American Data Privacy and Protection Act

This article or section is in a state of significant expansion or restructuring. You are welcome to assist in its construction by editing it as well. If this article or section has not been edited in several days, please remove this template. If you are the editor who added this template and you are actively editing, please be sure to replace this template with {{in use}} during the active editing session. Click on the link for template parameters to use. This article was last edited by Czar (talk | contribs) 2 years ago. (Update timer)

American Data Privacy and Protection Act

Long title	An act to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement
Acronyms (colloquial)	ADPPA
Legislative history
Introduced in the House as H.R. 8152 by Frank Pallone D‑NJ on June 21, 2022 Committee consideration by House Energy and Commerce

American Data Privacy and Protection Act (ADPPA) is a United States proposed federal privacy bill that would regulate how organizations keep and use consumer data. The bipartisan, bicameral bill is the first American consumer privacy bill to pass committee markup, which it did with near unanimity.

The American Data Privacy and Protection Act (ADPPA) would regulate how organizations keep and use consumer data. The Act has several main principles: data minimization, individual ownership, and private right of action. The burden of evaluating each organization's programs would fall to the organization.^[1]

Data collectors would have to minimize the data they collect down to that which is "necessary, proportionate, and limited to" their purpose, whether administering a product or communicating. The bill would give the Federal Trade Commission a year to define those terms. Data minimization is a common principle among other privacy laws but would affect business functions beyond compliance operations. ADPPA would also specifically limit transfer and some processing of Social Security numbers, precise geolocation, biometric and genetic data, passwords, browsing history, and physical activity tracking.^[1]

Individuals would have the right to know how their personal data will be used and which third parties receive it. They would have the right to correct and download their user data. Organizations would have up to 90 days to process these requests, depending on the organization's size. Individuals would also have the right to take legal action against organizations in violation of the Act for four years after its execution after first giving their state Attorney General and Federal Trade Commission 60 days' notice to respond.^[1]

Designated "large data holders"—with adjusted gross revenue over $250 million in the last calendar year and processing either five million personal records or 100,000 sensitive individual records—would be subject to additional controls. These organizations would have to designate a corporate officer for administering data policy, training employees, keeping records, and communicating with the government. Large data holders' highest ranking corporate officers and data security officers would have to certify reasonable compliance with the Federal Trade Commission. Large data holders would need to provide a privacy impact assment of their controls and risk to users every two years.^[1]

"Small data holders", on the other hand, would be exempt from some requirements. Defined as organizations with adjusted gross revenue below $41 million over the past three calendar years, that process data for fewer than 100,000 individuals annually, and whose business does not primarily rely on transferring data, small data holders could delete records rather than processing corrective requests and would be exempt from many requirements apart from the user right to delete data no longer in use.^[1]

Third-party data collectors, whose primary business revenue comes from user data collected for another platform's use, would also be subject to specific rules, such as displaying a notice about data collected on behalf of another organization, allowing for data audits, and populating a registry for such data collectors.^[1]

As the first federal user data privacy legislation, ADPPA would largely supersede state laws like the California Consumer Privacy Act and Colorado Privacy Act, though carve-out state provisions about biometric data and data breaches would be protected. The federal bill would include nonprofit organizations whereas many state privacy laws do not, though nonprofits would largely fall under the "small data holder" exemptions.^[1]

By July 2022, the bicameral bill had bipartisan support and had included bipartisan concessions that had restricted prior attempts at a bipartisan privacy bill. While Consumer Reports and the Electronic Privacy Information Center both showed optimism towards the bill, several democratic senators still opposed the bill. It became the first American consumer privacy bill to pass committee markup, which it did with near unanimity.^[2]

The 2022 overturning of Roe v. Wade led to increased interest in a federal privacy bill, with concern over how unmitigated tracking by data brokers and app developers, such as user visits to abortion clinics or period app usage, could be used to target users in places where criminalization of abortion. ADPPA would protect health privacy and not directly address Roe.^[2]

Other privacy-related bills during ADPPA's advancement have included Elizabeth Warren's Health and Location Data Protection Act, Suzan DelBene's Information Transparency and Personal Data Control Act, and Sara Jacobs's My Body, My Data Act. In the absence of federal legislation, states laws have included California's Consumer Privacy Act and Privacy Rights Acts, Illinois's Biometric Information Privacy Act, and Vermont's Data Broker Act.^[2]