Unlike the European Union, Canada, Brazil and China, the United States does not have a federal personal data protection law. Only certain states, such as California, Nevada and Colorado, have passed such bills, meaning that privacy protection for Americans varies widely throughout the country depending on the rules in force in each state.
To put an end to this situation, American members of Congress have been working since July 2022 on a bill comparable to the EU’s GDPR. Called the American Data Privacy and Protection Act, or ADPPA, the first draft was written by the House Committee on Energy and Commerce. It must be approved by the full House of Representatives and the Senate before it can become law. While it will not come into force for some time, it is nevertheless an important step forward.
New rules for data collection
The bill aims to make personal data collection more transparent by limiting it to what is reasonably necessary for a company or organisation to provide online customers with their products and services. The text defines “personal data” as any information that can be linked to a person’s identity or used to recognise their device. Additional protections are provided for sensitive data such as those resulting from geolocation, those concerning a person’s health and any data for users under 17 years of age.
What organisations does this bill impact? Those that collect, process or transfer personal data gathered online and whose activities are monitored by the Federal Trade Commission. This includes e-commerce sites that keep their customers’ forms, as well as mobile applications and software that analyse data from cookies. This law also concerns non-profit organisations and telecommunications companies.
All these organisations must reduce the amount of data they collect. They will also need to tell users how to request the correction, deletion and portability of their personal data. Each organisation must appoint and provide the contact details of at least one officer in charge of protecting personal data. Furthermore, these organisations must specify whether the data they collect will be available in “sensitive” countries such as China, Russia, Iran and North Korea.
In addition to protecting privacy, ADPPA also seeks to rein in the use of AI. Organisations that use this technology must not discriminate when collecting, processing or sending data. The processing phase includes tasks carried out by algorithms. Organisations using these methods must assess whether using AI can have harmful effects.
The bill includes details on this assessment. It must specify the data used, the tasks these algorithms perform and the expected result. It must also explain why an algorithm is being used in place of human workers. Organisations must also detail how they intend to prevent any damage this technology could cause and provide an audit of the algorithm from an independent organisation.
More resources to enforce privacy protections
The ADPPA tasks the Federal Trade Commission with enforcing the law. A Bureau of Privacy will be established and must publish a website within 90 days of the Act becoming law to explain citizens’ rights as to the privacy of their personal data. The Commission must keep a register of third parties who may collect data, including data brokers, so that they can be audited for compliance.
In the law’s fifth year of application, the Bureau of Economics, part of the FTC, must report on whether organisations have complied with US citizens’ requests under the Act. The key change in this law is that it allows individuals a right of action against non-compliant organisations. This includes individual and class-action lawsuits.
To prevent misuse, plaintiffs must notify the FTC and the Attorney General to have their request examined. If it is found admissible, they must allow the defending organisation time to make amends, delete unlawfully collected data and come into compliance with the law.
The supporters of this law
Although the bill has yet to become law, Congress is likely to approve it given the consensus that has emerged on the need to harmonise legislation on personal data collection. Businesses also approve of the ADPPA: in a September 2022 press release, the Business Roundtable, which brings together the leaders of large US companies, considered its implementation advisable since the law would relieve US companies of the work required to comply with each piece of legislation.
Meanwhile, privacy NGOs have welcomed a bill that furthers their cause. They are supported by women’s organisations for whom protecting anonymity is a new priority. After the repeal of Roe v. Wade, access to abortion varies by state. This has resulted in an increased risk of surveillance of those who may assist abortions for people living in abortion-prohibiting states.
This risk is even more significant since states like Texas and Oklahoma allow charges to be brought against individuals who obtain abortions in states where they are legal. Pro-choice activists therefore consider the law’s passage crucial, as the ADPPA provides protections for women seeking an abortion.
However, the text is not exempt from criticism. For example, one cannot object to data collection if it allows for the development or update of features on websites and applications, nor does its scope include government organisations. Companies and NGOs cannot refuse to share personal data with US authorities, either. And the bill’s biggest limitation is that, once it comes into force, it prevails over any existing local laws.
States that have already passed personal data privacy laws fear a rollback of the rules. California passed the California Consumer Privacy Act, the most restrictive law on data protection, and the director of its privacy protection agency warned of the risks posed by the federal bill last September.
Despite this, President Joe Biden and members of Congress in both parties are calling for the bill to pass. The president has spoken out twice since the start of 2023 on the importance of protecting privacy throughout America.