![]() The legislation would apply to all organizations, including non-profits and telecoms, and create a new division within the Federal Trade Commission (FTC) tasked with enforcing this law. ![]() The ADPPA would establish basic consumer data rights impose certain obligations (referred to as “duties of loyalty”) on how all organizations process personal data and create additional requirements for large data holders (defined as organizations having sensitive personal data on 100,000 or more individuals or non-sensitive data on 5 million or more individuals) and third-party service providers that process data. But the bill does offer a comprehensive framework for data privacy that serves as a blueprint for federal legislation, and it is worth exploring the pros and cons of these other provisions. Unfortunately, the drafters have included several poorly conceived compromises on state preemption and a private right of action that fail to meet the standards of what is needed in a federal data privacy law. The American Data Privacy and Protection Act (ADPPA), jointly released on June 3 by key members in the House and Senate Commerce Committees, would establish a comprehensive consumer data privacy framework. Unfortunately, as currently drafted, the ADPPA fails to achieve those two goals. Indeed, since the only lawsuits individuals would be proceeding with under the ADPPA are those that neither the FTC nor any attorney general decides to pursue, these are likely to be meritless.Īs ITIF has written, state preemption and no private right of action should be the baseline for a federal privacy law. While the drafters have clearly attempted to construct a narrow private right of action, the fact remains that the ADPPA would still leave open the door for expensive, frivolous lawsuits. There is also a limited right to cure, whereby if a data holder successfully addresses an alleged problem within 45 days, they can seek dismissal of a demand for injunctive relief. To limit duplicative enforcement, individuals must first notify their state attorney general and the FTC of their intent to bring suit, and if one of those agencies decides to initiate an action, individuals cannot file their own lawsuit. The ADPPA would allow individuals to bring civil actions seeking compensatory relief or injunctive relief against data holders starting four years after the act goes into effect. But the legislation also creates a limited private right of action. The legislation would include strong enforcement measures, allowing the FTC as well as state attorneys general to bring action against any data holders violating provisions in the act. The ADPPA also attempts a compromise on a private right of action. Clearly, legislators are trying to reach a compromise, but the state preemption should be much broader to be effective. Moreover, the special carve outs specifically for privacy laws in Illinois and California, while excluding other states that have recently passed state privacy laws, such as Virginia, Utah, Colorado, and Connecticut, is unfair and reeks of backroom dealing. The list of exclusions is lengthy, which fundamentally undermines the purpose of state preemption (i.e., to have uniform laws to reduce compliance costs and simplify rules for consumers) especially on topics like data breach notification where every state already has a law. In an attempt at a compromise the ADPPA would preempt state privacy laws…except for a long list of excluded laws and topics, including the hotly contested Illinois Biometrics Information Privacy Act, part of the California Privacy Rights Act, and broad topics such as facial recognition, non-consensual pornography, data breach notification, and more. Unfortunately, the compromise text failed to adequately address the two most contentious issues in the debate about a federal privacy law: state preemption and a private right of action. The release of a bipartisan draft bill is a welcome development after years of delays and discussion and is the most hopeful sign that Congress will finally address this issue. ![]() Roger Wicker (R-MS) came together to release a draft bill for discussion-the American Data Privacy and Protection Act (ADPPA). Cathy McMorris Rodgers (R-WA), and ranking member of the Senate Commerce Committee Sen. ![]() Frank Pallone (D-NJ), ranking member Rep. PART 1: STATE PREEMPTION AND PRIVATE RIGHT OF ACTIONĬongress reached a major milestone in the effort to create a comprehensive federal data privacy law last week when House Energy and Commerce Chair Rep. ![]()
0 Comments
Leave a Reply. |