By Ryan Johnston
As billions of federal dollars are invested into bringing disconnected households online, the amount of user-generated data will exponentially increase. Advocates across the country are working to help communities devise and implement broadband plans. They must also build an understanding of how evolving privacy standards can impact the residents, businesses, and organizations they are working to connect.
Significant privacy legislation touches more than just a user’s data; it could also impact the entire landscape of how broadband is deployed, adopted, and used. New controls over online-generated data could necessitate adjustments to digital literacy training benchmarks. Additionally, ever-increasing incentives to collect or monetize user data should be factored into local broadband adoption plans.
For years Congress has tried to pass comprehensive federal privacy legislation. While several states have succeeded in doing so, there has yet to be a federal law protecting consumer data writ large. However, that may change soon. On June 21, 2022, the House Energy and Commerce Committee introduced the American Data Privacy and Protection Act (ADPPA). This Act will empower the Federal Trade Commission (“FTC”) to set rules for the policies and procedures covered entities must put in place to protect consumer data and take enforcement actions against those who violate them.
The bill would create a comprehensive federal consumer privacy framework that would apply to any entity subject to the jurisdiction of the FTC, including nonprofits and telecommunications common carriers that collect, process, or transfer covered data. There is a specific carve-out for government entities at the federal, state, and local levels. This means that any governmental entity, such as a body, authority, board, bureau, commission, district, agency, or political subdivision of the federal, state, or local government, or any person or entity that is collecting, processing, or transferring data on behalf of a federal, state, local, tribal, or territorial government, is not bound by the provisions of the ADPPA.
The Act also specifies that there are two types of covered data. The first is data that identifies, is linked to, or is reasonably linkable to an individual or a device linkable to an individual. This includes data that is derived, and uniquely identified, but does not include de-identified data, employee data, or data that is publicly available.
The second is “sensitive covered data.” This data is any information related to individuals under the age of 17. It also includes data on government-issued identifiers not required to be displayed in public, such as Social Security numbers, passport numbers, health information, financial account information, biometrics, and geolocation, to name a few. Notably, the ADPPA grants the FCC rulemaking authority to include additional categories within the definition of sensitive covered data.
Title 1: The Duty of Loyalty
Title One of the Act lays out the duty of loyalty that covered entities have to help prevent harmful uses of particular data, including sensitive data. If a covered entity is found to be collecting or processing covered data, the ADPPA would require that entity not to collect, process, or transfer covered data beyond what is reasonably necessary, proportionate, and limited to provide the products and services requested by the individual. In other words, covered entities need to minimize the data they collect. Additionally, it would be the FTC’s responsibility to issue guidance on the definition of “reasonably necessary, proportionate, and limited.”
Further, covered entities would be required to implement reasonable policies, practices, and procedures for collecting, processing, and transferring covered data. These policies and practices should take into account the risks posed by the covered entity’s uses of the data and by what is collected. The FTC is also responsible for issuing guidance on acceptable policies and practices.
Title 2: Built-In Consumer Data Rights
Title Two outlines the consumer rights baked into the ADPPA. It recognizes a consumer’s right to understand the protections afforded to them under the Act. To that end, within 90 days of enactment, the FTC would be required to create a web page that hosts a plain language description of the ADPPA and advises individuals and covered entities of their rights. Additionally, covered entities would need to revise their privacy policies to detail the processing, transfer, and security activities in a readily understandable manner. It is important to note that this is a departure from the current standard that requires privacy policies to be truthful, but not understandable.
What’s more, if passed, the ADPPA would give individuals a right to access, correct, delete, and transfer the covered data that pertains to them. Users would also have the right to export their covered data in a portable format. However, this would not be required if it would be technologically infeasible or if a covered entity could not verify the user’s identity. The FTC would also be responsible for promulgating rules that establish how covered entities are to comply with these responsibilities.
Covered entities would not be permitted to collect sensitive data without the express consent of the individual it pertains to. Additionally, covered entities would need to give users easy-to-understand and usable means to provide and withdraw consent. For individuals under the age of 17, targeted advertising is expressly prohibited if a covered entity has actual knowledge the individual is under 17. This provides a certain level of protection for covered entities with respect to unauthorized users under the age of 17. However, it may incentivize covered entities to turn a blind eye to the age of their users.
The ADPPA also requires covered entities to collect and process covered data in ways that do not discriminate based on race, color, religion, national origin, sexual orientation, or disability. The ADPPA also requires large data holders that use algorithms to collect and parse information to assess their algorithms and submit annual algorithmic impact assessments to the FTC. These assessments must describe the steps covered entities have taken or will take to mitigate any algorithm-based harms. If a covered entity wishes to use an algorithm, algorithmic evaluations are required at the design phase and must evaluate any training data used to develop the algorithm. As with the other sections of the ADPPA, the FTC will publish guidance regarding compliance. In addition, the Commerce Department and FTC must conduct a study to review submitted algorithmic impact assessments.
Data security and protection measures are also contained within the ADPPA. Covered entities must implement and maintain data security practices that protect covered data against unauthorized use and acquisition. The FTC would be responsible for determining, on a case-by-case basis, whether a covered entity’s protections are reasonable. The ADPPA lays out the specific requirements that covered entities must meet to assess vulnerabilities and evaluate their systems.
Currently, there is no centralized opt-out mechanism contained in the ADPPA. However, the FTC is required to undertake a study to determine the feasibility of creating this centralized opt-out. If the FTC finds it would be feasible, it must promulgate regulations establishing such a mechanism.
Title 3: Accountability
Title Three of the bill sets forth the corporate accountability provisions. These provisions will require CEOs or corporate privacy officers to certify annually that their company maintains compliance with the Act. Large data holders will also be required to conduct privacy impact assessments to weigh the benefits of their data collection practices against the potential consequences to individual privacy.
The bill also considers the role of third parties and service providers and how they handle covered data on behalf of covered entities. Third parties and service providers may only collect or process covered data for the purposes that the covered entity has directed, and they are prohibited from transferring data without the affirmative consent of the individual to whom it pertains. In addition to the rules the FTC must promulgate under this section, it will also be required to publish a report on digital content forgeries. The report will describe and assess digital content forgeries and identify strategies to combat them.
Title 4: How the ADPPA Will be Enforced
The ADPPA would mandate that the FTC establish a new bureau to carry out its responsibilities under the Act. In addition, violations of the Act shall be treated as violations of a rule defining an unfair or deceptive act or practice under the FTC Act. A relief fund for victims of violations of the ADPPA will also be created if the bill passes. Any award obtained by the FTC or Department of Justice will be deposited into the fund and then distributed by the FTC.
State attorneys general and chief consumer protection enforcement officers may also bring cases in federal court for injunctive relief and may obtain monetary damages against covered entities for violating the ADPPA. The bill also provides that the FTC shall retain the right to intervene in this litigation upon receiving the required notice. Once the FTC has initiated an enforcement action, state litigation becomes prohibited. The ADPPA would preempt state laws unless they are specifically named in the Act.
Finally, four years after the enactment of the ADPPA, individuals may bring civil actions in federal court seeking damages or injunctive relief against covered entities violating the ADPPA. Individuals would be required to notify the FTC and their state’s attorney general of their intent to sue. Agencies then have 60 days to determine whether they wish to bring suit. Covered entities are provided a 45-day window from the time they receive notice of the provisions they have allegedly violated to cure them.
Allowing individuals and state governments to help enforce the ADPPA ensures that consumers are not waiting for the FTC to receive a critical mass of complaints before taking action.
There is still a long way to go to see the ADPPA make it to the President’s desk. The importance of establishing a federal privacy standard cannot be overstated. A federal standard sets a critical policy floor that ensures that all consumers are protected and gives states the opportunity to increase protections for their residents.