The American Data Protection and Privacy Act, if passed, would represent federal legislation pre-empting state data privacy regulation. It’s a big deal, not least because in its current version it has bipartisan support. It’s important to emphasize “current version,” because it has been through several drafts and may get extensively amended or rewritten between now and the finish line.
Nevertheless, it’s worth getting familiar with the main points in the current draft.
- The law will apply only to “covered data.” So what data is covered by this legislation? “Information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual, and may include derived data and unique persistent identifiers.” Personal identifiable information, in other words, and quite broadly construed.
- This isn’t really about consent. Yes, covered data can only be collected with the explicit, affirmative consent of an individual to a clear and unambiguous request. But that doesn’t mean that providing one of those easy-to-click “I agree” buttons allows you to grab anything the individual might knowingly or unknowingly offer up.
- Only some types of data can be collected or processed at all. This is where the legislation has teeth. There are just seventeen permissible purposes for data collection, processing or transfer. The details appear beginning on page 14 of the linked draft, but here’s the short version:
  1. Data can be collected to complete a transaction or fulfill an order.
  2. Data already collected (pursuant to the Act) can be processed for a range of trouble-shooting or administrative purposes such as network or inventory management.
  3. Data can be collected to authenticate users of a product or service.
  4. Data can be used to fulfill a warranty.
  5. Data can be processed in response to a security incident.
  6. Data can be used to prevent or respond to fraud or other illegal activity.
  7. Or to comply with legal obligations (such as responding to a lawsuit).
  8. Or in a good faith effort to prevent physical harm.
  9. Or to effectuate a product recall.
  10. Or to conduct a public or peer-reviewed scientific project.
  11. Or to deliver a message an individual might reasonably expect to receive “which is not an advertisement.”
  12. Or “to deliver a communication at the direction of an individual between such individual and one or more individuals or entities.”
  13. Or to transfer assets in a case such as merger, acquisition or bankruptcy.
  14. Or to ensure the security and integrity of covered data.
  15. Or to “prevent, detect, protect against or respond to a public safety incident.”
  16. Or “(w)ith respect to covered data collected in accordance with this Act…to process such data as necessary to provide first party advertising or marketing of products or services provided by the covered entity for individuals who are not-covered minors.”
  17. Or “(w)ith respect to covered data previously collected in accordance with this Act…and provided such collection, processing, and transferring otherwise complies with the requirements of this Act, including section 204(c), to provide targeted advertising.”
Section 204(c) mandates a clear and conspicuously offered right to opt out of targeted advertising.
Why we care. Marketers will be relieved to have read all the way down to numbers 16 and 17 on that list; they appear to offer a glimmer of hope that data can be used for marketing purposes. While we’re not lawyers, we would draw your attention to that qualifier in each case that it applies only to covered data collected in accordance with the Act. In other words, only data collected under the foregoing provisions can be used for marketing purposes. There is no provision we can see allowing data to be collected for marketing purposes. Not primarily, anyway.
The specter (benevolent or otherwise) of this legislation is hovering over the many attempts out there to develop alternatives to third-party cookies, including Google’s own Privacy Sandbox initiative. Will the identifiers already on offer, or in development, be in compliance with this legislation if it passes?
Finally, does it apply to everyone?
Covered entities. Pretty much everyone is covered by this draft legislation; we see no small business exemption (as there is with the CCPA). Federal, state and local government are excluded, as are service providers working on their behalf. And enforcement? That’s going to be down to the FTC.