What is the American Data Privacy and Protection Act (ADPPA)?
Since the introduction of the GDPR, the European data privacy law has inspired many other countries around the world to introduce similar mandates of consumer data protection. Unfortunately, although U.S. tech firms are among the most prominent worldwide collectors and processors of consumer data, all attempts to introduce comprehensive federal data laws have so far failed. This is in spite of the fact that 75% of Americans favor a consumer data privacy and protection law dictating how data can be collected and used.
Presently, consumer data privacy is governed only on a state-by-state basis. The personal data of residents of New York, California, Colorado, Connecticut, Utah, and Virginia is subject to stringent mandates. In most other states, consumer data privacy and security laws are virtually nonexistent, and consumer rights over their personal data vary considerably, depending on which side of a state border an individual resides.
Luckily, this might soon change, and it’s about time.
Last month, Senators Schatz, Warner, and Klobuchar introduced The American Data Privacy and Protection Act (ADPPA). The bipartisan bill seeks to present covered entities* with federal regulations restricting the collection of personal data without consent, limiting uses and disclosures, and giving American consumers new rights over their data.
The bill aims to grant consumers the right to know what information is being collected by companies they communicate with, who it’s being shared with, and what it’s being used for. It will be one of the most significant pieces of federal data protection legislation thus far.
What will the ADPPA mean for your business?
Like the GDPR, the NY Shield Act, and various other data protection laws, the ADPPA is set to impose data protection requirements on businesses by forcing them to adopt policies and procedures to protect sensitive data.
The ADPPA will apply to any company or organization engaged in a trade or commerce that collects, maintains, or uses personal information about consumers and regulates how covered entities use and share their customers’ personal data. The ADPPA will not apply to government entities or persons or entities that collect, process, or transfer covered data on behalf of federal, state, tribal, territorial, or local government.
Although all covered entities will need to take stock of their current security framework to make sure it’s in line with the new requirements, the ADPPA will not be a one-size-fits-all, allowing smaller SMBs exceptions from some of the more stringent mandates proposed.
Unlike the NY Shield Act and other data protection laws, the ADPPA does not specify which administrative, technical, and physical safeguards businesses should adopt. Instead, its requirements are stated as broader concepts and focused on policies and best practices to prevent covered data from being accessed by unauthorized individuals.
A summary of ADPPA Compliance Requirements:
- Consent is required to collect, process, and transmit covered data
- Covered entities are required to minimize data collection to what is necessary
- Covered entities must ensure privacy by design and may not require consumers to pay for privacy
- Covered entities must permit consumers to opt out of targeted advertisements
- Consumers are given the right to access/inspect their data, correct errors, delete their data, port their data, and withdraw consent at any time.
- Protections need to be provided for minors under 17 years of age to prevent or restrict the use of their data
- Covered entities must improve transparency about how they collect and use data
- Covered entities must implement enhanced protection for sensitive data types
What Should I Do Now to Prepare?
Even if not enacted as is, the proposed bill should prompt all businesses that are not already in compliance with NY Shield, NYDFS, HIPAA, or other regulations, into action.
Of course, the easiest way to avoid violations of any regulation is to minimize the amount of data you collect. It is simply the best way to limit the consequences of any cyber incident.
Talk to your I.T. provider about best data privacy practices and which compliance regulations apply to your business.
Although the ADPPA is still only a bill, and it could be a while before it’s officially enacted as a law, it never hurts to evaluate your existing data privacy program; see how it holds up to the current and the newly suggested regulations.
If you need help, are unsure where you stand, or want a 3rd party to assess your current state, contact us at any time. Again, no strings attached; simply a chance to find out if and where your gaps are and have a plan to fix them.
Always feel free to reach out. You can reach us at (845) 237-2117. We’re looking forward to your call.
* The draft defines “covered entities” as entities subject to the FTC Act, common carriers under the Communications Act of 1934, or non-profit organizations that determine the purposes and means of collecting, processing, or transferring covered data, as well as those related to a covered entity by virtue of a control.
