  6. To prevent, detect, or respond to fraud, harassment or illegal
    activity

  7. To comply with laws or defend a legal claim

  8. To prevent harm where the Covered Entity believes in good faith
    that the individual is “at risk of death, serious physical
    injury, or other serious health risk”

  9. To effectuate a product recall

  10. To conduct public or peer-reviewed research that is in the
    public interest and complies with all related laws

  11. To deliver a communication that is not an advertisement if it
    is reasonably anticipated by the individual

  12. To deliver a communication, at the direction of an individual,
    between the individual and other individuals or entities

  13. To transfer assets in the event of a merger or acquisition, but
    only with notice to the individual and opportunity to withdraw
    previous consents

  14. To ensure the security and integrity of Covered Data

  15. To prevent or respond to a public safety incident

  16. To provide first-party marketing or advertising of products or
    services provided by the Covered Entity

  17. As otherwise complies with the ADPPA, including to process
    individual rights requests or provide targeted advertising, but
    only using data previously provided

The Duty of Loyalty imposes a number of
specific restrictions on data practices. Covered Entities may not
process Social Security numbers unless necessary to facilitate
credit extensions, enforce a contract between the parties or
prevent illegal activity. Covered Entities may not process any
Sensitive Data except where it is strictly necessary to provide the
requested product or service. Covered Entities are also prohibited
from processing an individual’s search or browsing history
without affirmative express consent, unless it is for the first 15
of the 17 specific permissible purposes listed above. Thus, Covered
Entities may not process an individual’s search or browsing
history for marketing or targeted advertising without affirmative
express consent. These are just a few examples of the processing
restrictions imposed by the ADPPA’s Duty of Loyalty.

The Duty of Privacy by Design requires Covered
Entities to implement policies to comply with laws, mitigate risks
to children, mitigate privacy risks stemming from their products or
services, and implement privacy training and safeguards in the
organization. In creating these policies, Covered Entities may
consider their size, the cost of implementation, the volume of
Covered Data they process, the sensitivity of that data and the
number of individuals involved.

The Duty of Pricing Loyalty prohibits Covered
Entities from discriminating against individuals for exercising
their rights under the ADPPA. All five State Privacy Laws have
similar nondiscrimination provisions.

What Must Covered Entities Include in Their Privacy Notices?

The ADPPA’s Duty of Loyalty also requires Covered Entities
and Service Providers to publish a public privacy policy describing
their processing activities. At minimum, these policies must
include the following:

  • The identity and contact information of the Covered Entity or
    Service Provider and any other entity under common branding with
    whom they share Covered Data

  • The categories of Covered Data that they process

  • The purposes for processing each category

  • The categories of Service Providers or other third parties with
    whom they share Covered Data and the purposes of such sharing for
    each category or recipient

  • The length of time they intend to retain each category of
    Covered Data or the criteria used to determine that length of
    time

  • A “prominent description” of how to exercise an
    individual’s rights under the ADPPA

  • A general description of their security practices

  • The effective date of the privacy policy

  • Whether they transfer or store any Covered Data in China,
    Russia, Iran or North Korea

If a Covered Entity makes material changes to its privacy
policy, it must notify each affected individual before making that
change and provide a reasonable opportunity for the individual to
withdraw prior consent. Large Data Holders must also provide a
short-form notice of their processing activities, limited to 500
words or less, and must keep a log of and publish every material
change to their privacy policies for 10 years following the
ADPPA’s enactment.

All State Privacy Laws similarly require a notice of processing
activities, including the categories of data processed, the
purposes for processing, the categories of data shared with third
parties and how to exercise consumer rights. Only California
requires notice of the length of time an entity keeps Covered Data.
The ADPPA’s requirements of a description of security practices
and whether any data is processed in China, Russia, Iran or North
Korea are new under U.S. privacy laws.

State Law Preemption

The ADPPA generally preempts all other laws that are
“covered by the provisions” of the ADPPA. But it also
lists 19 categories of state and federal laws that will remain in
effect, including:

  1. Consumer protection laws of general applicability, such as laws
    regulating deceptive, unfair or unconscionable practices

  2. Civil rights laws

  3. Education, employee and student privacy laws

  4. Separate data breach notification laws

  5. Contract or tort laws

  6. Criminal laws governing fraud, theft (including identity
    theft), unauthorized access to information or electronic devices or
    unauthorized use of information

  7. Criminal or civil laws regarding cyberstalking, cyberbullying,
    nonconsensual pornography or sexual harassment

  8. Public safety or sector-specific laws unrelated to privacy or
    security

  9. Laws that address public records and criminal justice
    information systems

  10. Laws that address financial records such as banking or credit
    reporting

  11. Laws that solely address facial recognition technologies,
    electronic surveillance or wiretapping

  12. Illinois’ Biometric Information Privacy Act and
    Genetic Information Privacy Act

  13. Laws to address unsolicited email or telephone spam

  14. Laws that address health information and medical records

  15. Laws that address using encryption for providing data
    security

  16. Laws that address the confidentiality of library records

  17. The private right of action granted by the California Consumer
    Privacy Act for certain types of data breaches, and the ability for
    the California Privacy Protection Agency to enforce the ADPPA

  18. All common law rights and remedies or statutory causes of
    action for civil relief, except that the fact of violating the
    ADPPA shall not be pleaded as an element of any such cause of
    action

  19. The Children’s Online Privacy Protection Act

Private Rights of Action

The ADPPA is enforceable by the FTC or state attorneys general,
and private rights of action are prohibited within the first two
years after enactment. After those two years, an individual must
first inform the FTC or their state attorney general of their
intent to bring a civil action under the ADPPA. The FTC and state
attorney general, jointly or severally, then have 60 days to
respond to the individual as to whether they will intervene in the
action. Additionally, the individual must give notice to the
Covered Entity and a 45-day window to cure the violation before
filing a complaint.

The ADPPA specifically preserves a private right of action under
California’s privacy law for data breaches of nonencrypted and
nonredacted personal information, as well as for breaches of an
email address in combination with a password, or a security
question and answer, in violation of a business’s duty to
maintain reasonable security procedures. Thus, it appears the ADPPA
would still allow California residents to bring a private right of
action for these particular breaches under California law, outside
of the restrictions placed on private rights of action under the
ADPPA.

Footnotes

[1] Unless noted, references to California privacy law in
this alert are to the California Privacy Rights Act of
2020.

[2] California’s privacy law also applies to any entity
with more than $25 million in gross revenue and all data
brokers.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.