Overview
On July 20, 2022, the House Committee on Energy & Commerce voted affirmatively (53-2) to send the American Data Privacy and Protection Act (ADPPA) to the floor of the House of Representatives. While momentum was high last month, the ADPPA is stalled due to opposition from key members of Congress and enforcement agencies. If not advanced before the midterm elections on November 8, the ADPPA faces an unlikely road to success. But even if it is not passed into law, the ADPPA is still the most comprehensive data privacy legislation the US Congress has ever considered. It represents a major shift in federal data privacy regulation.
Background
The United States stands as an outlier among developed countries when it comes to data privacy protection and enforcement. While 18 countries and the European Union have federal data protection laws (see the map below), and have had them for decades in some cases, the US still does not have a comprehensive federal data protection law on the books.
However, five states (California, Colorado, Connecticut, Virginia, and Utah) have taken this issue into their own hands and passed privacy laws, while four more have active legislation to do the same. The California Consumer Privacy Act is the most robust state-level law, and it established the California Privacy Protection Agency (CPPA), the first US agency dedicated to the enforcement of privacy laws. Several of these states that have passed their own legislation are opposed to the ADPPA, including California. The ADPPA includes an enforcement provision that would preempt state laws on data privacy, replacing their current legal language with the ADPPA language. While the ADPPA would mostly mirror state laws on privacy, in some states, including California, it would water down the state’s regulation.
On July 19, 2022, led by California Attorney General Rob Bonta, 10 attorneys general signed a letter opposing the ADPPA as initially introduced. They argued that it created a regulatory “ceiling” for privacy rather than a “floor,” noting that the state preemption component reduces flexibility and the ability of states to enforce the law. While amendments have been introduced to transform the ADPPA into a regulatory “floor” by removing the preemption, they were shut down, according to JD Supra.
While some amendments were added before it passed out of committee, including allowing the CPPA to enforce the law in California, the preemption provision remains in the ADPPA. In its current form, the main provisions of the bill would:
-
Completely prohibit targeting ads to minors.
-
Ban collecting “sensitive covered data” (financial information, Social Security Numbers, sensitive health data, etc.).
-
Ban collecting, processing, or transferring aggregated internet search or browsing history.
-
Require companies to evaluate certain new and existing algorithms for harm reduction.
-
Include a controversial “private rights of action” feature that would go into effect two years after passage. This would create a risk of litigation from private parties, but it is substantially limited.
-
Ask the Federal Trade Commission (FTC) to establish a universal opt-out mechanism that would allow users to reject targeted ads from all companies in one click. The bill also forces the FTC to require entities to inform users about the opt-out option.
Among these items, the most discussed and debated issue is the “private rights of action,” which would set the groundwork for private parties to sue companies that violate the ADPPA. Organizations that advocate for data privacy like the Electronic Frontier Foundation argue that the “private right of action” doesn’t go far enough and includes too many hoops for the private party to jump through. On the other side, advocacy groups like the US Chamber of Commerce oppose the “private rights of action” provision entirely, calling the ADPPA “unworkable” in a CNBC article.
Meanwhile, recent polls conducted by Morning Consult revealed that the average American is in favor of the major aspects of the law, with over 80 percent of Americans approving of Congress’ effort to strengthen data privacy.
Why Is This Important?
Regulations surrounding data privacy and enforcement in the United States have been a point of major contention between tech companies and Congress for years. But more importantly, consumers in the United States have minimal data protections compared with citizens of other developed countries.
The movement on the ADPPA also occurs while social media companies like Meta are experiencing a historic downturn in revenue, some of which can be attributed to increased data protection. Following the Apple software update this year, Meta saw a $10 billion hit in revenue, as reported by CNBC. Similarly, according to Focus Washington, Twitter has experienced declining revenue for months while quarterly shares in Snapchat fell 25 percent after the company confirmed a slowdown in advertising revenue.
While the ADPPA would likely continue the downward push on demand for advertising and adversely affect social media companies, other advertising agencies may benefit as a result. In Europe, following the introduction of data privacy protection laws, advertising agencies like Paris-based Publicis SA saw a more than 20 percent increase in revenue, according to The Washington Post.
What Happens Next?
The path forward for the act is uncertain. Even if the ADPPA passes the House, it will encounter significant opposition in the Senate. Sen. Maria Cantwell, who chairs the Senate Commerce Committee, opposes the act in its current form due to the weak “private rights of action” provision, as reported in The Spokesman-Review. She would prefer a broader right for individuals to sue companies that violate the law.