A Review of the New Federal American Privacy Bill

Personal data protection has become an increasingly important topic worldwide. Proof of this is that more than 70% of countries around the world1 have already passed some data protection legislation, creating rules and obligations for companies that process personal data. In addition, technological advances and key learnings over the years have led many countries to update and/or improve their legislation. In the U.S. a draft of a new federal privacy bill, called the American Data Privacy and Protection Act (ADPPA) was introduced in June 2022, and aims, to harmonize and improve data protection legislation at the federal level of government.

At Incognia, ensuring privacy of user data is paramount. In addition to employing  the principles of privacy by design when developing our solutions, our Privacy Team is continuously monitoring developments in privacy laws around the globe in order to adapt procedures when necessary to maintain compliance. 

Considering that privacy is core to Incognia’s mission and values, and that Incognia now operates in more than 20 countries around the world, including the U.S, the Privacy Team at Incognia prepared a summary of some notable provisions regarding this new American Bill. 

Currently, U.S data protection legislation is a patchwork of state privacy laws (California, Virginia, Utah, Colorado and Connecticut) and sector-specific regulations such as HIPPA and COPPA, which can burden organizations and confuse users, as well as inevitably raise compliance costs for businesses.

With the goal of reducing fragmentation in the U.S. data privacy legislation and bringing greater harmony to the regulatory landscape, in June 2022, U.S. House and Senate leaders released a bipartisan and bicameral discussion draft of a comprehensive data privacy bill, the ADPPA - (referred to in this text  as ADPPA, Act or Bill).

Legislators have been attempting to pass a national privacy law for a long time, without success. This bill, however, has a better chance of succeeding as it is the first federal privacy initiative founded on bipartisan agreement between Democrats and Republicans. 

On July, 20, 2022 the authors of the proposed bill released an amended version (amended HR 8152), on the same date that the bill was given the green light by the House Energy and Commerce Committee in a 53 x 2 vote (two California Democrats, Anna Eshoo and Nanette Barragán, voted against it, objecting that it overrides their state law). It marks the first time a federal consumer privacy bill has made it out of committee, a historic feat. The Bill will now be submitted to the U.S. House of Representatives. 

If enacted, the federal law would go into effect 180 days after enactment - a short timeframe as compared to the U.S. state privacy laws and other privacy laws around the world, e.g GDPR (Union European) and LGPD (Brazil) - and would preempt state privacy legislation, with some  exceptions. For example, if passed, the ADPPA’s provisions would not preempt several key components of the California Privacy Rights Act (CPRA) and laws that solely address facial recognition or facial recognition technologies. 

Besides the federal preemptions, the ADPPA addresses other important aspects regarding rights, obligations and enforcement. See below some highlights about the Bill, including considerations from the amended version from July, 20, 2022:

Rights: Similar to recently enacted state privacy laws, the ADPPA provides individuals with rights including access, correction, deletions and portability of their data;

Large Data Holders: There are additional requirements for large data holders such as certification responsibilities, the designation of a data privacy and data security officer, and the creation of privacy impact assessments. Large data holders are covered entities that have annual gross revenue of $250,000,000 or more and either collect, process, or transfer the covered data of 5,000,000 individuals or devices, or the sensitive covered data of 100,000 individuals or devices.  

Annual algorithmic impact assessments: Not later than 2 years after the date of enactment of the Act, and annually thereafter, a large data holder that uses a covered algorithm in a manner that poses a consequential risk of harm to an individual or group of individuals, and uses such covered algorithm solely or in part, to collect, process, or transfer covered data shall conduct an impact assessment of such algorithm and submit it to the FTC (Federal Trade Commission).

Sensitive Data: It will be necessary to obtain express and affirmative consent to process sensitive data.

Precise geolocation data: Precise geolocation is considered sensitive data according to ADPPA. The arguments used in the Act to frame location data as sensitive are related to tracking people and the possibility of inferring sensitive data from location (such as churches, hospitals, etc.). Currently there are no details on exceptions, such as processing of geolocation data without tracking people, or without making inferences based on sensitive personal data of the users. In this context, the kind of geolocation data processing done by Incognia would not have the characteristics that justify the classification of geolocation data as sensitive data. Europe has adopted this understanding and there is the expectation that the U.S regulates this topic with more details, in order to provide exceptions.

FTC: The FTC would be entrusted with ADPPA’s enforcement. The FTC will pick up some new obligations as well, like maintaining a register of data brokers. They will  conduct a study to determine the feasibility of the creation of a unified opt-out mechanism and, in positive cases, the FTC must promote regulations establishing such mechanisms for covered entities. 

California Agency: California Privacy Protection Agency may enforce the ADPPA, in the same manner, it would otherwise enforce the California Consumer Privacy Act (CCPA).

Private Right of Action (PRA): Starting two years after the date the Act takes effect (the prior version before the amendment provided four years instead of two), people or classes of people, may generally bring a civil action in federal court seeking compensatory damages, injunctive relief, declaratory relief, and reasonable attorney’s fees and litigation costs for violations of the Act. 

Privacy Policy: The covered entities will have to provide individuals with privacy policies detailing their data processing in a clear and understandable manner. The Privacy Policy must also disclose as to whether individuals’ data is made available to China, Russia, Iran, or North Korea.

Congress breaks for its August recess and then heads into the midterms, which means that there is little time left in the Congressional calendar to come to an agreement on the Act. In addition, the controversial provisions, especially  the preemption of state laws can impact the approval of this Bill. 

If it is not approved in this legislative session, a version of this bill could be reintroduced in the next legislative session. While the prospects for enactment remain uncertain, this Bill represents the most concrete effort to date to pass a national privacy law in the United States. 

You can read the press release here, the amended HR 8152 here, and track its progress here.

Incognia is following the evolution of the American privacy discussions and the development of this bill to anticipate issues and to be prepared to adapt our processes to be compliant to the potential new legislation. At the same time, we continue to review and refine Incognia’s privacy compliance program based on existing laws.