What is the American Data Privacy and Protection Act (ADPPA) and what does it mean to enterprises?

When the bipartisan draft bill of the American Data Privacy and Protection Act (ADPPA) was released earlier this month, speculation abounded about the impact new data privacy requirements would have on enterprises in the US and beyond. 

One of the most significant changes is that “covered entities” — broadly referred to in the bill as any entity subject to the FTC Act — need to minimize the collection, processing and transfer of “covered data.” ADPPA defines covered data as “information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals, including derived data and unique identifiers.”

In practice, covered data could be as simple as government ID numbers or Social Security numbers (SSNs) in private communications, or any information related to subjects under 17 years old. 

What would ADPPA mean for enterprises? 

Much like the General Data Protection Regulation (GDPR), ADPPA would impose new data protection requirements on enterprises, forcing them to implement policies to protect covered data from access by unauthorized individuals. 

“The ADPPA, if enacted, is a pretty big deal — it would represent a much-needed step for both individual privacy rights and how enterprises collaborate in the world’s largest digital ecosystem,” said Victor Platt, a certified information systems security professional (CISSP) and head of security and privacy at integrate.ai.

However, ADPPA could raise significant data protection liabilities, as the definition of covered data is expansive, and there’s a lot of data that can potentially link to an individual or a device. 

As Platt explains, “it codifies a broad definition of covered data and high bars for consent, purpose limitation and opt-out; high-level inscrutable privacy policies will no longer be enough; and things you think aren’t personally identifiable information (PII) today, like unique IDs, will be in the future.” 

In addition, Platt also notes that enterprises will be obligated to demonstrate how they minimize what data they collect, how they protect it, and ensure that transfers of covered data to third parties are subject to opt-outs and enhanced requirements. 

How ADPPA could protect an individual’s data  

ADPPA would also grant individuals new data privacy rights over their data. 

For instance, “the bill would provide individuals across the United States extensive rights to correct, delete, access and port personal data,” said Alex Iftimie, Morrison Foerster partner and co-chair of the firm’s global risk and crisis management group,

At the same time, it would also give individuals the right to pursue civil action against violations. 

“One of the controversial aspects of this bill is that it offers U.S. residents a private right of action against covered entities for violations, which will allow private parties to enforce provisions of the law via civil litigation,” Iftimie said. 

More broadly, the Federal Trade Commission (FTC) would also be responsible for enforcing penalties on noncompliant organizations. When considering how broad the law is, at least in the current draft, the FTC would have lots of opportunities to make judgments on what constitutes a violation and what doesn’t. 

How enterprises can prepare 

While the ADPPA is still just a bill, and would require bipartisan agreement to pass, it’s important for enterprises to consider what controls they’d need to meet these potential data protection obligations. 

Out of the new requirements is that enterprises would need to know how much data was proportional to collect about individuals, and ensure they have a process to minimize its collection, so they can limit it to that which is reasonably necessary. 

Likewise, organizations would also need to prepare to deactivate targeted advertisements, and offer children or minors greater data protection support to ensure their data stays protected.

For now, enterprises will have to wait and see and, as Iftimie points out, it could be quite some time before a decision is made, particularly with congress in recess for most of August and midterm elections beginning in fall.