The American Data Privacy and Protection Act (ADPPA) aims to introduce national privacy and data security protections for consumer data. Here we explain what ADPPA compliance will entail.
The Need for a Federal Consumer Data Privacy Law
Despite many U.S. tech firms being among the largest worldwide collectors and processors of consumer data, the U.S. lacks a federal data privacy and protection law, and instead there is a patchwork of privacy laws covering each of the 50 states. National data privacy and protection laws have been introduced in many countries worldwide, yet all attempts to introduce comprehensive consumer data laws in the United States have failed to date.
As it stands, the personal data of residents of California, Colorado, Connecticut, Utah, and Virginia is subject to quite stringent laws, but that is far from the case elsewhere. In other states, consumer data privacy and security requirements are far lower or even virtually nonexistent. That means that consumer rights over their personal data can vary considerably, depending on which side of a state border an individual resides. There are several federal laws that have privacy and data security requirements, but whether those requirements apply depends on the entity collecting the data.
The amount and extent of data now being collected – and often sold without individuals’ knowledge – is considerable, and there is strong public support for a federal consumer data privacy and protection law. One survey suggests that 75% of Americans are in favor of a consumer data privacy and protection law that dictates how data can be collected and used. A federal law would also help to prevent companies from engaging in exploitation and discrimination, as they are largely free to do through the current collection, buying, selling, and sharing of consumers’ personal information.
The American Data Privacy and Protection Act
ADPAA (H.R. 8152) was introduced in the House of Representatives by Reps. Frank Pallone (D-NJ), Cathy McMorris Rodgers (R-WA), Janice Schakowsky (D-IL), and Gus Bilirakis (R-FL) and aims to introduce the first national data privacy and protection law, restricting the collection of personal data without consent, limiting uses and disclosures, and giving Americans new rights over their personal data, regardless where in the United States they live.
ADPPA will preempt state laws, although currently not the California Consumer Privacy Act and Illinois’ Biometric Information Privacy Act, and other consumer protection laws will also not be preempted, such as data breach notification laws and laws on cyberstalking, cyberbullying, and sexual harassment.
Covered Entities and Covered Data
Covered data is any information that identifies or is linked or reasonably linkable to an individual or device, by itself or in combination with other information. ADPPA does not apply to de-identified data, employee data, publicly available information, and inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.
Greater privacy and security requirements apply to sensitive covered data, which includes government-issued identifiers, health information, financial information, biometric data, genetic information, precise geolocation information, and a range of other sensitive data types.
Covered entities are entities that, alone or jointly with others, determine the purposes and means of collecting, processing, or transferring covered data and are:
- Subject to the Federal Trade Commission Act
- Common carriers subject to the Communications Act of 1934
- Organizations not organized to carry out business for their own profit or that of their members
- Entities that control, are controlled by, or are under common control with another covered entity
ADPPA will not apply to government entities or persons or entities that collect, process, or transfer covered data on behalf of federal, state, tribal, territorial, or local government. Covered entities required to comply with the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, FERPA, HITECH Act, and HIPAA, will be deemed to be compliant if they are compliant with those laws for data privacy and security.
There is a separate classification for large data holders. A large data holder is an entity with gross annual revenue of $250 million or more, which collects, processes, or transfers the data of more than 5 million individuals or devices, or the sensitive data of 200,000 or more individuals or devices.
Summary of ADPPA Compliance Requirements
- Consent is required to collect, process, and transmit covered data
- Covered entities are required to minimize data collection to what is necessary
- Covered entities must ensure privacy by design and not require consumers to pay for privacy
- Covered entities must permit consumers to opt-out of targeted advertisements
- Consumers are given the right to access/inspect their data, correct errors, delete their data, port their data, and withdraw consent at any time.
- Protections are provided for minors under 17 years of age to prevent or restrict the use of their data
- Improved transparency about how companies collect and use data
- Improved protection for sensitive data types
- Introduces greater accountability for large data holders, such as data brokers and large tech firms.
ADPPA Compliance Requirements
There are considerable ADPPA compliance requirements for all covered entities, the most important of which are summarized below.
Consent to Collect, Process, Share, and Sell Data
Covered entities must obtain express consent from an individual in order to collect, process, share, or sell their personal data, and are prohibited from pretextual consent such as obtaining consent using false, fictitious, fraudulent, or materially misleading statements or representation, and the use of interfaces for obtaining consent that manipulate consumers. Covered entities, service providers, and third parties are prohibited from engaging in deceptive advertising or marketing. Data may not be collected, processed, or transferred in a manner that discriminates on the basis of race, color, religion, national origin, sex, or disability.
Covered entities that collect, process, or transfer covered data must ensure the data collected is limited to what is reasonably necessary and proportionate to providing a product or service or for delivering communications that are reasonably anticipated by the consumer.
Restricted use of Sensitive Data
Sensitive data must not be collected and processed unless the collection of that data is necessary to provide or maintain a specific product or service. Transfers of sensitive data to third parties are prohibited unless affirmative consent is obtained, if necessary to comply with federal, state, or local laws, and good-faith disclosures are permitted to prevent an individual from imminent injury. Biometric data may only be transferred to facilitate data security or authentication, and passwords may only be transferred if necessary to use a designated password manager or for identifying password reuse on multiple sites. Genetic information may only be transferred for medical diagnosis or research, with appropriate consent.
Privacy by Design
Covered entities and service providers must establish and maintain reasonable privacy policies and practices, must assess privacy risks to individuals under 17, and mitigate privacy risks, including substantial privacy risks, related to products and services. Reasonable training and safeguards must be implemented to comply with all applicable privacy laws. The privacy by design principle is tailored to the nature, scope, and complexities of the processing. The FTC will publish guidance, within a year of enactment, on what constitutes reasonable privacy policies, practices, and procedures.
Denial of Services or Pricing Based on Individuals Exercising Rights
It is prohibited to deny, condition, or effectively condition the provision of products or services on the individual’s agreement to waive certain rights or to terminate services if an individual chooses to exercise their rights under ADPPA. It is not permissible to price a product or service based on whether an individual agrees to provide financial information or if they exercise rights under APPA. It is not permissible to offer a loyalty program that provides discounts or free services in exchange for continued business with a covered entity or for such a program to be created to allow the covered entity to collect additional covered data it would not normally collect or process.
Covered entities and service providers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition. What is considered reasonable will be based on the size and complexity of the covered entity or service provider, and the nature and scope of the collection, processing, and transferring of covered data.
Restrictions on the Collection, Use and Transferring of Minors’ Data
There are restrictions on the collection, use, and transferring of the data of minors under the age of 17. Restrictions include a ban on targeted advertising to any minor under 17 if the covered entity knows the individual is under 17. Data transfers are only permitted with express consent if the covered entity knows the individual is under 17. The FTC will establish a Youth Privacy and Marketing Division tasked with ensuring ADPPA compliance with respect to the privacy of children and minors and ADPPA compliance related to marketing directed at children and minors.
Appointment of Privacy and Data Security Officers
Covered entities and service providers are required to designate one or more qualified employees as privacy and data security officers to ensure ADPPA compliance. These officers will be responsible for developing and implementing a data privacy program and data security program and ensuring ADPPA compliance.
Large data holders have additional ADPPA compliance requirements. They must conduct a privacy impact assessment initially, and biannually thereafter, to assess potential adverse consequences as a result of the collecting, processing, and transferring of covered data, and the potential for algorithms to cause harm to an individual. These algorithmic impact assessments must be performed at the design stage, including using training data, and annually thereafter.
Consumer Right to Transparency
Ensuring consumers can exercise their rights is a major part of ADPPA compliance. Consumers have the right to transparency and must clearly be told how their data will be collected and used, and to which categories of third parties their data will be collected via clear and easy-to-understand privacy policies. Privacy policies must also explain consumer rights and how they can be exercised. If privacy policies change, consumers must be notified and allowed to withdraw their consent.
Consumer Right to Access, Correct, Delete, and Port their Data
Consumers must be allowed to access the data held by a covered entity and have that data provided in a human-readable downloadable format that is easy to understand. Consumers will have the right to correct any data and to have their data deleted. A covered entity must also notify any third party to whom the data has been transferred to notify them about the request to delete. Consumers have the right to data portability and have a machine-readable copy of their data provided, as far as is technologically possible.
Consumer Right to Withdraw Consent at any Time
Consumers have the right to withdraw their consent to collect, use, and transfer their data at any time, including consent to share their data with third parties. If data is used for providing targeted advertising, consumers must be provided with an easy way to opt-out prior to providing consent and after consent has been given.
Impact of ADPPA Compliance on Small Businesses
ADPPA compliance will have an impact on all covered entities, but steps have been taken during the bicameral development process to ease the compliance burden, especially for small- and medium-sized businesses. There is not a one-size-fits-all approach to ADPPA compliance. Small businesses will be exempt from some of the data security requirements, and small businesses – those with annual revenues lower than $41 million and did not collect or process the data of 100,000 in a year and did not derive more than half of their income from transferring consumer data – will not be required to comply with the data portability requirements. Instead of correcting any errors, small businesses may instead choose to delete the data.
Penalties for ADPPA Compliance Failures
The Federal Trade Commission (FTC) will be the main enforcer of ADPPA compliance, with state attorneys general also permitted to enforce compliance in their respective states. The FTC is required to establish a Bureau of Privacy, comparable in size and structure to other FTC Bureaus responsible for enforcing other consumer protection and competition laws, that will oversee ADPPA compliance. The Bureau of Privacy must be fully operational within a year of the enactment date.
ADPPA compliance failures, such as unfair or deceptive acts or practices, will be treated in the same manner as others described in section 18(a)(1)(B) of the Federal Trade Commission Act and will be subject to the same penalties described in the FTC Act. The maximum fine, adjusted for inflation in 2022, is $46,517. The FTC must establish a victims’ relief fund and deposit civil monetary penalties in that fund for distribution to victims of ADPPA compliance failures and there are limited other permissible uses of funds.
State attorneys general can bring civil actions over ADPPA compliance failures in the name of the state or on behalf of state residents to obtain damages, civil penalties, restitution, or other compensation, and reasonable attorneys’ fees.
Consumers Get the Right to Sue for ADPPA Compliance Failures
There is a private cause of action in ADPPA that allows consumers to sue for ADPPA compliance failures, although this will not come into force until 4 years after the date that ADPPA takes effect. Individuals will be able to sue for ADPPA compliance failures if they suffer an injury as a result of an ADPPA compliance violation. Any successful civil action brought against a covered entity over an APPA compliance violation could see the court award an amount equal to the sum of any actual damages sustained, injunctive relief, and the reimbursement of reasonable attorneys’ fees and litigation costs.
However, there is a caveat. In order to bring a civil suit against a covered entity for an ADPPA compliance violation, the FTC and the attorney general of the state where the individual resides must be notified in writing of the intent to commence a civil action. The FTC and the state attorney general then have 60 days to make a determination. If the FTC or state attorney general decides to independently intervene and bring their own civil case, the individual right to bring a civil action will not apply. ADPPA does have a right to cure. If a violation is corrected within 45 days, any action for injunctive relief will be dismissed.
Expected ADPPA Timeline
The first draft of the bill was released in early June, closely followed by a discussion draft. The discussion draft was dissected in a hearing on June 23, 2022, by the U.S. House Energy and Commerce Committee’s Subcommittee on Consumer Protection and Commerce. A revised version of the bill was introduced in the house shortly thereafter. Given that this is an election year, the current momentum will need to be maintained to get this bill signed into law this year.
While there is considerable support for ADPPA, critics would need to see several changes in order to provide their support, so there may be some watering down of the requirements. However, due to the bicameral development process and bipartisan support, ADPPA has the best chance of being signed into law of any comprehensive consumer data privacy law to date.
The post What Will ADPPA Compliance Entail? appeared first on HIPAA Journal.