In early June, a bipartisan group of US lawmakers put forward a draft of the American Data Privacy and Protection Act (ADPPA), signaling a commitment to bringing comprehensive federal privacy legislation into effect as soon as possible. Further progress came in a mark-up session held by the House Committee on Energy and Commerce on July 20, which ended with a 53-2 vote in favor of advancing the amended version of the ADPPA to the full House of Representatives.
The proposed legislation has long been viewed as a way to overcome the conflicts and complexities created by the country's patchwork of state laws. Much like recent privacy developments in Canada, the ADPPA draws on many key principles from Europe's GDPR, which has set the international benchmark for data privacy, and would (if passed) give the US a single framework that would further support a sustainable data economy.
The draft ADPPA covers a lot of ground, setting out requirements for corporate accountability, transparency, data security, third-party data collection, individual rights over stored data, consent and opt-out rights, data protection controls for children and minors, and algorithmic impact assessments. For a deep dive into the full scope of the legislation, you can visit IAPP; for a quick overview, here is a summary of 10 ways the ADPPA would affect business operations:
- Businesses with more than 15 employees would be required to designate a privacy officer and a data security officer
- Businesses would be limited in terms of how certain sensitive data types could be stored and shared; this includes geolocation data, browser/internet search history and biometric or genetic information
- Businesses would be limited to collecting and processing only data that is deemed reasonably necessary under 17 permitted purposes that ADPPA outlines
- Businesses would need to implement suitable technical measures to ensure de-identified data cannot be re-identified or linked to an individual or device
- Businesses would be responsible for identifying and mitigating data privacy risks, as well having readily accessible evidence that adequate safeguards are in place
- Consumers would be able to sue businesses for violations of the law involving their data (a private right of action)
- Businesses would need to honor a unified opt-out mechanism, and consumers would gain stronger rights of access, correction and deletion over their data
- Large data holders would have to provide annual metrics reporting, access to privacy policies and conduct annual assessments on the impact of their algorithms and submit these assessments to the Federal Trade Commission (FTC)
- The ADPPA would pre-empt the privacy laws of the US states, including the CPRA (California), streamlining the US privacy compliance burden for companies (though this is a point of contention for some states, particularly California)
- The FTC would be tasked with keeping a centralized registry of data brokers (third-party collecting entities)
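The de-identification requirement in the list above is where security engineering meets the legal text: a dataset only counts as de-identified if there are technical measures that keep it from being re-identified or linked back to a person or device. The following Python example is added here to illustrate that point and is not code from the original article or from any vendor it mentions. It uses constructed sample records and a constructed attacker word list (not real people) and shows why replacing an identifier with a plain SHA-256 hash fails that bar: the space of plausible emails is small enough that an attacker who already holds candidate identifiers simply hashes them and looks for matches. Replacing the hash with an HMAC under a secret key stored away from the data defeats that dictionary attack, and deriving a separate key per recipient keeps tokens released to two partners from being joined. The `recipient_key` derivation and the record layout are illustrative assumptions.

```python
"""Why plain hashing is not de-identification, and what keyed pseudonymization changes.

Added illustration, not part of the original article. Sample data is constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people); the direct identifier is the email.
RECORDS = [
    {"email": "alice@example.com", "zip": "10001", "purchase": "shoes"},
    {"email": "bob@example.com", "zip": "94103", "purchase": "laptop"},
    {"email": "carol@example.com", "zip": "60601", "purchase": "book"},
]

# Constructed candidate list an attacker might already hold (a marketing list, a breach
# dump, or simply every name@domain combination they can enumerate).
ATTACKER_CANDIDATES = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
    "dave@example.com",
]


def _strip_identifier(record, token):
    """Return the record with the email replaced by the given token."""
    return {"token": token, "zip": record["zip"], "purchase": record["purchase"]}


def naive_deidentify(records):
    """Weak approach: replace the email with its unkeyed SHA-256 digest.

    Anyone can recompute the digest of a guessed email, so this is reversible
    for any identifier with a guessable value space.
    """
    return [
        _strip_identifier(r, hashlib.sha256(r["email"].encode()).hexdigest())
        for r in records
    ]


def pseudonymize(records, key):
    """Keyed approach: replace the email with HMAC-SHA256 under a secret key.

    The key must be stored separately from the released data (e.g. in a KMS) and
    never handed to the data recipient; without it a guessed email cannot be
    turned into a token.
    """
    return [
        _strip_identifier(r, hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest())
        for r in records
    ]


def recipient_key(master_key, recipient_id):
    """Derive a distinct pseudonymization key per data recipient (illustrative KDF).

    Tokens given to two different partners then differ for the same person, so the
    partners cannot join their copies on the token to rebuild a profile.
    """
    return hmac.new(master_key, b"pseudonym-key:" + recipient_id.encode(), hashlib.sha256).digest()


def dictionary_reidentify(deidentified, candidates, key=None):
    """Attacker model: hash every candidate identifier and look for matching tokens.

    key=None models an outsider attacking unkeyed tokens; passing a key models an
    insider who obtained it (keyed tokens then give no protection at all).
    Returns {token: recovered_email}.
    """
    def digest(email):
        if key is None:
            return hashlib.sha256(email.encode()).hexdigest()
        return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()

    lookup = {digest(c): c for c in candidates}
    return {row["token"]: lookup[row["token"]] for row in deidentified if row["token"] in lookup}


def demo():
    """Return (records re-identified from plain hashes, records re-identified from HMACs)."""
    master = secrets.token_bytes(32)  # in practice: generated and held in a KMS/HSM
    naive_hits = dictionary_reidentify(naive_deidentify(RECORDS), ATTACKER_CANDIDATES)
    keyed = pseudonymize(RECORDS, recipient_key(master, "partner-a"))
    keyed_hits = dictionary_reidentify(keyed, ATTACKER_CANDIDATES)
    return len(naive_hits), len(keyed_hits)


if __name__ == "__main__":
    print("re-identified (plain SHA-256, HMAC):", demo())
```

Two caveats a reviewer should attach to this. First, keyed pseudonymization only protects the direct identifier; the remaining columns (zip code, purchase) are quasi-identifiers that can still single someone out when joined with outside data, so this is pseudonymization, not anonymization. Second, the key becomes the crown jewel: whoever holds it can re-identify everything, so access to it needs the same controls, logging and separation of duties you would apply to the raw identifiers.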
It is clear from the draft that the US intends to strengthen accountability and transparency requirements for companies that handle personal information. And while passage of the ADPPA is far from guaranteed, there is broad consensus that the US needs a federal law sooner rather than later to address growing privacy concerns in a data-led economy.
There are further signs that the US will keep privacy front and center as it recognizes how intertwined data privacy and security are, not only at a business level but also at a political level. On June 23, just a couple of weeks after the unveiling of the ADPPA, US lawmakers introduced draft legislation that would restrict US personal data flows to high-risk countries, giving the Biden administration the power to block exports of US personal data to countries it judges to pose national security risks.
All roads seem to point to a radical overhaul of the way businesses handle personal data. As momentum builds, we can expect US businesses to pivot their policies and operational processes much as their European counterparts did after the rollout of the GDPR. For data-centric leaders who want to move at pace, this will mean looking to a trusted privacy partner that can help them navigate the regulatory landscape with technologies and solutions that take the complexity out of compliance.
If you are following privacy developments in the US and recognize that we are on the cusp of change, now is the time to connect with our experts, who can help you future-proof your data strategy with advanced de-identification technology and anonymization solutions that are already powering privacy-protected data collaboration initiatives across industries.