Tuesday, July 12, 2022

House Committee Takes Aim at National Privacy Framework

The American Data Privacy and Protection Act (ADPPA) has weaved through the halls of Capitol Hill, and its pending national privacy framework has substantial security implications for businesses and end users.

The House Energy and Commerce Committee introduced the bill on June 21. It was drafted to create a comprehensive federal consumer privacy framework. Simply put, it would govern how companies across different industries treat consumer data.

“[We are] in an age where Americans have lost control of their data and online tracking is out of control,” wrote Caitriona Fitzgerald, Electronic Privacy Information Center (EPIC) Deputy Director, in a blog tied to the bill. The legislation would provide multiple data access and opt-out rights for Americans, and would “provide enforcement by the Federal Trade Commission (FTC), state attorneys general, and in some cases individuals,” according to EPIC.

In light of past legislation, the bill compromises on two issues that have halted previous attempts to create a national privacy law: whether to preempt state privacy laws, and whether to create a private right of action.

ADPPA would “generally preempt any state laws that are covered by the provisions of the ADPPA or its regulations,” according to the Congressional Research Service. In apparent contradiction, the bill would preserve 16 categories of state laws and favor specific state laws in Illinois and California.

“The preemption provision of state privacy laws seems to be confusing and inconsistent,” commented Adam Marrè, CISO at security firm Arctic Wolf, via email.
“For example, federal law should not weaken privacy protections enacted into laws in individual states.”

While the bill is a nod toward national privacy law, its language remains vague in some areas, most notably the preemption provision noted above, the duties of loyalty, and the company-size-based reliefs. The “Duties of Loyalty” provision ambiguously refers to obligations for organizations on how they process personal data. Although the bill’s definition of the term “defines several specific prohibited data practices … [it] does not broadly prohibit providers from acting in ways that could harm individuals,” according to the Congressional Research Service.

“A few areas that seem ill-defined or seem to conflict with other definitions include the mentions of ‘Duty of Loyalty,’” wrote Marrè. “For this type of proposed legislation, we must be specific and direct in order to ensure accountability from all parties.”

ADPPA would relieve small- and medium-sized businesses from several requirements. The act defines small- and medium-sized businesses as those that have annual revenue of less than $41 million, do not collect or process the data of more than 100,000 individuals, and do not derive more than 50% of their revenue from transferring information. Unlike larger enterprises, these businesses have the ability to delete data at a consumer’s request, rather than correcting it. Critics of ADPPA have noted that privacy rules should apply the same to all organizations, regardless of size.

“Using the size of companies as a guide for when provisions of the bill take effect is not a productive form of measurement,” Marrè wrote. “The sensitivity of private information does not change with the size of the company, nor does size or revenue reflect the type or sensitivity of data sets used by a company.”

The bill would additionally relieve small- and medium-sized companies from legal liabilities imposed on larger companies.
While all companies could be brought to federal courts, injured individuals would be required to give small- or medium-sized businesses an opportunity to address a violation, according to the Congressional Research Service. Larger organizations would not have this leniency.

The bill also addresses data protections for those under 18 years old, such as prohibiting targeted advertising, which would be enforced under a new Youth Privacy and Marketing Division at the FTC.

The Congressional Research Service noted that members at the ADPPA’s draft markup questioned whether youth protection should be redressed and strengthened.

Congressional critics have panned the bill’s major enforcement roles and failure to specify several provisions. Notably, Senate Commerce Committee Chair Maria Cantwell, who has questioned the bill’s legitimacy, plans to introduce her own competing privacy legislation dubbed the Consumer Online Privacy Rights Act (COPRA).

ADPPA is awaiting Energy and Commerce Committee approval. If approved, it could receive consideration from the House of Representatives.

“Although the potential bill doesn’t fully succeed in unifying the patchwork of individual state privacy laws under one cohesive structure and further specifies and protects the privacy rights of all citizens, this is a good start for common ground legislation that protects the privacy of all Americans,” Marrè added. “It is far better than continuing to do nothing at the federal level on privacy.”
