June 07, 2022

Lawmakers Unveil Draft Version Of The American Data Privacy And Protection Act

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all OnPractice content.
Register Now

With time running out in this US Congress, and with midterms around the corner, a bipartisan group of legislators is making what may be a last-gasp attempt at a federal privacy law compromise. On June 3, 2022, House Energy and Commerce Committee Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS) released a draft of a new comprehensive federal privacy bill, the American Data Privacy and Protection Act (ADPPA). Notably absent from this list of potential sponsors is Sen. Maria Cantwell (D-WA), Chair of the Senate Commerce Committee, who had been given the OK by Sen. Chuck Schumer (D-NY) to attempt to pass federal privacy legislation. Shortly after its release, Senator Cantwell criticized the ADPPA and signaled that she had her own competing proposal. Senator Cantwell's position, plus the absence of any California Representative or Senator, signals that the ADPPA is likely destined to stall on the hill like each of its predecessors.

Nonetheless, with the steady drip of new state consumer privacy laws, many businesses are growing anxious and waiting for action at the federal level, so the ADPPA is noteworthy. This On the Subject highlights several notable features of the ADPPA beyond the anticipated consumer rights of access, correction, deletion and portability. We will start with a look at the private right of action and pre-emption in the ADPPA, as those have traditionally been the sticking points in the federal privacy law debate.


  • Limited private right of action: Beginning four years after the ADPPA's effective date, individuals and classes will gain a private right of action, but it is a proscribed right. Notably, there are no statutory damages. While a successful plaintiff can still recover attorneys' fees, plaintiffs are only permitted to seek injunctive or compensatory damages. The lack of statutory damages may serve to dampen the plaintiffs' bar's interest in bringing ADPPA cases in the first instance. A further deterrent to the private right of action are the procedural prerequisites to suit. First, the allegedly aggrieved person will first have to give notice to the Federal Trade Commission (FTC) and their relevant state Attorney General of the alleged wrong to see if either regulator wants to pursue the action. Absent action by these regulators, the allegedly aggrieved person must then give notice to the prospective defendant and give them 45 days to cure the alleged harm before filing suit.
  • Federal pre-emption with more than some carve-outs: One of the things that businesses are looking for in a federal privacy bill is strong state pre-emption so that businesses can focus on complying with one law and related regulations. The ADPPA creeps closer to that objective, but not by much. There is a broad statement of pre-emption of state laws, but then that pre-emption is effectively gutted by a page-and-a-half long list of state laws that are not pre-empted, including California's California Consumer Privacy Act (CCPA) and Illinois' Biometric Information Privacy Act (BIPA).
  • Broad Definition of "Sensitive" Data: The ADPPA would categorize a large swath of information as "sensitive" that may not immediately come to mind as being particularly sensitive. For example, "information identifying an individual's online activities over time or across third party websites or online services." In effect, this is cookie data. This definition, paired with an affirmative opt-in obligation for the collection of "Sensitive" data, means that the ADPPA would bring many of the requirements of Europe's ePrivacy Directive to the United States.
  • Proscriptive Duty of Loyalty: While the ADPPA's "duty of loyalty" is not the same kind of fiduciary duty that other legislators have attempted to introduce, it is nonetheless quite prescriptive, including a list of eight practices that businesses should not engage in, ranging from the collection and use of Social Security numbers to the transfer of aggregated internet search or browser histories.
  • Targeted Marketing: Similar to other privacy legislation, the ADPPA would require that businesses allow opt-outs from targeted marketing, including intra-corporate family targeted marketing. The ADPPA would also prohibit the delivery of targeted marketing to anyone under the age of 17.
  • Third-Party Collectors Registration: The ADPPA would require third parties who collect information about consumers, but who lack direct contact with that consumer, to file registration and offer certain public disclosures about their practices.
  • Executive Responsibility: Beginning one year after the ADPPA becomes effective, the chief executive officer, the chief privacy officer and the chief information security officer of what the ADPPA defines as "large data holders" would have to certify compliance with the ADPPA to the FTC. This puts these individuals in direct line for potential liability if their company does not, in fact, comply with the ADPPA. A large data holder is an entity that has annual gross revenues of $250 million or more and collects or transfers the personal information of five million or more individuals or devices or the sensitive data of 100,000 individuals or devices.
  • Impact Assessments and Algorithms: Impact assessments would be required for a number of processing activities under the ADPPA, including with respect to any algorithm of a large data holder that uses personal information.
  • Small Business Exemption: In addition to the anticipated exemptions to the ADPPA (e.g., the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act), the ADPPA includes a limited exemption for businesses that for the prior three calendar years (or for the period in which the entity has been existence if less than 3 years) had (i) annual revenue of less than $41 million, (ii) did not collect or process the data of more than 100,000 individuals and (iii) did not derive more than 50% of its revenue from transferring personal information.

Ultimately, while the ADPPA represents another important step forward by signaling that compromise on the two key sticking issues of pre-emption and a private right of action is possible, the bill still has a long way to go before becoming law. With Senator Cantwell likely to introduce a competing bill and with the calendar where it is, it looks like the issue of federal privacy legislation may be left to a subsequent Congress.

McDermott's Global Privacy & Cybersecurity team is always keeping up with the latest changes in the legislative landscape and future-proofing our clients for changes to come. For assistance, please contact Amy Pimentel or David Saunders.

John Ying, a summer associate in the Atlanta office, also contributed to this article.

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From McDermott Will & Emery

On the Road Again: Alternative Designs May Impact Trade Dress Functionality Analysis

By Kavya Rallabhandi McDermott Will & Emery May 25 , 2023

The US Court of Appeals for the Sixth Circuit reversed and remanded a summary judgment ruling, finding that there were genuine disputes of material fact regarding whether the plaintiff’s alleged trade dress was functional and therefore excluded from trade dress protection.

Elevate the $: Geographic Isolation Helps Defeat Trademark Infringement Claim

By Kat Lynch McDermott Will & Emery May 25 , 2023

In a case between similarly named banks, the US Court of Appeals for the Tenth Circuit confirmed expert disclosure requirements, conducted a de novo likelihood of confusion analysis and ultimately upheld a finding of no trademark infringement.

First Circuit: Claim Preclusion Shouldn't Apply to Bar Claims Under VARA

By Hannah Cohen McDermott Will & Emery May 25 , 2023

Addressing for the first time whether federal res judicata law recognizes the alternative determinations doctrine, the US Court of Appeals for the First Circuit determined that a plaintiff’s claims under the Visual Artists Rights Act (VARA) were not precluded by a previous action in which she brought a federal copyright claim against the defendant.

More From Privacy

Processing Sensitive Personal Information under U.S. State Privacy Laws

By Zachary S. Schapiro Greenberg Traurig May 23 , 2023

As of now, nine states (CA, CO, CT, IA, IN, MT, TN, UT, and VA) have passed comprehensive privacy laws that are in effect (CA and VA), or are about to go into effect sometime soon (CO, CT, IA, IN, MT, TN, and UT).

Labor Department Releases New Guidance on Agency Enforcement of PUMP for Nursing Mothers Act

By Patricia Anderson Pryor Jackson Lewis P.C. May 19 , 2023

The U.S. Department of Labor Wage and Hour Division (WHD) has published guidance for agency officials responsible for enforcing the “pump at work” provisions of the Fair Labor Standards Act (FLSA), including those enacted under the 2022 Providing Urgent Maternal Protections for Nursing Mothers Act (PUMP Act).

Finding the Delta: Understanding the Differences in How State Privacy Laws Define Corporate Affiliates

By David A. Zetoony Greenberg Traurig May 15 , 2023

All modern privacy statutes regulate when personal information can be shared with third parties, whether those third parties are service providers, vendors, contractors, or business partners.

Featured Stories