What is the American Data Privacy and Protection Act (ADPPA)?

The ADPPA is the most significant milestone the U.S. has ever reached in passing comprehensive federal privacy legislation. According to the Library of Congress, “This bill establishes requirements for how companies, including nonprofits and common carriers, handle personal data, which includes information that identifies or is reasonably linkable to an individual.” 

The 2022 act was part of a national effort to legislate a federal data protection regulation and digital privacy standard, similar in spirit to Europe’s GDPR.

The American Data Privacy and Protection Act moved through Congress in 2022, but it is still too early to get excited about it. To date, the bill has all but stalled in Congress, and instead, many states have created or are in the process of creating a patchwork of state-level privacy laws, with California leading the trend.

Although the ADPPA had good bipartisan momentum behind it, the proposed law’s broad exceptions to preemption indicate that, in the meantime, state-by-state strategies remain the preferred method. Practically, this means that businesses face a lot of overlapping work to update their systems for the patchwork of state privacy laws that apply to them.

One can only imagine the preemption issues that will arise if the ADPPA continues to weave its way through the legislative process. Indeed, this stands to be one of the biggest challenges of any potential federal consumer data privacy regulation.


What the ADPPA Means To You

We’ll summarize briefly what the ADPPA would mean to the average American.

Under the ADPPA, people would be entitled to information about how their personal data was being used and who would process it. In addition, they would have the right to update and download their user data. For four years after the Act’s implementation, people would also be able to file lawsuits against organizations that had broken its rules, but only after giving the Federal Trade Commission and the Attorney General of their state 60 days’ notice so that those authorities have an opportunity to act first.

History of the ADPPA

On June 21, the American Data Privacy and Protection Act, a long-awaited federal comprehensive data privacy bill, was introduced in the House of Representatives. The bill was introduced by:

  • Committee chair Frank Pallone
  • House Representative Cathy McMorris Rodgers
  • Senator Roger Wicker, R-MS
  • Janice Schakowsky, D-IL
  • Gus Bilirakis, R-FL

Otherwise known as H.R. 8152, the American Data Privacy and Protection Act gained both bipartisan and bicameral support. This came as a surprise to many experts in light of the current political strife between the GOP and the DNC.

On July 20th, 2022, the House Energy and Commerce Committee voted 53-2 to advance the ADPPA to the House floor for a vote.

The ADPPA has stalled in the U.S. House, largely due to California’s concerns over the bill’s current provisions for preemption of state comprehensive privacy laws.

What would the impact of this federal legislation be on United States businesses? Read on as we discuss some key takeaways of the proposed federal privacy legislation.


Does the ADPPA Address Future Digital Innovation?

According to Victor Platt, a CISSP security specialist, the bill is designed not just for today but for the future, as digital technology becomes even more enmeshed in modern society: “It codifies a broad definition of covered data and high bars for consent, purpose limitation, and opt-out; high-level inscrutable privacy policies will no longer be enough; and things you think aren’t personally identifiable information (PII) today, like unique IDs, will be in the future.”

Which Data is Protected in the ADPPA?

Covered data 

The term “covered data” refers to any information that “identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual”.

The ADPPA would NOT apply to: 

  • de-identified data
  • employee data
  • information that is publicly available

Sensitive Covered Data

The term “sensitive covered data” is a special category of covered data that includes personal information that is not made publicly available, such as:

  • Social security, driver’s license, and passport numbers
  • Personal health or financial information
  • Biometric data, such as fingerprints or voice or retinal scans
  • Exact geolocation information
  • Private communication information concerning emails, text or direct messages, phone calls, and voicemails

Who Does the Bill Apply To?

Covered Entities

ADPPA compliance would apply to most businesses, including nonprofits and common carriers, referred to as “covered entities”. Large data holders would be bound by different or additional requirements. 

Entities that, alone or jointly, collect, process, or transfer covered data and that are subject to the FTC Act or are non-profit organizations would be covered entities under the ADPPA. The ADPPA expressly exempts people acting in a non-commercial context, much like the “household exception” in the GDPR.

Large Data Holders

Large data holders are defined as organizations with gross annual revenue in the most recent calendar year of $250 million or more that collect, process, or transfer the covered data of more than 5 million individuals or devices, or the sensitive covered data of 100,000 individuals or devices.

The ADPPA places additional requirements on large data holders. For instance, they would have to post copies of all of their prior privacy policies on their websites for at least ten years. Large data holders would also need to conduct a privacy impact assessment of their controls and of the risk to consumers biannually and make it available.

Small Data Holders

SMBs are companies with a gross annual income of less than $41 million in each of the three prior years, that process the data of no more than 200,000 people, and that do not derive more than half of their income from transferring covered data. SMBs would still be subject to ADPPA regulation, but the so-called “small data exception” would free them from several key requirements. For instance, rather than rectifying data in response to a customer’s request, they could delete it. Additionally, they would not be required to designate a privacy and data security officer.

Third-Party Collectors or Service Providers

These entities collect, process, or transfer data on behalf of, and at the direction of, a covered entity, and each has its own responsibilities with respect to covered data. They may only collect or process covered data for the purposes directed by the covered entity from which they received the data, and they may not transfer such data to another entity without the express affirmative consent of the individual to whom it pertains.

Any third-party collecting organization that gathers data on more than 5,000 people or devices would be required to register with the FTC and adhere to FTC auditing rules.

How Will Data Be Protected Under the ADPPA?

Data Minimization

Covered entities are prohibited from collecting, processing, or transferring covered data beyond what is reasonably necessary, proportionate, and limited to: provide specific products and services requested by individuals; communicate with individuals in a manner they reasonably anticipate given the context of their relationship with the covered entity; or serve a purpose expressly permitted by the act.

Loyalty Duties

Except in limited instances, covered entities are significantly restricted from engaging in certain data practices involving specified types of covered data, in order to ensure that they protect individual privacy and prevent harmful uses of particular sensitive data.

Collecting, processing, or transferring biometric information, genetic information, internet browsing and search history, or information about an individual’s physical activity, as well as transferring precise geolocation information to third parties, is restricted except where necessary to comply with a warrant or where the stricter requirements for obtaining the individual’s express affirmative consent have been met.

Further prohibitions apply to Social Security numbers, password information, and non-consensual intimate photos.

Privacy by Design

Covered entities are required to implement “reasonable policies, practices, and procedures” for the collection, processing, and transfer of covered data. These policies should take into account the covered entity’s size and complexity, the type and volume of data it handles, and the cost of implementing the policy relative to the entity’s risk exposure.

Loyalty to Individuals with Respect to Pricing

Covered entities may not condition services or pricing on an individual waiving any of the privacy rights in the act. This prohibition does not prevent covered entities from differentiating the price or level of services based on an individual providing financial information that is necessarily collected and used for payment when the individual specifically requests a product. Covered entities are also not prevented from offering loyalty programs that provide discounts in exchange for continued business.

Privacy policy

Covered entities and service providers must publish a privacy policy that discloses their processing activities in an understandable manner. Any material changes to privacy policies or practices would have to be communicated to the affected individuals, who in turn would have an opportunity to withdraw their consent to any future processing.

Centraleyes Privacy Tracker

Staying abreast of the latest federal privacy developments is a massive undertaking. Make sure you have all the latest updates by checking out our brand-new privacy law tracker.

How Centraleyes Facilitates Compliance With Privacy Laws

Many data protection controls are uniform across multiple standards and privacy regulations. Leveraging a solution like Centraleyes that lets you map requirements across different standards and laws is a tremendous advantage.

With our rapid onboarding and deployment processes, you can start implementing strong security policies today and ensure you comply with the ADPPA and other privacy laws in the future.

Interested in learning more? Schedule a free demo today!
