One Step Closer to Federal Data Privacy Law Reform: H.R. 8152, the American Data Privacy and Protection Act (ADPPA)
Several bills have been under consideration by legislators in Washington, D.C., and the US Federal Privacy Legislation Tracker (hosted at IAPP) is a good starting point for those looking to get caught up. There have been several bills, but the major ones under deliberation have been the Consumer Data Privacy and Security Act of 2021 (S.1494, introduced April 29, 2021), the Setting an American Framework to Ensure Data Access, Transparency and Accountability (SAFE DATA) Act (S.2499, introduced July 28, 2021), and the Consumer Online Privacy Rights Act (S.3195, introduced Nov. 4, 2021). Legislators have been at an impasse, which has typically been attributed to two issues: (1) whether a federal law should preempt the state privacy laws that have emerged and (2) whether a federal law should include a private right of action for enforcement.
On June 3, 2022, an important new bill entered the mix when a discussion draft of the American Data Privacy and Protection Act (ADPPA) was released by leaders of the Senate Committee on Commerce, Science, and Transportation and the House Committee on Energy and Commerce. The bill was formally introduced as H.R. 8152 on June 21, 2022, before a House subcommittee markup that occurred on June 23, 2022. Less than a month later, the full House committee held a markup hearing on July 20, 2022, that resulted in the Amendment in the Nature of a Substitute (or AINS) for the ADPPA being reported out of committee by a vote of 53-2.
The changes made by the AINS to the text of H.R. 8152 were not minor, so a quick overview of the bill’s changes is appropriate.
Gist of the Bill (according to the bill’s text as of 7/18/22—i.e., prior to the markup hearing on 7/20/22)
A nonpartisan overview of the bill was prepared by the Congressional Research Service. The original text of ADPPA would apply to a wide array of entities, including common carriers and nonprofit organizations that are often out of reach of current privacy law enforcement authority. The law would apply to “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual, and may include derived data and unique identifiers” (§2(8)(A)) and would expressly not include “de-identified data” (§2(8)(B)). The ADPPA would impose duties of loyalty (§101-104) and transparency (§202) and provide certain consumer controls on their data (such as the right to access, correct and delete data as well as data portability) (§201-210). It would relax certain obligations to make compliance less burdensome for small and mid-size businesses. As proposed, the ADPPA would (§207) prohibit the use of algorithms in ways that discriminate “on the basis of race, color, religion, national origin, sex, or disability” but would permit algorithms to either prevent such discrimination or promote diversity. The same section would require large data holders to conduct annual algorithmic impact assessments. The ADPPA would preempt state laws on privacy with specific exemptions carved out in §404(b), including, for example, the generally applicable state statutes on unfair and deceptive acts and practices (UDAPs), breach notification laws, health information laws, employment and student privacy laws, and more. The Federal Trade Commission (§401) and state attorneys general (§402) would be responsible for enforcing the ADPPA. While a private right of action for individuals is included in the bill (§403), ADPPA would delay the availability of this right for four years after the law is enacted.
It is important to note that ADPPA would not apply to governmental entities. Also, entities required to comply with already existing privacy laws (i.e., HIPAA, HITECH, FERPA, Fair Credit Reporting Act and Gramm-Leach-Bliley Act) would be considered in compliance with ADPPA with respect to those types of data if they are compliant with those sector-specific laws. Thus, the bill would not necessarily mandate consistency in data governance, even if data (e.g., health data) are within the scope of the ADPPA requirements, as HIPAA covered entities would govern health data according to HIPAA and those not subject to HIPAA would handle such data pursuant to ADPPA requirements.
As an aside, both “biometric information” and “genetic information” are defined in the bill, with the former apparently leaving biometric source materials unprotected (focusing only on the “biological, physical and physiological” identifiers “generated from” computational steps that have been taken) and the latter including not only genotypic information but also phenotypic information derived from analysis of “raw sequence data.” These definitions deviate from definitions on biometrics used in various state laws and bills on biometrics and from the definition of “genetic information” used in the Genetic Information Nondiscrimination Act of 2008 (GINA). It seems likely that ADPPA would cause confusion if the bill is enacted in its introduced form, as carve outs would preserve both the Biometric Information Privacy Act (BIPA) and Genetic Information Privacy Act in Illinois (§404(b)(L)) but not similar or identical statutes on biometrics and genetic information that might be enacted in other states. ADPPA has separate carve out to preserve state statutes providing data privacy protections regarding facial recognition technologies (§404(b)(K)) but not state statutes addressing biometrics more broadly. With the current carve outs, it is unclear whether ADPPA would alleviate compliance challenges posed by variation among the states.
Gist of the AINS to ADPPA Reported out of Committee on July 20, 2022
The version of the bill favorably reported out of committee on July 20, 2022 makes a number of changes to the original text of the bill. The version of the text that was to be marked up by the full committee differed from the bill originally introduced, and a committee staff memo was made available that summarized those differences. During the markup hearing on the AINS to ADPPA, there were also several bipartisan amendments debated and approved by voice vote. The most heated exchanges were, perhaps not suprprisingly, over preemption of state laws (such as the consumer data protection laws that have been adopted in California, Colorado, Virginia and Connecticut). Some experts, such as Stacey Gray at the Future of Privacy Forum, have indicated that this bipartisan bill would be stronger than state protections.
While a copy of the AINS text with the adopted amendments that was reported favorably out of the House committee is not yet available (as of 7/21/22), a few of the changes from the original version include reducing the delay on a private cause of action from four years to two years after enactment; a right to cure is to be available to each claimed violation rather than to entire cases; clarifying the definitions so that covered entities include those who use data to provide services for governmental entities; use of a tiered approach to whether covered entities have “knowledge” that data relates to individuals under 17 years of age; an exemption for health data use for research purposes in the public interest; a provision alleviating the burdens on small businesses to designate a privacy officer; a provision harmonizes FCC and FTC oversight and clarifies the FTC has sole enforcement authority for ADPPA; and a provision for consultations between the FTC and NIST to establish data security standards.
What’s the Outlook?
H.R. 8152 potentially offers hope that privacy law reform is achievable; however, with this being an election year and with Congress rapidly approaching the August recess for work in each members’ districts, the clock is certainly ticking. A sense of urgency was apparent during the debate in the House committee during its markup of the AINS to ADPPA on July 20, 2022. Reporting the bill out of committee was a major step toward federal data privacy law reform: indeed, as others have pointed out, it is the first time this has occurred in either chamber for a comprehensive data privacy bill. While public outcry for such reforms have been intensifying following the Supreme Court ruling on Dobbs (the implications of which were anticipated on this blog) and while a widespread sentiment expressed by those watching the committee advacne the amended AINS to ADPPA to the full House was to the effect that legislative inaction is not an option, it still seems rather unlikely that legislators will pass privacy law reform before the mid-term election. The Senate Commerce Committee would need to approve of any privacy law reform bill before the full Senate could consider it, and the bill reportedly (and not surprisingly) has its critics on that committee. Nevertheless, the debates on H.R. 8152, a bipartisan effort in Washington, DC, is important to monitor along with the ongoing efforts in Harrisburg, PA to protect data privacy for Pennsylvanians (e.g., H.B. 2257, “The Pennsylvania Consumer Data Protection Act”; H.B. 2022, “The Consumer Data Privacy Act”; or H.B. 1126, “the Consumer Data Privacy Act”)—particularly given the continued and heated debates regarding whether a federal law would preempt state efforts to ensure data privacy. For the near future, all eyes will be on Senator Maria Cantwell, Chair of the Senate Commerce Committee, who has been championing comprehensive privacy law reforms for years but is reportedly not yet sold on H.R.8152.
Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also is Assistant Professor of Law, Policy and Engineering at the Pennsylvania State University. She has been a member of the PBA Cybersecurity & Data Privacy Committee since 2018, is a former contributing editor of the Genomics Law Report, and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Science; Nature Communications; Nature Medicine; American Journal of Human Genetics; Human Genetics and Genomics Advances; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator’s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer. Views expressed are her own.