Negotiators in Congress are within striking distance—but momentum is slowing—on a federal privacy law, which means now is the perfect time to address a burning question: how well do the major provisions of the bill match up with small app companies’ interests? For this, we analyze how the bill that has made the most progress and seen the most changes along the way—the American Data Privacy and Protection Act (ADPPA, H.R. 8152)—handles the “4 Ps of privacy”: Preemption, Private right of action, a Path to compliance, and Protection against unauthorized access.
- Preemption
ADPPA’s overarching preemption language is reasonably strong, but negotiators could improve it. As drafted, the provision says that no state or political subdivision of a state may “adopt, maintain, enforce, prescribe, or continue in effect” any law or provision having the force and effect of law that is “covered by” the provisions of ADPPA or regulations promulgated under it. This construct should capture most of the general-applicability state privacy laws that, as states enact slightly differing requirements, create the confusion, conflict, and compliance burdens we have urged Congress to avoid.
However, there are so many exceptions to the main preemption provision that courts may ultimately uphold state laws that differ substantially from ADPPA’s requirements. Each exception to the preemption language adds further uncertainty as to Congress’ intent with respect to establishing a single set of rules rather than simply placing a federal layer on top of a divergent state patchwork.
- Protection Against Unauthorized Access
Most of ADPPA would regulate the privacy practices of covered companies, which include how they obtain consumers’ consent to collect and process personal information and the kinds of processing activities they can engage in under color of consumer authorization. Fortunately, ADPPA also requires covered companies to take certain steps to detect, prevent, and remediate unauthorized access to personal information. We support the inclusion of data security requirements that preempt most state laws that would otherwise impose conflicting or substantially different data security obligations. Strong federal data security provisions would raise the average readiness of American companies to defend against cyberthreats of all kinds, from state-sponsored ransomware campaigns to social engineering and phishing attacks.
- Path to Compliance
ADPPA would provide a compliance program for small businesses adhering to Federal Trade Commission-approved compliance guidelines that “meet or exceed” ADPPA’s requirements, with a reasonable threshold described at 209(b). Notably, 209(b)’s threshold is pegged at $41 million in annual revenue, along with related factors. ADPPA would also deem companies that participate in approved compliance programs to be in compliance with ADPPA itself, a legal presumption that would allow small companies to demonstrate privacy competence without being subject to immediate civil penalties for even small violations. The compliance program would ensure that App Association members are rightfully viewed as—and held accountable for—complying with a federal framework, while alleviating liability concerns and compliance burdens.
- Private Right of Action
The private right of action (PRA) in ADPPA would clearly authorize individuals to sue for alleged violations of ADPPA. The provision would apply to the entire Act and its regulations—except for data minimization, privacy by design, or data security requirements—and to any person or class injured by a violation. This provides especially broad coverage in terms of both which kinds of violations can give rise to a PRA and which categories of consumers may bring a PRA.
Importantly, the PRA provision addresses concerns we voiced about how private litigants could use it to inappropriately target smaller companies covered by ADPPA. Specifically, the PRA in ADPPA as reported to the full chamber does not apply to covered companies with $25 million or less in annual revenue, if they handle data on fewer than 50,000 individuals and also derive less than 50 percent of their revenue from transferring covered data. Similarly, if individuals accuse a company of violating ADPPA, that company could in most cases demonstrate that it has rectified the problem before the claim can go to court. Without guardrails like these, the attractive payouts PRAs offer invite opportunistic litigation strategies built on a pattern of suing and settling over frivolous claims unrelated to protecting consumers. We therefore appreciate the safeguards negotiators adopted in the latest version of ADPPA to help prevent abuse.
We urge negotiators to mind the 4 Ps of privacy as they continue to work on a federal privacy law. If Congress strikes the right balance on these concepts, it would help avoid the impending compliance tsunami from differing state laws and better enable our members to continue innovating, creating jobs, and revolutionizing industries from healthcare and education to agriculture and finance.