The proposed American Data Privacy and Protection Act is getting a facelift.

Here are some key changes:

Disclosure and consent:

  • Disclosure for getting affirmative consent can be procured either through the primary medium used to offer the covered entity’s product or service, or only if the product or service is not offered in a medium that permits the making of the request, another medium regularly used in conjunction with the covered entity’s product or service.
  • Disclosure for getting affirmative consent has to be for each processing purpose (Hi GDPR enforcement cases).
  • Same prominence and number of steps for revoking consent as for giving it (Hi CNIL).


  • You can be a service provider of a government entity.
  • Service providers must establish practices to delete or return covered data to a covered entity as requested at the end of the provision of services unless retention of the covered data is required by law.
  • Tiered definition of “knowledge” with more strict requirements for larger entities.
  • Additional requirements for large data holders metrics reporting.
  • New provisions of “covered high impact social media company” with 3,000,000,000 or more in annual revenue or 300,000,000 monthly active users.
  • Entities within a group (affiliates) that share information where such sharing is reasonably expected by the individual will not be deemed third parties to each other (Potential relief from intra group “sale” scenarios).

Scope of Personal Information:

  • Deidentification: (1) includes not being able to link to a device that identifies or is linked or linkable to an individual; (2) new requirements to flow deidentification requirements downstream by contract.
  • First party marketing: Defined narrowly to include only direct communications with a user, or advertising or marketing conducted entirely within the first-party context, such as in a physical location operated by the first party.
  • Precise geolocation: Needs to be derived from a device or technology. Also, “street level” info stayed but an option of 1850 range was added to align with existing US laws.
  • Sensitive information: Includes video communications and online activities over time and across third party websites.

Duty of Loyalty:

  • Data Minimization: Added to “Permissible purposes”: (1) communication that is not an advertisement to an individual, if the communication is reasonably anticipated by the individual within the context of the individual’s interactions with the covered entity and (2) transfers in the context of a reorganization BUT subject to prior notice + reasonable opportunity to withdraw any previously given consents.
  • Privacy by Design: Needs to take into consideration the role of the covered entity or service provider and the information available to it.
  • Retaliation: You can’t retaliate against exercising consumer rights by denying good or services, charging difference prices or providing a different level of quality of goods or services. BUT: voluntary participation in loyalty programs is specifically carved out.

Consumer rights:

  • Need adequate explanation to the individual for declining a consumer request.
  • Declining is permitted if compliance with the request is prohibitively costly, but you need to explain why you are unable to comply.

Data Security:

  • Required: A retention schedule that requires the deletion of covered data when needed to be deleted by law or no longer necessary for the purpose.

Unified Opt out:

  • FTC can issue regs.
  • You must provide appropriate disclosure.
  • It doesn’t need to be the default setting.
  • Has to be consumer friendly, clearly described and easy to use.
  • You may have an authentication process.
  • You need to provide in all “covered languages.”
  • Has to be reasonably accessible to individuals with disabilities.

Corporate Accountability:

  • Deleted requirement for mandatory appointment of privacy and security officers but expanded clarification re: officer certifying compliance.
  • Mandatory impact assessments biennially- even if you are not a large data holder (Hi Again, GDPR DPIA).


  • CPPA specifically named as “state privacy authority.”
  • Private right of action moratorium is only 2 yrs.
  • Narrowed down preemption, including health, education, encryption, etc.
  • Small businesses with less than $25M annual revenue/50,000 users/less than 50% revenue from transferring data are exempt from private right of action.