Bi-Partisan U.S. Federal Privacy Bill Gains Momentum
July 1, 2022
Key highlights:
- Discussion of a federal privacy law has progressed to a bipartisan draft with traction in Congress
- The proposed act shows similarities to existing state and international legislation, but is a new model
- Consumer Data Rights include right to access, correction, deletion and portability with provisions for affirmative express consent and opt-outs
- The proposed act would preempt most existing U.S. consumer-focused privacy laws
- The proposed act provides for a new bureau within the Federal Trade Commission (FTC) to enforce the act with significant expectations for corporate accountability and increased requirements for large data holders
- Establishes a third-party registry and mechanism for individuals to opt out of further processing or collection
On Friday, June 3, 2022, Congress released a discussion draft of the American Data Privacy and Protection Act (ADPPA). Far from the first federal privacy bill, the bipartisan approach and compromises reflected in the draft have garnered attention at this stage.
Early analysis concludes the ADPPA is a new model for privacy law. While key concepts carry over, it is not a retread of the General Data Protection Regulation (GDPR), nor of the existing consumer-driven state laws in California, Connecticut, Colorado, Utah and Virginia.
Key Definitions
- Covered entity – “any entity or person that collects, processes, or transfers covered data” that is subject to the Federal Trade Commission Act or title II of the Communications Act of 1934, or that is “an organization not organized to carry on business for their own profit or that of their members.” There are exemptions for small businesses and data-level exemptions for entities already subject to sector laws such as GLBA, HIPAA and FERPA.
- Large data holder – a covered entity that, in the most recent calendar year:
  - had annual gross revenues of $250M or more, AND
  - collected, processed or transferred
    - the covered data of more than 5M individuals or devices, OR
    - the sensitive covered data of more than 100k individuals or devices, excluding cases where the threshold is met solely on account of processing personal email addresses, personal phone numbers or log-in information for an account administered by the covered entity
- Covered data – “information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers.” Exclusions include de-identified data, employee data and publicly available data.
- Sensitive covered data – the draft enumerates the following categories:
  - Government-issued identifiers – Social Security Number (SSN), passport number, driver’s license number
  - Health information – any information that describes or reveals the past, present or future physical health, mental health, disability, diagnosis or healthcare treatment of an individual
  - Financial information – account number, debit card number, credit card number, security or access code, password, credentials
  - Biometric information – data generated from the measurement, observation, tracking, collecting or processing of an individual’s biological, physical or physiological characteristics
  - Genetic information – data that concerns an individual’s genetic characteristics (DNA, genotypes and phenotypes)
  - Geolocation information – past or present actual physical location of an individual or device that identifies or is linked to an individual
  - Private communications – voicemails, emails, texts, direct messages or mail, or information identifying the parties to such communications (telephone bills, voice communications, transmission of voice communications)
  - Account or device log-in credentials
  - Sensitive information – race, ethnicity, national origin, religion, union membership or non-union status
  - Sexual orientation – information identifying the sexual orientation or sexual behavior of an individual
  - Online activity – information identifying an individual’s online activities over time or across third-party websites or online services
  - Private information on a device – calendar information, address book, phone or text logs, photos, audio recordings or videos
  - Private images – photographs, film, video recordings, or other media that show the naked or undergarment-clad private area of an individual
  - Viewing habits – information identifying or revealing the extent or content of any individual’s access to, viewing of or other use of any television, cable or streaming media service
  - Underage information – information of an individual under the age of 17

The draft act has four titles: Duty of Loyalty; Consumer Data Rights; Corporate Accountability; and Enforcement, Applicability and Miscellaneous.
Under Title I – Duty of Loyalty, the draft outlines expectations for the principles of data minimization, restrictions on processing (loyalty duties), privacy by design and loyalty to individuals with respect to pricing.
Title II – Consumer Data Rights provides for:
- Access
  - Data in human-readable format
  - Name of each party to whom the data has been transferred
  - Purpose of each transfer
  - Description of data no longer in the covered entity’s possession
- Correction
  - Inaccuracies
  - Incomplete information
  - Notification of third parties about the correction
- Deletion
  - Deletion of data processed by the covered entity
  - Deletion of data that has been transferred to a third party
- Portability
  - Without licensing restrictions
  - Human-readable format
  - Downloadable from the internet
  - Portable, structured, interoperable and machine-readable
- Consent and Object
  - The individual must provide affirmative express consent for collection, processing or transfer of sensitive covered data
  - Consent may be withdrawn in an easy-to-execute manner
- Opt-outs
  - Data transfers
  - Targeted advertising
  - Prohibition on targeted advertising to individuals under the age of 17
  - Consent for data transfer is required from the individual, or from a parent or guardian, if the individual is between 13 and 17 years of age
Title III – Corporate Accountability – under this title, entities that qualify as large data holders are subject to broader requirements intended to ensure compliance and increase transparency:
- Annual certification of compliance with the act by the chief executive officer, privacy officer and security officer, supported by internal controls and reporting structures that keep the certifying officers involved in, and responsible for, decisions that affect compliance
- Biennial privacy impact assessments that weigh the benefits of the large data holder’s covered data collecting, processing and transfer practices against the potential adverse consequences to individual privacy
- Technical compliance programs specific to any technology, product, service or method used by a covered entity to collect, process or transfer covered data, evaluated through a process determined by the Commission, with the details made publicly available to any individual whose covered data is subject to those technologies
Finally, Title IV outlines Enforcement, Applicability and Miscellaneous provisions. Highlights include:
- The FTC will establish a new bureau concerning consumer protection and competition to enforce the act no later than one year after enactment
- An Office of Business Mentorship shall be established with the bureau to provide compliance guidance
- Establishment of a “Victims Relief Fund”
- Enforcement by state attorneys general
- Private right of action
- Right to Cure (45 days)
The ADPPA would preempt state privacy laws, with the exception of the Illinois Biometric Information Privacy Act and Genetic Information Privacy Act, Section 1798.150 of the California Civil Code (the data security provisions of the CPRA) and other state laws that solely address facial recognition, unsolicited marketing, health information and/or the confidentiality of library records. The proposal also does not change a covered entity’s obligations under the Children’s Online Privacy Protection Act of 1998 (COPPA).
What Comes Next?
The bill will progress according to the standard congressional process. Because debate and amendments to the current draft are all but certain, it is unlikely the bill will pass before the end of the current congressional session. Whether through this bill or another, a federal privacy law would eventually unite the patchwork of U.S. privacy legislation under a cohesive, comprehensive consumer data protection law.
How to Prepare?
As federal and state privacy legislation continues to be debated, there are several steps companies can take to position themselves well for the future:
- Monitor and assess privacy practices against current and forthcoming state laws – the clock is already ticking for California, Virginia, Colorado, Utah and Connecticut. Ensure your company is in compliance as each enforcement date arrives
- Incorporate industry best practices – assess your company’s readiness against the common threads running through U.S. and international privacy laws. Supporting the individual’s (data subject’s) privacy rights, performing impact assessments, applying privacy principles (such as purpose limitation, data minimization and accountability) and implementing Privacy by Design will put your company in a strong position to respond as more individuals exercise data privacy rights and protections
- Start small – no privacy function or program in place yet? That’s okay. There are steps to take at any point in your company’s privacy journey to increase and right-size protections for the individuals whose data you collect, and to prepare for the next evolution of legislation – whether at the state, sector or federal level
If you have questions about this draft legislation and how it might affect your organization, please drop us a line.
Optiv Security: Secure greatness.®