“The right to privacy is really important. You remove this brick and another and very soon the house collapses.”
—Tim Cook, Apple CEO
As the Internet has become an integral part of everyday life, the average user has begun to realize that many aspects of their privacy are being compromised by every click, Google search, and purchase transaction. Applications that collected personal information were often lax in data protection, and hacking of corporate databases containing personal data became all too common. Some users have experienced abuse and anguish resulting from the unauthorized posting of intimate photos or videos on websites. In response, a few states have begun passing laws to protect privacy and personal data.
California launched the first privacy law with the California Consumer Privacy Act. Other states followed, including Virginia, Colorado, Utah and Connecticut. While each state’s legislation covered similar data and privacy issues, none were identical in terms of definitions and scope of coverage. Compliance with multiple standards has become complex and confusing for even the most responsible companies. While the need for federal legislation to protect privacy on the Internet has been recognized for many years, the contentious partisan gridlock in Congress has made progress difficult. These delays stand in stark contrast to the roughly 150 countries worldwide that have already passed strict data protection laws.
The House Bill
An important step on the road to comprehensive federal privacy legislation was taken last month. On July 20, 2022, the House Committee on Energy and Commerce passed the United States Data Privacy and Protection Act (ADPPA) from the committee to the House floor. This bill has bipartisan support and includes key compromises on issues that have stymied privacy legislation in previous sessions of Congress. While passing any legislation immediately before midterm elections is difficult, the bipartisan ADPPA may prove to be an exception. This article provides an overview of the key provisions of the ADPPA and compares it to some of the current state laws.
ADPPA covers a wide range of businesses and entities that appear on the Internet. Generally, any business that processes “covered data” and is subject to the Federal Trade Commission Act falls within the scope of the Act. Unlike most current state laws, covered entities also include common carriers and non-profit organizations. The ADPPA provides a detailed and useful definition of the data covered and the scope of what is included. This includes biometric information, such as fingerprints and facial mapping. It provides general guidance with the following definition: “The term ‘covered data’ means information that identifies or is linked or reasonably likely to be linked, alone or in combination with other information, to a person or device that identifies or is linked or reasonably linked to a person, and may include derived data and unique identifiers.”
ADPPA adds a second category of information classified as “sensitive covered data”. Items in this second category are the types of information that most individuals would not want to see used except for absolutely essential transactions. These “sensitive” items include government-issued identifiers, such as social security numbers, passport numbers, and driver’s license numbers. Information about an individual’s physical health, mental health, biometrics, and genetic data is also included. Personal financial account numbers and credit and debit card numbers are classified as sensitive items.
The definition of sensitive data also includes two broad categories that are generally not covered by national privacy laws. First, private communications such as phone calls, text messages and emails, including the phone numbers called and the time of such communications. Second, any “covered data” that an entity knows relates to a person under the age of 17. This standard goes well beyond the scope of the Children’s Online Privacy Protection Act (COPPA), passed in 1998, which provides online privacy restrictions affecting children under 13 years old.
Some entities are subject to enhanced requirements because they are classified as “large data holders”. Typically, these are companies with gross annual revenue of $250 million or more that also process, each year, the covered data of five million or more individuals or the sensitive covered data of 200,000 or more individuals.
Scope of individual rights
ADPPA tracks some of the individual privacy rights that are covered by the laws of each state. It requires data transparency, i.e., the disclosure of the type of data collected, its use and the duration of its retention. Upon request, individuals have the right to access their personal data in an easily readable format. Individuals can also correct and delete specific data. With respect to “sensitive covered data”, the company or entity is required to obtain the individual’s affirmative consent before using it. Finally, individuals can object to the transfer of their data to third parties or to its use for targeted advertising.
Protection of civil rights
In a significant departure from state policies, the ADPPA directly addresses the potential use of data collected from the Internet to discriminate against minority and marginalized groups within our society. It specifically states: “A covered entity or service provider may not collect, process, or transfer covered data in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, or disability.”
To confirm compliance with this policy objective, ADPPA requires large data holders to conduct an annual “algorithm impact assessment”. The first of these assessments must be completed within two years of the enactment of the law.
The mandatory assessment requires a review of the methodologies used by all algorithms within the entity’s systems. Data inputs and outputs should be reviewed. The entity must determine whether the systems have a disparate impact depending on whether or not the individual belongs to a protected class, such as a racial minority. Finally, the entity must determine the steps that could be used to prevent discriminatory harm to a protected person.
This impact assessment is a new approach to protecting the civil rights of people who may have experienced unequal treatment and discrimination when using websites and applications available on their computers and smartphones.
One of the stumbling blocks to earlier adoption of privacy legislation was a conflict between the federal government’s enforcement powers and the enforcement procedures already included in state privacy laws. For example, the California Privacy Protection Agency (CPPA) has been granted the power to make regulations and enforce California privacy laws. In a unique compromise, the ADPPA is enforceable by both the FTC and state attorneys general. Specifically, the ADPPA requires the FTC to establish a privacy enforcement office.
In a concession to existing state laws, the ADPPA provides a private right of action, beginning four years after the law is enacted. However, before filing a civil action, a person must give notice of their intent to sue to the FTC and their home state’s attorney general, either of whom may intervene in the civil action. The ADPPA also preserves a private right of action for limited issues under California privacy law.
Brown Stone is the principal of Peter Brown & Associates, where he focuses on information technology transactions and the arbitration of technology disputes. He is the co-author of two treatises on computer law and forms.