We previously reported that the House and Senate released a bipartisan bill concerning data privacy called the American Data Privacy and Protection Act (ADPPA). On June 23, the Subcommittee Consumer Protection and Commerce of the House Committee on Energy and Commerce held a mark up session on the ADPPA, which during that session the subcommittee ordered and favorably reported the bill to the full committee as amended by a substitute. The amended bill contains several changes including:

  • Amendment to the “covered data” definition to exclude “inferences made exclusively from independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.”
  • Amendment to the “sensitive covered data” definition that (1) removed “information identifying an individual’s online activities over time or across third party websites or online services”, (2) removed “information revealing an individual’s race, ethnicity, national origin, religion, or union membership or nonunion status in a manner inconsistent with the individual’s reasonable expectation regarding disclosure of such information,” and (3) adds the requirement that the covered entity must know the individual is under the age of 17.
  • Amendment to the “biometric data” definition to exclude a digital or physical photograph, an audio or video recording, or data generated from a digital or physical photograph, an audio or video recording or video recording that cannot be used to identify an individual.
  • Amendment to the “covered entity” definition (1) to exclude entities “acting in a non-commercial context,” (2) removed the “common branding” language, and (3) added new exclusions for governmental entities and persons or entities acting on behalf of such entities.
  • Amendment to the “service provider” definition to read “The term ‘service provider’ means a person or entity that collects, processes or transfers covered data on behalf of, and at the direction of, a covered entity and which receives covered data from or on behalf of a covered entity pursuant to a written contract, provided that the contract meets the requirements of section 302.” Section 302 was also substantially revised to add new obligations on service providers and to specify requirements for contracts between covered entities and service providers.
  • The data minimization section was revised to include that covered entities must not collect, process, or transfer covered data unless such activities are reasonably necessary and proportionate to certain listed activities and lists 12 permissible purposes.
  • The loyalty duties section prohibits certain processing activities, such as certain types of processing of sensitive covered data and transfers of sensitive covered data to third parties, unless an exception applies.
  • The Federal Trade Commission is required to establish one or more acceptable privacy protective, centralized mechanisms, including global privacy signals such as browser or device privacy settings for individuals to exercise all such rights through a single interface for a covered entity.

ADPPA will continue to the House but foreseeable support of the Senate remains unclear.