In May 2022, the U.S. Congress introduced the American Data Privacy and Protection Act (ADPPA), which was amended and passed on for a House floor vote shortly thereafter.

While the bill is still a work in progress, companies managing data should take notice of the scope and requirements that could become federal law in the near future. Not unlike the existing and upcoming state laws, the federal bill has several requirements that will impact how companies can collect, process and share data, as well as what mechanisms they need to put in place to accommodate these requirements.

Below is a summary of the proposed bill’s impact:

Whom does it apply to?

  • Companies (including nonprofits and common carriers) that handle personal data, including information that identifies or can be reasonably linked to an individual.

What is covered?

  • The collection, processing and transfer of personal data reasonably necessary to provide a requested product or service or other specified circumstances.

What are the key provisions? 

  • Established consumer data protections, including the right to access, correct and delete personal data. 
  • Prohibits companies from transferring individuals’ personal data without their affirmative express consent.
  • Companies are required to provide individuals with a means to opt out of targeted advertising.
  • The bill additionally protects personal data of individuals under the age of 17 and is prohibiting companies from discrimination based on specified protected characteristics when using personal data.
  • Companies are required to implement security practices to protect and secure personal data against unauthorized access.

How would it be enforced?

  • Initially: The FTC and state attorneys general would enforce the above requirements. 
  • Four years following the bill’s enactment: Individuals may bring civil actions for violations of the bill, following certain notification requirements.

How will it impact the existing state laws?

  • The bill preempts state laws that are covered by the provisions of the bill with certain exceptions, e.g. certain categories of state laws and specified laws in Illinois and California.

The proposed U.S. Federal Law sets a much lower data protection standard for U.S. data subjects than the EU’s General Data Protection Regulation (GDPR) by lacking:

  • Supervision by an impartial entity
  • Judicial compensation for data subjects
  • Necessity-based data processing restrictions
  • Protections from U.S. government surveillance

Below is a high-level outline of the areas covered in the proposed bill:

Consumer Data Rights

  • Unified Opt-Out Mechanism
  • Data Subject Rights & Awareness
  • Individual data ownership and control
  • Private Right of Action
  • Civil rights protections and algorithms
  • Data security and protection of covered data
  • Small business protections

Duty of Loyalty

  • Data Minimization/Prohibited Data Usage
  • Privacy by Design

Corporate Accountability

  • New Bureau of Privacy
  • Privacy Officer requirements
  • Technical compliance programs
  • Executive responsibility
  • Service providers and third parties

For a full version of the proposed ADPPA bill, please visit:

https://www.congress.gov/bill/117th-congress/house-bill/8152