ADPPA would enact a unified federal privacy law governing the use of citizens’ personal information. Learn what it means for your business.
Comprehensive federal data protection legislation has long been a stumbling block for the US government. Despite trying to reach a consensus for years, the government has so far failed to pass such legislation. Finally, a bipartisan draft bill titled the American Data Privacy and Protection Act (ADPPA) was released on June 3, 2022. The law is expected to be passed soon and enforced by the Federal Trade Commission (FTC).
The bill aims to provide comprehensive data privacy legislation by unifying the national data privacy framework and a robust set of consumer privacy rights under one umbrella. It will also harmonize American data protection legislation with its European and Canadian counterparts. What does it mean for businesses? The good news is that most companies already know what to expect from the ADPPA, since they have already worked with similar legislation. The bad news is that companies will have one more data privacy law to comply with. But first things first.
The ADPPA is not a one-of-a-kind data privacy law, as you may know. Canada, for instance, implemented its Personal Information Protection and Electronic Documents Act (PIPEDA) back in 2000. The European Union (EU) began enforcing the General Data Protection Regulation (GDPR) in 2018. These regulations have not only shown their effectiveness but have already gone through a set of qualitative changes.
While both PIPEDA and GDPR aim to protect consumers’ privacy, the latter has proved to be far tougher legislation in both reach and enforcement. GDPR requires all organizations dealing with EU residents’ personal data to comply. This means that even global giants like Apple, Meta, and Google, along with smaller companies located in the U.S. or any other country, must follow GDPR if they process the personal data of EU residents. PIPEDA also applies to non-Canadian companies that process the personal data of Canadian residents. However, the enforcement capabilities of that law are limited. While GDPR has levied millions of Euros in fines since its inception, PIPEDA experts still argue about the circumstances under which a foreign violator may be subject to the jurisdiction of the Canadian courts.
At any rate, the future ADPPA will follow the world’s best practices of data privacy and security legislation.
Until now, the U.S. has fallen behind in data privacy legislation, leaving the onus of maintaining data privacy to states or industries. Thus, as of June 2022, when we were writing this post, comprehensive consumer data privacy laws have been enacted in five states: California, Colorado, Connecticut, Utah, and Virginia. Of these five laws, the California Consumer Privacy Act (CCPA/CPRA) is the toughest. The Utah Consumer Privacy Act (UCPA), in turn, is the most business-friendly one. You may find reviews of these two state laws in our previous posts, UCPA: The Most Business-Friendly Privacy Law and Core Aspects of California Consumer Privacy Act. Reasonable as these state data privacy laws are, they share one problem: they only protect the residents of the state where they are enacted. This means that other states have substantial gaps in managing personal data correctly.
In addition to the state privacy laws, there is a mix of federal industry-specific privacy legislation. They go by acronyms like HIPAA, FCRA, FERPA, GLBA, COPPA, etc. These laws either look at specific data types, like health information or financial data, or target particular populations like minors. Thus, they cannot solve the issue of protecting all data at the federal scale.
A third issue is common to both the state and the industry-specific regulations. The patchwork of different laws is confusing for people and businesses. In the race to comply with them all, organizations risk failing. Therefore, establishing a federal data protection law would help unify a set of consumer rights and create one set of rules for all businesses.
The ADPPA would protect personal information related to finance, health, biometrics, geolocation, sexual orientation, religious beliefs, citizenship, and social security numbers. It will also govern how the information of children and minors is kept safe. One of the additional tasks the law would accomplish is bringing U.S. data security into harmony with GDPR and PIPEDA. In other words, the ADPPA will protect the whole scope of data that state and industry-specific laws try to protect separately.
Logically, many businesses will wonder whether they will still need to comply with all the existing state and industry-specific laws after the ADPPA is passed and comes into force. The ADPPA would preempt similar state laws like the UCPA, though it excludes California’s CCPA/CPRA from that preemption. At the same time, covered entities subject to certain other federal industry-specific privacy laws, including HIPAA, are deemed to comply with the “related requirements” of the ADPPA, but only with respect to data subject to those regulations.
Let’s talk about the ADPPA more specifically. The law is expected to cover any entity or person that collects, processes, or transfers covered data. Covered data is defined broadly, as “information that identifies or is linked or reasonably linkable to an individual or a device.”
Just like the CPRA (which amended the CCPA in 2020), the ADPPA defines a particular category of sensitive covered data. This data category would include an individual’s health-related information, financial account data, and biometric information, along with government identifiers such as social security numbers. Businesses will not be allowed to collect sensitive covered data without the individual’s affirmative consent.
Like any other data protection legislation, ADPPA will impose a set of policies, practices, and procedures. The covered entities must implement all of these before making any transactions with such data.
The draft legislation follows the principle of limiting data processing to what is necessary in relation to the purposes for which the data are processed.
Covered entities would be required to provide individuals with privacy policies detailing their data processing, transfer, and security activities. The policies would need to contain contact information and list the covered entity’s affiliates to whom data may be transferred. The purposes of data collection, processing, and transfer must also be stated. Everything should be provided in a “readily available and understandable manner.” Those subject to the CCPA/CPRA already know what this means; those who are not will learn soon.
Large data holders (those with annual gross revenue of $250,000,000 or more that collect the data of more than 5,000,000 individuals or the sensitive data of more than 100,000 individuals) should be ready for additional requirements. These include annual certifications for the purpose of maintaining internal controls.
Third-party service providers do not go unnoticed in the ADPPA requirements either. If you are a third-party vendor, be ready to place a clear notice on your website or mobile application informing users that you are processing sensitive personal data.
The ADPPA would grant individuals the rights to access, correct, delete, and port covered data that pertains to them. These rights are similar to those California residents have under the CCPA/CPRA. Read our post CCPA/CPRA: Upcoming Changes to the Law for a general understanding of what these rights mean.
Children and minors will also be protected by the ADPPA. Notably, the law prohibits targeted advertising to these categories of individuals. Covered entities shall not transfer the covered data of minors without their consent.
The ADPPA would prohibit covered entities from collecting, processing, or transferring data in ways that discriminate based on race, color, religion, national origin, gender, sexual orientation, or disability. This section of the law would require large data holders that use algorithms in their data transactions to assess those algorithms annually and submit annual impact assessments to the FTC.
The purpose and scope of the bipartisan draft bill titled the American Data Privacy and Protection Act would make it the primary data protection law in the U.S. The ADPPA would solve several challenges and bring U.S. data privacy legislation to a new level. Like PIPEDA and GDPR, the pioneers in this sphere, the ADPPA will grant individuals a broad spectrum of rights and impose strict requirements on businesses. The future law will also resolve the patchwork of state and industry-specific laws.
Thus, keep calm and start learning the new ADPPA to be ready to comply in the near future. Don’t hesitate to contact the Planet 9 team if you have any questions. We’ll be happy to assist!