Bi-Partisan U.S. Federal Privacy Bill Gains Momentum

July 1, 2022

Key highlights:

 

  • Discussion of a federal privacy law has progressed to a bipartisan draft with traction in Congress
  • The proposed act shows similarities to existing state and international legislation, but is a new model
  • Consumer Data Rights include right to access, correction, deletion and portability with provisions for affirmative express consent and opt-outs
  • The proposed act would preempt most existing U.S. consumer-focused privacy laws
  • The proposed act provides for a new bureau within the Federal Trade Commission (FTC) to enforce the act with significant expectations for corporate accountability and increased requirements for large data holders
  • Establishes a third-party registry and mechanism for individuals to opt out of further processing or collection

 


 

On Friday, June 3, 2022, Congress released a discussion draft of the American Data Privacy and Protection Act (ADPPA). Far from the first federal privacy bill, the bipartisan approach and compromises reflected in the draft have garnered attention at this stage.

 

arly analysis concludes the ADPPA is a new model for privacy law. While key concepts carryover, it’s not a retread of General Data Protection Regulation (GDPR), nor existing consumer-driven state laws from California, Connecticut, Colorado, Utah and Virginia.

 

 

Key Definitions

 

  • Covered entity – “any entity or person that collects, processes, or transfers covered data” and subject to the Federal Trade Commission Act, title II of the Communications Act of 1934, or “an organization not organized to carry on business for their own profit or that of their members.” There are exemptions for small businesses and data-level exemptions for entities subject to GLBA, HIPAA, FERPA, etc.
  • Large data holder – a covered entity that, in the most recent calendar year:
    1. had annual gross revenues of $250M or more, AND
    2. collected, processed or transferred
      1. the covered data of >5M individuals or devices OR
      2. the sensitive covered data of >100k individuals or devices, excluding where the qualification is based solely on account of processing personal email addresses, personal phone numbers or log-in information of an individual to an account administered by the covered entity
  • Covered data – “information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers.” Exclusions include de-identified data, employee data and publicly available data.
  • Sensitive covered data – (see below)

 

  • Government-issued identifiers
    Social Security Number (SSN), passport number, driver’s license number
  • Health information
    Any information that describes or reveals the past, present or future physical health, mental health, disability, diagnosis or healthcare treatment of an individual
  • Financial information
    Account number, debit card number, credit card number, security or access code, password, credentials
  • Biometric information
    Data generated from the measurement, observation, tracking, collecting or processing of an individual’s biological, physical or physiological characteristics
  • Genetic information
    Data that concerns an individual’s genetic characteristics (DNA, geno- and pheno-types
  • Geolocation information
    Past or present actual physical location of an individual or device that identifies or is linked to an individual
  • Privacy communications
    Voicemails, emails, texts, direct messages or mail, or information identifying parties to such communications (telephone bills, voice communications, transmission of voice communications)
  • Account or device log-in credentials
  • Sensitive information
    Race, ethnicity, national origin, religion, union membership or non-union status
  • Sexual orientation
    Information identifying the sexual orientation or sexual behavior of an individual
  • Online activity
    Information identifying an individual’s online activities over time or across third-party websites or online services
  • Private information on a device
    Calendar information, address book, phone or text logs, photos, audio recordings or videos
  • Private images
    Photographs, film, video recording, or other medium that shows the naked or undergarment-clad private area of an individual
  • Viewing habits
    Information identifying or revealing the extent or content of any individual’s access or viewing or other use of any television, cable or streaming media service
  • Underage information
    Information of an individual under the age of 17
sensitive-covered-data-01.jpg

There are four titles to the draft act: Duty of Loyalty, Consumer Data Rights, Corporate Accountability and Enforcement, Applicability, and Miscellaneous.

 

Under Title I – Duty of Loyalty, the draft outlines expectations for the principles of data minimization, restrictions on processing (loyalty duties), privacy by design and loyalty to individuals with respect to pricing.

 

Title II – Consumer Data Rights provides for:

 

  • Access

    • Data in human-readable format
    • Name party’s data is transferred to
    • Purpose of transfer
    • Description of data no longer in possession

     

    Correction

    • Inaccuracies
    • Incomplete information
    • Notify third parties of correction

     

    Deletion

    • Delete data processed by covered entity
    • Delete data that has been transferred to a third party

     

    Portability

    • Without licensing restrictions
    • Human-readable format
    • Download from internet
    • Portable, structured, interoperable and machine-readable

     

    Consent and Object

    • Individual must provide affirmative express consent for collection, processing or transfer of sensitive covered data
    • Consent may be withdrawn in an easy to execute manner

     

    Opt-outs

    • Data transfers
    • Targeted advertising
Image
data-subject-rights.jpg

  • Data protections for children and minors:

      • Prohibition on targeted advertising to individuals under the age of 17
      • Consent for data transfer required from the individual or a parent or guardian if the individual is between 13 and 17 years of age

  • The draft act places additional requirements on third parties that collect individuals’ data and provides for a third-party collecting entity registry. The registry will be maintained by the FTC and contain all registered entities with their name, contact information, description of categories of data the entity processes and transfers, plus a link to their website where an individual may easily exercise their rights provided by the act. In addition, there is a proposed “do not collect” link to allow individuals to submit a request to all registered third-party collecting entities to delete the individual’s data and opt-out of future collection with consent
  •  

    Title III – Corporate Accountability – under this section, entities considered large data holders will be subject to broader requirements intended to ensure compliance and increase transparency:

     

    • Annually attest compliance with the act by the chief executive officer, privacy officer and security officer, ensuring internal controls and reporting structures that certifying officers are involved in, and responsible for, decisions impacting compliance
    • Biennial Privacy Impact Assessments must be conducted to weigh the benefits of the large data holder’s covered data collecting, processing and transfer practices against potential adverse consequences to individual privacy
    • Technical compliance programs specific to any technology, product, service or method used by a covered entity to collect, process or transfer covered data shall be evaluated through a process determined by the commission, the details of which shall be made publicly available to any individual whose covered data is subject to the solutions

     

    Finally, Title IV outlines Enforcement, Applicability and Miscellaneous provisions. Highlights include:

     

    • The FTC will establish a new bureau concerning consumer protection and competition to enforce the act no later than one year after enactment
    • An Office of Business Mentorship shall be established with the bureau to provide compliance guidance
    • Establishment of a “Victims Relief Fund”
    • Enforcement by state attorneys general
    • Private right of action
    • Right to Cure (45 days)

     

    The ADPPA shall preempt state privacy laws with the exception of the Illinois Biometric Information Privacy Act and Genetic Information Privacy Act, Section 1798.150 of the California Civil Code (security provisions of CPRA) and other laws that solely address facial recognition, unsolicited marketing, health information and/or confidentiality of library records. Nor does the proposal change obligations of a covered entity under the Children’s Privacy Protection Act of 1998 (COPPA).

     

     

    What Comes Next?

    The bill will progress according to standard congressional process. As there’s sure to be debate and edits to the current draft, it’s unlikely the bill will pass before the end of the current congressional session. Whether this bill or another, a federal privacy law will eventually unite the patchwork of U.S. privacy legislation under a cohesive, comprehensive consumer data protection law.

     

     

    How to Prepare?

    As federal and state privacy legislation continues to be debated, there are several steps companies can take to position themselves well for the future:

     

    • Monitor and assess privacy practices against current and forthcoming state laws – the clock is already ticking for California, Virginia, Colorado, Utah and Connecticut. Ensure your company is in compliance as the enforcement dates come to pass
    • Incorporate industry best practices – assess your company’s readiness against common threads across U.S. and international privacy laws. Support for the individual’s (data subject’s) privacy rights, impact assessments and applying privacy principles (such as purpose limitation, data minimization and accountability), as well as implementing Privacy by Design, will put your company in a strong position to respond as more individuals realize data privacy rights and protections
    • Start small – don’t have a privacy function or program in place? It’s okay. There are steps to take at any point in your company’s privacy journey to increase and right-size privacy protections for the individuals whose data you collect to prepare for the next evolution of legislation – whether that be at the state, sector or federal level

     

    If you have questions about this draft legislation and how it might affect your organization, please drop us a line.

    Spencer Kindt
    Senior Manager, Data Governance, Privacy and Protection | Optiv
    Spencer specializes in helping organizations design, implement, optimize, assess and operate privacy and data governance programs. He ensures organizations properly handle high-risk data while unlocking the high value associated with it. He also has experience helping clients prepare for and address privacy regulations (e.g., GDPR, CCPA, CPRA, LGPD, HIPAA). Spencer has experience providing customized services to organizations ranging from the global Fortune 500 to smaller, privately-owned organizations across a variety of industries.

    Optiv Security: Secure greatness.™

    Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.