June 07, 2022

Lawmakers Unveil Draft Version Of The American Data Privacy And Protection Act


With time running out in this US Congress, and with midterms around the corner, a bipartisan group of legislators is making what may be a last-gasp attempt at a federal privacy law compromise. On June 3, 2022, House Energy and Commerce Committee Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS) released a draft of a new comprehensive federal privacy bill, the American Data Privacy and Protection Act (ADPPA). Notably absent from this list of potential sponsors is Sen. Maria Cantwell (D-WA), Chair of the Senate Commerce Committee, who had been given the OK by Sen. Chuck Schumer (D-NY) to attempt to pass federal privacy legislation. Shortly after its release, Senator Cantwell criticized the ADPPA and signaled that she had her own competing proposal. Senator Cantwell's position, plus the absence of any California Representative or Senator, signals that the ADPPA is likely destined to stall on the Hill like each of its predecessors.

Nonetheless, with the steady drip of new state consumer privacy laws, many businesses are growing anxious and waiting for action at the federal level, so the ADPPA is noteworthy. This On the Subject highlights several notable features of the ADPPA beyond the anticipated consumer rights of access, correction, deletion and portability. We will start with a look at the private right of action and pre-emption in the ADPPA, as those have traditionally been the sticking points in the federal privacy law debate.


  • Limited private right of action: Beginning four years after the ADPPA's effective date, individuals and classes will gain a private right of action, but it is a circumscribed right. Notably, there are no statutory damages. While a successful plaintiff can still recover attorneys' fees, plaintiffs are only permitted to seek injunctive or compensatory damages. The lack of statutory damages may serve to dampen the plaintiffs' bar's interest in bringing ADPPA cases in the first instance. A further deterrent to the private right of action is the set of procedural prerequisites to suit. First, the allegedly aggrieved person will have to give notice to the Federal Trade Commission (FTC) and their relevant state Attorney General of the alleged wrong to see if either regulator wants to pursue the action. Absent action by these regulators, the allegedly aggrieved person must then give notice to the prospective defendant and give them 45 days to cure the alleged harm before filing suit.
  • Federal pre-emption with more than some carve-outs: One of the things that businesses are looking for in a federal privacy bill is strong state pre-emption so that businesses can focus on complying with one law and related regulations. The ADPPA creeps closer to that objective, but not by much. There is a broad statement of pre-emption of state laws, but then that pre-emption is effectively gutted by a page-and-a-half long list of state laws that are not pre-empted, including California's California Consumer Privacy Act (CCPA) and Illinois' Biometric Information Privacy Act (BIPA).
  • Broad Definition of "Sensitive" Data: The ADPPA would categorize a large swath of information as "sensitive" that may not immediately come to mind as being particularly sensitive. For example, "information identifying an individual's online activities over time or across third party websites or online services." In effect, this is cookie data. This definition, paired with an affirmative opt-in obligation for the collection of "Sensitive" data, means that the ADPPA would bring many of the requirements of Europe's ePrivacy Directive to the United States.
  • Proscriptive Duty of Loyalty: While the ADPPA's "duty of loyalty" is not the same kind of fiduciary duty that other legislators have attempted to introduce, it is nonetheless quite prescriptive, including a list of eight practices that businesses should not engage in, ranging from the collection and use of Social Security numbers to the transfer of aggregated internet search or browser histories.
  • Targeted Marketing: Similar to other privacy legislation, the ADPPA would require that businesses allow opt-outs from targeted marketing, including intra-corporate family targeted marketing. The ADPPA would also prohibit the delivery of targeted marketing to anyone under the age of 17.
  • Third-Party Collectors Registration: The ADPPA would require third parties who collect information about consumers, but who lack direct contact with that consumer, to file registration and offer certain public disclosures about their practices.
  • Executive Responsibility: Beginning one year after the ADPPA becomes effective, the chief executive officer, the chief privacy officer and the chief information security officer of what the ADPPA defines as "large data holders" would have to certify compliance with the ADPPA to the FTC. This puts these individuals in direct line for potential liability if their company does not, in fact, comply with the ADPPA. A large data holder is an entity that has annual gross revenues of $250 million or more and collects or transfers the personal information of five million or more individuals or devices or the sensitive data of 100,000 individuals or devices.
  • Impact Assessments and Algorithms: Impact assessments would be required for a number of processing activities under the ADPPA, including with respect to any algorithm of a large data holder that uses personal information.
  • Small Business Exemption: In addition to the anticipated exemptions to the ADPPA (e.g., the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act), the ADPPA includes a limited exemption for businesses that for the prior three calendar years (or for the period in which the entity has been in existence if less than 3 years) had (i) annual revenue of less than $41 million, (ii) did not collect or process the data of more than 100,000 individuals and (iii) did not derive more than 50% of its revenue from transferring personal information.

Ultimately, while the ADPPA represents another important step forward by signaling that compromise on the two key sticking issues of pre-emption and a private right of action is possible, the bill still has a long way to go before becoming law. With Senator Cantwell likely to introduce a competing bill and with the calendar where it is, it looks like the issue of federal privacy legislation may be left to a subsequent Congress.

McDermott's Global Privacy & Cybersecurity team is always keeping up with the latest changes in the legislative landscape and future-proofing our clients for changes to come. For assistance, please contact Amy Pimentel or David Saunders.

John Ying, a summer associate in the Atlanta office, also contributed to this article.

