On June 23, 2022, Representatives Pallone, Rodgers, Schakowsky, and Bilirakis introduced the American Data Privacy and Protection Act, HR 8152. This Act represents an effort to create a comprehensive federal privacy law. Information that could be linked to a person or a device would be covered, and the Act would provide extra protections for sensitive covered data. The Act would not cover publicly available data or de-identified data.

The Act is modeled after existing state laws, such as the California Consumer Protection Act and Europe's GDPR. It provides for limits on the data that can be collected and stored; provides consumers with opt-out rights; requires a transparent privacy policy; permits consumers to correct, delete, or obtain their information; and creates new responsibilities for covered entities, service providers, and third parties.

The Act provides certain exceptions to permit covered entities to use data to complete transactions and customer requests, maintain products and services, respond to "security incidents," conduct internal research and analysis, and comply with legal requirements. In addition, the Act may exempt smaller entities that do not meet revenue or data thresholds.

The Act would be enforced by the FTC, state actors including Attorneys General, and individuals through a private right of action.

The bill passed the House Subcommittee on Consumer Protection and Commerce and is moving to the House Committee on Energy and Commerce, where it is expected to pass. The bill faces significant headwinds in the Senate.

Reprinted with permission from the American Bar Association's Business Law Today June Month-In-Brief: Business Regulation & Regulated Industries.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.