U.S. Senator Marco Rubio (R-Fla.) recently introduced the American Data Dissemination Act (“ADD”), which targets businesses that collect personal data through the internet. Considering the lack of federal regulation in this area, a federal bill has been anticipated for some time. The ADD is largely seen as a response to California’s Consumer Privacy Act (“CCPA”), a GDPR-style law that places strict regulations on a company’s collection and sharing of consumer data.
What Does the Bill Require?
The ADD is largely devoid of specific data privacy regulations. Instead, it requires the FTC to submit detailed recommendations to Congress within 180 days after the bill is passed. If Congress fails to enact the FTC’s recommendations within two years, the ADD gives the FTC authority to issue a final rulemaking. Realistically, this means that within two and a half years of this bill becoming law, there would be a federal privacy law in the United States.
The FTC, however, has been given instructions that limit the content and scope of its recommendation. The ADD requires that the FTC’s recommendation be “substantially similar, to the extent practicable” to the requirements of the 1974 Privacy Act. Many have criticized this restriction, calling the 1974 Privacy Act too old and antiquated to address the data privacy concerns of the modern consumer.
The ADD includes many more limiting instructions. For example, the following provisions must be included in the FTC’s final recommendation to Congress:
- criteria for exempting certain small, newly formed businesses;
- criteria for restricting the disclosure of records maintained by covered businesses;
- criteria for granting individuals access in response to their requests of records and, if a covered businesses elects, the record may be deleted subject to certain requirements;
- criteria for consumers to update incomplete and inaccurate records;
- establishing a dispute resolution process modeled after section 611(a) of the Fair Credit Reporting Act (FCRA);
- establishing accepted standards for a code of practices to ensure the secure collection, maintenance, and dissemination of records for covered businesses; and,
- establishing a process for accounting records of disclosures for a reasonable period.
If the bill passes, the FTC will have significant discretion in determining the stringency of privacy regulations adopted. Proponents of strict regulation are advocating for a GDPR-style regulation. This, however, seems unlikely considering the ADD’s limited scope and exemptions for small businesses and startups.
Effect on State Law
The ADD specifically states that the regulations promulgated under the Act shall supersede any provision of state law regulating businesses that are subject to the Act. States could continue to regulate businesses not covered by the ADD.
Proponents of the ADD welcome this preemption provision, arguing that it may curb the broad reach of CCPA and/or prevent companies from dealing with a “patchwork” of state laws and regulations. Consumer privacy advocates and many states are likely to oppose the bill on grounds that it doesn’t go far enough and unnecessarily preempts state laws.
Mac Murray & Shuster will keep you updated on this bill and other privacy developments.
* Ali Najaf contributed to this post.
Nick is a Partner at M&S where he leads the firm’s Compliance practice areas. He brings more than a decade of experience helping clients understand and comply with federal and state privacy, advertising, and telemarketing laws and regulations.