The United States Congress is debating the American Data Privacy and Protection Act (ADPPA), a bill designed to regulate how organizations collect, process, manage, and even securely store personal information or “covered data.” The federal privacy bill has bipartisan support but faces opposition both internally and externally from privacy advocates who want a stronger law and business groups who have voiced their concerns about the private right of action in the bill. It remains to be seen if this bill will pass, but momentum is clearly on the upswing for a federal privacy law.
The ADPPA, as currently drafted, would preempt most existing state laws, like the California Consumer Privacy Act and Colorado Privacy Act. However, laws covering biometric data, as well as the breach provisions under the CPRA, would be allowed to coexist and are specifically mentioned in the proposed law. Having a single law in effect nationwide would likely make the management of data privacy programs much simpler compared to having to track standards from multiple states, but with several carve-outs it’s likely that organizations will still need to account for certain state requirements.
Here are some key elements in the ADPPA that you need to know about.
Data Minimization and Restrictions
This federal privacy bill states that covered entities must minimize their collection, processing, and transferring of data to what is “necessary, proportionate, and limited to” their ability to provide or maintain a specific product or service or communicate with the individual.
If the ADPPA becomes law, the Federal Trade Commission will establish what constitutes “necessary, proportionate, and limited to” within one year. The data minimization principle is a requirement we see in many other privacy laws and is a core component of any data privacy program. It can also be one of the more challenging and impactful requirements to implement, as it has ripple effects across the entire business and not just the privacy or compliance department.
Further, the ADPPA includes additional, not-before-seen requirements and restrictions surrounding how covered data can be processed and transferred. These include:
- The collection, processing, or transferring of social security numbers (finally)
- The transfer of an individual’s precise geolocation information to a third party
- The collection, processing, or transferring of biometric and genetic information
- The transfer of passwords
- The transfer of an individual’s aggregated internet search or browsing history
- The transfer of an individual’s physical activity information from a smartphone or wearable device
Individual Ownership and Control
Under the ADPPA, the subjects of personal data have the right to:
- Access their data through a downloadable file
- Be given the name of a third party also in possession of their data
- Know the purpose of the data
- Correct any inaccurate data
Depending on how an organization is classified (large data holder, covered entity, or a covered entity as described in 209(c)), it will have 30, 60, or 90 days to respond to a request. This could impact an organization’s current process for honoring consumer requests, as the majority of states set the time to 45 days with a 45-day extension. Organizations will need to ensure their procedures are updated if this law passes.
Private Right of Action
Four years after the ADPPA goes into effect, it would give private citizens the ability to take legal action against a covered entity they believe violated the ADPPA. Before bringing a civil action, a person must first notify their state’s Attorney General and the Federal Trade Commission of their intent. The FTC and the AG’s office then have 60 days to respond as to whether they will act independently or allow the suit to proceed.
As a note, and something that may dissuade some, any written communication from the complainant requesting monetary payment that is sent before the end of the 60-day window in which the AG’s office must respond is considered to have been sent in “bad faith” and is unlawful.
The Impact on Large Data Holders
It’s clear that federal legislators are concerned about how data brokers, big tech, and other organizations that process large volumes of data are protecting and processing consumer data. There are multiple requirements in the ADPPA specifically designed for “large data holders”, which are defined as any organization that meets both of the following criteria:
- Had an adjusted gross revenue of over $250 million in the last calendar year, AND
- Collected, possessed, or transferred data for more than 5,000,000 individuals, or the sensitive data of more than 100,000 individuals
Within one year of the ADPPA becoming law, the CEO or highest-ranking officer, along with each privacy officer and data security officer at a large data holder, must certify to the FTC that “reasonable” controls are in place to comply with the ADPPA and that reporting structures are in place so the certifying officers are involved in decisions regarding compliance with the law.
Further, large data holders must have at least one officer responsible for the implementation and review of data policy programs, employee privacy training, records maintenance, and serving as the point of contact with enforcement agencies. This officer must report to the CEO or highest-ranking official within an organization.
Within a year of the ADPPA going into effect, and every 2 years thereafter, large data holders are required to conduct a privacy impact assessment that measures the effectiveness of their privacy protection methods and the potential risk to the individuals whose data is being collected, processed, and transferred.
Exemptions for Small Data Holders
Included in the ADPPA are some exemptions for small data holders, which are defined as organizations that:
- Have an average adjusted gross revenue of less than $41 million over the last 3 years
- Collect or process data for fewer than 100,000 individuals annually
- Generate less than 50% of their revenue from transferring data
Small data holders are exempt from the requirement to make data corrections at the individual’s request; they are allowed to simply delete the data instead. Small data holders are also exempt from most of the data security practice requirements, the exception being the requirement to delete data that is no longer necessary.
While the majority of the state privacy laws exempt nonprofits, it’s worth noting that nonprofits fall under the umbrella of a covered entity in the ADPPA. However, many nonprofits will qualify as small data holders, which will grant them these exemptions.
Rules for Third-Party Collecting Entities
In the ADPPA, third-party collecting entities are defined as a “covered entity whose principal source of revenue derived from processing or transferring the covered data of individuals that the covered entity did not collect directly from the individuals to which the covered data pertains.”
Under the ADPPA, a third-party collecting entity must:
- Place a clear notice on its websites or apps stating it is collecting data on behalf of another organization
- Establish measures that allow for the auditing of covered data
- Provide the required information for the Third-Party Collecting Entity Registry
Every organization will need to evaluate its existing data privacy program to see how it holds up against the ADPPA, or against whichever similar federal privacy bill eventually becomes law.