Introduced to Congress in June, the American Data Privacy and Protection Act advanced toward a floor vote in the House of Representatives in July. If passed, it will be the first comprehensive federal data privacy law in the U.S. — our equivalent to the European Union’s General Data Protection Regulation.
The proposed legislation was considered the biggest breakthrough to date for efforts to pass a long-overdue federal data privacy law. However, some California officials have pushed back on the bill recently, taking issue with the provision that preempts state law. They want a carve-out for California’s consumer data privacy law, which they claim is stronger than the ADPPA.
At this point, the future of the ADPPA is unknown and many businesses, especially those with a national footprint, are left trying to sort through and comply with a patchwork of federal and state privacy laws.
What Would Change
Up until recently, many U.S. companies have not been regulated in terms of their collection, maintenance, use and disclosure of consumer data. As of now, five states have passed comprehensive consumer data privacy laws (California, Colorado, Connecticut, Utah and Virginia), but each law is unique in its scope. The ADPPA — if passed — would set a national baseline for consumer data privacy practices and bring U.S. requirements closer in line with other international privacy laws.
Most significantly, the ADPPA focuses on data minimization and only allows companies covered by the Act to collect, process or transfer individually identifiable data to “what is reasonably necessary and proportionate” to provide a product or service requested by an individual or for other purposes that are enumerated in the bill.
Generally, the current state laws do not limit what companies can collect and maintain; rather, they require companies to notify individuals of what information they collect and for what purposes they use it, and to use the information as reasonably necessary and proportionate for the operational purpose for which it was collected or processed. The ADPPA also:
- Sets baseline standards for transparency, accountability, security and consumer privacy rights;
- Specially protects sensitive personal data, including by limiting its use to what is “strictly necessary” to provide requested goods and services and by requiring consent to share the data with third parties; and
- Uses federal civil rights protections to guard against discrimination in the processing of personal information.
Who and What Is Affected
The current draft of the ADPPA applies more broadly than any existing state laws. The ADPPA applies to a “covered entity,” which means a company that meets certain revenue and data thresholds and collects, processes or transfers “covered data,” which generally means individually identifiable information.
At this time, “covered data” does not include:
- Deidentified data (does not contain individual identifiers),
- Employee data (defined broadly to include hiring data), and
- Publicly available information.
Even if a company does not meet the definition of a “covered entity” under the ADPPA, it could meet the definition of a “service provider” if it processes “covered data” on behalf of a “covered entity.” However, there are a number of exceptions under the current draft of the ADPPA, including a small data exception, exceptions for certain financial institutions/financial data and exceptions for certain healthcare organizations/healthcare data. If the ADPPA is passed, applicability will be a threshold question for companies.
How to Prepare
Although the future of the ADPPA may be unknown, data privacy should remain at the forefront for any organization that is collecting, using, maintaining, processing or disclosing consumer data. It is prudent for companies to understand and actually map out their current data practices, especially if they collect or track consumer data through websites and mobile applications. Some version of the ADPPA may gain more traction in the coming months, and more states will likely pass consumer data privacy laws in 2023.
Now is a good time for companies to implement or assess privacy-by-design; follow certain privacy rules as a matter of best practice; put a team in place to monitor this rapidly changing landscape and assure compliance with any applicable laws; and identify, assess and mitigate privacy risks.
An attorney at Phoenix law firm Coppersmith Brockelman, Erin Dunlap regularly advises clients working in the healthcare industry on a variety of data privacy and security-related issues, offering practical advice and recommendations for compliance.
Did You Know: According to Learning Experience Alliance, nearly 70% of Americans will walk away from a company that requires them to provide highly personal information, including phone numbers and email addresses, to conduct business with them. Additionally, PwC reports 60% of Americans blame the company instead of the hackers when a data breach occurs.