Federal Consumer Privacy Legislation: Getting Closer to The Finish Line

By Alexander Slizewski

                 Federal consumer privacy legislation, named the American Data Privacy and Protection Act (ADPPA), is undergoing review by Federal legislators.[1] The act would require entities to disclose data collected, what the data is used for, and how long it will be retained.[2] Upon request, individuals are given the right to access the data collected from them via an easily readable format; individuals may also correct and delete specific data, object to the transfer of data to third parties, or object when their data is used for targeted advertising.[3] An entity is required to obtain the individual’s consent to use sensitive data before use.[4] The ADPPA also requires the entity produce a “short form” 500-word privacy policy that is readable to a common person that explains what the data will be used for.[5]

Currently, the United States does not have established Federal consumer privacy laws.[6] Although some States have taken the lead by passing consumer privacy legislation, they are in the minority.[7] Only five States have enacted consumer privacy protection laws, whereas most States have either failed to pass them or have yet to propose comprehensive bills.[8]

To the contrary, the EU’s General Data Protection Regulation (GDPR) allows consumers to request the expungement of private information collected by entities who gather consumer data.[9] This law creates privacy legislation uniformity within the EU; instead of having private entities struggle to comply with varying privacy laws across different European countries, the GDPR’s uniformity makes it streamlined for entities to comply with European consumer privacy laws across EU-affiliated nations.[10] 

For the States that enacted consumer privacy protection laws, the differences between the legislations are stark.[11] The two most prominent state-passed consumer privacy bills are the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA); both of which have distinctions that make it challenging for private entities to follow the differences.[12]

For example, entities that are covered under the CCPA must fall either under the amount of data limit, or an annual gross revenue threshold: (i) an entity must exceed an annual gross revenue of $25 million, (ii) obtain the personal information of at least 50,000 consumers, or (iii) obtain at least 50% of annual revenue from selling the private data.[13]

The VCDPA differentiates itself by omitting the revenue requirement of $25million, and instead requires that the entity must control or process (i) the personal data of at least 100,000 consumers in a calendar year, or (ii) the personal data of at least 25,000 consumers, while deriving over 50 percent of gross revenue from the sale of that data.[14]

The difference between the VCDPA and CCPA is significant. Whereas the VCDPA has broadened applicability to entities by removing the revenue requirement, the CCPA is narrower by limiting entities covered with a revenue cap.[15] In either case, if an entity were to operate within Virginia or California, its privacy policy must be in alignment with both State’s privacy laws.[16] Otherwise, it risks litigation brought by the State-respective attorney generals, or individually affected entities.[17]

If the ADPPA is passed, it will homogenize U.S. privacy laws by nullifying State laws, becoming the ruling consumer privacy regulation within the United States.[18] In other words, entities that operate throughout multiple States would no longer need to comply with diverse State consumer privacy regulation; they would only need to be in congruence with the ADPPA.[19] For the time being, however, entities will need to develop flexible policies that correspond to diverse privacy laws across the U.S. while acting as a base for global privacy policies going forward.

[1] Heather Egan Sussman, Revised ADPPA: The Top 10 Takeaways, Orrick (Aug. 24, 2022), https://www.orrick.com/en/Insights/2022/08/Revised-ADPPA-The-Top-10-Takeaways (last visited Sep 1, 2022).

[2] Id.

[3] Id.

[4] Id.

[5] Peter Brown, Federal Privacy Legislation Moves Closer to Reality, N.Y.  L. J. (Aug. 8, 2022), https://www.law.com/newyorklawjournal/2022/08/08/federal-privacy-legislation-moves-closer-to-reality/?slreturn=20220818153733 (last visited Sep 16, 2022).

[6] Hayley Tsukayama et al., Americans Deserve More Than the Current American Data Privacy Protection Act, EFF (July 24, 2022), https://www.eff.org/deeplinks/2022/07/americans-deserve-more-current-american-data-privacy-protection-act (last visited Sept. 1, 2022).

[7] Id.

[8] Taylor Kay Lively, US State Privacy Legislation Tracker, Int’l Ass’n of Privacy Pros. (Aug. 11, 2022), https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.

[9] Matt Burgess, What is GDPR? the summary guide to GDPR compliance in the UK, WIRED UK (Mar. 24, 2020, 4:38 PM), https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018.

[10] Id.

[11] Sherrese Smith et al., Analysis and Comparison: The Virginia Consumer Data Protection Act and California Privacy Laws, Paul Hastings (Feb. 17, 2021), https://www.paulhastings.com/insights/ph-privacy/analysis-and-comparison-the-virginia-consumer-data-protection-act-and.

[12] Id.

[13] Courtney Bowman & Kristen Mathews, The California Consumer Privacy Act of 2018, Privacy Law Blog (July 13, 2018), https://privacylaw.proskauer.com/2018/07/articles/california/the-california-consumer-privacy-act-of-2018/.

[14] Sarah Rippy, Virginia Passes the Consumer Data Protection Act, Int’l Ass’n of Privacy Pros. (Mar. 3, 2021), https://iapp.org/news/a/virginia-passes-the-consumer-data-protection-act/ (l.

[15] See Smith, supra note 11.

[16] Id.

[17] Id.

[18] Sussman, supra note 1.

[19] Id.