The American Data Privacy and Protection Act (ADPPA), presented in June, was considerably revised within just a few days. Then, last month, a new draft of the ADPPA was presented with further changes. The modified ADPPA has drawn substantial bipartisan support, and it passed with a vote of 53-2. There is a strong possibility that the ADPPA will be the first federal privacy and data protection law in the United States.
The Federal Data Privacy Law is Seriously Necessary
The ADPPA is not the only attempt to have a federal data privacy and protection bill approved. Many other bills have tried to set minimum requirements for privacy and data protection at the federal level, but none of those efforts succeeded. The United States has only had privacy and data protection regulations at the state level, along with a variety of industry-specific regulations such as FERPA and HIPAA. The difficulty is that the legal requirements for ensuring the privacy and security of information differ considerably depending on where a person resides. A few types of sensitive information, health data for example, are governed by rigid controls on uses and disclosures only when held by particular entities.
Disclose sensitive reproductive health data to a healthcare company and that data is secured and can't be disclosed without authorization. Disclose that data through a health application and the data can be shared or sold, even though the data is similar. Californians have some of the most stringent data privacy regulations in the U.S.A.; however, if you reside over the border in Oregon, privacy requirements are very low. Although individual states can each introduce laws to enhance privacy protections for their residents, the simplest way forward is a federal data privacy and protection regulation that guarantees the security and privacy requirements are similar for every American.
ADPPA Moves to the House Floor
Although the advancement of the ADPPA from the House Committee in July was a major achievement, the bill still has critics. In particular, representatives from California said they would not support the bill because the ADPPA offers weaker protections for the state's residents than those currently available.
Aside from the issues raised by California, 10 state attorneys general also submitted a request to congressional leaders to have the ADPPA set minimum requirements for data privacy and to give each state the liberty to improve protections for its residents as it sees fit. Nonetheless, this suggested change to the ADPPA was not passed.
So far, the committee has passed the modified ADPPA, and it is heading to the House floor. Will the bill progress? A number of committee members said they will not support the bill unless modifications are made. They voted for the ADPPA only so that the bill would advance to the House floor. Furthermore, Senate Commerce Committee Chair Maria Cantwell is not certain to support the ADPPA, and her support is necessary for the ADPPA to be approved in the Senate.
Modifications in the Most Recent Draft of ADPPA Law
In response to criticism, the ADPPA has been modified to enable the California Privacy Protection Agency to enforce ADPPA compliance in the same way the California Consumer Privacy Act (CCPA) is presently enforced, in an attempt to reinforce support for the bill in California.
The definition of employee data, which is not covered by the ADPPA, has been modified. Employee data is now defined as information processed by a company about an employee who is acting in a professional capacity for the company, so long as such data is obtained, processed, or transmitted exclusively for purposes associated with that employee's professional activities for the company.
Sensitive covered data requires extra protection. The new ADPPA draft extended the definition of sensitive covered data to include data associated with race, ethnicity, color, union membership, or religion, and data identifying a person's online activities over time and across third-party sites or online services.
One principal change in the modified ADPPA concerns the private right of action, which enables people to file suit for ADPPA violations. Currently, the private right of action has certain limitations; for instance, the right is taken away when the action resulting in the violation was governed by the FTC or state attorneys general. The ADPPA additionally included a gap of 4 years between the approval of the ADPPA and the private right of action taking effect. The most recent draft reduces that gap to 2 years, and small businesses are now exempted. Small businesses are those with a yearly income of under $25 million that manage the covered data of fewer than 50,000 persons and derive less than half of their income from transmitting or selling covered data. Also, forced arbitration is now prohibited for disputes involving gender-based violence or physical harm.
The ADPPA prohibited companies from sending targeted ads to minors under the age of 17 when the covered entity is aware that a person is below 17. The new ADPPA draft has adopted a tiered knowledge approach that includes:
- “constructive knowledge” tier – covered high-impact social media companies that knew or should have known that a person is below 17 years old
- “willful disregard” tier – all big data managers and service providers who knew that a person is below 17 years old
- “actual knowledge” tier – smaller covered entities
Additionally, there is a new exemption for the National Center for Missing and Exploited Children that will still permit it to work lawfully with children’s information to accomplish its objective to fight child abuse, trafficking, and abduction.
Large data holders are only required to perform yearly privacy impact evaluations. The text has been modified to call for all entities that fail to meet the small- and medium-sized conditions to perform yearly assessments. Algorithmic impact assessments and evaluations are now needed when big data holders' algorithms present a resulting risk to a person or individuals.
A few other changes were made and the wording of the ADPPA was edited for clarity, for example making it clear that an entity cannot retaliate against persons who exercise their legal rights as provided in the ADPPA, for example penalizing them for privacy.
What’s Next to Get the ADPPA Law Approved
If the House passes the bill, it will go to the Senate Committee on Commerce, Science, and Transportation. After being studied and scrutinized, if the ADPPA passes, it will move to the Senate floor. If the bill passes the Senate vote, it will go to President Biden's office for his final approval to become law.