| Long title | An act to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement |
|---|---|
| Acronyms (colloquial) | ADPPA |
The American Data Privacy and Protection Act (ADPPA) was a United States proposed federal online privacy bill that, if enacted into law, would have regulated how organizations keep and use consumer data. The bipartisan, bicameral bill was the first American consumer privacy bill to pass committee markup, which it did with near unanimity.
The American Data Privacy and Protection Act (ADPPA) aimed to regulate how organizations keep and use consumer data. The Act had several main principles: data minimization, individual ownership, and private right of action. The burden of evaluating each organization's programs would fall to the organization. [1]
Data collectors would have had to minimize the data they collected down to that which was "necessary, proportionate, and limited to" their purpose, whether administering a product or communicating. The bill would have given the Federal Trade Commission a year to define those terms. Data minimization is a common principle among other privacy laws, but the ADPPA would have affected business functions beyond compliance operations. ADPPA would also have specifically limited transfer and some processing of Social Security numbers, precise geolocation, biometric and genetic data, passwords, browsing history, and physical activity tracking. [1]
Individuals would have had the right under ADPPA to know how their personal data was to be used and which third parties would have received it. They would have had the right to correct and download their user data. Organizations would have had up to 90 days to process these requests, depending on the organization's size. Individuals would also have had the right to take legal action against organizations in violation of the Act for four years after its execution after first giving their state Attorney General and Federal Trade Commission 60 days' notice to respond. [1]
Designated "large data holders"—with adjusted gross revenue over $250 million in the last calendar year and processing either five million personal records or 100,000 sensitive individual records—would have been subject to additional controls. These organizations would have been required to designate a corporate officer for administering data policy, training employees, keeping records, and communicating with the government. Large data holders' highest ranking corporate officers and data security officers would have had to certify reasonable compliance with the Federal Trade Commission. Large data holders would have needed to provide a privacy impact assessment of their controls and risk to users every two years. [1]
"Small data holders", on the other hand, would have been exempt from some requirements. Defined as organizations with adjusted gross revenue below $41 million over the past three calendar years, that process data for fewer than 100,000 individuals annually, and whose business does not primarily rely on transferring data, small data holders could delete records rather than processing corrective requests and would be exempt from many requirements apart from the user right to delete data no longer in use. [1]
Third-party data collectors, whose primary business revenue comes from user data collected for another platform's use, would also have been subject to specific rules, such as displaying a notice about data collected on behalf of another organization, allowing for data audits, and populating a registry for such data collectors. [1]
As the first federal user data privacy legislation, ADPPA would have largely superseded state laws like the California Consumer Privacy Act and Colorado Privacy Act, though carve-out state provisions about biometric data and data breaches would have been protected. The federal bill would have included nonprofit organizations (whereas many state privacy laws do not), though nonprofits would largely fall under the "small data holder" exemptions. [1]
There is no federal law governing online privacy in the United States. [2] In July 2022, the American Data Privacy and Protection Act (ADPPA) became the first federal online privacy bill to pass committee, the House Energy and Commerce Committee, and did so with near unanimity. [2] [3] Sponsored by the committee chair Frank Pallone, [2] the bicameral bill had bipartisan support and included bipartisan concessions on the issues that had held back prior attempts at a bipartisan privacy bill. [3] The bill was additionally led by House Representative Cathy McMorris Rodgers and, in the other legislative chamber, Senator Roger Wicker. [4] While Consumer Reports and the Electronic Privacy Information Center both showed optimism towards the bill, several Democratic senators opposed the bill because it might nullify stronger protections in several state laws. [3]
Though the bill had bipartisan support as it advanced to the House floor, it faced opposition from California lawmakers, the chair of the Senate Commerce Committee Maria Cantwell, and big tech companies. [2]
As the chair of the Senate committee responsible for data privacy, Maria Cantwell was the gatekeeper for any such bill to reach the Senate floor. Cantwell, who had her own online privacy bill in draft, had similarly declined another bipartisan online privacy bill proposed by Senators Richard Blumenthal and Marsha Blackburn earlier in the year. Her primary concern with ADPPA was its enforcement provisions. Cantwell's own draft bill had been grappling with a provision that would restrict consumers from bringing class-action lawsuits against companies that had harmed them. [4]
The 2022 overruling of Roe v. Wade led to increased interest in a federal privacy bill, with concern over how unmitigated tracking by data brokers and app developers, such as user visits to abortion clinics or period app usage, could be used to target users in states where abortion is criminalized. ADPPA would have protected health privacy but would not have directly addressed Roe. [3]
Internet safety and missing persons advocate Alicia Kozakiewicz—herself a victim of an Internet abduction in 2002—expressed concern about the ADPPA's effect on law enforcement efforts to quickly investigate and solve child abduction cases. Although she supported the majority of the provisions in the bill, Kozakiewicz worried that "If the current version of the American Data Privacy and Protection Act had been in place when [she] was held captive, it may have been nearly impossible for law enforcement to find [her] and identify [her] captor as quickly as it did, if at all." [5]
Other privacy-related bills during ADPPA's advancement included Elizabeth Warren's Health and Location Data Protection Act, Suzan DelBene's Information Transparency and Personal Data Control Act, and Sara Jacobs's My Body, My Data Act. In the absence of federal legislation, state laws have included California's Consumer Privacy Act and Privacy Rights Acts, Illinois's Biometric Information Privacy Act, and Vermont's Data Broker Act. [3]
Action on the ADPPA had not been completed prior to the adjournment of the 117th Congress on January 3, 2023. [6]
The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is an act of the 106th United States Congress (1999–2001). It repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies, and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. With the passage of the Gramm–Leach–Bliley Act, commercial banks, investment banks, securities firms, and insurance companies were allowed to consolidate. Furthermore, it failed to give to the SEC or any other financial regulatory agency the authority to regulate large investment bank holding companies. The legislation was signed into law by President Bill Clinton.
Consumer privacy is information privacy as it relates to the consumers of products and services.
The Electronic Privacy Information Center (EPIC) is an independent nonprofit research center established in 1994 to protect privacy, freedom of expression, and democratic values in the information age. Based in Washington, D.C., its mission is to "secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation." EPIC believes that privacy is a fundamental right, that the internet belongs to the people who use it, and that there is a responsible way to use technology.
Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.
Maria Ellen Cantwell is an American politician and former businesswoman serving as the junior United States senator from Washington since 2001. A member of the Democratic Party, she served in the Washington House of Representatives from 1987 to 1993, and in the United States House of Representatives from Washington's 1st congressional district from 1993 to 1995.
Clifford Bundy Stearns Sr. is an American businessman and politician who was the U.S. representative for Florida's 6th congressional district from 1989 to 2013. He is a member of the Republican Party.
Center for Democracy & Technology (CDT) is a Washington, D.C.-based 501(c)(3) nonprofit organisation that advocates for digital rights and freedom of expression. CDT seeks to promote legislation that enables individuals to use the internet for well-intentioned purposes while reducing its potential for harm. It advocates for transparency, accountability, and limiting the collection of personal information.
A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, including but not limited to the person's name, address, date of birth, marital status, contact information, ID issue and expiry dates, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases the personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.
Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using their data. This usually includes the right to learn which data is stored and for what purpose, and to request deletion once that purpose no longer applies.
Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.
The Personal Data Privacy and Security Act of 2009 was a bill proposed in the United States Congress to increase protection of personally identifiable information by private companies and government agencies, set guidelines and restrictions on personal data sharing by data brokers, and enhance criminal penalties for identity theft and other violations of data privacy and security. The bill was sponsored in the United States Senate by Patrick Leahy (Democrat-Vermont), where it is known as S.1490.
The Protecting Children from Internet Pornographers Act of 2011 was a United States bill designed with the stated intention of increasing enforcement of laws related to the prosecution of child pornography and child sexual exploitation offenses. Representative Lamar Smith (R-Texas), sponsor of H.R. 1981, stated that, "When investigators develop leads that might result in saving a child or apprehending a pedophile, their efforts should not be frustrated because vital records were destroyed simply because there was no requirement to retain them."
Do Not Track legislation protects Internet users' right to choose whether or not they want to be tracked by third-party websites. It has been called the online version of "Do Not Call". This type of legislation is supported by privacy advocates and opposed by advertisers and services that use tracking information to personalize web content. Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt-out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of that data outside its context. Efforts to standardize Do Not Track by the World Wide Web Consortium did not reach their goal and ended in September 2018 due to insufficient deployment and support.
The USA Freedom Act is a U.S. law enacted on June 2, 2015, that restored and modified several provisions of the Patriot Act, which had expired the day before. The act imposes some new limits on the bulk collection of telecommunication metadata on U.S. citizens by American intelligence agencies, including the National Security Agency. It also restores authorization for roving wiretaps and tracking lone wolf terrorists. The title of the act is a ten-letter backronym that stands for Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015.
The Email Privacy Act is a bill introduced in the United States Congress. The bipartisan proposed federal law was sponsored by Representative Kevin Yoder, a Republican from Kansas, and then-Representative Jared Polis, a Democrat of Colorado. The law is designed to update and reform existing online communications law, specifically the Electronic Communications Privacy Act (ECPA) of 1986.
Alicia Kozakiewicz, also known as Alicia Kozak, is an American television personality, motivational speaker, and Internet safety and missing persons advocate. Kozakiewicz is the founder of the Alicia Project, an advocacy group designed to raise awareness about online predators, abduction, and child sexual exploitation. She is also the namesake of "Alicia's Law", which provides a dedicated revenue source for child rescue efforts. Kozakiewicz has worked with television network Investigation Discovery (ID) to educate the public on, and effect change for, issues such as Internet safety, missing people, human trafficking, and child safety awareness education.
The Biometric Information Privacy Act is a law set forth on October 3, 2008 in the U.S. state of Illinois, in an effort to regulate the collection, use, and handling of biometric identifiers and information by private entities. Notably, the Act does not apply to government entities. While Texas and Washington are the only other states that implemented similar biometric protections, BIPA is the most stringent. The Act prescribes $1,000 per violation, and $5,000 per violation if the violation is intentional or reckless. Because of this damages provision, the BIPA has spawned several class action lawsuits.
The EARN IT Act is proposed legislation first introduced in 2020 in the United States Congress. It aims to amend Section 230 of the Communications Act of 1934, which allows operators of websites to remove user-posted content that they deem inappropriate, and provides them with immunity from civil lawsuits related to such posting. Section 230 is the only surviving portion of the Communications Decency Act, passed in 1996.
Data minimization is the principle of collecting, processing and storing only the necessary amount of personal information required for a specific purpose. The principle emanates from the realisation that processing unnecessary data is creating unnecessary risks for the data subject without creating any current benefit or value. The risks of processing personal data vary from identity theft to unreliable inferences resulting in incorrect, wrongful and potentially dangerous decisions.
The American Privacy Rights Act (APRA) is a comprehensive data privacy law proposed in the United States. It would place limitations on the kinds of data companies can collect about their users, create processes for users to access or remove data about them, and allow users to opt out of having their data sold by data brokers. The bipartisan proposal was introduced in April 2024 by Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA). Cantwell is Chair of the Senate Committee on Commerce, Science, and Transportation and McMorris Rodgers is Chair of the House Committee on Energy and Commerce. If passed, it would supersede some state-based laws which have emerged in the absence of a comprehensive federal data privacy law. The bill underwent controversial revisions in June 2024, removing several consumer protections under pressure from House Republicans, including a section about civil rights. The changes led many privacy and civil society organizations to withdraw support, and the June 27, 2024, committee markup session was canceled amid signals from Republicans that they would kill the bill if it got out of committee.