The American Data Privacy and Protection Act (ADPPA)
The American Data Privacy and Protection Act (ADPPA) aims to give internet users more control over their personal data. If passed, the ADPPA will be the first comprehensive federal privacy law in the US.
In regards to children, Section 205 calls out data protections for children and minors: Covered entities are subject to additional requirements for covered data with respect to individuals under age 17. Targeted advertising is expressly prohibited [if covered entities have actual knowledge that an individual is under 17]/[to any individual under 17]. Covered entities may not transfer the covered data of individuals between 13 and 17 years old to third parties without express affirmative consent [where the covered entity has actual knowledge the individual is between 13 and 17].
This section establishes a Youth Privacy and Marketing Division at the FTC, which shall be responsible for addressing privacy and marketing concerns with respect to children and minors. The division must submit annual reports to Congress and hire staff that includes experts in youth development, data protection, digital advertising, and data analytics.
This section also requires the FTC Inspector General to submit a report to Congress every two years analyzing the fairness and effectiveness of the safe harbor provisions in the Children’s Online Privacy Protection Act of 1998 (COPPA). These reports must be published on the FTC web site.
Notably, there are several other important provisions with heightened or specific call-outs to children and minors throughout the legislation.
Other highlights of the bill include:
- A data minimization approach: companies will be allowed to collect and use users' data only for 17 permitted purposes. These include users' authentication, fraud prevention and online payments.
- Stricter limitations on targeted ads: On top of the provisions mentioned above, the FTC will be responsible for creating standard opt-out methods that companies will be obliged to follow.
- A ban on using sensitive data for targeted ads: This includes health information, precise geo-localization details like personal IP address and private communications.
According to the ADPPA's pre-emption principle, no States will be allowed to enforce their own regulations on the same privacy issues that the federal law will cover. This will de-facto statutes like the California's Consumer Privacy Rights Act.