The American Data Privacy and Protection Act: a look into the United States' first federal privacy law

Following the fall of Roe vs Wade, new concerns about the security of women's online health data have spread across the country. And, while privacy advocates are urging to ditch period tracking apps and secure online anonymity with the best VPN services, lawmakers are busy crafting a new legislation with the goal to better protect the privacy of all US citizens. 

In a rare bipartisan effort, the American Data Privacy and Protection Act (ADPPA) aims to give internet users more control over their personal data. Contrary to people in Europe that have been protected from GDPR since 2018, the ADPPA will be the first comprehensive federal privacy law in the US. At the moment, just a handful of States enforce their own regulations. 

An ambitious objective brings big responsibilities and burdens, though. And, if some commentators are satisfied with the current version of the proposed law, others think that it isn't enough - just yet.

Let's take a closer look at how the ADPPA seeks to protect US internet users.

What is the ADPPA?

As mentioned above, the American Data Privacy and Protection Act (ADPPA) marks a landmark achievement. This is because - if it becomes law - it will be the first comprehensive federal privacy law in the US to contrast the current fragmented landscape protecting internet users.

The ADPPA is the result of the compromises between Democrats and Republicans on how to tackle the main issues defining today's digital societies. On July 20, a revised version of the bill successfully passed to the next stage in the House Committee on Energy & Commerce with a vote of 53-2.

As the members wrote in a joint statement: "The American Data Privacy and Protection Act puts people back in control of their online data. It creates a strong national standard that will finally minimize the amount of Americans’ information companies are allowed to collect, process, and transfer. This will rein in Big Tech’s power and establish clear, robust protections for people, especially children." 

What does the ADPPA do?

With the protection of internet users' privacy at its core, the ADPPA seeks to address long-standing issues in the realm of Big Tech, collection of personal information and data security. 

Similarly to the EU and UK's GDPR, it strives to do so by adopting a data minimization approach. This means that companies are allowed to collect only users' information strictly necessary to provide a specific service. It also contains rules to prevent a discriminatory use of such data. 

The ADPPA wants to bring more transparency over privacy issues. That's why larger data holders will also have to regularly conduct impact assessments of the algorithms they employ. All companies operating on the web must also provide users with a statement explaining their privacy policies in a way that everybody can understand. 

Another pivotal point of the proposed legislation is about online advertising and marketing. While it always permits first-party advertising, targeted advertising is permitted but companies must provide a clear way to opt-out from receiving customized ads. The ADPPA aims to especially protect minors, making it illegal to display both first-party and targeted ads to anyone under the age of 17. 

The body responsible for enforcing these provisions will be the Federal Trade Commission (FTC).

The ups...

So far, the ADPPA seems to have taken the right path to tackle many issues around US citizens' online privacy. 

"One of the main good things is that it will give privacy protection to individuals in the US that have never had it before," Nigel Jones - former head of the Google legal team in Europe and now co-founder of The Privacy Compliance Hub - told TechRadar. 

From better transparency standards, to anti-discrimination and new cybersecurity regulations, areas of privacy many citizens want pinpointed include:

• A data minimization approach: companies will be allowed to collect and use users' data only for 17 permitted purposes. These include users' authentication, fraud prevention and online payments.
• Stricter limitations on targeted ads: On top of the provisions mentioned above, the FTC will be responsible for creating standard opt-out methods that companies will be obliged to follow.
• A ban on using sensitive data for targeted ads: This includes health information, precise geo-localization details like personal IP address and private communications.  

...and the downs

If many experts and privacy advocates expressed their support for the amended version of the bill, other commentators are worried that some provisions could fail to better protect US users. 

According to the ADPPA's pre-emption principle, no States will be allowed to enforce their own regulations on the same privacy issues that the federal law will cover. This will de-facto statutes like the California's Consumer Privacy Rights Act.

For some experts, this is problematic because the ADPPA isn't strong enough to substitute existing and future state privacy laws. According to privacy advocates group the Electronic Frontier Foundation (EFF), it can also hinder the ability to update the legislation on a state level when new issues arise. 

"EFF wants Congress to set a baseline for privacy protections. But the ADPPA should not trade away states' ability to react in the future to current and unforeseen problems," they wrote in a blogpost. 

Other worries are around the private right of action provision. At the moment, the ADPPA rules that individuals cannot sue companies for the first two years that the act is enforced. What's more, "the bill has a number of unnecessary and disruptive procedural hurdles before a suit can go forward," wrote again the EFF. "Each additional roadblock makes this remedy less accessible." 

Critics have also sparked over the shift of the regulator body for privacy related matters from the Federal Communications Commission (FCC) to the Federal Trade Commission (FTC). The first was indeed the organisation which proposed huge fines in 2020 against some of the country’s biggest telecommunications companies guilty of illegally selling users' location data. As Vice reported, this move might have the side effect of wiping out FCC privacy protections.   

Despite these limitations, Jones thinks that the prospect of a federal privacy law in the US is still a very good thing. 

"People will always argue whether the move has been sufficient, whether the legislation has gone far enough to protect individuals. But, if this legislation is passed, individuals in the US will be in a way better position than they are today, a way better position than they have been for a very long time," he said.

What's next for the ADPPA?

After successfully advancing from the House Committee on Energy & Commerce, the House will be the next step. However, for the bill to pass it will also need to overcome any scepticism in the Senate. 

With the midterms elections on the way, the process throughout the two parliamentary chambers might be slowed down; a delay that will weigh on US citizens' privacy, once again. 

That's why around 50 organisations have signed an open letter to urge Speaker of the US House of Representatives Nancy Pelosi to vote the ADPPA on the House floor as soon as possible. These include privacy advocates Access Now, Electronic Privacy Information Center (EPIC), Center for Democracy & Technology (CDT) as well as Swiss-based cybersecurity firm Proton, provider of the top Proton VPN service.

"We will continue to work to improve the bill as it moves to the floor and concerns are considered, however we strongly believe that H.R. 8152 [ADPPA] will provide long overdue and much needed protections for individuals and communities," they wrote. 

"The time is now to pass a comprehensive federal privacy and civil rights law. We fear that a failure to move the bill in this Congress will forestall progress on this issue for years to come."

• How excessive government interference is threatening internet freedom as we know it