ADPPA Examined, Part I (Free Preview)

ADPPA Examined, Part I (Free Preview)
Photo by Joshua Hoehne on Unsplash

We are sharing the same Other Developments, Further Reading, and Coming Events that went to subscribers last night. Subscribe today to get this content along with the entire title article.


A modified 143 page “American Data Privacy and Protection Act” (ADPPA) (H.R. 8152) requires multiple editions of the Wavelength.


As the sponsors of ADPPA, three of the four so-called corners of the Commerce Committees in Congress, modify the package to keep stakeholders happy and onsides, the bill has grown. Numerous changes and tweaks have changed many of the details even if the basic framework remains the same.


The House Energy and Commerce Committee marked up and reported out a new version of ADPPA on 20 July. This article will begin the process of comparing the amended bill sent to the House with the version of ADPPA used at the 23 June subcommittee markup. There are significant changes, as one would expect from wide-reaching legislation, as the sponsors try to accommodate Members and external stakeholders.

ADPPA was amended at the 20 July markup, and here are the amendments that were adopted all by voice vote:

§ Lesko/Kuster expands the group of entities excluded from the “covered entities” (CE) definition, namely Congressionally designated non-profits that help missing and exploited children.

§ Trahan/Bucshon modifies and expands the permissible purpose on public and peer-reviewed research in Section 101(b).

§ Castor/Walberg adds a requirement to the privacy by design in Section 103 regarding “covered minors” (a new term in the 20 July version meaning those 16 and younger) that directs covered entities and service providers to mitigate privacy risks in reasonable and proportionate ways for this class of people.

§ McNerney/Curtis gives the Federal Trade Commission (FTC) notice and comment rulemaking authority to establish processes to help entities comply with Section 208’s data security and protection standards.

§ Carter/Craig expands the exemptions for small businesses from meeting requirements under the bill including the appointment of privacy and data security officers for the smallest entities.

§ Hudson/O’Halleran re-adds Section 302 on service providers and third parties that was in the 23 June version but not in Pallone and Rodger’s revised ADPPA unveiled at the 20 July markup.

Only one amendment was voted on, and it was defeated:

§ Eshoo would delete the language preempting state privacy laws and use language very close to the provision in the “Financial Services Modernization Act of 1999” (P.L. 106-102) (better known as the Gramm–Leach–Bliley Act) that would allow states to legislate greater privacy protection so long as it is not inconsistent with ADPPA. This amendment was not agreed to by an 8-48 vote with all seven California Democrats voting for it. There are no California Republicans on the committee.

There were amendments offered and withdrawn, meaning the sponsors might try to get them folded into a new version that comes to the floor or seek to amend the bill on the floor:

§ Walberg would expand the list of provisions from which small businesses are exempted from meeting.

§ Hudson would expand the carveout for entities the Federal Communications Commission regulates.

§ Curtis would change the definition of “first party advertising or marketing” in a way that would narrow ADPPA’s restrictions on these practices to cover only covered entities and not any entity engaged in these activities.

§ Long would strike the language in Section 404 specifying that the California Privacy Protection Agency (CPPA) can enforce ADPPA.

Ultimately, ADPPA was reported favorably, as amended, to the House by a 53-2 vote with the pair of noes coming from Representatives Anna Eshoo (D-CA) and Nanette Diaz Barragán (D-CA). And yet, as analyzed in yesterday’s edition, Speaker of the House Nancy Pelosi (D-CA) said she will not bring ADPPA to the House floor without changes to the preemption language that will leave in place California’s privacy regime, and this, of course, endangers the bill, for many Republicans and many stakeholders in the technology field have made clear they will not accept a bill that does not preempt all state privacy laws. Having said all that, even if Pelosi was not blocking ADPPA, Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell (D-WA) continues to oppose the bill as drafted, meaning its prospects in the Senate are grim at present.

Subscribe to read the rest and for all the gated content.

Other Developments

The United Kingdom’s (UK) Information Commissioner’s Office (ICO) publisheddraft guidance on privacy-enhancing technologies (PETs) to help organisations unlock the potential of data by putting a data protection by design approach into practice.”

Australia’s eSafety Commissioner “issued legal notices” “to Apple, Meta (and WhatsApp), Microsoft (and Skype), Snap and Omegle under the Australian Government’s new Basic Online Safety Expectations, a key part of the Online Safety Act 2021” “requiring them to report on the measures they are taking to tackle the proliferation of child sexual exploitation material on their platforms and services.”

The United States (U.S.) Federal Trade Commission and six states filed a lawsuit “against rental listing platform Roomster Corp. and its owners John Shriber and Roman Zaks for allegedly duping consumers seeking affordable housing by paying for fake reviews and then charging for access to phony listings.” The agency explained it “and the states filed a proposed order against Jonathan Martinez—who allegedly sold Roomster tens of thousands of fake reviews—requiring him to pay $100,000 and cooperate in the FTC’s case against Roomster.”

The European Data Protection Board has published its Art. 65(1)(a) binding decision “following a dispute between the French DPA as the lead supervisory authority (LSA), and one of the concerned supervisory authorities (CSA), namely the Polish DPA, with regard to the amount of the fine against ACCOR SA, the controller, for their failure to respect the right to object to marketing activities and difficulties encountered in exercising the  right of access.”

United States (U.S.) Senator Bob Casey (D-PA) wrote Secretary of Labor Marty Walsh urging the Department “to take action on the emerging trend of invasive and exploitative surveillance technologies in workplaces across the U.S.”

The United States (U.S.) Federal Communications Commission announced that “it is ready to authorize $791,604,299 through the Rural Digital Opportunity Fund to six providers to fund new broadband deployments to over 350,000 estimated locations in 19 states.”

United States (U.S.) House Oversight and Reform Committee Ranking Member James Comer (R-KY) and House Judiciary Committee Ranking Member Jim Jordan (R-OH) “along with Republican lawmakers on both panels” wrote Meta CEO Mark Zuckerberg “about Facebook’s suppression of the allegations about the Biden family before the 2020 election,” namely “the New York Post’s explosive story about the contents of Hunter Biden’s laptop following guidance from the FBI.”

The United States (U.S.) Environmental Protection Agency (EPA) issued the Congressionally mandated “Technical Cybersecurity Support Plan for Public Water Systems.”

The European Data Protection Board has issued “some statistics on resources made available by Member States to the supervisory authorities (SAs) from the European Economic Area (EEA).”

Australia’s eSafety Commissioner released “a new four-year strategy outlining how the world’s first government online safety regulator will continue to protect Australians from all forms of online harm.”

Tweet of the Day

Further Reading

Big Tech’s $95 Million Spending Spree Leaves Antitrust Bill on Brink of Defeat” By Anna Edgerton and Emily Birnbaum — Bloomberg

Sen. Klobuchar says Big Tech money hasn’t stopped her antitrust push ... yet” By Sara Morrison — Recode

NTIA won’t have the broadband map it needs for BEAD until 2023” By Diana Goovaerts — Fierce Telecom

Internet service providers drop challenge of privacy law” By Patrick Whittle — Associated Press

How Kiwi Farms, the worst place on the web, was shut down” By Alex Hern — The Guardian

One year later, Apple’s privacy changes helped boost its own ads business, report finds” By Sarah Perez — Tech Crunch

Google brings Parler back to Google Play Store” By Sara Fischer — Axios

FTC Wants Zuckerberg to Seek Approval for Any Future Mergers” By Leah Nylen — Bloomberg

Home Affairs to review data harvesting by TikTok and WeChat” By Anthony Galloway — Sydney Morning Herald

Samsung says customer data stolen in July data breach” By Zack Whittaker and Carly — Tech Crunch

Walmart is facing a class action suit for allegedly violating an Illinois privacy law by using surveillance cameras and Clearview AI's facial recognition database” By Caroline Haskins — Business Insider

YouTube’s recommendations pushed election denial content to election deniers” By Nicole Wetsman — The Verge

SoftBank’s Arm Is Suing Qualcomm for Licensing and Trademark Violations” By Ian King — Bloomberg

Apple faces growing likelihood of DOJ antitrust suit” By Josh Sisco — Politico

Facebook parent settles suit in Cambridge Analytica scandal” — Associated Press

FBI says it ‘routinely notifies’ social media companies of potential threats following Zuckerberg-Rogan podcast” By Jared Gans — The Hill

U.S. and China reach landmark audit deal in boon for Chinese tech companies” By Scott Murdoch, Xie Yu, Samuel Shen and Michelle Price — Reuters

US Commerce Chief’s Agenda Reveals Amazon, Apple CEO Meetings” By Emily Birnbaum — Bloomberg

Tech Companies Slowly Shift Production Away From China” By Daisuke Wakabayashi and Tripp Mickle — New York Times

Private equity piles into data centers” By Dan Primack — Axios

Google Defends Meta Deal, Ad Tech Empire From Antitrust Threat” By Leah Nylen — Bloomberg

Microsoft Challenges Intelligence Agency's $1B Task Order to Amazon” By Nick Wakeman — Nextgov

Robotext onslaught” By Erica Pandey — Axios

A ‘high severity’ TikTok vulnerability allowed one-click account hijacking” By Corin Faife — The Verge

Tech tool offers police ‘mass surveillance on a budget’” By Garance Burke and Jason Dearen — Associated Press

Coming Events

§ 8 September

o   The United States (U.S.) Federal Trade Commission (FTC) is “hosting a public forumregarding its Advanced Notice of Proposed Rulemaking (ANPR) on commercial surveillance and data security practices.”

§ 12 September

o   The European Data Protection Board will hold a plenary meeting.

§ 13 September

o   The European Data Protection Board will hold a plenary meeting.

§ 29 September

o   The United States (U.S.) Federal Communications Commission (FCC) will hold an open meeting.

§ 10 October

o   The European Data Protection Board will hold a plenary meeting.

§ 11 October

o   The European Data Protection Board will hold a plenary meeting.

§ 19 October

o   The United States (U.S.) Federal Trade Commission (FTC) will hold a virtual event“to examine how best to protect children from a growing array of manipulative marketing practices that make it difficult or impossible for children to distinguish ads from entertainment in digital media.”

§ 26 October

o   The United States (U.S.) Information Security and Privacy Advisory Board (ISPAB) will hold a meeting.

§ 27 October

o   The United States (U.S.) Information Security and Privacy Advisory Board (ISPAB) will hold a meeting.

§ 1 November

o   The United States (U.S.) Federal Trade Commission (FTC) will hold PrivacyCon.

Photo Credits

Photo by hao wang on Unsplash

Photo by nick on Unsplash

Photo by Joel Mbugua on Unsplash

Photo by Clem Onojeghuo on Unsplash

Photo by Luca Bravo on Unsplash

Photo by Vinicius "amnx" Amano on Unsplash

Photo by Victor on Unsplash