ADPPA was both weakened and strengthened.
The House Energy and Commerce Committee started marking up a revised version of the “American Data Privacy and Protection Act” (ADPPA) (H.R. 8152) (see here for more detail and analysis of the discussion draft). Next, the bill goes to the full committee, and further changes are likely at every step of the process should it continue to the House floor and then the Senate. It is hard to characterize the changes in a few words other than saying it is clear that stakeholders from all sides contributed substantially to the changes.
The revised ADPPA makes the bill more industry friendly in a number of places but also changes the bill in some ways that privacy and civil liberties advocates will like. Yesterday, we covered the markup of the revised ADPPA, and today we will look at the bill’s changes.
As noted yesterday, a notable change that has still not been folded into the package is the restoration of the Federal Trade Commission’s (FTC) historical Section 13(b) authority that the Supreme Court of the United States struck down in AMG Capital Management, LLC v. FTC. This may be a bargaining tactic to get Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell (D-WA) onboard given that her committee recently marked up a bill to give the agency back these long-used powers (see here for more detail and analysis on Cantwell’s Section 13(b) bill).
The first major change to the operation of the new privacy regime is the addition of “permissible purposes” to Section 101’s data minimization requirements. To be fair, this is cosmetic to a degree because the drafters have merely moved and renamed the exceptions that were in Section 209 of the draft, and these were the by now de rigueur exceptions to all the rights people would gain and all the obligations covered entities must meet. The basic responsibility to minimize data collection, processing, and transfer remains the same, but now covered entities and service providers may freely collect, process, and transfer covered data regardless of consent for one of these permissible purposes (more on the purposes below). And so, the substance has not changed, but the nomenclature has. Hence, covered entities and service providers are not using an exception (aka a loophole) but rather are using a Congressionally permitted purpose. The change in language reframes the parameters and operation of the bill in a way that is more palatable to the public and will sound better coming out of the mouths of industry representatives justifying maximizing their usage as much as possible. Incidentally, this is the first of a number of instances where service providers are made to meet the same responsibilities as covered entities.
As for the exceptions/permissible purposes themselves, there are new purposes. The first is “to authenticate users of a product or service.” This seems reasonable and useful given the ongoing challenges of fending off hackers who use tricks to gain access to people’s accounts. The next pertains to communications between individuals at the behest of an individual in the communication. The third new purpose is “to process such data as necessary to provide first party marketing or advertising of products or services provided by the covered entity.” First party marketing and advertising are not defined in the bill, but the term appears to encompass an entity’s advertising tailored to a person based on the person’s direct interaction with the entity. For example, if I frequent Dick’s Sporting Goods looking at baseball equipment, the sports store may show me ads for such gear or maybe ads for tickets to the local baseball team’s games. However, a fair reading of the new definition of “targeted advertising” might include first party marketing, and ADPPA gives people the right to opt out of targeted advertising, raising the question of how first party advertising could be a permissible purpose. This is an issue the drafters will need to address.