September 14, 2022

Kyle Backer

What the American Data Privacy and Protection Act means for Arizona businesses

The printing press, invented around 1440 by Johannes Gutenberg, marked the beginning of a revolution in the way that individuals encountered new ideas. The Journal of Economic History estimates that output of books in Europe rose from a few million to around 1 billion in less than four centuries, paving the way for the modern world.

Today, many now have access to a breadth of knowledge thought to be relegated to science fiction novels just decades ago. The internet stands amongst other society-altering communicative technologies, such as the invention of the telephone and television. Nearly anything can be delivered with the click of a button. Navigation services turned paper maps into quaint relics and matchmaking platforms have connected future spouses that otherwise would’ve remained strangers.


READ ALSO: Ranking Arizona: Top 10 law firms for 2022


“Data privacy is a recognition that each of us has personal information that we would prefer to keep to ourselves,” explains Todd Kartchner, chief privacy officer at Fennemore. “It’s recognizing that we want to take some measures to protect information that we don’t want the public at large to have.”

To that end, Congress is considering the American Data Privacy and Protection Act (ADPPA), which — if passed and signed into federal law — would codify consumer data rights and raise the baseline requirements for businesses and how they handle data.

Erin Dunlap, of counsel at Coppersmith Brockelman.

Individual rights

Laws regulating personal data already exist, with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), being amongst the most well known. Erin Dunlap, of counsel at Coppersmith Brockelman, considers HIPAA to be the foundation for data privacy law in the U.S. even though it only applies to a small segment of data overall.

“When we talk about data privacy, I think HIPAA has been at the forefront and in the background of everyone’s mind,” Dunlap says. “But as the landscape changed over the years — particularly with respect to the internet and electronic data — we realized that there were a lot of entities that had no rules and no restrictions on what they could do with consumer data. And I think as consumers, we’ve all seen the impact of that, which is targeted advertising, and the use of data in ways that we weren’t expecting, hadn’t authorized or aren’t OK with.”

Many have the unsettling experience of searching for something online — maybe out of sheer curiosity or to prove a point to a friend — only to be hounded by targeted advertisements from a company that somehow relates to that search on social media or other webpages. Under the ADPPA in its current form, businesses will be required to give consumers an opportunity to opt out of having their data used in such a way, according to Kartchner.

“One of the things that the Federal Trade Commission (FTC) has been tasked with under the bill, as it’s currently drafted, is to conduct a study to assess whether it’s possible to give consumers an opportunity to opt-out in general from targeted advertising, or, at a minimum, certain types of advertising,” he says. “It’s essentially just a version of the Do Not Call Registry that we already have in place at the national level, but it would be for targeted advertising on the computer.”

Todd Kartchner, chief privacy officer at Fennemore.

The ADPPA would allow individuals, after the law has been in effect for four years, to “bring a civil action in federal court seeking compensatory damages, injunctive relief, declaratory relief, and reasonable attorney’s fees and litigation costs. This right applies to claims alleging violations of specified prohibited uses of covered data,” according to the draft legislation section by section summary.

The bill also has provisions to protect children, defining any data relating to minors as “sensitive covered data” which is subject to higher privacy requirements — the same as social security numbers and genetic information. This will build off the federal guarantees provided in the Children’s Online Privacy Protection Act of 1998 (COPPA).

“There’s a real push that information of individuals under the age of 17 has to be looked at differently, in ways that we are not used to necessarily seeing outside of COPPA,” Dunlap notes. “[The ADPPA] is not supposed to relieve or change the obligations under COPPA, but there’s going to be some follow up with the FTC to make sure these two are married up.”

Kartchner adds that certain provisions pertaining to children’s data within the ADPPA are bracketed, meaning that lawmakers are still soliciting feedback about the final wording. One such section states that targeted advertising is expressly prohibited to any individual under 17, but there is debate whether companies should be subject to that rule only if they have actual knowledge that the user is a minor.

“The first question that’s going to come to mind is, ‘How would I know that this person that I’m interacting with is underage?’ and it’s going to be interesting to determine how that will be assessed,” he says.

Duty of businesses

One of the core elements of the ADPPA is requiring certain companies to adhere to the concept of “privacy by design” — that businesses need to implement policies, practices and procedures for collecting, processing and transferring covered data. Large data holders would be required to certify annually that they are maintaining internal controls and reporting structures for compliance. There would also be a requirement for companies to designate a privacy and data security officer.

“That’s something that’s already been in place over in Europe as one of the requirements of the General Data Protection Regulation (GDPR),” Kartchner explains. “[The ADPPA’s authors] believe that if you have somebody who is devoted to [data privacy] that you’re going to get better oversight, and you’re going to be in a better position to meet the requirements of the federal statute.”

The regulations would be less stringent than the GDPR, according to Kartchner, but the ADPPA’s authors do take inspiration from their European Union counterparts. Another important concept lifted from the GDPR is the idea of certain consumer rights, where individuals could find out what information the company has about them and the right to ask that it be altered or deleted if it’s inaccurate — so long as there’s no exception under the law. Consumers would also have the ability to request a copy of their personal data from an organization, so long as it’s not economically infeasible for the company to comply.

In general, the ADPPA is unlike other federal data privacy legislation since it would affect far more companies. It will also help those larger organizations avoid having to sort through a patchwork of state privacy laws, though the bill would carve out some exceptions, such as data breach notification requirements.

“HIPAA applies to covered entities, which are healthcare providers who are transmitting data electronically to health plans, the health plans themselves, and then healthcare clearinghouses and their business associates,” Dunlap says. “[The ADPPA] is going to apply much more broadly to a category of entities that have historically not been regulated. And then within that, depending on the nature of your business, you’re going to have different requirements that will apply.”

A number of thresholds and exceptions laid out in the ADPPA will determine the level of a business’ obligations, but Kartchner adds that the vast majority of companies are likely to be affected, regardless of what industry they’re in. Undoubtedly, meeting these statutory requirements will impact their bottom lines, which is why Kartchner believes there will be lobbying efforts to pursue certain carve outs on behalf of businesses.

The million-dollar question, according to Dunlap, is whether the ADPPA — which has bipartisan support — will become law. She believes that this is the closest that federal data privacy legislation has been to passing, even if she’s skeptical that it will happen this year.

“We need federal legislation. It’s up to our legislators on both sides to come together and figure out where we can compromise on certain positions, but to give us something,” she concludes. “Some people fear that if they put something out there, it’s not going to be able to be amended easily down the road. Maybe that’s true. But I think we need something to move forward with because right now the current landscape is unworkable.”