ADPPA Examined, Part I



A modified 143-page “American Data Privacy and Protection Act” (ADPPA) (H.R. 8152) requires multiple editions of the Wavelength.


As the sponsors of ADPPA, three of the four so-called corners of the Commerce Committees in Congress, modify the package to keep stakeholders happy and onside, the bill has grown. Numerous tweaks have altered many of the details even if the basic framework remains the same.


The House Energy and Commerce Committee marked up and reported out a new version of ADPPA on 20 July. This article will begin the process of comparing the amended bill sent to the House with the version of ADPPA used at the 23 June subcommittee markup. There are significant changes, as one would expect from wide-reaching legislation, as the sponsors try to accommodate Members and external stakeholders.

ADPPA was amended at the 20 July markup. The following amendments were adopted, all by voice vote:

§ Lesko/Kuster expands the group of entities excluded from the “covered entities” (CE) definition, namely Congressionally designated non-profits that help missing and exploited children.

§ Trahan/Bucshon modifies and expands the permissible purpose on public and peer-reviewed research in Section 101(b).

§ Castor/Walberg adds a requirement to the privacy by design in Section 103 regarding “covered minors” (a new term in the 20 July version meaning those 16 and younger) that directs covered entities and service providers to mitigate privacy risks in reasonable and proportionate ways for this class of people.

§ McNerney/Curtis gives the Federal Trade Commission (FTC) notice and comment rulemaking authority to establish processes to help entities comply with Section 208’s data security and protection standards.

§ Carter/Craig expands the exemptions for small businesses from meeting requirements under the bill, including the appointment of privacy and data security officers for the smallest entities.

§ Hudson/O’Halleran re-adds Section 302 on service providers and third parties, which was in the 23 June version but not in Pallone and Rodgers’ revised ADPPA unveiled at the 20 July markup.

Only one amendment was voted on, and it was defeated:

§ Eshoo would delete the language preempting state privacy laws and use language very close to the provision in the “Financial Services Modernization Act of 1999” (P.L. 106-102) (better known as the Gramm–Leach–Bliley Act) that would allow states to legislate greater privacy protection so long as it is not inconsistent with ADPPA. This amendment was not agreed to by an 8-48 vote, with all seven California Democrats voting for it. There are no California Republicans on the committee.