Breaking News: Uncle Sam Weighs in on Data Privacy with the ADPPA

The American Data Privacy and Protection Act (ADPPA) has been sent to the House of Representatives for consideration and would fundamentally change data privacy in the U.S. By partly replacing the current patchwork of state laws, companies would gain a clearer path to compliance.


With bipartisan approval, the House Energy and Commerce Committee of the U.S. Congress recently sent the American Data Privacy and Protection Act (ADPPA) to the House of Representatives for consideration. The ADPPA, which regulates how companies collect and manage personal information, seeks to partially replace several state privacy laws like California’s CCPA/CPRA.

What is the ADPPA?

Promoting the principle of data minimization, the ADPPA requires businesses dealing with customer data to collect only "what is reasonably necessary, proportionate, and limited to provide specific products and services requested by individuals." This approach contrasts with a consent-based approach, which assumes that collection is generally allowed as long as the user consents to it.

By adhering to data minimization, businesses commit to collecting data that is adequate, relevant, and limited to what is needed to fulfill their stated business purpose. This approach is very different from businesses gaining consent from data subjects who agree to the processing of their personal data but who cannot indicate the amount of personal data businesses may collect or how they can use, share, or manage it. Under the ADPPA, businesses will be required to ask for and receive explicit consent for each piece of data they collect and are restricted to using the data only for the purposes that consumers agreed to.

Other key points of the ADPPA include:

  • Establishing the Federal Trade Commission (FTC) as the agency responsible for determining what is reasonably necessary, proportionate, and limited.
  • Including a provision to preempt state laws like CCPA/CPRA while preserving some state protections, including consumer protection laws of general applicability and data breach notification laws.
  • Providing 17 permissible cases for data collection, including a form of targeted advertising that is more limited than what is used today.
  • Banning ads that target minors or use “sensitive covered data,” including health, financial, precise geolocation, sexual, biometric, and racial data, among other types.
  • Eliminating sensitive covered data, which includes “information identifying an individual’s online activities over time and across third-party websites or online services.”
  • Allowing users to opt out of targeted advertisements.
  • Supporting private action, such as suing companies that violate the law, after four years have passed.
  • Imposing stricter compliance requirements on large social media companies and large data holders.

What does ADPPA mean for your business?

The ADPPA would fundamentally change data privacy in the U.S. By partly replacing the current patchwork of state laws, companies would gain a clearer path to compliance. The law would also change the way that online advertising works, from a model that hyper-targets users to one where users have more control over their data and over the type of advertisements they encounter.

Companies with fifteen or more employees would be required to have a data privacy and security officer. All companies would be required to conduct biennial impact assessments.

Regardless of the size of your business, the ADPPA will affect you as you will have to implement new practices and procedures. The draft requirements differ from the GDPR and various U.S. state laws, requiring businesses to examine them closely and adapt data privacy practices accordingly.

Is the ADPPA viable?

Some members of Congress, including Senate Commerce Committee Chair Maria Cantwell, have reservations. Cantwell has stated that the ADPPA has "major enforcement holes." Her primary concern is the proposed two-year statute of limitations for the private right of action. As the Committee chair, Cantwell’s views are important to the future of the bill.

Privacy advocates have also expressed dissatisfaction with the ADPPA. The Electronic Frontier Foundation (EFF) said it was disappointed by the draft that passed Committee, and noted three initial objections:

  1. The bill's overriding of state privacy laws.
  2. Changes that might make it harder to enforce an existing federal privacy law that applies to telecommunications companies.
  3. The abundance of exceptions written into the bill's right to private action.

While previous federal data privacy bills have failed, the ADPPA may be different. The bill would preempt state laws while preserving some state protections, including consumer protection laws of general applicability and data breach notification laws.

Satisfying the ADPPA

To cost-effectively ensure that you are complying with the ADPPA, you will have to manage and track consumers’ requests to opt out, review, access, delete, and obtain their data.

Business owners and leaders need a system for tracking consumer requests to opt out, review, access, delete, and obtain their data. Without an accurate system for tracking the status of each request, business owners risk costly penalties and damage to their reputations.

To strengthen and enhance customer loyalty, PrivacyCare offers a system that features:

  1. Customizable data-subject-request (DSR) forms that consumers can use to initiate their data request.
  2. Consumer authentication.
  3. A flexible record-keeping system that can support any DSR process, helping businesses comply with multi-state data privacy laws.
  4. A database of the DSRs and their status.
  5. A cost-effective solution that avoids unnecessary upgrades involving data analytics, data management, and data security functions.
  6. A SaaS platform that eliminates the need for businesses to purchase and manage hardware or software.
  7. Up-to-date coverage of the latest changes to data privacy laws across the U.S.

Get started with PrivacyCare for help with your data privacy compliance.
