Category: Blog

Understanding the American Data Privacy and Protection Act

This post is part of a sponsored ComplyTrust blog post series.

If you have read our previous articles on data privacy laws, or if you are following developments in this area, you will probably have noticed that the regulatory landscape is complex. In the United States of America, individual states have started to introduce their own privacy laws by lack of an overarching, federal level legislative framework.

The complexity and its negative impact on businesses was not lost to some of the legislators and other sponsors, which pushed for a federal law that would cover data privacy rights, so draft bill H.R.8152, known as the “American Data Privacy and Protection Act” (ADPPA), was introduced in June 2022.

After many debates, the bill passed by a vote of 53-2 on the House Committee on Energy & Commerce and can now be voted by a full House floor vote. Because the law still needs to be adopted by House, none of its provisions are yet valid or enforced.

ADPPA and Existing Privacy Laws

Once (if) adopted, the ADPPA will become a federal standard privacy law that will have higher authority over state-enacted privacy laws such as CCPA (California Consumer Privacy Act), CPRA (California Privacy Rights Act), and other similar laws adopted by Colorado (ColoPA), Connecticut (CTPA), Virginia (VCDPA), and Utah (UCPA).

In practice, however, some exemptions will exist, and are explicitly stated in the draft bill. For example, certain clauses of the CCPA (for personal information security breaches) will remain valid.

In addition, the ADPPA defines several ways to control and enforce the legislation, at multiple levels:

  • At the federal level, with the Federal Trade Commission (FTC), through a newly created Bureau of Privacy;
  • At the states level, via each state’s Attorney General, Chief Consumer Protection officers, or through already existing organisms (for example, using CCPA provision in California);
  • At the private level, either for individuals (individual or class-action) or private organizations, allowing them to fill-in a civil action.

The last method, private rights of action, is still very controversial and not guaranteed to make it in the final bill. If it does, it could take up to four years to become available after the ADPPA law comes into force, and the legislator has introduced a series of barriers to prevent abuse.

Concepts and New Provisions of ADPPA

With the ADPPA, the legislators have had the opportunity to look at existing privacy laws and determine some of their strong points vs. shortcomings. As a result, some additional concepts were introduced in the ADPPA.

Duty of Loyalty

Among provisions of the ADPPA, a controversial “duty of loyalty” is introduced. The law aims to limit personal data usage to “what is reasonably necessary and proportionate” to “provide or maintain specific products or services requested by the individual” and goes on to define a set of “permissible purposes”.

Consumer Data Rights

ADPPA also enacts a variety of individual data ownership and control rights including access, correction, deletion, and portability, as well as reports related to the scope and purpose of collected personal data. Worth mentioning, the organization must be capable of providing the said data in both human-readable and machine-readable formats.

This makes data not only understandable to humans raising requests, but also simplifies automated personal data processing for Right-of-Erasure requests. This is particularly important for organizations that must handle personal data processing requests at scale.

Consumer data rights also include several provisions around consent withdrawal, data protections for children and minors (data transfer requirements and prohibition of targeted advertising for this population), and data transfers.

Civil Rights and Algorithms

The prevalence of algorithms in our daily lives has a significant impact on the lives and freedoms of individuals. Biases can be introduced in algorithms, impacting hundreds of thousands if not millions. The ADPPA introduces measures to evaluate algorithm designs, seeking to understand if the algorithms use personal data, how the data is used, and if the algorithm can introduce a negative bias based on certain personal criteria such as race, gender, religion, disability status, and more.

In addition, the regulation also introduces specific measures to build “secure by default” personal data processing applications and infrastructure designs, plus introduces the concept of third-party data processing entities, enforcing additional obligations and reporting requirements on these entities.

Potential Blockers

Since the ADPPA’s introduction in June, it has been one of the most heavily lobbied bills in Congress. According to data from the OpenSecrets research group, the ADPPA has drawn attention from more than 180 corporate clients, including Amazon, Disney and Target. Other lobbying reported in Q2FY22 included Airbnb, American Express, eBay, Home Depot, Intuit, T-Mobile, Toyota and Verizon. As the business lobbyists continue to secure some key wins against the bill approval process to-date, both Fox Corp and the Walt Disney Co. hired former US House Representative Greg Walden (ex-House Energy & Commerce Committee), to lobby on the privacy bill, according to other reports filed with Congress.

This heavy industry lobbying could imperil the comprehensive ADPPA bill that would fundamentally shift the way companies collect user data online when passed.

Another key sticking point identified is the private right of action included in the bill, which would allow individuals to sue companies for violating their data privacy rights under the new law. The Consumer Technology Association communicated to the ADPPA sponsors in June requesting them ‘not to burden industry and federal courts with a new private right of action’.

An additional potential blocker contained within the bill itself that would seemingly make the Telecom industry very happy, is removing the Federal Communications Commission’s (FCC) ability to enforce privacy rules for carriers that process billions of text messages and calls. Under the current ADPPA bill, enforcement would be handed over to the Federal Trade Commission, which today has far fewer powers than the FCC.

Conclusion

If the ADPPA is adopted, it has the potential to bring personal data handling and privacy rights to the next level. Undoubtedly a benefit for the rights of individuals, the broad scope of new provisions under the ADPPA significantly increases regulatory risk exposure of organizations.

This continues to strengthen the vision of industry experts such as ComplyTrust, advocates for continuous regulatory compliance with a systematic and automated approach. Their Forget-Me-Yes® (FMY) cloud-native SaaS application manages organizational and individual Right-to-be-Forgotten (RtbF) and Right-of-Erase (RoE) data privacy compliance for Brazil’s LGPD, Europe’s GDPR, California’s Consumer Privacy Act (CCPA/CPRA), China’s Personal Information Protection Law (PIPL), Colorado Privacy Act (CPA), Virginia’s CDPA, Utah’s Consumer Data Privacy Act (UCPA) and the Washington Privacy Act (WPA). Available in a variety of monthly subscription options, FMY is a cost-effective data privacy solution providing easy integration, in-time compliance and automated Data Subject Access Request (DSAR) reinfection prevention technology (RPT), enabling continuous compliance across a variety of data sources.