This bill — the American Data Dissemination (ADD) Act — would create a national consumer data privacy law that protects both consumers and the internet economy. It would update the Privacy Act of 1974 to account for modern technology, create clear protections that consumers can understand, and direct the Federal Trade Commission (FTC) to develop and enforce the updated law.
Within 180 days after this bill’s enactment, the FTC would be required to submit detailed recommendations for privacy requirements for Congress to impose on covered providers. These requirements would be substantially similar to the requirements applicable to agencies under the Privacy Act of 1974.
No earlier than a year after the submission of the FTC’s recommendations (18 months after this bill’s enactment), the FTC would publish and submit to the appropriate congressional committees proposed regulations to impose privacy requirements on covered providers that are substantially similar to the requirements applicable to agencies under the Privacy Act of 1974.
Finally, to ensure that Congress acts in a timely manner, if Congress fails to enact a law based on the FTC’s recommendations by two years after this bill’s enactment, the FTC would be directed to promulgate a final rule to impose privacy requirements based on the narrow, Congressionally-mandated course of action created in this bill. This FTC rule would be finalized no later than 27 months after this bill’s enactment.
The FTC would be required to establish criteria for exempting small, newly formed providers from the requirements under the regulations. These criteria would take into account: how long the provider’s been operating, the provider’s annual revenue, and the number of individuals about whom the provider collects records.
This bill would also provide consumers with rights to access, correct, and delete records maintained by a covered provider that are inaccurate, irrelevant, untimely, or incomplete as defined by the FTC.
This bill would supersede any state laws that pertain to the same consumer data that it governs. Covered consumer data would include names, Social Security Numbers, other government ID numbers, financial transactions, medical histories, criminal histories, employment histories, user-generated content, unique biometric data (e.g., fingerprint, voice print, retina or iris image, or other unique physical representations), and other personal data collected by companies.
“Covered providers” would be defined as entities that provide services that use the internet and collect records.