Countries across the world have drafted, or are in the process of drafting, their own versions of data protection legislation. This reflects just how valuable the concept of data protection has become over the years. It is, therefore, quite surprising that, despite being such an important space for technological innovation, the United States does not have any federal data protection law. (Several U.S. states, such as California, Utah, Colorado, Virginia, and Connecticut, have passed state-level data protection laws.)
That might change with the midterm elections due at the end of this year: House Energy and Commerce Committee Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA), and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS) released a draft of a proposed federal data protection law, the American Data Privacy and Protection Act (ADPPA), on June 3, 2022, that would apply across the United States.
The proposed draft checks all the right boxes by being the first comprehensive privacy proposal seeking bipartisan support. The ADPPA would also preempt recently enacted state privacy laws, including those of California, Virginia, Colorado, Utah, and Connecticut. It lays down requirements regarding consumer rights, such as the rights of access, correction, deletion, and portability, in addition to a private right of action.
Moreover, under the ADPPA, covered organizations will have a duty to implement reasonable policies, practices, and procedures for collecting, processing, and transferring covered data. The FTC must issue guidance on reasonable policies, practices, and procedures within one year of enactment.
What else does the proposed draft contain, and how would it affect data privacy within the United States? Read on to learn more:
Here are some key definitions that may help in understanding the terminology used in this resource:
The term “sensitive covered data” means a government-issued identifier, such as:
The term “large data holder” means a covered entity that has (a) had annual gross revenues of $250 million; (b) collected, processed, or transferred the covered data of more than 5,000,000 individuals or devices or the sensitive data of more than 100,000 individuals or devices.
The term “affirmative express consent” means an affirmative act by an individual that clearly communicates the individual’s freely given, specific, informed, and unambiguous authorization for an act or practice, in response to a specific request from a data controller or processor.
The term “biometric information” means any covered data generated from the measurement, observation, tracking, collecting, or processing of an individual’s biological, physical, or physiological characteristics such as fingerprints, voice, iris or retina imagery scans, facial or hand imagery, gait or any other identifying physical movements.
The term “covered entity” means any entity or person that collects, processes, or transfers covered data subject to appropriate data regulations within the United States.
The term “targeted advertising” means displaying to an individual or unique identifier an online advertisement that is selected based on known or predicted preferences, characteristics, or interests derived from covered data collected over time or across third-party websites.
The term “unique identifier” means a technologically created identifier that is reasonably linkable to an individual or device, or that identifies or is linked or reasonably linkable to one or more individuals, including a device identifier, an Internet Protocol address, cookies, beacons, pixel tags, mobile ad identifiers, or similar technology, a customer number, a unique pseudonym or user alias, telephone numbers, or other forms of persistent or probabilistic identifiers that are linked or reasonably linkable to an individual.
Here’s how the proposed ADPPA applies in terms of territorial jurisdiction, as well as what data it would cover:
“Covered data” is defined as information identifying, linked, or reasonably linkable to an individual or device linkable to an individual. This includes derived data and unique identifiers, but does not include de-identified data, employee data, or publicly available information. The ADPPA also defines all covered “sensitive” personal data. It defines sensitive data as “information identifying an individual’s online activities over time or across third-party websites or online services”.
The ADPPA aims to “...provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement” of a federal data protection law across the United States.
The Act defines “covered entity” as any entity that collects, processes, or transfers covered data and is subject to the Federal Trade Commission (FTC) jurisdiction, including nonprofits and telecommunications common carriers. Moreover, it also includes any entity or person that controls, is controlled by, is under common control with, or shares common branding with another covered entity.
The ADPPA also lays down certain exceptions. Covered entities that have fulfilled the following criteria for the three years before the Act’s formulation (or, if the entity has been in existence for less than three years, for the period of its existence) are exempt from having to comply with these new regulations if:
Finally, any covered entity that is required to comply with the following sectoral federal privacy regulations will also be deemed to be in compliance with the ADPPA, including:
The ADPPA states that no political subdivision of a State may adopt, maintain, enforce, prescribe, or continue in effect any law, regulation, rule, standard, requirement, or other provision that addresses any of the provisions described in the ADPPA. However, there is an exception in the following cases:
Here are the obligations that befall organizations that have to comply with the ADPPA:
A covered entity shall not collect, process, or transfer covered data beyond what is reasonably necessary and proportionate to the purposes expressly permitted by the ADPPA. Collection should be limited to providing or maintaining a specific product or service requested by an individual, or to communication by the covered entity to the individual that the individual would reasonably anticipate within the context of their relationship.
No organization can proceed with collecting and processing sensitive personal data (such as geolocation, genetic and biometric information, and browsing histories) without first obtaining the user’s affirmative express consent. Similarly, the organization cannot transfer such sensitive data to third parties without the user’s consent.
Third parties that process the data of more than 5,000 individuals must register with the Commission by January 31 of each year.
To initiate their registration, the third party must pay the Commission a $100 fee and provide the following information:
Moreover, the Commission shall establish and maintain on its website a searchable, publicly available, central registry of third-party collecting entities registered with the Commission that includes the following:
The Act requires all organizations to establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures that ensure appropriate safeguards for all sensitive covered data.
Some of the specific requirements include the following:
In case of a data breach, the state’s law takes precedence over the ADPPA regarding notifying the impacted users and regulatory bodies.
The Act requires a large data holder to designate at least one of its officers as a privacy protection officer, who shall report directly to the highest official.
The ADPPA requires that, no later than one year after its enactment, all organizations that meet the criteria for being a large data holder conduct a privacy impact assessment of all their practices related to collecting, processing, and transferring data.
The requirements of such an assessment are as follows:
The Act calls on all large data holders to maintain updated, accurate, clear, and understandable records of all privacy and data security practices undertaken by the large data holder.
Any third-party collecting entity organization must place a clear and conspicuous notice on their website or mobile application.
Third parties must not process third-party data for a purpose inconsistent with the expectations of a reasonable individual. They may reasonably rely on representations about those expectations made by the covered entity that transferred the third-party data, provided that the third party conducts reasonable due diligence on those representations and finds them credible.
They will also have the same responsibilities and obligations as covered entities with respect to covered data under the ADPPA. Furthermore, these entities must establish measures that allow for and facilitate the auditing of internal and external access to the data that the third party processed.
The draft of the Act requires the Commission to publish detailed guidance on each provision, right, obligation, remedy, exemption, protection, and requirement guaranteed by the ADPPA within 90 days of the Act’s enactment, with quarterly updates whenever a change in law, regulation, guidance, or judicial decisions requires them.
Some of the primary rights guaranteed by the draft include the following:
Once these requests are made, a large data holder has 30 days to fulfill these requests. Organizations not considered large data holders have 60 days to complete these requests. Furthermore, any organization that has been operational for less than three years before the date of enactment of the ADPPA will have 90 days to fulfill these requests. Users can exercise these rights free of cost twice in 12 months. Afterward, an organization may charge a reasonable fee for such requests.
This is arguably the most comprehensive part of this regulation, since it relates to how the ADPPA will be enforced across the United States and what roles the states themselves will play in its enforcement.
As mentioned earlier, the ADPPA would preempt recently enacted state privacy laws, except for a list of specified state laws, notably Illinois’ Biometric Information Privacy Act, and other generally applicable consumer protection laws, employee and student privacy protections, data breach notification laws, contract and tort law, criminal laws regarding unauthorized access to electronic devices and unauthorized use of personal information, and laws on cyberstalking, cyberbullying, nonconsensual pornography, and sexual harassment.
The Federal Trade Commission is the first body responsible for enforcing the ADPPA. It will do so by establishing a new bureau within the Commission that is comparable in size, structure, authority, and organization to the other Commission bureaus that deal with consumer protection and competition issues.
This bureau must be staffed and be fully operational within a year of the ADPPA’s date of enactment.
Additionally, the FTC is responsible for conducting a study to determine the feasibility of a centralized opt-out mechanism that would make it easier for individuals to exercise their rights to opt out of covered data transfers and targeted advertising, and to submit a single request to all registered third-party collecting entities to delete all covered data about themselves.
If the FTC finds that a centralized mechanism for any or all of the rights would be feasible, it must promulgate APA regulations establishing such mechanisms for covered entities to allow individuals to make these designations.
The Attorney General of a US state may bring a civil action in the name of the State if they have any reason to believe that a covered entity has violated this Act or a regulation promulgated under this Act.
They may bring a suit in a Federal district court to:
The Attorney General must notify the Commission before filing such a suit.
The draft of the Act mentions that any organization in violation of this Act will be subject to penalties as well as privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
Third parties found to have run afoul of their registration requirements may incur a civil penalty of $50 for each day they fail to register. This amount may not exceed $10,000 per year.
A “Privacy and Security Victims Relief Fund”, known as the Victim Relief Fund, will be established. Any civil penalty obtained against a covered entity, and any other relief obtained by the Commission or a State Attorney General to provide redress, payments, compensation, or other monetary relief to individuals who cannot be located or to whom payment would otherwise not be practicable, will be deposited into it.
Though there will undoubtedly be more information available about the ADPPA as well as how organizations can ensure compliance with it in the coming months, an excellent way to initiate a strong foundation for such compliance would be to undertake the following measures:
Different data protection regulations put different responsibilities and obligations on data processing organizations. However, some of these responsibilities are uniform across most regulations, such as guaranteeing users some degree of control over their data and undertaking appropriate measures to protect any collected data.
Securiti is a renowned data governance and compliance enterprise solutions provider with products ranging from universal consent management and data classification to DSR automation and assessment automation that can help organizations fulfill their data-related obligations effectively.
Request a demo today to learn more about how Securiti’s products can aid your data compliance efforts.