A bipartisan bill is making the rounds in Congress that would constitute the largest privacy and data protection legislation in US history. To date, such legislation has been left to the states, with states like California’s Consumer Privacy Act and Virginia’s Consumer Data Protection Act taking the lead. If passed, the American Data Privacy Protection Act (“ADPPA”), which represents the farthest a privacy bill has gone at the federal level, would have significant implications for businesses. But it still has a ways to go.
The ADPPA includes some significant provisions and changes to the state-level laws that have already passed to date. For one, the categories of data potentially covered by the bill are broad, similar to the EU’s General Data Protection Regulation (“GDPR”) and includes any identifying, linked, or reasonably linkable to either an individual or a device linkable to an individual. Moreover, the definition in the bill of “covered entities” (those entities subject to the bill) includes “any entity that collects, processes, or transfers covered data and is subject to the jurisdiction of the FTC, including nonprofits, and telecommunications common carriers. Whether the full breadth of the current version of the bill makes it through revisions and debate on the House and Senate floors remains to be seen.
In fact, whether the bill even makes it to the House floor is currently uncertain. As mentioned, one of the most prominent states to implement their own data privacy law is California. Representatives and leaders from California have expressed concern that the current version of the ADPPA does not go far enough in providing the same levels of protection as the various data privacy laws currently in place in California. California representative and Speaker of the House Nancy Pelosi issued a statement on September 1, 2022, expressing those same concerns and the need for the Energy and Commerce Committee to continue to work on a bill that adequately provides for those protections. With the Speaker also controlling which bills make it to the House floor, it would appear that, in its current form, the bill may be stalled.
The timing is significant. As more states pass their own privacy laws – California, Connecticut, Colorado, Utah and Virginia – and several more with legislation pending in their respective state legislatures, there is concern what impact the hodgepodge of respective laws may have on the consumers and businesses in an ever-increasing digital world.