What does a federal data privacy law mean for corporations?
On July 20, 2022, the House Committee advanced a comprehensive federal data privacy bill in a 53-2 bipartisan vote, pushing the American Data Privacy and Protection Act (ADPPA) (H.R.8152) forward in the legislative process. ADPPA aims to set a national standard for how tech companies collect and use Americans’ data, protecting Americans in states that don’t yet have comprehensive data privacy laws. Many corporations have relied on the statement, “We don’t do business in California (or a state with data privacy laws).” If the bill passes, that statement would no longer hold. What does this mean for corporations doing business within the United States?
A day before advancing the bill, on July 19, 2022, the committee published an amended version – called an Amendment in the Nature of a Substitute (AINS). The AINS made a number of significant changes that could seriously affect privacy programs corporations already have in effect. Highlighted changes included:
- The California Privacy Protection Agency was expressly included as a State Privacy Authority that has the power to enforce the ADPPA in California. This change was made to try to assuage criticisms levied by the CPPA earlier this month that it would not have authority to enforce the ADPPA.
- The private right of action grace period was shortened from 4 years to 2. Qualifying businesses could now be sued 2 years after the bill’s effective date, not 4 years. In addition, a small business exemption to the private right of action was added. Businesses with annual revenue of less than $25 million, that engage with the covered data of less than 50,000 individuals, and that earn less than half of their revenue from transferring covered data would no longer be subject to the private right of action.
- The definition of “employee data”, which is exempt from the bill’s provisions, was expanded to include “information processed by an employer relating to an employee who is acting in a professional capacity for the employer, provided that such information is collected, processed, or transferred solely for purposes related to such employee’s professional activities on behalf of the employer.” The amendment significantly expands the employee data carveout.
- The definition of sensitive covered data was expanded to include race, color, ethnicity, religion, union membership, and internet browsing history over time and across third-party websites or online services.
- A new tiered knowledge approach was created for targeted advertising to children.
Committee members offered numerous amendments, some bipartisan and passed on voice votes, and some that did not pass – like an amendment from Representative Anna Eshoo (D-California) that would have modified the bill’s preemption provision to allow states to create stricter laws. Eshoo’s amendment, supported by California colleagues, would have set the federal standards as a floor and allowed states to go beyond the federal regulations. This bill is still a work in progress.
A national standard, as opposed to a patchwork of state laws gradually popping up around the country, would give businesses clear direction toward a successful governance program. States with privacy laws already in place may lose state-level protections for their citizens. With an amendment specifically for the CPPA, does this make California the exception? More amendments for other states may reopen Eshoo’s plan, making the law more nuanced.
The bill would give individual users the ability to sue over violations of the law through private right of action. The version of the bill the committee voted to advance allows private enforcement beginning two years after the law goes into effect.
Despite the federal privacy bill’s continued progress in the House, there are concerns and setbacks. Organizations should not sit back and wait for more US states and the federal government to pass comprehensive data privacy laws. With Clarip’s Privacy Impact Assessments, Privacy Intelligence Dashboard, Rules Engine, Vendor Monitor, and Reports Dashboard, we can help you uncover and mitigate data risks. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.