Review of the Proposed “American Data Privacy and Protection Act,” Part 1: State Preemption and Private Right of Action
Congress reached a major milestone in the effort to create a comprehensive federal data privacy law last week when House Energy and Commerce Chair Rep. Frank Pallone (D-NJ), ranking member Rep. Cathy McMorris Rodgers (R-WA), and ranking member of the Senate Commerce Committee Sen. Roger Wicker (R-MS) came together to release a draft bill for discussion—the American Data Privacy and Protection Act (ADPPA). The release of a bipartisan draft bill is a welcome development after years of delays and discussion and is the most hopeful sign that Congress will finally address this issue. Unfortunately, the compromise text failed to adequately address the two most contentious issues in the debate about a federal privacy law: state preemption and a private right of action.
In an attempt at a compromise, the ADPPA would preempt state privacy laws…except for a long list of excluded laws and topics, including the hotly contested Illinois Biometric Information Privacy Act, part of the California Privacy Rights Act, and broad topics such as facial recognition, non-consensual pornography, data breach notification, and more. The list of exclusions is lengthy, which fundamentally undermines the purpose of state preemption (i.e., to have uniform laws to reduce compliance costs and simplify rules for consumers), especially on topics like data breach notification where every state already has a law. Moreover, the special carve-outs specifically for privacy laws in Illinois and California, while excluding other states that have recently passed state privacy laws, such as Virginia, Utah, Colorado, and Connecticut, are unfair and reek of backroom dealing. Clearly, legislators are trying to reach a compromise, but the state preemption should be much broader to be effective.
The ADPPA also attempts a compromise on a private right of action. The legislation would include strong enforcement measures, allowing the FTC as well as state attorneys general to bring action against any data holders violating provisions in the act. But the legislation also creates a limited private right of action. The ADPPA would allow individuals to bring civil actions seeking compensatory relief or injunctive relief against data holders starting four years after the act goes into effect. To limit duplicative enforcement, individuals must first notify their state attorney general and the FTC of their intent to bring suit, and if one of those agencies decides to initiate an action, individuals cannot file their own lawsuit. There is also a limited right to cure, whereby if a data holder successfully addresses an alleged problem within 45 days, they can seek dismissal of a demand for injunctive relief. While the drafters have clearly attempted to construct a narrow private right of action, the fact remains that the ADPPA would still leave open the door for expensive, frivolous lawsuits. Indeed, since the only lawsuits individuals would be proceeding with under the ADPPA are those that neither the FTC nor any attorney general decides to pursue, these are likely to be meritless.
As ITIF has written, state preemption and no private right of action should be the baseline for a federal privacy law. Unfortunately, as currently drafted, the ADPPA fails to achieve those two goals.