American Data Privacy and Protection Act Proposed in U.S. Congress

On Friday, the discussion draft of a new, bipartisan proposed privacy bill titled the "American Data Privacy and Protection Act" was released by House Energy and Commerce Committee Chairman Frank Pallone (D-NJ), Energy and Commerce Republican Leader Cathy McMorris Rodgers (R-WA), and Senate Committee on Commerce, Science, and Transportation Ranking Member Roger Wicker (R-MS). The agreement on the bill draft was first reported by Politico.

In a joint statement, Representatives Rodgers and Pallone and Senator Wicker said the draft is the product of years of effort.

“This bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone," the lawmakers wrote. "In the coming weeks, we will be working with our colleagues on both sides of the aisle to build support and finalize this standard to give Americans more control over their personal data. We welcome and encourage all of our colleagues to join us in this effort to enable meaningful privacy protections for Americans and provide businesses with operational certainty. This landmark agreement represents the sum of years of good faith efforts by us, other Members, and numerous stakeholders as we work together to provide American consumers with comprehensive data privacy protections."

The text of the draft bill says its purpose is to "provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement."

The 64-page document is broken into four main sections: duty of loyalty, consumer data rights, corporate accountability, and enforcement and applicability. The document empowers the Federal Trade Commission (FTC) to enforce its provisions. Below is a nonexclusive summary of the draft's provisions.

Duty of Loyalty

This section contains provisions around 'data minimization,' 'loyalty duties,' 'privacy by design,' and 'loyalty to individuals with respect to pricing.' For instance, the FTC would issue guidance about data minimization "to establish what is reasonably necessary, proportionate, and limited to comply with this section." That would include answering questions on the sensitivity, volume and complexity of data collected or used by covered entities.

Under loyalty duties, the bill introduces restrictions and prohibitions on the use of some types of information, such as "the collection, processing, or transferring of social security numbers," the "transfer of an individual’s precise geolocation information to a third party" outside of certain conditions, "collection, processing, or transferring of biometric information" apart from certain applications, the transfer of passwords in most contexts, and various other forms of data such as the use of genetic information, aggregated internet search browsing history and physical activity information.

The 'privacy by design' provisions require covered entities to establish policies and practices that "consider the mitigation of privacy risks" and "implement reasonable training and safeguards within the covered entity to promote compliance with all privacy laws applicable to covered data the covered entity collects, processes, or transfers and mitigate privacy risks." The bill requires the FTC to issue guidance on what constitutes 'privacy by design'.

Loyalty by design with respect to pricing refers to provisions that prevent a covered entity from restricting or charging different rates for products based on an individual's agreement to waive any privacy rights in exchange.

Consumer Data Rights

The consumer data rights section of the bill includes provisions to make consumers aware of their rights, and to require companies to offer transparent privacy policies, including how an individual can exercise their new rights, what affirmative consent means, and what notifications are necessary when material changes are made to policies.

The bill gives individuals a measure of 'data ownership and control' to include access to their own personal data, information on what and how their data is shared with third parties and for what reason, the right to correct inaccurate or incomplete information, the right to delete covered data, the right to export data, etc. There are provisions for the timing and cost of access to consumer data, and specific language about exceptions to consumer rights and access. This section would appear to address so-called 'dark patterns' in website design.

There is a 'right to consent and object' to the collection of 'sensitive covered data,' along with provisions on how to withdraw consent, opt out of data transfers to other parties, and to opt out of targeted advertising.

A 'data protections for children and minors' section institutes specific protections for individuals under the age of 17, and creates a "Youth Privacy and Marketing Division" inside the FTC that would be responsible for addressing the privacy of children and minors.

A section on third-party collecting entities requires conspicuous notice on any website using such entities, as well as provisions for transparency, audit logs, and the creation of a "third-party collecting entity registry" which would permit a "do not collect" registry to be created.

"Civil rights and algorithms" are addressed in a unique section that creates new obligations for the FTC to look at problems that data collection creates with regard to civil rights. It also requires "large data holder" entities to conduct algorithm 'impact assessments' to mitigate potential civil rights harms to individuals, and it requires covered entities to submit to 'algorithm design evaluation,' preferably utilizing an "external, independent auditor or researcher" to conduct the assessments and evaluations.

The bill also institutes language around data and cybersecurity practices, including requirements that covered entities assess their own system vulnerabilities and take preventative actions to prevent the illicit transfer of data. And, it creates the possibility of a 'unified opt-out mechanism,' require the FTC to "initiate and finalize a feasibility study on the creation of a privacy protective, centralized mechanism for individuals to exercise all such rights through a single interface."

Corporate Accountability

The corporate accountability section creates responsibility at the executive level in covered entities, including a requirement that entities designate a 'privacy and data security officer' with responsibility for delivering on the requirements of the bill, including compliance, and instituting systems and practices, and in the case of 'large data holders' serving as "the point of contact between the large data holder and enforcement authorities."

It also creates accountability mechanisms for service providers and third parties, requires the FTC to create regulations for technical compliance, and creates a public process for the creation of compliance guidelines.

Interestingly, this part of the proposed bill also includes a section focused on 'digital content forgeries,' requiring the Secretary of Commerce or the Secretary's designee to "publish a report regarding digital forgeries' that defines what they are, the "methods and standards available to identify digital content forgeries as well as a description of the commercial technological counter-measures," and a "description of the types of digital content forgeries, including those used to commit fraud, cause harm, or violate any provision of law."

Enforcement and Applicability

The section on enforcement and applicability creates a new "bureau" inside the FTC "to assist the Commission in exercising the Commission’s authority under this Act and related authorities," as well as an "Office of Business Mentorship" headed by the director of the new bureau responsible for providing "guidance and consultation to covered entities regarding compliance" with the Act. And, it clarifies the powers of the FTC to enforce the bill's provisions.

The bill also creates a "Data Privacy and Security Victims Relief Fund" funded by civil penalties assessed by the FTC in the enforcement of the legislation or by the Attorney General. State attorneys general are also empowered to enforce the provisions of the Act, and maintain their own investigative powers.

- - -

Some advocacy groups hailed the news of the draft bill.

“To say that it’s high time for real progress on a federal privacy bill would be a tremendous understatement," said Free Press Action Co-CEO Jessica J. González. "We’ve been waiting for more than a decade for Congress to tackle online privacy and data-security issues. The country sorely needs Congress to create protections against the exploitation and discrimination caused by companies’ unfettered collection, buying, selling, sharing and outright abuse of people’s most personal information."

TechNet, which refers to itself as a "national, bipartisan network of innovation economy CEOs and senior executives" also issued a statement Friday from its Senior Vice President, Carl Holshouser. "While the bill still needs further improvements, it’s an indication that leaders from both parties are committed to action and willing to compromise on key issues like a private right of action and preemption. Additional negotiation is needed but we’re more hopeful than we have been in years that a bipartisan privacy bill can make its way to the President’s desk this Congress."

The clock is ticking.