Today, the world is reliant on the internet, and the selling of personal data has become one of the most lucrative industries for companies. If you use the internet and live in the United States, the odds are that your own personal data is being sold by web browsers, applications, and other software companies every single day.
But what is the scope of data being sold, and why is it sold? Companies track the types of sites you visit, the items that you buy, and even the music you listen to. It helps companies form a plan of how they can market certain products or ideas to you. Most companies then sell data they collect to other companies so that they can also market to you.
Many American citizens have become uncomfortable with the amount and breadth of personal information companies are allowed to collect. While other countries, such as those in the European Union (EU), have comprehensive data privacy regimes that limit the collection of personal data, the United States does not.
Comprehensive Data Privacy is Foreign to American Companies
The first data privacy law in the world was enacted in Hessen, Germany, in 1970. Since then, the EU has been a leader in developing data privacy legislation. The General Data Protection Regulation (GDPR), enacted by the EU on May 25, 2018, covers the personal data of citizens in the EU. The GDPR imposes its privacy obligations onto organizations both inside and outside of EU member countries if they are accessing or collecting data from people located within the EU. The GDPR requires entities to consider data protection in the design of any new activity or product. This means that throughout the development of a product, the entity must be putting safeguards in place to make sure that they are going to limit the data collected and secure it from outside entities.
Additionally, the GDPR only allows personal data to be processed based on consent of the data subject or some other verified basis, such as processing the data to satisfy a contract. The consent must be specific, with an entity telling the data subject how their data will be processed and the purpose for the processing. A data subject can decide, at any time, that they no longer want their data to be processed and can revoke their consent. If an entity fails to follow the guidelines for consent, it will have to pay some hefty fines.
This is a concept that is foreign to many companies in the United States that do not have data subjects in the EU. The United States has various data privacy laws that cover specific sectors, such as financial privacy, but it does not have a data privacy framework that applies to all consumer data, like the GDPR. For example, the Gramm-Leach-Bliley Act (GLBA), enacted in 1999, requires financial institutions to provide notices to consumers about how and why their financial information might be shared.
Additionally, five individual states now have privacy acts in place that apply to data subjects who are residents of the state. Virginia enacted the Virginia Consumer Data Protection Act (VCDPA) in 2023, which gives Virginia residents certain rights to their data, such as deleting personal data collected by a company and opting out of the processing and sale of their data.
California enacted the California Consumer Privacy Act (CCPA) in 2018, and it is considered the strictest data privacy law in the United States. The rights given to consumers under the CCPA include the right to know about the personal information that is collected from them and how it is used. The CCPA also includes the right of consumers to delete personal information collected about them and the right to opt out of the sale of their personal information. The California Privacy Rights Act (CPRA), an amendment to the CCPA, became enforceable in 2023 and further gave consumers the right to correct inaccurate personal information and the right to limit companies’ use and disclosure of their sensitive information.
As federal policymakers research and draft data privacy legislation for the entire country to follow, there is tension between these state acts and the federal government’s plan for the future of data privacy in America.
Impact of the American Data Privacy and Protection Act
The American Data Privacy and Protection Act (ADPPA) is a drafted bill that was approved by the House Committee on Energy and Commerce with a 53-2 vote on July 20, 2022, but did not advance to the House of Representatives in the last Congressional session. However, the bill is expected to be revised and go through the bill process again.
If passed, the ADPPA would apply broadly to certain businesses in the United States. A covered entity, which is an organization or company that the bill would apply to, is defined in the bill as one that “collects, processes, or transfers covered data and is subject to the Federal Trade Commission Act.” A transfer of data “means to disclose, release, share, disseminate, make available, or license [data] in writing, electronically, or by any other means.” The bill would require covered entities to disclose to consumers the type of data that is being collected, how it is being used, how long the entity keeps the data in its systems, and whether the data is accessible to businesses in other countries. Like the CCPA, the ADPPA would also give consumers the option to correct or delete their data held by a particular entity. However, the CCPA is stricter than the ADPPA. Enforcement of the ADPPA is more lenient towards small businesses; for example, small businesses are exempt from consumers’ private right of action. The CCPA, by contrast, considers the amount of revenue a company generates and how much data it collects when defining covered entities, and all companies that qualify could be subject to a private right of action by consumers. The CCPA also includes a ballot initiative that allows amendments in furtherance of consumers’ privacy, creating a privacy “floor” that the regulations must meet or exceed. If the ADPPA is passed, it would prohibit states from passing future laws on matters it already covers, and would most likely eliminate the CCPA’s ballot initiative.
A main reason the ADPPA has not yet advanced through Congress is that its passage would necessarily preempt some current state laws regarding data privacy, such as the CCPA. The Committee on Energy and Commerce Chair, Cathy McMorris Rodgers, is revising the bill to include sections that detail the specific ways in which the ADPPA would preempt the state laws already in place. This has resulted in objections to the bill from states that already have data privacy regimes. The enactment of the ADPPA would mean that consumers in California would see their data privacy protections weakened.
With policymakers eager to enact a complete data privacy framework that is enforced in all states, it is unlikely that specific states will be able to deter Congress from passing a bill that provides a comprehensive regime. In its current form, the ADPPA does not have enough support to be signed into law, but legislators will keep revising and promoting the bill.
The patchwork of state-created data privacy laws is likely to be preempted by the ADPPA, or a similar act. If the ADPPA passes, American citizens can expect to have more of a say in how their data is collected and how they wish for companies to use it. Citizens and government officials in states with data privacy acts have expressed concern about a federal data privacy regime weakening their existing privacy procedures. However, there is also a strong governmental interest in setting a federal data privacy standard.