The American Data Privacy and Protection Act (ADPPA) establishes federal regulation of how personal data is collected and handled by companies in the United States. U.S. Congress describes the bill's purpose as providing consumers with foundational data privacy rights, creating strong oversight mechanisms, and establishing meaningful enforcement.
This article will overview what the ADPPA accomplishes, how this legislation impacts business owners, and how to comply to avoid potential penalties.
- 1. What is the American Data Privacy and Protection Act?
- 2. What Data Does the ADPPA Cover?
- 3. Data Rights For the Individual
- 4. Responsibilities of Businesses
- 5. What Businesses Does the ADPPA Apply to?
- 5.1. Data Controllers
- 5.2. Service Providers
- 5.3. Large Data Holders
- 5.4. Exemptions
- 6. How to Comply With the ADPPA
- 6.1. Get Express Consent
- 6.2. Only Collect Necessary Data
- 6.3. Implement Privacy by Design and Data Security
- 6.4. Appoint Data and Privacy Security Officers
- 7. What are the Penalties For Not Complying with the ADPPA?
- 8. Summary
What is the American Data Privacy and Protection Act?
The ADPPA outlines requirements for how companies in the United States obtain and use personal information, as well as rights for Americans' access to and control of their data.
Because data privacy was previously unregulated at the federal level, most Americans have minimal to no protection for their data without the ADPPA. Federal legislation ensures that privacy protections do not change across state lines. Therefore, the bill preempts many existing state laws regarding data collection, protection, and processing, even where the state law provides stronger data privacy, such as the California Consumer Privacy Act (CCPA/CPRA).
As enforceable privacy legislation, the ADPPA provides certainty to Americans and businesses alike. It protects personal and sensitive information from being uncontrollably spread or misused and it outlines clear rules for businesses to follow while maintaining their ability to function and innovate efficiently.
The main goals that the ADPPA aims to accomplish are as follows:
- Secure user data
- Minimize the collection of personal data
- Give users access to and control of their data
- Require transparency in data collection, usage, and distribution
What Data Does the ADPPA Cover?
It is important to understand what data is included under the protections put in place by the ADPPA. Only the data of U.S. residents is covered under the legislation. The scope of the data covered is broad and it is divided into two categories, "covered data" and "sensitive covered data."
- In general, any data that identifies an individual or their device can be "covered data". The provided definition in Section 2 of the ADPPA is unspecific but conveys that data such as ID numbers, phone numbers, digital fingerprints, and IP addresses are covered.
- "Sensitive covered data" specifies categories where the data must be protected such as financial information, healthcare data, exact location, private communications, private photos, and more. All data for persons under the age of 17 is also considered "sensitive covered data."
There are several exclusions to "covered data" outlined in the ADPPA that exempt the following types of data from federal regulation:
- Employee information
- Information that exists in the public domain
- De-identified data (data from which personal identifiers have been removed)
Data Rights For the Individual
With the ADPPA, Americans have clearly defined rights when it comes to their personal information, and individuals are granted some control to monitor and manage their information. These rights are identified under Title II of the ADPPA, entitled Consumer Data Rights:
- Right to awareness - Companies must inform individuals of their privacy practices.
- Right to access - Users can request access to their data and companies must grant access to it. Individuals are also allowed to move their data to other companies.
- Right to correction and deletion - Users can request data be corrected or deleted and companies must grant the request.
- Right to consent and objection - Individuals can elect for any of their personal information not to be used. For companies to process "sensitive covered data," they must obtain express consent.
- Right to opt out - Individuals can opt out if they do not want their data transferred and if they do not want targeted advertising.
The legislation also outlines timeframes within which consumer requests regarding data must be resolved. The time frame to resolve data requests depends on the type and size of the company. Individuals can request data from within the last 24 months from a qualifying entity.
Responsibilities of Businesses
The ADPPA determines how qualifying companies must protect user data and uphold their users' privacy. The scope of the data protection practices required by the ADPPA is determined by a business's size, the volume of data, and the type of organization.
While each data obligation has exceptions and specifications for which entities are included, in general, qualifying businesses are required to do the following to comply with the ADPPA:
- Minimize the collection of user data to what is "reasonably necessary"
- Not collect, process, or transfer prohibited data
- Provide users with an opt-out choice prior to transferring data to a third party
- Allow users to opt out of receiving targeted advertisements
- Comply with user requests for data awareness and data accessibility
- Employ a data security officer or officers to execute and manage data protection practices
- Not use discriminatory algorithms that collect and manage data based on a user's race, ethnicity, gender, religion, or sexual orientation
There are also special data practices required for minors' data.
- All data from a minor is considered "sensitive covered data" and must be handled as such
- Advertisements must not be created specifically for children and targeted to children
- Data from a minor cannot be transferred without permission from a legal guardian
What Businesses Does the ADPPA Apply to?
In one way or another, the ADPPA applies to all U.S. businesses and businesses with U.S. consumers. While "covered entity" is defined broadly, the bill does describe three types of entities and their specifications for complying with the ADPPA: data controllers, service providers, and Large Data Holders.
Companies that must comply with the ADPPA are defined by the bill as "covered entities". These are all companies with U.S. users that collect, process, or transfer covered data, including internet and cellphone providers, nonprofits, and sole proprietors. Section 2 (9) of the ADPPA states a covered entity is:
"...any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data..."
Data controllers are covered entities that decide and manage data usage. Generally, these companies determine what happens to that data including how it gets used within the company and how it is processed by external sources.
Service providers are companies that process data at the direction of a data controller. The ADPPA requires data controllers and service providers to have a contract that outlines the obligations of data protection. Data controllers are not liable if their service provider does not comply with the ADPPA and the data controller has.
Large Data Holders
This type of covered entity is a company that met all three of the following criteria in the most recent calendar year:
- Gross annual revenue of $250 million or more,
- Collected or processed data for 5 million or more persons or devices, and
- Has sensitive data for more than 200,000 persons or devices
This category targets large technology companies such as social media platforms and search engines.
Large data holders are subject to stricter data protection and privacy obligations than a standard covered entity. For instance, they are required to conduct internal assessments of their algorithms and provide the results to authorities. They also have 45 days to respond to individual data requests, while standard covered entities have 60 days to respond.
All government agencies, including state and municipal agencies, are exempt from complying with the ADPPA. Tribal and territorial government agencies are also exempt.
There are also significant exemptions for small businesses. While they must comply with the ADPPA in general, certain requirements are waived or reorganized to accommodate them. The goal of this is to avoid putting financial and managerial burdens on small businesses.
A small business is considered to be one that meets the following criteria for the previous three consecutive years:
- Annual gross revenue of less than $41 million,
- Processes no more than 100,000 individuals' data (including payment data), and
- Not a data broker
Small businesses are not required to comply with data portability requirements. If a user finds an error in their data and requests that the data be corrected, a small business is allowed to delete that data instead of correcting the errors.
While larger businesses will have 45 days to respond to user requests, small businesses will have more time, with a 60-day window.
How to Comply With the ADPPA
The ADPPA can be overwhelming for business owners at first glance. There are several data practices that will likely need to be implemented or adjusted in order to comply with this legislation:
- Get consent when collecting, processing and transmitting covered data
- Minimize data collection to only what is necessary
- Implement Privacy by Design
- Allow users to opt out of targeted advertising
- Honor user rights
- Prevent or restrict the use of data of minors under 17 years old
- Honor protections for sensitive types of data
Get Express Consent
Express consent involves requiring a user to take an action to make it very clear that consent is granted. For example, clicking a checkbox next to a statement that says, "By clicking this checkbox, you agree to having your data collected and processed" would be an example of express consent.
Before collecting, processing or sharing covered data, obtain this consent.
Here's an example of this:
You must make it possible for users to withdraw this consent at any time after it has been granted.
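As an added illustration (not code from the original article), the following Python consent ledger applies the rules above: consent is recorded only when the user takes an affirmative action, it can be withdrawn at any time, and, following the minors rule earlier on the page, a transfer for a person under 17 is allowed only on a guardian's consent. The class and method names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PURPOSES = ("collect", "process", "transfer")
MINOR_AGE_LIMIT = 17  # the page: all data of persons under 17 is "sensitive covered data"


@dataclass
class ConsentRecord:
    purpose: str
    statement: str            # the text the user agreed to, kept for the audit trail
    granted_by: str           # "self" or "guardian"
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Per-user, per-purpose record of express consent (hypothetical helper)."""

    def __init__(self) -> None:
        self._records: dict[str, list[ConsentRecord]] = {}

    def grant(self, user_id: str, purpose: str, statement: str,
              affirmative_action: bool, granted_by: str = "self") -> ConsentRecord:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        # Express consent needs a deliberate act; a pre-checked box or silence does not count.
        if not affirmative_action:
            raise ValueError("express consent requires an affirmative action by the user")
        rec = ConsentRecord(purpose, statement, granted_by, datetime.now(timezone.utc))
        self._records.setdefault(user_id, []).append(rec)
        return rec

    def withdraw(self, user_id: str, purpose: str) -> int:
        """Withdraw every active consent for this purpose; returns how many were withdrawn."""
        now = datetime.now(timezone.utc)
        withdrawn = 0
        for rec in self._records.get(user_id, []):
            if rec.purpose == purpose and rec.active():
                rec.withdrawn_at = now
                withdrawn += 1
        return withdrawn

    def may(self, user_id: str, purpose: str, age: Optional[int] = None) -> bool:
        """True only if an active express consent covers the purpose (guardian's for a minor's transfer)."""
        need_guardian = age is not None and age < MINOR_AGE_LIMIT and purpose == "transfer"
        return any(rec.active() and rec.purpose == purpose
                   and (rec.granted_by == "guardian" or not need_guardian)
                   for rec in self._records.get(user_id, []))
```

Check the ledger before every collection, processing, or transfer step; the kept statement text lets you show later exactly what the user agreed to.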
Only Collect Necessary Data
Minimize the data you collect by only collecting what you actually need for your intended purposes. For example, if you plan to send out an email newsletter, you don't need to collect home addresses.
This is especially important if the data you're collecting is considered to be "sensitive." This type of data must only be collected when it's truly necessary.
Implement Privacy by Design and Data Security
The best way to ensure your entire business is appropriately addressing privacy law compliance is to implement Privacy by Design at all stages. Whether you're just starting out, or doing a retroactive self-audit, PbD can help you spot areas in your business where privacy could be boosted. It's also a helpful way to see where you're lacking in data security practices that you can better implement.
Data Impact Assessments are another useful way to evaluate the state of data security at your business and make adjustments where needed.
Appoint Data and Privacy Security Officers
These individuals should be appointed with the goal of helping you create and implement a data privacy program that will help you comply with the ADPPA (and other privacy laws).
What are the Penalties For Not Complying with the ADPPA?
Under the ADPPA, individuals have a right to take civil action against companies that do not comply with the requirements. The individual will first need to notify the FTC and their state's attorney general. The regulators will determine if it is necessary for them to take action or if it is best handled by civil legal proceedings.
The Bureau of Privacy can penalize businesses by fining them under the Federal Trade Commission Act.
The ADPPA will initiate substantial changes in how companies use consumer data. Depending on the scale of your company these changes could be costly and time-consuming to navigate or a simple modification to how you advertise.
Complying protects your users' data and provides transparency to further build trust with your consumers. Data protection legislation not only protects the consumer but can also protect your business's data from other companies and large data holders.
To comply with the ADPPA, do the following:
- Minimize data collection and get appropriate consent
- Comply with individual data requests under user rights
- If necessary, meet data privacy and protection officer requirements
- Keep Privacy by Design in mind at all stages of your business
- Take required data security measures for the collection, processing, and transferring of data
- Be aware of safeguards in place for children under the age of 17