The Consensus Data Privacy Bill Changed (Free Version)

The Consensus Data Privacy Bill Changed (Free Version)
Photo by Bernard Hermant on Unsplash

Again, today we are sharing the same Other Developments, Further Reading, and Coming Events that went to subscribers last night. Subscribe today to get this content along with the entire title article.


ADPPA was both weakened and strengthened.


The House Energy and Commerce Committee started marking up a revised version of the “American Data Privacy and Protection Act” (ADPPA) (H.R. 8152) (see here for more detail and analysis of the discussion draft.) Next the bill goes to the full committee, and further changes are likely at every step of the process should it continue to the House floor and then the Senate. It is hard to characterize the changes in a few words other than saying it is clear that stakeholders from all sides contributed substantially to the changes.


The revised ADPPA makes the bill more industry friendly in a number of places but also changes the bill in some ways that privacy and civil liberties advocates will like. Yesterday, we covered the markup of the revised ADPPA, and today we will look at the bill’s changes.

As noted yesterday, a notable change that has still not been folded into the package is the restoration of the Federal Trade Commission’s (FTC) historical Section 13(b) authority the Supreme Court of the United States struck down in AMG Capital Management, LLC v. FTC. This may be a bargaining tactic to get Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell (D-WA) onboard given that her committee recently marked up a bill to give the agency back these long used powers (see here for more detail and analysis on Cantwell’s Section 13(b) bill.)

The first major change to the operation of the new privacy regime is the addition of “permissible purposes” to Section 101”s data minimization requirements. To be fair, this is cosmetic to a degree because the drafters have merely moved and renamed the exceptions that were in Section 209 of the draft, and these were the by now de rigueur exceptions to all the rights people would gain and all the obligations covered entities must meet. The basic responsibility to minimize data collection, processing, and transfer remains the same, but now covered entities and service providers may freely collect, process, and transfer covered data regardless of consent for one of these permissible purposes (more on the purposes below.) And so, the substance has not changed, but the nomenclature has. Hence covered entities and service providers are not using an exception (aka a loophole) but rather are using a Congressionally permitted purpose. The change in language reframes the parameters and operation of the bill in a way that is more palatable to the public and will sound better coming out of the mouths of industry representatives justifying their maximizing their usage as much as possible. Incidentally, this is the first of a number of instances where service providers are made to meet the same responsibilities as covered entities.

As for the exceptions/permissible purposes themselves, there are new purposes. The first is “to authenticate users of a product or service.” This seems reasonable and useful given the ongoing challenges of fending off hackers that use tricks to gain access to people’s accounts. The next pertains to communications between individuals at the behest of an individual in the communication. The third new purpose “to process such data as necessary to provide first party marketing or advertising of products or services provided by the covered entity.” First party marketing and advertising are not defined in the bill, but it appears to encompass an entity’s advertising tailored to a person based on the person’s direct interaction with the entity. For example, if I frequent Dick’s Sporting Goods looking at baseball equipment, the sports store may show me ads for such gear or maybe ads for tickets to the local baseball team’s games. However, a fair reading of the new definition of “targeted advertising” might include first party marketing, and ADPPA gives people the right to opt out of targeted advertising, raising the question how first party advertising could be a permissible purpose? This is an issue the drafters will need to address.

Subscribe to read the rest of the analysis of how ADPPA changed between the discussion draft and the version marked up a few weeks ago.

Other Developments

A British appeals court upheld a regulator’s order to Meta to sell off Giphy, a deal which the Competition and Markets Authority investigated and ordered unwound after the merger had closed. Meta may appeal further.

The European Data Protection Board adopted a number of documents at its plenary meeting in June: Guidelines on certification as a tool for transfers; EDPB response to EDRi regarding the structural and procedural enforcement of the GDPR and its work to promote and safeguard data protection; EDPB response to the European Commission's targeted consultation on a digital euro; and “an Art. 65 dispute resolution decision concerning Accor SA.”

The United Kingdom’s (UK) Information Commissioner’s Office (ICO) “set out a revised approach to working more effectively with public authorities…outlined in an open letter from the UK Information Commissioner John Edwards to public authorities, will see use of the Commissioner’s discretion to reduce the impact of fines on the public sector, coupled with better engagement including publicising lessons learned and sharing good practice.”

The United States (U.S.) Department of Justice (DOJ) “entered into a settlement agreement resolving allegations that Meta Platforms, Inc., formerly known as Facebook, Inc., engaged in discriminatory advertising in violation of the Fair Housing Act (FHA)” the agency stated.

In a recently decided case, the Court of Justice for the European Union (CJEU) found that “[i]n the absence of a genuine and present or foreseeable terrorist threat to a Member State, EU law precludes national legislation providing for the transfer and processing of the PNR data of intra-EU flights and transport operations carried out by other means within the European Union” according to a summary.

The Office of the Privacy Commissioner of Canada and “several international data protection and privacy regulators” published “guidance on “credential stuffing attacks”, to combat a significant and growing global cyber threat to personal information.”

The United States (U.S.) Department of Energy published a “National Cyber-Informed Engineering (CIE) Strategy” that “seeks to guide energy sector efforts to incorporate cybersecurity practices into the design life cycle of engineered systems to reduce cyber risk.”

United States (U.S.) Secretary of Commerce Gina Raimondo “met with the Advisory Committee on Supply Chain Competitiveness (ACSCC) to receive updates, hear recommendations, and gather additional feedback on supply chain-related issues” per the agency’s press release.

The European Commission welcomed “the publication of the strengthened Code of Practice on Disinformation…[and] [t]he 34 signatories, such as platforms, tech companies and civil society followed the 2021 Commission Guidance and took into account the lessons learnt from the COVID19 crisis and Russia's war of aggression in Ukraine.”

In a new position paper, the Australian Communications and Media Authority (ACMA) “called on broadcasters and other professional content providers to address the expectations of today’s audiences — no matter how they read, watch and listen to content.”

United States (U.S.) Senators Elizabeth Warren (D-MA), Cory Booker (D-NJ), and Ron Wyden (D-OR) wrote “BetterHelp and Talkspace, two leading mental health apps, expressing deep concerns about the companies’ use of patients’ personal health data and requesting more information about their data sharing and privacy practices.”

The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport (DCMS) issued a policy paper “UK's Digital Strategy” that aims to make the UK “the best place in the world to start and grow a technology business.”

The European Commission announced that “[t]he Consumer Protection Cooperation (CPC) Network, endorsed 5 key principles of fair advertising towards children that were established by representatives from both consumer and data protection authorities during the European Year of Youth 2022.”

The European Union’s General Court annulled “the Commission decision imposing on Qualcomm a fine of approximately €1 billion” due to a number of “procedural irregularities” according to a summary.

United States (U.S.) House Financial Services Committee Ranking Member Patrick McHenry (R-NC), “released a discussion draft of new legislation to modernize financial data privacy laws and give consumers more control over how their personal information is collected and used” per his press release.

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) held its third Cybersecurity Advisory Committee meeting and issued a readout summarizing the outcomes.

United States (U.S.) Senator Ben Ray Luján (D-NM) and 11 colleagues urged the “Federal Communications Commission (FCC) to ensure timely public disclosures on providers most responsible for enabling illegal robocalls.”

Tweet of the Day

Further Reading

How one senator’s broken hip puts net neutrality at risk” By Russell Brandom — The Verge

The Digital Divide Is Coming for You” By Chris Stokel-Walker — WIRED

The Age of Peak TV Is Ending. An Age of Austerity Is Beginning.” By Lucas Shaw — Bloomberg

Apple unveils new security feature to block government spyware” By Joseph Menn — Washington Post

Disinformation Has Become Another Untouchable Problem in Washington” By Steven Lee Myers and Eileen Sullivan — New York Times

Online Abortion Pill Provider Hey Jane Used Tracking Tools That Sent Visitor Data to Meta, Google, and Others” By Jon Keegan and Dara Kerr — The Markup

China wants to control how its famous livestreamers act, speak, and even dress” By Zeyi Yang — MIT Technology Review

China: Buyout of UK's largest microchip plant raises concerns” By Gordon Corera — BBC

What Europe’s push to simplify chargers means for you” By Chris Velazco — Washington Post

The public sharing of intimate images without consent is a growing problem in Australia. And teenagers are paying the price” By Maani Truu — ABC News

People searching for abortion online must wade through misinformation” By Rachel Lerman — Washington Post

Report: Internet shutdowns already cost more than $10 billion in 2022” By Andrea Peterson — The Record

European Union Passes Landmark Big Tech Regulations” By Lauren Leffer — Gizmodo

The Ukraine war could provide a cyberwarfare manual for Chinese generals eyeing Taiwan” By Tim Starks and AJ Vicens — Cyberscoop

US Wants Dutch Supplier to Stop Selling Chipmaking Gear to China” By Jillian Deutsch, Eric Martin, Ian King, and Debby Wu — Bloomberg

End-to-End Encryption’s Central Role in Modern Self-Defense” By Lily Hay Newman — WIRED

Coming Events

§ 12 July

o   The European Data Protection Board will hold a plenary meeting.

§ 19 October

o   The United States (U.S.) Federal Trade Commission (FTC) will hold a virtual event “to examine how best to protect children from a growing array of manipulative marketing practices that make it difficult or impossible for children to distinguish ads from entertainment in digital media.”

§ 1 November

o   The United States (U.S.) Federal Trade Commission (FTC) will hold PrivacyCon.