
American Data Privacy and Protection Act (ADPPA): Explained

Countries across the world have drafted, or are in the process of drafting, their own versions of data protection legislation. This reflects just how valuable the concept of data protection has become over the years. It is, therefore, quite surprising that, despite being such an important space for technological innovation, the United States does not have any federal data protection law. Several U.S. states, such as California, Utah, Colorado, Virginia, and Connecticut, have passed state-level data protection laws.

With the midterm elections due at the end of this year, that might change. On June 3, 2022, House Energy and Commerce Committee Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA), and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS) released a draft of a proposed federal data protection law, the American Data Privacy and Protection Act (ADPPA), that would apply across the United States.

The proposed draft checks all the right boxes by being the first comprehensive privacy proposal seeking bipartisan support. The ADPPA would also preempt recently enacted state privacy laws, including those of California, Virginia, Colorado, Utah, and Connecticut. It lays down requirements regarding consumer rights, such as rights of access, correction, deletion, and portability, in addition to a private right of action.

Moreover, under the ADPPA, covered organizations will have a duty to implement reasonable policies, practices, and procedures for collecting, processing, and transferring covered data. The FTC must issue guidance on reasonable policies, practices, and procedures within one year of enactment.

What else does the proposed draft contain, and how would it affect data privacy within the United States? Read on to learn more:

Key Definitions

Here are some key definitions that may help in understanding the terminology used in this resource:

a. Sensitive Covered Data

The term “sensitive covered data” covers the following categories:

  • A government-issued identifier, such as a social security number, passport number, or driver’s license number, that is not required by law to be displayed in public;
  • Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatment of an individual;
  • Any financial account number, debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account or card;
  • Biometric information, genetic information, and geolocation;
  • An individual’s private communications, such as voicemails, emails, texts, direct messages, or mail, or information identifying the parties to such communications;
  • Login credentials;
  • Information related to an individual's race, ethnicity, national origin, religion, or union membership or non-union status;
  • Information identifying the sexual orientation or sexual behavior of an individual;
  • Information identifying an individual’s online activities over time or across third-party websites;
  • Calendar information, address book information, phone or text logs, photos, audio recordings, or videos maintained for private use on an individual’s device;
  • Any photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual;
  • Any information identifying or revealing the extent or content of any individual’s access or viewing or other use of any television service, cable service, or streaming media service;
  • Any information of an individual under the age of 17;
  • Any other covered data collected, processed, or transferred for the purpose of identifying the aforementioned data types.

b. Large Data Holder

The term “large data holder” means a covered entity that has both (a) had annual gross revenues of $250 million and (b) collected, processed, or transferred the covered data of more than 5,000,000 individuals or devices, or the sensitive covered data of more than 100,000 individuals or devices.

c. Affirmative Express Consent

The term “affirmative express consent” means an affirmative act by an individual that clearly communicates the individual’s freely given, specific, informed, and unambiguous authorization for an act or practice, in response to a specific request from a data controller or processor.

d. Biometric Information

The term “biometric information” means any covered data generated from the measurement, observation, tracking, collecting, or processing of an individual’s biological, physical, or physiological characteristics such as fingerprints, voice, iris or retina imagery scans, facial or hand imagery, gait or any other identifying physical movements.

e. Covered Entity

The term “covered entity” means any entity or person that collects, processes, or transfers covered data subject to appropriate data regulations within the United States.

f. Targeted Advertising

The term “targeted advertising” means displaying to an individual or unique identifier an online advertisement that is selected based on known or predicted preferences, characteristics, or interests derived from covered data collected over time or across third-party websites.

g. Unique Identifier

The term “unique identifier” means a technologically created identifier that identifies, or is linked or reasonably linkable to, one or more individuals or devices. This includes a device identifier, an Internet Protocol address, cookies, beacons, pixel tags, mobile ad identifiers or similar technology, a customer number, unique pseudonym, or user alias, telephone numbers, or other forms of persistent or probabilistic identifiers that are linked or reasonably linkable to an individual.

1. Who Needs to Comply with the Law

Here’s how the proposed ADPPA applies in terms of territorial jurisdiction, as well as what data it would cover:

a. Material Scope

“Covered data” is defined as information identifying, linked, or reasonably linkable to an individual, or to a device that is linkable to an individual. This includes derived data and unique identifiers, but does not include de-identified data, employee data, or publicly available information. The ADPPA also defines a subset of covered data as “sensitive covered data”, which includes, for example, “information identifying an individual’s online activities over time or across third-party websites or online services”.

b. Territorial Scope

The ADPPA aims to “...provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement” of a federal data protection law across the United States.

The Act defines “covered entity” as any entity that collects, processes, or transfers covered data and is subject to the Federal Trade Commission (FTC) jurisdiction, including nonprofits and telecommunications common carriers. Moreover, it also includes any entity or person that controls, is controlled by, is under common control with, or shares common branding with another covered entity.

c. Exceptions

The ADPPA lays down certain exceptions. Covered entities that fulfilled the following criteria for the three years before the Act’s enactment (or, if the entity has been in existence for less than three years, for the period of its existence) are exempt from having to comply with these new regulations:

  • The covered entity’s average annual gross revenues during the period did not exceed $41 million;
  • The covered entity, on average, did not annually collect or process the covered data of more than 100,000 individuals during the period;
  • The covered entity did not derive more than 50 percent of its revenue from transferring covered data during any year (or part of a year if the covered entity has been in existence for less than 1 year).

Finally, any covered entity that is required to comply with the following sectoral federal privacy regulations will also be deemed to comply with the ADPPA:

  1. Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.);
  2. The Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17931 et seq.);
  3. Part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.);
  4. The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
  5. The Family Educational Rights and Privacy Act (20 U.S.C. 1232g; part 99 of title 34, Code of Federal Regulations); or
  6. The regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

d. Preemption

The ADPPA states that no political subdivision of a State may adopt, maintain, enforce, prescribe, or continue in effect any law, regulation, rule, standard, requirement, or other provision that addresses any of the provisions described in the ADPPA. However, the following are excepted from this preemption:

  • Consumer protection laws of general applicability such as laws regulating deceptive, unfair, or unconscionable practices;
  • Civil rights laws;
  • Laws that govern the privacy rights or other protections of employees, employee information, students, or student information;
  • Laws that address notification requirements in the event of a data breach;
  • Contract or tort law;
  • Criminal laws governing fraud, including identity theft, unauthorized access to information or electronic devices, unauthorized use of information, malicious behavior, or similar provisions, or criminal procedure laws;
  • Criminal or civil laws regarding cyberstalking, cyberbullying, nonconsensual pornography, or sexual harassment;
  • Public safety or sector-specific laws unrelated to privacy or security;
  • Laws that address public records, criminal justice information systems, arrest records, mug shots, conviction records, or non-conviction records;
  • Laws that address banking records, financial records, tax records, Social Security numbers, credit cards, credit reporting and investigations, credit repair, credit clinics, or check-cashing services;
  • Laws that solely address facial recognition or facial recognition technologies, electronic surveillance, wiretapping, or telephone monitoring;
  • The Biometric Information Privacy Act and the Genetic Information Privacy Act;
  • Laws that address unsolicited email messages, telephone solicitation, or caller ID;
  • Laws that address health information, medical information, medical records, H.I.V. status, or H.I.V. testing;
  • Laws that address the confidentiality of library records;
  • Section 1798.150 of the California Civil Code (as amended on November 3, 2020, by initiative Proposition 24, Section 16).

2. Obligations for Organizations Under the ADPPA

Here are the obligations that befall organizations that have to comply with the ADPPA:

a. Data Minimization

A covered entity shall not collect, process, or transfer covered data beyond what is reasonably necessary and proportionate to the purposes expressly permitted by the ADPPA. Collection should be limited to providing or maintaining a specific product or service requested by an individual, or to communication by the covered entity to the individual that is reasonably anticipated by the individual within the context of their relationship.

b. Consent Requirements

No organization can proceed with collecting and processing sensitive personal data (such as geolocation, genetic and biometric information, and browsing histories) without first obtaining the user's affirmative express consent. Similarly, the organization cannot transfer such sensitive data to third parties without the user’s consent.

The organization must also provide users with easy-to-execute means to withdraw their consent whenever they wish. This means they should be as straightforward as possible when collecting and managing users’ consent choices. If a covered entity makes a material change to its privacy policy or practices, the covered entity shall notify each individual affected by such material change before further processing or transferring any previously collected covered data and provide a reasonable opportunity for each individual to withdraw consent for any further collecting, processing or transferring of covered data under the changed policy.

c. Registration Requirements

Third-party collecting entities that process the data of more than 5,000 individuals must register with the Commission by January 31 of each year.

To initiate their registration, the third-party must pay the Commission a $100 fee in addition to providing the following information:

  • The legal name and primary physical, email, and internet addresses of the third-party collecting entity;
  • A description of the categories of data the third-party collecting entity processes and transfers;
  • The contact information of the third-party collecting entity, including a contact person, telephone number, email address, a website, and a physical mailing address;
  • Link to a website where an individual may easily exercise their consumer rights.

Moreover, the Commission shall establish and maintain on their website a searchable, publicly available, central registry of third-party collecting entities that are registered with the Commission that includes the following:

  • A listing of all third-party collecting entities and a search feature that allows members of the public to identify individual third-party collecting entities;
  • Links to individual third-party collecting entities through which an individual may easily exercise the rights provided;
  • A “Do Not Collect” registry link and the mechanism by which an individual may, after the Commission has verified the identity of the individual or individual’s parent or guardian, which may include tokenization, easily submit a request to all registered third-party collecting entities to delete all covered data related to such individual that the third-party collecting entity did not collect from the individual directly or when acting as a service provider; and also to ensure that the entity no longer collects covered data related to such individual without the affirmative express consent of such individual.

d. Privacy Notification / Privacy Policy Requirements

The Act requires all organizations to publish a detailed privacy policy in a clear, conspicuous, and readily accessible manner related to the organization’s data collection, processing, and transfer activities.

This privacy policy should contain the following information:

  • The identity and contact details for the organization collecting the data;
  • The identity and contact details of any third-party that has had access to this data;
  • Categories of data processed;
  • Categories of data processed accessed by any third-party;
  • The purpose behind the processing of data;
  • The purpose behind the processing of data accessed by any third-party;
  • The length of time this collected data will be retained;
  • How users can exercise their rights;
  • The organization's data security practices;
  • The effective date of the privacy policy;
  • Whether any data collected by the organization will be transferred or processed in the People’s Republic of China, Russia, Iran, or North Korea.

The privacy policy must be made available in every language in which the organization provides its product or service. Additionally, all users must be notified of changes to this privacy policy. The covered entity shall take all reasonable measures to provide direct notification of any material changes to the privacy policy to each affected individual, in each language in which the privacy policy is made available, taking into account the available technology and the nature of the relationship.

e. Security Requirements

The Act requires all organizations to establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures that ensure appropriate safeguards for all sensitive covered data.

Some of the specific requirements include the following:

  • Assess Vulnerabilities Within Existing Practices & Systems - An organization must assess its existing security practices and infrastructure to identify any vulnerabilities and blind spots that may pose any danger to the collected data.
  • Preventive & Corrective Action - An organization must take the necessary steps to adopt appropriate preventive and corrective measures that mitigate any reasonably foreseeable risk or vulnerability to the collected data. These measures may include administrative, technical, or physical safeguards or changes to data security practices or the architecture, installation, or implementation of network or operating software.
  • Evaluation of Preventive & Corrective Action - It is not enough to have appropriate preventive and corrective measures in place. It is equally important to consistently evaluate their effectiveness to counter the dynamic dangers the collected data faces.
  • Information Retention & Disposal - An organization must have measures in place to ensure it does not retain any data longer than necessary for the purpose for which the data was collected, processed, or transferred unless an individual has provided affirmative express consent to such retention. Similarly, it must have protocols in place to ensure proper disposal or destruction of data, such as making it permanently unreadable or indecipherable and unrecoverable.
  • Training - An organization must take proactive measures to ensure that it adequately trains all its staff and employees in security best practices, so as to eliminate data incidents resulting from human error.
  • Designation - An organization must hire designated employees responsible for maintaining and implementing appropriate security practices related to the protection of any collected data.

f. Data Breach Requirements

In case of a data breach, the state’s law takes precedence over the ADPPA regarding notifying the impacted users and regulatory bodies.

g. Data Protection Officer Requirement

The Act requires a large data holder to designate at least one of its officers as a privacy protection officer who reports directly to the entity’s highest official. That officer must:

  • Establish processes to periodically review and update the privacy and security policies, practices, and procedures of the large data holder, as necessary;
  • Conduct regular and comprehensive audits to ensure the policies, practices, and procedures of the large data holder work to ensure the company is in compliance with all applicable laws;
  • Develop a program to educate and train employees about compliance requirements;
  • Maintain updated, accurate, clear, and understandable records of all privacy and data security practices undertaken by the large data holder; and
  • Serve as the point of contact between the large data holder and enforcement authorities.

h. Data Protection Impact Assessment

The ADPPA requires that, no later than one year after its enactment, every organization that meets the criteria for being a large data holder must conduct a privacy impact assessment of all its practices related to collecting, processing, and transferring data.

The requirements of such an assessment are as follows:

  • The assessment must be reasonable and appropriate in scope with respect to the nature and volume of data collected, processed, and transferred;
  • Results of the assessment must be documented in written form and maintained until the following assessment;
  • The assessment must be approved by the relevant privacy officer of the organization.

i. Record of Processing Activities

The Act calls on all large data holders to maintain updated, accurate, clear, and understandable records of all privacy and data security practices undertaken by the large data holder.

j. Vendor Assessment/Third-Party Processing Requirements

Any third-party collecting entity must place a clear and conspicuous notice on its website or mobile application.

Third parties must also not process third-party data for a purpose inconsistent with the expectations of a reasonable individual. They may reasonably rely on representations made by the covered entity that transferred the third-party data regarding the expectations of a reasonable individual, provided that the third party conducts reasonable due diligence on those representations and finds them to be credible.

They will also have the same responsibilities and obligations as covered entities with respect to covered data under the ADPPA. Furthermore, the entities must also establish measures that allow for and facilitate the auditing of the internal or external access to data that the third-party processed.

3. Data Subject Rights

The draft of the Act requires the Commission to publish detailed guidance on each provision, right, obligation, remedy, exemption, protection, and requirement guaranteed by the ADPPA within 90 days of the Act’s enactment, with quarterly updates as necessitated by any change in law, regulation, guidance, or judicial decisions.

Some of the primary rights guaranteed by the draft include the following:

  • Right to Access - All users have the right to access information about any of their data collected, processed, or transferred to third parties. Additionally, users also have the right to know the sources from which the data was collected, the purpose behind its collection, as well as any data that had been previously collected but is no longer in the collecting entity’s possession.
  • Right to Deletion - All users have the right to request the deletion of all data collected about them by an organization. Additionally, the organization must also communicate this request to any third parties that have access to the data subject’s data to ensure they delete the data in question from their databases.
  • Right to Correction - Users can request correction of any collected data that has since become inaccurate, outdated, or obsolete. Moreover, the organization must communicate this request to any third parties that have access to this data so that they make the appropriate correction in their databases.
  • Right to Opt Out of Data Transfers - All users have the right to opt out of any data transfers related to their data. The organization collecting their data must provide them with an easy opt-out mechanism that allows the users to opt out of having their data transferred to any third-party.
  • Right to Opt Out of Targeted Advertising - All users have the right to opt out of any targeted advertising carried out by an organization online. The user may also opt out of any future forms of targeted advertising via an easy opt-out mechanism.
  • Right to Data Portability - All users have the right to request that their data be made available to them in a portable, structured, interoperable, and machine-readable format that a reasonable individual can understand and download from the Internet.

Once these requests are made, a large data holder has 30 days to fulfill them. Organizations not considered large data holders have 60 days to complete these requests. Furthermore, any organization that has been operational for less than three years before the date of enactment of the ADPPA will have 90 days to fulfill these requests. Users can exercise these rights free of charge twice in any 12-month period. Afterward, an organization may charge a reasonable fee for such requests.

4. Regulatory Authority

This is arguably the most comprehensive part of this regulation, since it relates to how the ADPPA will be enforced across the United States and what roles the states themselves will play in its enforcement.

a. Preemption of State Laws

As mentioned earlier, the ADPPA would preempt recently enacted state privacy laws, except for a list of specified state laws, notably Illinois’ Biometric Information Privacy Act, and other generally applicable consumer protection laws, employee and student privacy protections, data breach notification laws, contract and tort law, criminal laws regarding unauthorized access to electronic devices and unauthorized use of personal information, and laws on cyberstalking, cyberbullying, nonconsensual pornography, and sexual harassment.

b. The Federal Trade Commission (FTC)

The Federal Trade Commission is the primary body responsible for enforcing the ADPPA. It will do so by establishing a new bureau within the Commission that is comparable in size, structure, authority, and organization to the other Commission bureaus that deal with consumer protection and competition.

This bureau must be staffed and be fully operational within a year of the ADPPA’s date of enactment.

Additionally, the FTC is responsible for conducting a study to determine the feasibility of creating a centralized opt-out mechanism to ease individuals' exercise of their rights to opt out of covered data transfers and targeted advertising, and of the single request to all registered third-party collecting entities to have all covered data about themselves deleted.

If the FTC finds that a centralized mechanism for any or all of these rights would be feasible, it must promulgate regulations under the Administrative Procedure Act (APA) establishing such mechanisms for covered entities, so that individuals can make these designations.

c. Attorneys General of US States

The Attorney General of a US state may bring a civil action in the name of the State if they have any reason to believe that a covered entity has violated this Act or a regulation promulgated under this Act.

They may bring a suit in a Federal district court to:

  1. Enjoin that act or practice;
  2. Enforce compliance with this Act or the regulation;
  3. Obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the State;
  4. Get reasonable attorneys’ fees and other litigation costs reasonably incurred.

The Attorney General must notify the Commission before filing such a suit.

5. Penalties for Non-compliance

The draft of the Act mentions that any organization in violation of this Act will be subject to penalties as well as privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

Third-party collecting entities that are found to have run afoul of their registration requirements may incur a civil penalty of $50 for each day they fail to register. This amount may not exceed $10,000 per year.

A “Privacy and Security Victims Relief Fund”, known as the Victim Relief Fund, will be established. Any civil penalty obtained against a covered entity, or any other relief obtained by the Commission or a State Attorney General to provide redress, payments or compensation, or other monetary relief to individuals who cannot be located, or for whom payment would otherwise not be practicable, will be deposited in this fund.

6. How an Organization Can Operationalize the Law

Though there will undoubtedly be more information available about the ADPPA as well as how organizations can ensure compliance with it in the coming months, an excellent way to initiate a strong foundation for such compliance would be to undertake the following measures:

  • Have an easy-to-read privacy policy that clearly communicates to all users their consumer rights, without leaving any room for ambiguity;
  • Hire a privacy officer who understands the ADPPA as well as all major US state privacy laws, both legally and strategically, to aid your data compliance efforts within the US;
  • Ensure all the company's employees and staff are acutely aware of their responsibilities under the Act;
  • Conduct regular data protection impact assessments as well as data mapping exercises to ensure maximum efficiency in your compliance efforts.

7. How Can Securiti Help

Different data protection regulations put different responsibilities and obligations on data processing organizations. However, some of these responsibilities are uniform across most regulations, such as guaranteeing users some degree of control over their data and undertaking appropriate measures to protect any collected data.

Securiti is a renowned data governance and compliance enterprise solutions provider with products ranging from universal consent management and data classification to DSR automation and assessment automation that can help organizations fulfill their data-related obligations effectively.

Request a demo today to learn more about how Securiti’s products can aid your data compliance efforts.
