ADPPA Preview

ADPPA Preview (A Bipartisan U.S. Data Security Bill Makes it Out of Committee)

As an organization that manages and revolves around compliance with data security legislation, we at Accountable HQ are always paying close attention to any moves for a potential national US data privacy legislation. 

Recently, a new bill titled “the American Data Privacy and Protection Act”, or ADPPA, was just successfully passed by the U.S. House Committee on Energy and Commerce. By making it out of committee, that means it will be presented in front of the entire House in the coming days or weeks–- which is the farthest a potential federal-level data privacy legislation has ever made it in the United States. To put it simply, this is a bit of a big deal. 

In this guide, we’ll explore what the ADPPA is, what the bill includes at this point, and what it would mean for US organizations if it is eventually passed into law.

What does the ADPPA Include?

Recent bipartisan legislation announced by congressional leaders would create the first comprehensive federal privacy law in the country if it were to be passed. The American Data Privacy and Protection Act (ADPPA) would grant Americans a variety of rights relating to the data that is kept on them, including the ability to view, update, and delete such data as well as the right to stop certain uses of it without permission. As a result, businesses operating in a wide range of industries would be subject to significant new requirements pertaining to the information they gather on the clients they serve.

The ADPPA is similar to comprehensive state privacy laws that have recently been passed, such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), in many ways. It also incorporates some of the rules established by the Health Insurance Portability and Accountability Act, the country's health privacy law (HIPAA). The General Data Protection Regulation (GDPR), which governs privacy in Europe, is the American counterpart of those regulations, but it also goes much further than they do in many ways.

Among the provisions of the bill are:

• Raising the current limit of 13 years set by the Children's Online Privacy Protection Act for the age at which children's data can be gathered and utilized for behavioral advertising online to 17 years old.
• Preventing the adoption of any future state-level legislation that would enhance online data security while maintaining Illinois' Biometric Information Privacy Act, a crucial state regulation that recently led to a ban on the use of Clearview AI's enormous facial surveillance database across the country.
• Limiting the types of information that may be gathered about users online and sent to outside AdTech firms for use in behavioral advertising. Additionally, it would allow consumers to completely decline to receive such advertisements.

Key Terms Under ADPPA

It helps to understand a few key terms when trying to understand what ADPPA actually entails:

• Covered Entities - A covered entity is a business, organization, individual, or other entity that is subject to the regulations that the ADPPA sets forth.
• Service Providers - A service provider is a person or organization who collects, processes, or transfers protected information at the direction of or on behalf of a protected entity and that accepts protected information from or on behalf of a protected entity in accordance with a signed agreement.
• Opt-Out Mechanisms - Such mechanisms are various ways to make it possible for consumers to opt-in or out of letting an organization collect or use their data.
• Consumer Data Rights - Individuals would have a variety of rights in relation to the information that covered entities have about them under the ADPPA. Numerous of these  rights are comparable to those guaranteed to people by the GDPR, HIPAA, and extensive state privacy laws.

What Kind of Data Does the Bill Apply To?

There is a wide range of data that would be covered under the ADPPA if it were to be put into law.

Covered Data

Inferences drawn only from independent sources of publicly accessible data that do not reveal sensitive covered data with regard to a person are now excluded from the definition of covered data. The recent judgment of the California Attorney General, which said that conclusions made from information that is publicly available must be released in response to an access request, may have served as the impetus for this modification.

Sensitive Covered Data

The definition of "sensitive covered data" has changed in a number of ways, including the removal of information revealing a person's race, ethnicity, national origin, religion, or union membership or nonunion status in a way that is inconsistent with the person's reasonable expectation regarding disclosure of such information. Although the criterion that the covered entity must be aware that the individual is under the age of 17 has been included, the definition still covers information from individuals under the age of 17.

Biometric Data

The term "biometric data" now more closely resembles the phrase "data" as used in the Connecticut Data Privacy Act. In particular, a digital or physical image, an audio or video recording, or data derived from a digital or physical photograph, an audio or video recording, or a video recording that cannot be used to identify a specific person are not considered to constitute biometric data.

Who Would It Apply To?

The ADPPA would require a number of entities to become compliant with the potential new law, including covered entities and service providers that deal with sensitive data.

Covered Entity

Entities "operating in a non-commercial context" are not included in the definition of a covered entity. Additionally, the definition did away with the "common branding" terminology used in the CCPA and CPRA. Governmental agencies, as well as people or organizations operating on their behalf, now have new exemptions.

Service Providers

As mentioned earlier, this new potential law would affect service providers. Service providers are any entities that use or process covered data on behalf of a covered entity under the ADPPA. Service providers are often data processing software vendors.

Note:

It is worth noting, especially for our clients, that as the ADPPA is written now, all organizations or individuals who have achieved and maintained HIPAA compliance will also be in compliance with ADPPA. The legislation specifically states that HIPAA compliance will supersede ADPPA compliance. This makes now a great time to assure you’ve ensured your HIPAA compliance so that you are completely covered if this bill does become law. 

Duty of Loyalty

The ADPPA's Section 101 specifies that covered organizations are prohibited from collecting, processing, or transferring protected data unless such actions are deemed to be proportional to specifically stated activities and reasonably necessary. There are currently twelve permitted purposes listed in the provision. Unless an exemption applies, some processing operations are prohibited under Section 102. Sensitive covered data is processed in a variety of ways as part of those processing operations, and sensitive covered data is also sent to other parties.

What Happens Next?

The ADPPA is still being worked on, and it remains unknown how well it will do in the Senate. Despite all the optimism over whether this draft bill and the procedure leading up to it may become law, a number of possible obstacles were brought to light during the most recent session. Each of the eight witnesses described changes they would make to the draft's different elements. These criticisms highlight the flaws in the proposal, but they also show the reality of the continuous stakeholder process that lawmakers are engaged in, despite the bipartisan draft's origins in consultations. 

We will continue to monitor the progress of this bill as it journeys its way through the US government. We will post any and all updates that are released regarding progress or edits to the ADPPA as we have detailed it.