Updated 7/22/22: The blog post below has been updated to reflect changes made to the bill during a July markup of the bill held by the House Energy and Commerce Committee.
Updated 7/14/22: The blog post below has been updated to reflect changes made to the bill during a July markup of the bill held by the House Energy and Commerce subcommittee on consumer protection and commerce.
Congress is taking steps towards a much-needed federal privacy law that could help protect consumers while creating consistent obligations for startups. This week, the House Energy and Commerce subcommittee on consumer protection and commerce held a hearing discussing the American Data Privacy and Protection Act (ADPPA). The ADPPA has support from key members of Congress on both sides of the aisle and in both chambers and would replace a state-by-state patchwork of privacy laws, helping startups by easing compliance costs and lowering barriers. Engine has been a longtime advocate for such a law and commends lawmakers for taking an important step in developing a federal privacy standard.
Background: Earlier this month, a bipartisan group of congressional leaders including Rep. Frank Pallone (D-N.J.), Rep. Kathy McMorris Rodgers (R-Wash.), and Sen. Roger Wicker (R-Miss.) released a draft federal privacy framework that, if passed, would create a uniform set of obligations for entities that collect consumer data and protections and rights for consumers across the country. As three-quarters of the bipartisan leadership of the House Energy and Commerce and the Senate Commerce Committees, each of these members would play a significant role in the bill’s passing.
While other jurisdictions have enacted privacy legislation in recent years, like the European Union with their General Data Protection Regulations (GDPR), the U.S. presently lacks a comprehensive federal privacy law. This absence has led states to pass their own laws in order to codify privacy rights for their citizens, creating a patchwork of state laws for companies to navigate. For startups, this patchwork is especially burdensome, and some startup founders forgo growing their businesses in certain states to avoid compliance costs. As Andrew Prystai, CEO of Omaha-based Event Vesta explained, “[p]art of the reason that we have not expanded into certain states like California is because of the resources required to handle California Consumer Privacy Act (CCPA) compliance, which is something that we have to think about every time we look at entering a state that has its own, unique privacy compliance requirements.”
A federal privacy law can solve these issues by preempting state laws, and, given the lawmakers behind it, the ADPPA is the most credible proposal with a chance of passage. In reviewing the draft legislation, there are several provisions that will be significant for startups to consider as they evaluate the bill.
What’s in the bill:
The bill builds off of elements found in other privacy frameworks.
The ADPPA contains some substantively similar consumer rights and obligations to those found in the EU’s GDPR and state privacy laws. Enshrining these things at a federal level would help harmonize obligations, including around transparency, data ownership and control, and different requirements for first and third parties. It also creates tiered obligations for companies depending on their size, including with a narrow and limited small business exemption.
Data rights for consumers: Similar to state laws like the California Consumer Privacy Act or the Virginia Consumer Data Protection Act, the ADPPA dictates that companies have to respond to consumer requests to access, delete, and correct their data as well as consumer requests to port their data, which involves companies providing a consumer’s data in machine-readable format to be used elsewhere. The draft bill also specifies the timeframe that companies must comply with these requests, which varies from 45 to 90 days, depending on the size of the company.
The bill creates additional protections for sensitive data—which includes biometric, financial account, and ethnicity or national origin information, among other categories—including that companies must first receive the affirmative express consent of the consumer to process that data.
(The version of the bill passed by the Energy and Commerce Committee in July expanded the definition of sensitive data to include “information identifying an individual’s online activities over time and across third party websites or online services.” )
The bill also gives consumers the right to opt-out of targeted advertising and data transfers, and it requires companies to establish simple and easy to use mechanisms for consumers to withdraw their consent. It contains exceptions for when businesses can collect, process, or transfer data without a consumer’s consent, including responding to data security threats, protecting against illegal or fraudulent activity and performing system maintenance or diagnosis. Members of the online advertising ecosystem—including the International Advertising Bureau—have expressed concern that these limitations may disrupt the ecosystem. Startups—especially those in early stages and those that offer free services to consumers—often rely on data-driven advertising revenue.
(The version of the bill passed by the Energy and Commerce Committee in July includes a prohibition retaliating against consumers for exercising their rights within the law.)
Small Business Exemption: The ADPPA creates tiers of obligations based on a company’s size, including through additional requirements for “large data holders”—defined as (1) having an annual threshold of over $250 million, (2) collected over 5 million accounts of covered data or sensitive covered data of over 200,000 accounts—and a small business carveout. The bill exempts small businesses that generate less than $41 million in annual revenue, collect and process the data for fewer than 200,000 accounts, and acquire less than 51 percent of revenue from transferring personal data. Businesses meeting the criteria are exempt from designating a privacy and data security officer; do not have to port user data; may delete, rather than correct data upon receipt of a correction request; and are not required to implement certain data security practices required by the bill.
(In June, the House Energy and Commerce Subcommittee on Consumer Protection and Commerce held a markup in which the user account threshold was raised from 100,000 to 200,000 accounts.)
While it is encouraging that policymakers have attempted to ease burdens for small businesses by removing some of the obligations that will create administrative burdens, the thresholds are too low and the exemption is too narrow, meaning many startups will still have to comply with many of the costly and time-consuming provisions in the law. For example, startups with little revenue and few employees are still likely to serve more than 100,000 users in a year. In the current draft, the 100,000 user figure is bracketed, indicating lawmakers are still debating it. To make the exemption more meaningful, the threshold should be revised upward.
Service Providers and Third Parties: Similar to GDPR and some state privacy frameworks, ADPPA distinguishes between the companies that interact directly with consumers and the vendors that those companies use, and therefore share user data with. The framework for service providers is especially important for startups, as many startups rely on a network of dozens of vendors to do everyday business processes, such as payment processing, analytics, or communicating with users en masse via email (especially as compared to large companies, which can often build those capacities in-house). The bill limits what service providers can do with data provided by a company that interacts directly with consumers, including a prohibition on using that data in new ways and transferring the data to other entities. Under the bill, the Federal Trade Commission (FTC) would issue guidance regarding how companies should select and decide to transfer data to service providers.
(During the June markup, new obligations were placed upon service providers. These new obligations include maintaining reasonable safeguards to protect the security of covered data, returning or deleting any covered data upon request, assisting a business with obligations to consumer requests, and demonstrating compliance to the Act.)
The bill creates new regulatory processes, which could lead to clearer obligations for startups.
The ADPPA creates new processes that will allow the FTC to write rules and guidance, which could create much-needed clarity on evolving issues around consumer data. However, it also opens the door to complex and inconsistent regulatory processes and enforcement. These processes can be opaque and difficult for startups with limited time and resources to participate in.
Data Security: The bill would have the FTC write new rules around the data security practices that companies have to employ in order to protect users’ data. As we discussed when Engine testified on this issue last year, there’s no one-size-fits-all solution for data security given how vast and diverse the startup ecosystem is. Startups collect and use different kinds of data of varying sensitivity, and they have limited time and resources to invest in protecting themselves against an ever-evolving and increasingly sophisticated threat landscape. Policy should encourage and incentivize companies to take steps to protect users’ data but not create unnecessarily high compliance costs or penalize responsible companies that still find themselves the victims of data breaches. In having the FTC write data security rules, the ADPPA provides factors for the agency to consider including the size and complexity of the business, the nature and scope of the data that is collected and processed, and the cost and availability of data security measures.
Privacy By Design: The ADPPA would have companies implement “privacy by design” principles, i.e., create their products and services from the outset with the goal of protecting users’ privacy, and have the FTC issue guidance on the issue. The bill gives a number of factors to consider; the volume of data collected, the size of the business, and the cost of implementing the practices in relation to the type of data a business holds, are just a few. The FTC must consider the unique perspectives of startups—for instance, some startups set out to provide one product or service but find that, equipped with the right data, they’re better off pivoting to a related product or service—when writing this guidance.
Data Minimization: The bill prohibits companies from collecting, processing, and transferring data outside of what they need to provide the product or service they offer and what they need to communicate with consumers in a way that’s “reasonably anticipated” given the relationship between the company and the consumer. The FTC would issue guidance on reasonable data minimization practices and is supposed to take into account several factors including the sensitivity of the data a company is collecting, the amount of data, and the size, nature, scope, and complexity of activities a company is engaging in. Data minimization practices are a good way for resource-strapped startups to reduce their risk, including in the event of a data breach, but obligations must be right-sized to ensure they do not preclude future uses of data and data-driven innovations.
Loyalty Duties: The ADPPA would create “loyalty duties'' that largely prohibit specific data collection and processing activities, including the collection, use, and sharing of social security numbers, known non consensual intimate images, precise geolocation information without affirmative express consent from the user, physical activity from a wearable device, and biometric and genetic information without affirmative express consent from the user in most cases. The bill currently contains language—though it’s bracketed, meaning it’s still being considered—that a company cannot transfer a user’s aggregated Internet search or browsing history without affirmative express consent of the user.
(At the June markup, an amendment eliminated the restriction on the collection and processing of non-consensual images, genetic information, and biometric information.)
Technical Compliance Programs: The bill would create a system for “technical compliance programs” that companies could use to help them comply with the law. The bill establishes how the FTC would evaluate and approve these programs, and the agency and state attorneys general are supposed to take into account whether a company is participating in a technical compliance program before bringing an enforcement action under the law. However, the bill does not limit the FTC and state attorneys general from bringing enforcement actions if a company participates in a technical compliance program, meaning a startup could be open to an enforcement action even if it’s taken the necessary steps outlined in a technical compliance program approved by the FTC. Compare that to other frameworks, such as the one found in the Children’s Online Privacy Protection Act (COPPA), where liability is limited for businesses that join a technical compliance program and implement specific privacy practices. Without the guarantee of a similar liability limitation, the compliance program in the ADPPA fails to be a true safe harbor.
The bill creates some major shifts in existing laws and frameworks.
Many of the provisions in the bill significantly mirror ideas and language startups might have seen in other privacy frameworks, but the ADPPA also departs from existing laws in some significant ways and would create new obligations that startups are unlikely to have encountered in the past.
Privacy for Minors: The ADPPA creates a new framework for users under the age of 17, deviating from the existing data protection for children under COPPA. Specifically, the bill prohibits targeted advertising to users under the age of 17 and requires affirmative express consent from either the user or the user’s parent or guardian to transfer data from users between the ages of 13 and 17. Here, it’s crucial that the law only apply these additional requirements and prohibitions when companies know for a fact that they’re dealing with young users. Otherwise, startups will run the risk of unintentionally serving targeted ads to young users or engaging in unpermitted data transfers unless they implement changes for all users regardless of age or spend their limited resources gathering additional data to try to ascertain the age of their users.
(The version of the bill passed by the Energy and Commerce Committee in July includes a tiered knowledge standard for covered entities that engage in targeted ads to children. Large social media companies—defined as covered entities that provide any Internet accessible platform where the covered entity generates primarily used by individuals for user-generated content with at least $3 billion or more in annual revenue, and has 300 million monthly active users for three of the prior 12 months, and offers a product or service that is primarily used to access or share user generated content—have a constructive knowledge standard, meaning they have to determine, using a reasonable level or care or diligence, whether a user is under the age of 17. The second knowledge tier applies to any large data holder—covered entities or service provider with annual gross revenue of $25M, engaged in the collection, processing or transferring of 5M users’ covered data, and 200k users’ sensitive covered data—that knew or acted in willful disregard of a user’s age. The last knowledge tier, actual knowledge, applies to the remaining covered entities and service providers.)
Privacy and Data Security Officers: The ADPPA mandates that companies designate at least one privacy officer and data security officer who will be responsible for implementing and overseeing the company’s privacy and data security program. While the bill creates more obligations for large companies—including new reporting requirements—most startups would have to use their limited resources and employee pool to designate a privacy and data security officer under the bill.
(The June version of the ADPPA exempted companies with fewer than 100,000 users from the privacy and data security officer requirements. The version of the bill passed by the Energy and Commerce Committee in July removed the exception for companies with fewer than 100,000 users and created an exemption only for entities with 15 employees or fewer.)
Civil Rights Protections: The bill prohibits companies from collecting, processing, or transferring data in ways that discriminate against protected classes of consumers, including on the basis of race, religion, gender, etc. However, the ADPPA includes exceptions that allow a company to engage in these activities to self-test for discrimination or to diversify an applicant or participant pool.
The bill preempts comprehensive state privacy laws.
The ADPPA preempts the kinds of overarching, comprehensive consumer privacy laws that many states have passed and considered in recent years, which is a large step toward avoiding a patchwork of state laws that startups are particularly ill-equipped to navigate. However, the bill leaves intact specific narrower state laws—such as Illinois’ Biometric Information Privacy Act and the private right of action found in the California Consumer Privacy Act—and leaves the door open to future narrow state privacy laws regarding things like health information or facial recognition data
(The version of the bill passed by the Energy and Commerce Committee in July would preserve additional categories of state privacy and data breach laws, including laws regarding the use of encryption as a data security tool.)
Preemption of state laws is a necessary step to ensure that startups can grow their businesses across state lines. And given how much of a sticking point preemption has been in previous negotiations over a federal privacy framework, it is encouraging that policymakers have included partial preemption in this bill.
The bill is enforced by the FTC, state Attorneys General, and includes a private right of action.
Federal Trade Commission, state attorneys general, and private individuals may each enforce parts of the ADPPA.
Enforcement by FTC: The bill grants the FTC the power to enforce the law, including by creating a new bureau tasked with enforcement specifically. This provision also enables the FTC to collect civil penalties from companies that violate the ADPPA and place it in a fund to, among other things, compensate individuals who have been harmed by violations of the law.
Enforcement by State Attorneys General: The ADPPA also allows for state attorneys general or the chief consumer protection officer to bring a civil action against violators. State enforcers have to give the FTC an opportunity to intervene before filing a civil lawsuit to enforce the law, and state attorneys general cannot bring cases that are redundant of enforcement actions being pursued by the FTC. The bill also allows for state attorneys general to notify the FTC of enforcement actions immediately after filing a civil lawsuit in rare cases where pre-notification is “not feasible.”
(The version of the bill passed by the Energy and Commerce Committee in July includes a provision allowing the California Privacy Protection Agency to enforce the ADPPA in the same manner it would enforce the California Consumer Privacy Act.)
Enforcement by Private Lawsuits: The ADPPA creates a complex private right of action that—two years after the bill becomes law—would give consumers the ability to seek injunctive relief (as in, to stop a company from doing a practice that violates the law), compensatory damages, and attorney’s fees. If an individual (or class of individuals) wants to sue, they must first confer with their state attorney general and the FTC. From here, the state attorney general or the FTC has 60 days to determine if they will independently take action and, if neither entity decides to pursue the case, the individual can continue with their lawsuit. The bill also requires that, before individuals proceed with a civil suit for injunctive relief or against a business that’s covered by the small business exception discussed above, they must first give the company 45 days to “cure,” or correct violations of the law.
(The version of the bill passed by the Energy and Commerce Committee in July would have the law’s private right of action go into effect two years after the bill is enacted, as compared to the original bill’s four years. That version of the bill also contains a small business exception where covered entities that have an annual revenue less than $25 million, earn less than half of their revenue from transferring covered data, and engage with covered data of no more than 50,000 accounts are not subject to private right of action, and it clarifies that a private suit does not bar the FTC or the state enforcement agencies from bringing or intervening in a lawsuit. The amended version also changes how a company can avoid lawsuits if it cures violations of the law. If a company adheres to a written notice, implements a cure, and then demonstrates to the court it has been implemented within 45 days of receiving written notice then a consumer’s claim for injunctive relief is not permitted.)
The bill’s authors have clearly put effort into crafting a system that lets individuals who have been harmed enforce their rights while trying to minimize opportunity for bad faith lawsuits. But we remain concerned about the impact private lawsuits—or even the threat of lawsuits—could have on startups, which don’t have the resources to withstand litigation that can cost hundreds of thousands of dollars. Additionally, creating a clearance process for the FTC and relevant state attorneys general to weigh in on private lawsuits before they can proceed could result in the agency and officials enforcing meritorious cases while private litigants attempt to bring lawsuits that official enforcers have deemed not worth pursuing. That could increase the bad private lawsuits that companies, including startups, see under the law.
What’s next:
Now that the full Energy and Commerce Committee has passed the bill, the ADPPA could go to the House floor for a full vote by the chamber. A similar committee process and floor vote would have to happen in the Senate before a privacy bill can become law.
Engine has long been an advocate for a federal privacy framework that creates consistent obligations for startups while providing users with control over their data, which would boost overall consumer trust in the Internet ecosystem. This draft bipartisan, bicameral bill is the first meaningful step in years towards actually enacting federal legislation, but the path ahead is long and contains several potential stumbling blocks.
Most notably, Senate Commerce Committee Chair Maria Cantwell (D-Wash.) is absent on the list of key members backing the bill. Instead, she has her own privacy bill and issued a statement criticizing the group’s draft. Other key Democrats on the Senate Commerce Committee which is the remaining panel to consider, potentially amend, and take the first votes on a privacy bill—have also been critical of the bill for perceived shortcomings when it comes to obligations for companies and the ability of individuals to enforce the law. At the same time, industry representatives have pushed back on the bill from the other side, taking issue with the fact that the bill allows for private lawsuits and doesn’t preempt all state privacy laws.
Engine applauds the bipartisan lawmakers behind the bill for taking this landmark step in creating a much-needed federal privacy framework, and we hope the perspective of startups will be a priority in considerations moving forward.
Disclaimer: This post provides general information related to the law. It does not, and is not intended to, provide legal advice and does not create an attorney-client relationship. If you need legal advice, please contact an attorney directly.