If you have been following privacy news lately, you may have seen that states such as Virginia, Colorado, Utah, and Connecticut have all passed new privacy laws that go into effect in 2023.
Those of us that work in the field have labeled the phenomenon of each state passing different privacy laws with different requirements as the “privacy law patchwork.”
As privacy laws can apply to businesses outside of the state in which the laws have passed, the patchwork leads to businesses having to comply with numerous laws with different requirements.
The patchwork is caused by the fact that the United States does not have one uniform privacy law for business websites (unless you are in finance, healthcare, or if you target children with your website).
As the number of state privacy laws increases, the best long-term solution is to pass a federal privacy law.
When the American Data Privacy and Protection Act (ADPPA) was proposed, it aimed to provide Americans with privacy rights and provide businesses with a homogenous set of rules they would need to follow to protect consumers’ privacy online.
In this article, we will discuss the ADPPA, including who it would apply to, what privacy rights it would provide to consumers, the business obligations of the Act, and its future.
Please note that at the time of writing this article, the ADPPA was still in the legislative process, meaning that some of the items in this article may change if the text of the ADPPA changes.
Who Does the American Data Privacy and Protection Act Apply To?
Generally, the ADPPA applies to any entity or person that determines the purposes and means of collecting, processing, or transferring covered data and that is either subject to the Federal Trade Commission Act or a common carrier subject to the Communications Act of 1934.
The Act explicitly exempts individuals acting in a non-commercial context. The Federal Trade Commission Act applies to all persons engaged in commerce across several states, regardless of their number of employees or the revenue they make.
This means that the ADPPA can apply to both small and large businesses, as long as they engage in commerce across multiple states.
What Privacy Rights Does ADPPA Provide?
The American Data Privacy and Protection Act aims to protect the privacy of individuals when they browse or shop online by providing them with the following privacy rights:
- The right to access, in a human-readable format, the covered data that has been processed by the business;
- The right to correct any incorrect data;
- The right to delete data;
- The right to export the data to another entity;
- The right to withdraw consent;
- The right to opt out of certain data transfers; and
- The right to opt out of targeted advertising.
Entities must respect the above privacy rights and respond to individual requests to exercise those rights within 45 to 90 days, depending upon the entity’s size.
What Business Obligations Does the ADPPA Impose?
Under the ADPPA, entities must publish a privacy policy that discloses the following:
- The identity and contact information of the entity processing the data;
- The categories of data the entity collects or processes;
- The processing purposes for each category of data collected or processed;
- Whether the entity transfers data and, if so, each category of third party to whom the data is transferred, the names of the third parties to whom the data is transferred, and the purposes of the transfers;
- The length of time each category of data will be retained;
- A description of how an individual can exercise their privacy rights;
- A general description of the entity’s data security practices;
- Whether or not data will be transferred to, stored in, or otherwise accessible to the People’s Republic of China, Russia, Iran, or North Korea.
The American Data Privacy and Protection Act also imposes a duty of loyalty, which includes:
- Data minimization – entities may not collect data unless the collection is limited to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the individual or to effect a permissible purpose;
- Loyalty duties – entities may not collect, process, or transfer a Social Security Number except when necessary to facilitate the extension of credit, authentication, fraud detection and prevention, the payment or collection of taxes, the enforcement of a contract, or the prevention or prosecution of fraud or illegal activity or otherwise as required by law;
- Entities may not collect or process sensitive data except where such collection and processing is strictly necessary to provide or maintain a specific product or service requested by the individual;
- Entities may not transfer an individual’s sensitive data to a third party unless the individual has provided their consent, the transfer is necessary to comply with a legal obligation, the transfer is necessary to protect an individual from imminent injury, or the transfer meets certain other legal requirements.
Entities are also required to follow privacy by design principles, including:
- Establishing, implementing, and maintaining reasonable policies, practices, and procedures that reflect the privacy and security requirements of the entity;
- Implementing reasonable training and safeguards to ensure compliance with all applicable privacy laws.
Lastly, entities may not retaliate against an individual for exercising any of the rights provided by the ADPPA, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to those who have exercised their privacy rights under the Act.
The ADPPA includes a clause stating that the Federal Trade Commission must establish a Bureau of Privacy to enforce this Act.
In addition, the Act states that any violation will be considered an unfair or deceptive act or practice and that the FTC may bring civil action against any violators.
Lastly, individuals may sue businesses directly for violations of the Act in a federal court.
The Future of the ADPPA
Although the idea of a uniform set of rules through a federal privacy law is good, the ADPPA has been receiving some pushback from certain states and groups.
For example, the California Privacy Protection Agency wrote a letter stating that the Act would remove important protections and weaken Californians’ current privacy protections.
The fact that the ADPPA would preempt state privacy laws has not been received well by those in California.
In addition, the Chief Policy Innovation Officer of the Information Accountability Foundation has written an article with suggested changes to the ADPPA that would further strengthen it through amendments.
While there has been some pushback against the bill, it has gained more traction than other federal privacy bills, and it will be interesting to see whether the United States will at last gain a federal privacy law.