The proposed American Data Privacy and Protection Act (ADDPA), now pending in the House of Representatives, would provide a wide-reaching national privacy standard, overriding existing state privacy laws. If the ADDPA becomes law, marketers would have to conform to only one national data privacy regulation instead of the patchwork of state laws currently covering the same ground, including laws in California, Colorado, Connecticut, Utah, and Virginia (a dozen other states are now considering data privacy laws as well).
The ADDPA would likely serve to loosen some of the highly pro-consumer privacy regulations now in effect under the California Data Privacy Law. For this reason, the ADDPA could face opposition in Congress from California legislators. As a Los Angeles Times story recently explained, [U.S. Speaker of the House and California Representative Nancy] “Pelosi’s public opposition, which echoes concerns from [CA] Gov. Gavin Newsom and the California Privacy Protection Agency, marks an escalation in the standoff between California lawmakers and a large bipartisan group of [ADDPA] supporters.”
What the ADDPA looks like
While the proposed federal privacy law is still subject to change during the legislative process (it’s become clear that California wants to keep its more pro-consumer data privacy law), the broad outlines of the current federal proposal include the following, according to a report from the Congressional Research Service:
Data collection and management
The ADDPA would cover information that “identifies or is linked or reasonably linkable” to an individual. The bill would prohibit covered entities (including B2B marketers, of course) from collecting, using, or transferring covered data beyond what is reasonably necessary and proportionate to provide a service requested by the individual, with some exceptions. It also would create special protections for certain types of sensitive covered data (like health-related data).
The ADDPA would also require covered entities to adopt data security practices and procedures that are “reasonable in light of the entity’s size and activities.” The Federal Trade Commission (FTC) would be authorized to issue regulations specifying these data security requirements.
Analysis of impact: Most of the ADDPA’s provisions around data collection and data management are already imposed on marketers via GDPR and the California Data Privacy Law, so not much would change here. Again, the federal law is generally less protective of consumer privacy than the California law, which is why some of the Big Tech companies support it.
Consumer control and consent
ADDPA would give consumers various rights over covered data, including the right to access, correct, and delete their data held by a particular covered entity. It would further require covered entities to give consumers an opportunity to object before the entity transfers their data to a third party or targets advertising toward them.
Analysis of impact: On these “consumer control and consent” provisions, the ADDPA is aligned with GDPR, so it would impose very minimal “new requirements” on B2B marketers. Obviously, consumer consent and consumer trust are intertwined – B2B marketers should be asking customers for consent as a standard procedure anyway, in order to build trust and foster more data sharing.
Third-party data collecting entities
ADDPA would create specific obligations for third-party collecting entities, whose main source of revenue comes from processing or transferring data that they don’t directly collect from consumers (e.g., data brokers). These entities would have to comply with FTC auditing regulations and, if they collect data above the threshold amount of individuals or devices, would have to register with the FTC.
Analysis of impact: The ADDPA shows a clear intent to regulate data brokers through the FTC, which will have the power to audit and issue regulations on how data brokers collect and use/sell data. This is clearly bad news for third-party data, which has become problematic anyway due to changes in third-party cookies (in short, they are getting eliminated).
Protections for youth
The ADDPA would create data protections for individuals under age 17, including a prohibition on targeted advertising, and would also create a Youth Privacy and Marketing Division at the FTC. These additional protections would only apply when the covered entity knows the individual is under age 17, though certain social media companies or large data holders would be deemed to “know” an individual’s age in some circumstances.
Analysis of impact: Here, the ADDPA is responding to a number of recent studies making the connection between online activities and negative psychological impacts on young people. These additional protections give the FTC the power to crack down on excessive ad targeting and other forms of engagement aimed at young people.
Civil rights and algorithms
The ADDPA would prohibit most covered entities from using covered data in a way that discriminates on the basis of protected characteristics (e.g., race or sex). It would also require large data holders to conduct algorithm impact assessments, and submit these assessments to the FTC and also make them available to Congress on request. These assessments would need to describe the entity’s steps to mitigate potential harms/discrimination resulting from its algorithms, among other requirements.
Analysis of impact: There’s been a growing public concern that algorithms have massive impacts, but are also beset by patterns of discrimination. Under the category of “garbage in, garbage out,” regulators don’t want data that merely reflects patterns of historical discrimination to be fed into algorithms. Under the more pro-consumer California law, consumers can opt out of having their data used to build algorithms. While the ADDPA does not allow this, it does empower the FTC to regulate algorithms.
Private right of action
The ADDPA would create a private right of action starting two years after the law’s enactment. Injured individuals, or classes of individuals, would be able to sue covered entities in federal court for damages, injunctions, litigation costs, and attorneys’ fees. Individuals would have to notify the FTC or their state attorney general before bringing suit. Before bringing a suit against a small- or medium-size business, individuals would be required to give the violator an opportunity to address the violation.
Analysis of impact: This “private enforcement” provision of the ADDPA is very similar to enforcement mechanisms within GDPR and the California law, so not much would change here for B2B marketers.
Bottom line? The ADDPA, even if it becomes law, will likely not create additional requirements when it comes to how you collect and manage customer data, largely because the proposed federal law is less protective of data privacy than the current California data privacy law.