Author

Alison Pepper

4A's EVP of Government Relations & Sustainability

Topic

  • Government Relations
  • Legislation
  • Privacy Law

On July 20, the House Energy and Commerce Committee voted 53-2 to advance a revised version of the American Data Privacy and Protection Act (ADPPA) (H.R. 8152) to the House floor. The latest version of the bill includes several changes to the previous version that was advanced out of the subcommittee earlier this summer. Additional bipartisan amendments were also approved during the committee vote.

During the hearing, several lawmakers from California voiced concerns about how the federal bill could undermine protections from the state’s data privacy law. Reps. Anna Eshoo (D-Calif.) and Nanette Diaz Barragán (D-Calif.) were the only votes against advancing the bill.

Notable changes included in the current version of the ADPPA include:

  • Children’s Privacy
    • The ADPPA bans targeted ads to and treats all information relating to individuals under 17 as sensitive covered data; however the latest version of the bill creates a tiered approach to what constitutes“knowledge” that an individual is under 17:
      • Constructive Knowledge (knew or should have known) applies to “Covered High-Impact Social Media Companies” with platforms primarily used by individuals for user-generated content, at least $3 billion in annual revenue, and 300 million monthly active users for 3 of the prior 12 months.
      • Knew or Acted in “Willful Disregard” of an individual’s age applies to all Large Data Holders, including service providers.
      • Actual Knowledge applies to the remaining smaller covered entities and service providers.
    • Covered entities that do not meet the ADPPA’s small business requirements in Section 209 would be required to consider the developmental needs of different age ranges of covered minors.
  • Sensitive Data: The scope of video data considered sensitive covered data is clarified to include information showing the video content requested or selected by users of consumer-generated media. The categories of sensitive covered data are expanded to to include internet browsing history over time and across third party websites or online service.
  • Private Right of Action: Private enforcement begins two years after the effective date, not four years as it was in the previous bill version. New provisions add clarity that private suits do not limit the ability of the FTC or state enforcement agencies from later commencing an action or intervening in an action. In addition, very small businesses – those who have an annual revenue of less than $25 million, engage with the covered data of less than 50,000 individuals, and earn less than half their revenue from transferring covered data – are no longer subject to private enforcement.
  • Right to Cure: The limited right to cure has been clarified to apply to individual claims rather than entire suits and to require the entity being sued to show a court it has cured the alleged violation.
  • Data Security: In consultation with NIST, the bill gives the Federal Trade Commission (FTC) authority to promulgate technology-neutral regulations to establish processes for compliance with Section 208, the “Data Security and Protection of Covered Data” section.
  • Enforcement Authority: The California Privacy Protection Agency is now expressly included as a State Privacy Authority with the power to enforce the Act with respect to the State of California.
  • First Party Marketing:  The definition of “third party” now clearly establishes that affiliated companies are considered a single covered entity if consumers reasonably expect them to share information with one another.
  • Global Privacy Control: The FTC may now establish or recognize unified opt-out mechanisms, including tools offered by businesses, to allow individuals to exercise their opt-out rights from targeted ads, transferring covered data to third parties, and deleting data held by and preventing future collection by data brokers. Additional requirements on these mechanisms also ensure consumers and businesses can effectively use and comply with the requirements.
  • Privacy Impact Assessments: All entities that do not meet the small and mid-size criteria rather than just large data holders must now conduct annual privacy impact assessments.
  • Reporting: All large data holders must annually compile and publicly disclose metrics of requests and responses from individuals exercising their rights to access, delete, and opt-out of data transfers and targeted advertising.
  • Small Business: Covered entities that do not meet the ADPPA’s small business requirements in Section 209 would be exempt from having a dedicated privacy and data security officer.
  • Service Providers and Third Parties: 
    • Service Providers: Requires service providers to enter into contracts with covered entities containing specific terms, assist covered entities in responding to individual requests, make available information necessary to demonstrate compliance with the ADPPA to covered entities upon their reasonable request, and delete or return all covered data at the covered entity’s direction, in addition to other obligations.
    • Third Parties: Prohibits third parties from processing third party data that is sensitive covered data for a purpose other than the processing purpose for which the individual gave affirmative express consent. For third party data that is non-sensitive covered data, third parties would be prohibited from processing such data for a purpose other than the processing purpose the covered entity disclosed pursuant to Section 202.

Due to significant concerns regarding preemption, the inclusion of a private right of action, and operational standards, the 4As along with other privacy thought leaders from the advertising industry sent a letter to House lawmakers vehemently opposing the advancement of the bill in its current form. 

If passed, it’s unclear what the ADPPA’s chances are in the Senate. Senator Cantwell (D-WA), Chairwoman of the Senate Commerce, Science, and Transportation Committee, has objected to this bill in past iterations, particularly as it relates to issues of forced arbitration. It’s unclear if the myriad of changes the bill has undergone in the past few weeks satisfies her concerns. 

A House vote on the ADPPA could come as early as before the August recess, which begins August 1. While there are currently no plans for the ADPPA to be seriously considered in committee in the Senate, the Senate Commerce Committee will hold a markup on Wednesday, July 27 of the Kids Online Safety Act and the Children and TeensOnline Privacy Protection Act.

For questions regarding the ADPPA or ongoing developments related to a federal privacy bill in the Senate, please contact Alison Pepper

 

Related Posts

View All Posts
A person in a red suit speaks at a podium with a microphone, facing an audience seated at round tables in a bright, modern conference room with large windows.

04/23/2025

Arkansas Legislation Addresses AI-Generated Content Ownership and Publicity Rights

Learn More
A bald man in a gray blazer writes notes during a conference. He is surrounded by people seated at tables. The atmosphere is focused and professional.

03/05/2025

White House Seeks Public Comment on U.S. AI Strategy

Learn More
A woman in a blue sweater speaks into a microphone during a meeting or conference. She is seated at a table with a cup of coffee and a smartphone in front of her. Other attendees are seated nearby, listening attentively.

03/05/2025

Oklahoma Bill Introduced to Broadly Ban DTC Pharmaceutical Advertising

Learn More
View All Posts