The American Data Privacy and Protection Act (ADPPA) has been sent to the House of Representatives for consideration and would fundamentally change data privacy in the U.S. By partly replacing the current patchwork of state laws, companies would gain a clearer path to compliance.
With bipartisan approval, the House Energy and Commerce Committee of the U.S. Congress recently sent the American Data Privacy and Protection Act (ADPPA) to the House of Representatives for consideration. The ADPPA, which regulates how companies collect and manage personal information, seeks to partially replace several state privacy laws like California’s CCPA/CPRA.
Promoting the principle of data minimization, the ADPPA requires businesses dealing with customer data to collect only "what is reasonably necessary, proportionate, and limited to provide specific products and services requested by individuals." This approach contrasts with a consent-based approach, which assumes that collection is generally allowed as long as the user consents to it.
By adhering to data minimization, businesses commit to collecting data that is adequate, relevant, and limited to what is needed to fulfill their stated business purpose. This approach is very different from businesses gaining consent from data subjects who agree to the processing of their personal data but who cannot indicate the amount of personal data businesses may collect or how they can use, share, or manage it. Under the ADPPA, businesses will be required to ask and receive explicit consent for each piece of data they collect and are restricted to only use the data for the purposes that consumers agreed to.
Other key points of the ADPPA include:
The ADPPA would fundamentally change data privacy in the U.S. By partly replacing the current patchwork of state laws, companies would gain a clearer path to compliance. The law would also change the way that online advertising works, from a model that hyper-targets users to one where users have more control over their data and over the type of advertisements they encounter.
Companies with fifteen or more employees would be required to have a data privacy and security officer. All companies would be required to conduct biennial impact assessments.
Regardless of the size of your business, the ADPPA will affect you as you will have to implement new practices and procedures. The draft requirements differ from the GDPR and various U.S. state laws, requiring businesses to examine them closely and adapt data privacy practices accordingly.
Some members of Congress, including Senate Commerce Committee Chair Maria Cantwell, have reservations. Cantwell has stated that the ADPPA has "major enforcement holes." Her primary concern is the proposed two-year statute of limitations for the private right of action. As the Committee chair, Cantwell’s views are important to the future of the bill.
Privacy advocates have also expressed dissatisfaction with the ADPPA. The Electronic Frontier Foundation (EFF) said it was disappointed by the draft that passed Committee, and noted three initial objections:
While previous federal data privacy bills have failed, the ADPPA may be different. The bill would preempt state laws while preserving some state protections, including consumer protection laws of general applicability and data breach notification laws.
To cost-effectively ensure that you are complying with ADPPA, you will have to manage and track consumers’ requests to opt-out, review, access, delete, and obtain their data.
Business owners and leaders need a system for tracking consumer requests to opt-out, review, access, delete, and obtain their data. Without an accurate system for tracking the status of each request, business owners risk costly penalties and damage to their reputations.
To strengthen and enhance customer loyalty, PrivacyCare offers a system that features:
Get started with PrivacyCare for help with your data privacy compliance.
PrivacyCare CEO and Co-Founder Brad Garsten joins Microsoft, Squire Patton Boggs and moderated by IAPP - International Association of Privacy Professionals, to discuss the business, legal, and technical implications of the new state privacy laws and how they will impact your business.
January 20, 2023
To cost-effectively ensure that you are complying with data privacy laws like GDPR and CPRA, business owners will have to manage and track consumers’ requests to opt out, review, access, delete and obtain their data. Are you ready for 2023 consumer data privacy laws?
December 14, 2022
With limited budgets and resources available to implement all the necessary requirements, small and medium-sized businesses may be challenged to comply with consumer data privacy regulations. If you fail to comply with CPRA regulations, you may face expensive financial penalties and possible damage to your reputation.
December 17, 2022
Avoid costly fines, protect your customers personal data and protect your brand value by building customer trust. Jumpstart your consumer data privacy program and get started for free today.Get Started
No credit-card required