American Data Privacy and Protection Act (ADPPA): What businesses don’t know
Protecting personal information has been a concern throughout history.
Just like renting safety deposit boxes or locking filing cabinets for physical documents, it’s a way to keep things private and secure.
But now, with the internet, it gets tricky. Imagine you have pictures, messages, and more posted online—it’s like having bits of your life scattered across a vast space. And it’s not easy to keep track of everything.
Think about your business. If you’re operating in the digital age, there’s a pretty good chance that you hold loads of customer data, and you might not even be aware of it.
Keeping all that secret is not just about the customers’ privacy; it’s also about the business’s reputation.
If people find out their info isn’t safe, trust goes down, and business profits crumble.
So, in this digital age, safeguarding information is like protecting a treasure trove, and businesses need to be the modern guardians.
Data privacy, however, is a problem that affects individuals and companies.
As a business, you have a lot at stake regarding your customers’ data privacy.
The more you know about it, the better you’ll be able to protect your customers’ data from many risks and keep your company from falling apart.
Let us provide you with some stats to shed some light on the public’s concerns about the privacy of their data.
- Nine out of ten Americans believe protecting their online privacy is a significant concern.
- 85% of adults worldwide want to take more action to safeguard their online privacy.
- Every day, 1 in 4 Americans are prompted to accept a privacy policy.
- Global customers, as a whole, believe that digital businesses have an excessive amount of control over their data.
- 72.6% of iOS apps track private user data.
- Paid apps are four times less likely than free apps to track user data.
- Less than 25% of smartphone users in America feel they have control over their data online.
- Most Americans value their privacy online, and 75% think they could be targets of cyberattacks.
Between awareness and action, there is a gap.
Only 64% of people use tools to help safeguard online privacy, and only 56% believe they have control over their data.
With the increasing public awareness about data privacy and related concerns, it becomes essential for you as a business to understand your customers’ problems, respect their privacy, and follow the culture of permission marketing.
To achieve this, you need to understand the particulars of the various data governance laws and acts and adhere to them, and we are here to help you with that.
This article will help you learn about another important Data Privacy Act, the American Data Privacy and Protection Act (ADPPA).
What is the ADPPA Act?
The proposed American Data Privacy and Protection Act (ADPPA) was adopted by the House Energy and Commerce Committee on July 20, 2022, with a vote of 53-2.
The bill would establish national guidelines and security measures for the personal data that businesses collect, along with safeguards designed to counteract any potential discriminatory effects of algorithms.
ADPPA is a distinctive privacy law. It’s a nonpartisan, bicameral piece of legislation that aims to create a thorough foundation for data privacy in the United States.
Additionally, five of the fifty states in the U.S. (California, Connecticut, Utah, and Virginia) have their own comprehensive data privacy laws.
The European Union and China, in particular, have privacy and data protection regulations.
As a result, organizations that collect, store, and handle customer data face a “patchwork” challenge.
Since each jurisdiction’s laws provide varied degrees of protection, it is challenging to establish privacy protections that comply with each one.
The ADPPA aims to harmonize U.S. standards with foreign privacy law regimes by standardizing privacy protections in the United States.
The Act would set a minimum standard for privacy for every state and territory, while states would still be entitled to go even further if necessary.
Difference between ADPPA and other U.S. privacy laws
The American Data Privacy and Protection Act’s shift toward a “Privacy-by-Design” and data minimization approach is among the most significant differences between it and other U.S. privacy laws.
The ADPPA only permits businesses to collect and use user data if it is essential for one of the 17 legal purposes; it does not mandate that companies consider privacy when designing their procedures.
The Federal Trade Commission would be in charge of enforcing any prohibited uses.
Applicability of ADPPA
The Act specifies that “a covered entity may not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to” fulfilling one of the 17 permitted purposes.
In other words, the Act’s fundamental objective is data minimization. This can be observed mainly in how it approaches targeted advertising.
Although it doesn’t explicitly ban the practice, it severely restricts targeted advertising. Bans are included in the following ways:
- Advertisements aimed at children.
- Advertising based on “sensitive data” such as health data, precise location, private messages, and other “information identifying an individual’s online activities over time and across third-party websites or services.”
- Deceptive “accept all” techniques that draw customers into opting in to receive targeted advertising.
First-party advertising and specific targeted advertising are still acceptable.
For instance, if you purchase online, the seller can use the information you provide about your purchases and other purchases to promote other things you might like.
An excellent example is the “Recommended for You” advertisement on Amazon.
However, the seller cannot connect your purchasing preferences with your phone and online surfing history in order to avoid showing you irrelevant ads.
Additionally, businesses (like Google and Facebook) are prohibited from placing trackers in free apps or websites to compile user profiles for sale to marketers.
The law also establishes transparency guidelines, improved regulation of data brokers, and cybersecurity and anti-discrimination rules.
To comply with the transparency standards, data collectors must provide information about the “type of data they collect, what they’re going to use it for, how long they keep it, and whether they make the data accessible to the People’s Republic of China, Russia, Iran, or North Korea.”
If the ADPPA is approved in its current form, it will create a comprehensive privacy law that applies to all Americans and put a cap on privacy safeguards, superseding any stricter regulations, such as the California privacy law.
What is covered data under the ADPPA?
“Covered data” refers to “information that identifies or is linked or reasonably linkable to one or more individuals, including derived data and unique identifiers.”
Importantly, neither publicly accessible data nor employee data is included in this definition.
Government identifiers (like driver’s licenses or Social Security numbers) and “traditionally” sensitive information about one’s health, location, finances, login credentials, race, and sexual history or identity are examples of specific types of covered data referred to as sensitive covered data.
Other sensitive data types may include private photos, television viewing information, and “information identifying an individual’s online activities over time or across third-party websites or services.”
Who would be affected by the ADPPA?
The ADPPA will apply to anybody who collects, stores, and processes data about American consumers. NGOs and common carriers are included in this.
In other words, the U.S. data privacy regulations will apply if your website caters to Americans.
For small and medium-sized firms, there are a few exceptions, though.
As for the definition of a large entity: a “large” organization collects sensitive covered data on more than 100,000 individuals or devices.
It collects protected data on more than 5 million individuals or widgets. It has annual gross revenues of at least $250 million.
The Act provides a private right of action for compensatory damages, injunctive relief, and legal costs.
Plaintiffs must first give notice of their intention to launch a lawsuit to the FTC and their state’s attorney general.
The FTC and state A.G. have 60 days to decide whether to join the action as an intervenor.
Protections and requirements may change when the measure leaves the committee and progresses through the House and Senate.
Still, it is safe to state that companies collecting data on American consumers must ensure compliance with the law.
Conclusion: What’s next?
Despite having solid bipartisan support, the bill has faced significant opposition from California lawmakers who claim that it would supersede the California Privacy Rights Act (“CPRA”), which they claim offers residents of California stronger protections (although some experts, including a former chairman of the FTC, have questioned whether the CPRA does so).
Additionally, several state attorneys general have written a joint letter to Congress urging it to swiftly amend the law to explicitly permit states to pass future privacy, data, and artificial intelligence-related requirements as technology and online practices develop.
On the other hand, several corporate organizations have voiced worries that the measure does not properly preempt state laws, leaving in place, at least in part, a patchwork of privacy regulations throughout the United States.
The ADPPA offers essential insights into the kind of control over A.I. technologies that legislators and regulators may want to exercise in the near future, even though it remains unclear whether it will be enacted.
As seen by the recent release of a Blueprint for an AI Bill of Rights by the White House Office of Science & Technology Policy, it is a topic that will probably continue to garner federal government attention.