On June 14th, the U.S. House Energy and Commerce Committee held a hearing on the newly proposed federal privacy law, called the American Data Privacy and Protection Act (“ADPPA”). ADDPA is presently not an official bill, just a discussion draft. Still, the Committee Members (on both sides of the aisle) all voiced support for ADDPA and for national standards for data privacy. ADDPA also has bipartisan support in the Senate, making it perhaps the federal privacy bill with the strongest chance of becoming law.
What is Congress’ focus in the federal privacy law?
Committee Members at the ADDPA hearing agreed on the desperate need for a national set of “rules of the road” for data privacy. They also agreed that those rules should be consumer-focused, without overburdening small and medium-sized businesses. Three points of emphasis stood out at the hearing:
- The need for privacy policies and notices to be written in plain English and in easily understandable language;
- How expansive ADDPA’s preemption provisions should be; and
- The scope of the private right of action.
Plain English privacy. Members on both sides of the aisle lamented how complicated and incomprehensible many company privacy policies can be. Their chief concern centers around the average consumer’s inability to understand exactly what s/he is agreeing to in sharing her/his personal data. Some privacy policies are long documents, written in legalese and often difficult for everyday people (and even lawyers) to fully understand. In the Committee’s opinion, a consumer cannot give informed consent for data sharing without simple, straightforward privacy policies and notices that detail sharing parameters.
How much preemption. If and when Congress passes a nationwide law, it may include a provision that preempts, or overrides, any state law on the same subject. Many states have passed their own privacy laws in the absence of federal regulation, including California, Colorado, Connecticut, Virginia, and Utah. The ADDPA discussion draft includes a compromise on preemption: the ADDPA would preempt many state laws, but a long list of exceptions is included. Some interested parties want full preemption to make compliance much simpler; others want to maintain some state privacy laws that offer consumers stronger protections than the ADDPA might.
When can consumers sue. Another sticking point that the hearing addressed is the scope of the ADDPA’s private right of action. In the draft, the ADDPA allows for a limited private right of action through the following process:
- The aggrieved consumer first submits the claim to the Federal Trade Commission (“FTC”) and the applicable state Attorney General;
- If the FTC or state AG declines to prosecute, then the consumer’s right to sue begins after a 45-day period in which the subject company may cure the alleged violation;
- If a consumer does sue the offending company, her/his damages are limited to actual damages and attorney fees spent litigating the ADDPA claims.
Please note that this process is a departure from similar private rights of action included in other consumer protection statutes, such as the Telephone Consumer Protection Act (“TCPA”). With respect to the TCPA, a plaintiff can sue directly and can recover statutory damages of $500-1,500 per violation. Limiting the private right of action the way ADDPA does is a compromise between no private right and the sometimes abused private rights of action contemplated by other consumer-protection statutes, such as the TCPA. Overall, Members appear to be struggling to balance consumer rights with the burdens (on mostly small and medium-sized businesses) that these types of lawsuits can impose.
Why does the ADDPA matter to your business?
The ADDPA represents a strong first step toward adopting a federal privacy law. The benefits of such a measure are clear: a single set of rules that all businesses can follow, offering a level of predictability and compliance efficiency sorely lacking with the present statutory regime. Some businesses could spend tens of thousands of dollars per year to comply with the five state privacy laws that will be in effect next year. While these five laws have overlap, the burdens each place on businesses (especially businesses relying on personal data collection) can be enormous.
While the ADDPA is not a cure-all (it is not a bill yet, much less a law), this federal-level effort does show significant progress. No law is perfect, but this bipartisan and bicameral proposal would positively impact the U.S. privacy landscape.
Hire experienced privacy attorneys.
Even if Congress passes the ADDPA, it will be some time before a federal privacy law would go into effect. Regardless of the proposal’s fate, businesses still need to navigate the present state privacy law waters. Checking all the privacy compliance boxes across five states will take significant time and require real expertise. Hiring experienced data privacy attorneys can take that burden off your to-do list. The attorneys at Klein Moynihan Turco have years of experience in all things privacy law, and can help your business stay compliant in a rapidly changing sector.
If you need assistance with updating your website’s Privacy Policies and/or preparing for 2023’s new privacy laws, please email us at info@kleinmoynihan.com or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice nor is it a substitute for seeking legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Photo by Towfiqu barbhuiya on Unsplash
Attorney Advertising
Similar Blog Posts:
Privacy Policies for Websites and Mobile Applications