Today as use of the internet to conduct business surges forward at warp speed, creation of appropriate legal guidance struggles to keep pace. The evolving use of the internet for consumers to conduct their day-to-day business has created the need for new laws to ensure that individuals’ rights are protected.
Currently in the United States there is no federal law governing online privacy. In July 2022, the American Data Privacy and Protection Act (ADPPA), H.R. 8152 [117th Congress (2021-2022)] became the first federal online privacy bill to pass the House Energy and Commerce Committee.
The ADDPA incorporates many of the privacy protections found in the state’s privacy laws, such as how companies, including nonprofits and common carriers, handle personal data, which includes information that identifies or is reasonably linkable to an individual. Specifically, the bill requires most companies to limit the collection, processing, and transfer of personal data to that which is reasonably necessary to provide a requested product or service and other specified circumstances. It also generally prohibits companies from transferring individuals' personal data without their affirmative express consent.
The bill establishes consumer data protections, including the right to access, correct, and delete personal data. Prior to engaging in targeted advertising, the bill requires companies to provide individuals with a means to opt out of such advertising. The bill also provides additional protections with respect to personal data of individuals under the age of 17. It further prohibits companies from using personal data to discriminate based on specified protected characteristics.
Additionally, companies must implement security practices to protect and secure personal data against unauthorized access, and the Federal Trade Commission (FTC) may issue regulations for complying with this requirement.
The bill provides for enforcement of these requirements by the FTC and state attorneys general. Beginning four years after the bill's enactment, individuals may, subject to certain notification requirements, bring civil actions for violations of the bill.
Finally, the bill preempts state laws that are covered by the provisions of the bill except for certain categories of state laws and specified laws in Illinois and California, such as Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act and California’s private right of action for victims of data breaches.