What You Need to Know About the U.S.’s Forthcoming Data Privacy Legislation
HR 8152 - American Data Privacy and Protection Act (ADPPA) is a proposed national privacy law that could have wide implications. If passed by Congress and signed by the President, the ADPPA will fundamentally change privacy law in the United States and around the world. For companies that collect personal information, staying compliant will require new processes and enhanced privacy control.
On May 25, 2018, the General Data Protection Regulation (GDPR) became effective in the European Union (EU). Businesses in the EU, and those collecting, processing, or storing data on EU citizens, were required as of the enactment date to comply with the new, much stricter privacy regulations. At the time the regulation was passed, it was the toughest privacy law in the world, and it necessitated a complete overhaul of some businesses' approach to customer/consumer/citizen data. For two years, between the time the regulation was passed and its enforcement date, businesses scrambled to update every data handling mechanism, from how they collected personal data to where they stored it, how they disposed of it, to the makeup of their executive team. The adoption was quite cumbersome for some businesses. Nonetheless, these moves were necessary, given that data collection and use had grown so significantly out of control without any oversight, and consumers were paying the price for businesses’ shoddy data handling.
Today, almost five years later, the GDPR remains one of the toughest data privacy laws in the world, and it has become common operating practice, in the EU at least. Meanwhile, in the US, privacy laws have continued to lag. This is partially due to US citizens’ attitudes toward privacy, which are generally more lax than in Europe. But it’s also due to the tradition of letting individual states decide their residents’ rights, and the divisiveness that can crop up across state lines. While several US states have enacted respectable privacy laws in the past few years, no federal law exists.
This creates a conundrum for businesses, as most have at least some customers who reside in other states. While many US states have adopted some form of privacy laws, only five states have passed comprehensive privacy requirements. As of October 2002, per the International Association of Privacy Professionals (IAPP), more than a dozen states do not have any privacy laws, and at least seventeen states have not introduced a comprehensive privacy law.
Comprehensive privacy laws
What does “comprehensive” mean in this context? Broadly speaking, it means that limits are placed on how companies can collect consumer data, the purposes for which they can collect it, how they must store and process it, how long they can hold onto it, and how they share or sell it. States with comprehensive privacy laws also grant consumers personal data privacy rights, including the right to access or obtain copies of their data, the right to correct errors in their personal data, the right to delete certain data, the right to refuse marketing solicitations, and more. States like California, Virginia, and Colorado have additional requirements, making them even stricter.
This is in contrast with states like Alaska, New Jersey, Hawaii, Mississippi, and Florida, all of which have very few privacy requirements. However, a business in New Jersey doing business with a resident of New York, for instance, is required to abide by New York’s laws for that data subject. And if that same business also deals with a resident of Florida, its processes can differ for different individuals.
Following each individual state’s laws can be confusing, time consuming, and costly.
This is why HR 8152, the American Data Privacy and Protection Act (ADPPA), was introduced to the US Congress on June 21, 2022. The stated purpose of the bipartisan bill is “To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.” In other words, it would take the fragmented and disparate state laws and supersede them with one overarching federal law to which all businesses would be subject. If passed, the Federal Trade Commission (FTC), federal and state regulators, and state attorneys general would be responsible for enforcement.
What is the ADPPA?
The proposed legislation is extensive, and you can read the entire ADPPA proposal if you choose. Boiled down, the key components are:
Covered entities
Per the bill, the entities subject to the ADPPA are:
Data controllers: organizations that determine how and the purposes for which personal information is collected, processed, and/or transferred.
Service providers: organizations that use data on behalf of other organizations.
Large data holders: organizations with gross annual revenues of $250 million USD or more that also collect or process data on five million individuals (or devices) and hold sensitive personal information on more than 200,000 individuals or devices.
Covered data
Government issued identifiers such as Social Security numbers, passport numbers, driver’s license numbers
Any information about a US citizen’s past, present, or future health condition or status
Personal financial information such as bank account or credit card information, or information regarding income levels or account balances
Biometric information, such as fingerprints and voice identification
Genetic information
Precise geographic location
Information about individuals’ private communications, such as voicemails, emails, texts, direct messages, phone numbers, or any information that identifies individuals involved in these communications, as well as information pertaining to the transmission of these communications, such as time of communication, duration, and so forth
Account or device login credentials, including security or access codes
Information on an individual’s sexual identity
Calendar information
Sensitive media that shows individuals in a compromised state
Information that reveals video content or services requested or selected by an individual from a provider of broadcast television, cable, satellite, or streaming media service
Information on individuals under the age of 17
Any other covered data collected, processed, or transferred for the purpose of identifying the above data types
Requirements
Under the ADPPA, some of the more pertinent rules for data handling include:
Data minimization
Unified opt-out mechanisms
Impact assessments
Metrics reporting
Privacy by design
Consumer rights, including
access
deletion
corrections
the right to export covered data
the right to opt out (transfer of data and targeted advertising)
Obtaining consent
What does this mean for businesses?
Federal over state
If passed (and this bill is not without its opponents), every business in the US, and those outside the US doing business with US residents, will be required to alter their current business practices. To start, businesses will have to comply at the federal level, regardless of their state’s laws (or lack thereof). The federal law will preempt any individual state’s requirements.
Data minimization
Second, while businesses have been allowed to run rampant with data collection over the last several years, the new norm under the ADPPA will be data minimization. This means that companies will no longer be allowed to require consumers to supply extraneous data just to buy goods or services. Excess data collection will be prohibited, eliminating the creepy feeling many consumers get when they notice they’re being tracked across the internet. It also means that businesses won’t be able to store excessive personal data (since they can’t collect it in the first place), so there will be less data that can be breached or stolen. In effect, data minimization shrinks the attack surface.
Required opt-out mechanisms
Most businesses in the US will also likely have to change their web presence and will certainly have to alter marketing/advertising practices; they will need to offer a simple, prominent option for consumers to opt out of tracking and marketing campaigns. Further, the universal opt-out requirement means that if a consumer opts out once using the universal opt-out feature, they will be opting out of receiving all advertising and marketing from any business, in perpetuity.
Consent
Building upon the above, to process, share, or transfer consumers’ personal data, businesses must obtain explicit consent. This means that consumers will gain greater control over how their data is used, sensitive or not—no more sneaky sharing, selling, analyzing, or manipulating of consumer data. This will fundamentally change how businesses analyze (a.k.a., surveil) consumers to sell more goods and services.
However, the proposed law includes a few exclusions permitting the use of certain data for analysis purposes. Principally, this means that anonymized or pseudonymized data may still be used in various ways. Deidentifying the individual makes the use feel somewhat less like Orwell’s 1984, but it still means data subjects are subject to analysis whether they like it or not.
Privacy impact assessments
Larger businesses, and businesses collecting, processing, or storing large amounts of data, will be required to conduct impact assessments, meaning they will need to determine on a somewhat regular basis what could happen if the data is not properly secured or handled. This will undoubtedly incur costs, either in internal staff time and skill or because companies will have to hire third-party assessors.
Privacy by design
If the ADPPA passes, businesses will not only have to limit how they collect and use data, but the products and services they offer must be designed to use as little personal data as possible. This could be a tricky situation for social media sites (and what to do about digital personal assistants…) and so it will be interesting to watch how this will be handled in actuality (if the law comes to pass). Based on the lack of comment from Big Tech, my guess is that there are either loopholes in this bill or they have some “exceptions” in their back pocket that will still allow them to violate consumer rights.
Data requests
Under the proposed regulation, most businesses will need to fulfill consumer data access requests, portability requests, and (in some cases) correction and deletion requests. The timeframe to respond to requests ranges from 45 to 90 days, depending on the size and classification of the business. Small businesses, that is, those with annual revenues of less than $41 million USD that do not process the data of more than 100,000 individuals, will not need to comply with these requirements.
But larger businesses will; for many, it will be a major challenge even to find all the data in the first place. Most businesses store different parts of consumers’ data in multiple places—it’s spread across disparate data stores. As such, finding all locations and ensuring that the entirety of a consumer’s data is provided to them and handled under the law will undoubtedly require more staff, time, expertise, and the use of new data identification technology. (Importantly, some forward-thinking companies have already built platforms that promise to identify personal data stores, even when the stores are SaaS, segmented, and siloed. Should this rule pass, expect many other vendors to emerge.)
Oversight officers
Unlike the GDPR, the ADPPA won’t require most businesses to have a Chief Data Privacy Officer. However, they will be required to designate a member of their staff to oversee compliance with the rules. This could be problematic if the person designated is not an expert in data handling or privacy law.
Data security
Good news for the security industry! Many businesses will be required under the new law to have certain security measures in place and to train employees on security best practices. While the collection and use of certain personal data is still allowed—to transact, this is inevitable—one of the requirements will be stronger protection mechanisms for things like authentication, data storage, and encryption.
The wrap-up (and TL;DR)
While this article is long, it is not exhaustive. In short, if the ADPPA becomes federal law in the US, businesses:
Will have to be more conscientious about how they collect, process, and store consumer data.
Will be required to implement privacy and security procedures that protect consumer data better than before.
Will be required to know what they are collecting, where they are storing it, and how they are using it. No more data collection for collection’s sake (i.e., no more creepy personal data analytics). This is possibly the most burdensome result.
Will be subject to scrutiny by governing bodies, and to hefty fines if they are found to be in non-compliance.
One last thing to note: the US already has a few federal privacy laws, including HIPAA, GLBA, and COPPA. As such, the ADPPA is not creating an entirely new precedent. Just like the privacy and data handling laws before it, the ADPPA will necessitate new business practices, new staff to manage the processes, potentially new technology implementations, and new audit requirements.