Privacy Legislation Gains Steam in Congress

A bipartisan, bicameral draft comprehensive consumer privacy bill includes a limited private right of action, numerous exemptions to its preemption of local and state laws, and would place CEOs and other senior officers in the crosshairs of the FTC. Significantly, it seeks to exclude HR data from its coverage.  

Target on company leadership: The American Data Privacy and Protection Act (ADPPA) would require CEOs, chief privacy officers, and chief information security officers of large companies to annually and personally certify compliance with the ADPPA to the FTC, potentially placing them in harm’s way if their company is found in violation of the Act. 

HR data not covered—for the most part: HR Policy’s top priority regarding consumer-focused comprehensive privacy bills—ensuring HR data is not covered by provisions that would do more harm than good if applied to the employment context—is largely accomplished in the bill. Specifically, the bill exempts the applicant data, employee business contact information, emergency contact information, and information related to an employee necessary for administering benefits. However, this may not capture all contexts in which data is used in the employment context. 

AI scrutiny: Large companies would be required to annually submit to FTC impact assessments of algorithms used in the employment context, including assessments of the algorithm’s design, data sets powering the algorithm, and steps the company has taken to mitigate potential harms.  

Private right of action: Beginning four years after enactment of the bill, individuals or classes of individuals would be able to seek relief limited to compensatory damages, injunctive relief, declaratory relief, and attorney’s fees and litigation costs. 

Bill would preempt state laws—not including a long list of exemptions: The exemptions include Illinois’ Biometric Information Privacy Act, facial recognition laws, California’s private right of action concerning data breaches, and many other areas. However, the preemption clause would significantly limit state legislation in the HR space. 

The bill is sponsored by leadership of relevant House and Senate Committees, including House Energy and Commerce Committee Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA) and Senate Commerce Committee Ranking Member Sen. Roger Wicker (R-MS). Notably absent from the list is Senate Commerce Committee Chair Maria Cantwell (D-WA). 

Outlook: The draft is the beginning of what will be a flurry of activity in the privacy space. Sen. Cantwell plans to release her own measure, and the House Energy and Commerce Committee will hold a hearing on the ADPPA next week. For all its rough edges, the bill is a significant show of bipartisanship. However, given the limited amount of time left on the legislative calendar, and opposition from a number of business groups, it faces a tough uphill battle this Congress.