If enacted, the “American Data Privacy and Protection Act (ADPPA)” would create a national standard on what kinds of data companies can gather from individuals and how they use it.
This week, the “American Data Privacy and Protection Act (ADPPA)” was introduced in the U.S. House of Representatives by the Chairman of the House Committee on Energy and Commerce, Rep. Frank Pallone (D-New Jersey) and the committee's top Republican, Rep. Cathy McMorris Rodgers (R-Washington). As of press time, the legislation was being marked up in the Subcommittee on Consumer Protection and Commerce.
Before the bill was introduced, Reps. Pallone and McMorris Rodgers, as well as Sen. Roger Wicker (R-Mississippi), the top Republican on the U.S. Senate Committee on Commerce, Science, & Transportation, announced that they had reached a deal on data privacy legislation. Notably, Sen. Maria Cantwell (D-Washington), the Chairwoman of the Committee on Commerce, Science, & Transportation, opposes the ADPPA and remains committed to her own legislation, S. 3195, the “Consumer Online Privacy Rights Act.”
If enacted, the ADPPA would create a national standard on what kinds of data companies can gather from individuals and how they use it. Importantly, the number of requirements placed on most businesses would be reduced under an exemption for certain small and medium-sized businesses.
To qualify for the exemption, a business must, for the prior three years, have earned gross annual revenues of $41 million or less, not have collected or processed the covered data of 100,000 individuals in a year (except for processing payments and promptly deleting covered data for requested products/services), and not have derived more than half of its revenue from transferring covered data.
Soon after a discussion draft of the legislation was released, the Big “I” worked with the American Property Casualty Insurance Association (APCIA), the National Association of Mutual Insurance Companies (NAMIC) and the Council of Insurance Agents and Brokers (CIAB) to identify two significant concerns with the legislation. Those concerns were then outlined in a letter to leaders of the House Energy and Commerce Committee.
The first concern was related to the Gramm-Leach-Bliley Act (GLBA). The financial services industry, including the insurance industry, was the first sector of the economy to come under comprehensive nationwide privacy regulation when GLBA was enacted over 20 years ago. GLBA set forth a rigorous regulatory framework for protecting the privacy of nonpublic personal information of financial services consumers. The framework is enforced against insurers, agents, and brokers by state insurance regulators.
While the ADPPA includes a GLBA provision, APCIA, NAMIC, CIAB and the Big “I” have concerns with it and are advocating for language that would clearly exempt insurers, agents, and brokers from the scope of the ADPPA.
The second concern addressed in the letter is the legislation's inclusion of a broad private right of action, which would allow an individual, or a group of individuals as part of a class action, to pursue litigation against a company that illegally shares their data or uses it in ways the law prohibits. A broad private right of action would likely mean an increase in claims costs for insurers, which in turn could lead to higher insurance rates for consumers. This is not in the interests of consumers. The joint trade associations made clear that it would be much better for the government to enforce privacy laws, which would mean consistent interpretation and implementation, leading to a more stable privacy landscape for businesses and consumers.
As Congress continues to discuss ways to better protect consumer privacy, the Big “I” will continue to provide members with updates in the weekly News & Views e-newsletter.
Wyatt Stewart is Big “I” assistant vice president of federal government affairs.