What You Need to Know
The truth is that whenever a federal privacy law is proposed in the United States, everyone (especially privacy professionals) becomes very excited. Why? Because the current US state privacy law patchwork, where every state is proposing and passing its own privacy laws, is very difficult to navigate and compliance is becoming increasingly complex and costly. A federal privacy law would alleviate this complexity by setting one standard that businesses must follow. However, much of the privacy professional community has also become increasingly jaded as numerous federal privacy laws have been proposed that have failed to become law. The latest federal privacy law to be proposed in the United States is the American Data Privacy Rights Act of 2024 (ADPRA), which is a bipartisan privacy bill that legislators are currently considering. This article will discuss the ADPRA, including who it would apply to, which privacy rights it would provide, and the opposition to its passage.
Who would the ADPRA Apply to?
If passed, the ADPRA would apply to any entity that determines the purposes and means of collecting, processing, retaining, or transferring personal data subject to the Federal Trade Commission Act, is a common carrier subject to Title II of the Communications Act, or is a non-profit. However, it is important to note that “small businesses” would be exempt from this law. The bill defines “small business” as an entity:
- Whose average annual gross revenue for the past 3 years did not exceed $40,000,000;
- That did not annually collect, process, retain, or transfer the data of more than 200,000 individuals;
- That did not transfer data to a third party in exchange for revenue or anything of value.
The ADPRA does not fully explain what “transferring data to a third party in exchange for anything of value” would mean in practice, which means that small businesses may be subject to this privacy law even if they do not meet the first and second factors above if they transfer data to third parties such as email marketing vendors or advertising providers. It is also important to note that, unlike most US state privacy laws, the ADPRA would also apply to nonprofits if they meet the above criteria.
ADPRA transparency requirements
The ADPRA would require businesses that need to comply with the law to provide a publicly available, easy to read Privacy Policy that includes the following information:
- The identity and contact information of the business and any affiliates within the same corporate structure;
- The categories of personal data collected, processed and retained;
- The purposes for processing each category of personal data;
- Each category of third party to whom personal data is transferred;
- The name of each data broker to whom personal data is transferred;
- The purposes for which the personal data is transferred;
- The length of time that each category of personal data is retained or the criteria used to determine how long the data will be retained;
- How an individual can exercise their privacy rights;
- A general description of the business’s security practices;
- The effective date of the Privacy Policy; and
- Whether any data is transferred to, processed in, retained in, or otherwise accessible to a foreign adversary.
Privacy rights provided by the ADPRA
The ADPRA would help Americans ensure the privacy of their personal data by providing them with the following privacy rights:
- Access the personal data in a format that is naturally read by a human;
- Access the name of any third party or service provider to whom the personal data has been transferred, as well as the categories of sources from the which the personal data was collected;
- Access a description for which the business transferred the personal data to a third party;
- Correct any inaccuracy or incomplete information regarding the personal data;
- Delete the personal data of the individual;
- Export the personal data in a portable, structured, and machine-readable format;
- Opt out of targeted advertising;
- Opt out of certain transfers of personal data.
Pre-emption of state privacy laws
Due to the fact that the US state privacy law patchwork is so complex, the ADPRA attempts to simplify compliance by preempting state privacy laws. This means that, subject to limited exceptions, no state would be allowed to adopt, maintain, or enforce any privacy law covering the items that are already covered by the ADPRA. Due to this pre-emption, certain states, such as California, have voiced opposition to this proposed federal privacy bill, stating that “national data privacy laws passed by Congress should strengthen, not weaken our existing laws here in California.”
Private right of action
Generally, the ADPRA would be enforced by State Attorneys General and the Federal Trade Commission. However, the bill would also provide consumers with the right to sue businesses directly for violations. In such a lawsuit, consumers could seek damages, injunctive relief, and legal and litigation costs. Prior to filing a lawsuit, consumers would need to contact the business and the business would have a chance to cure any violations. However, if a business does not respond or does not effectively cure a violation, consumers could sue the business directly for a violation.
Opposition to the ADPRA
The ADPRA is very far from being a “done deal.” Certain members of Congress have voiced opposition to the bill, mainly citing the preemption and private right of action provisions. In addition, privacy rights groups such as the Electronic Frontier Foundation, stated that the ADPRA does not provide adequate protection for consumer privacy as a federal privacy law should make it easier to sue businesses for privacy violations and should limit sharing with the government as well.
It will be very interesting to see whether the ADPRA moves forward and is passed into an actual privacy law. While this is certainly an exciting development, many privacy professionals are not holding their breath due to the disappointments in failure to pass a federal privacy law in the past.
