The American Data Privacy and Protection Act (ADPPA) is a bill that was introduced to a U.S. House of Representatives subcommittee on June 21st, 2022. It isn't the first privacy legislation to be introduced in the House, but if it passes it would be the first comprehensive consumer data privacy law at the federal level in the United States. The bill comes on the heels of new state privacy laws in Connecticut and Utah, and of a global push toward stricter data privacy regulation. At the time of posting the ADPPA is still under deliberation in the House and no floor vote has been scheduled.
If passed as currently drafted, the bill would set consumer data protections at the federal level and preempt state laws covering the same ground. That means the ADPPA would displace the comprehensive state privacy statutes in California, Virginia, Colorado, Connecticut, and Utah, and would become the reference point for any privacy legislation the states produce afterward. Though the bill is still being revised, there are steps organizations can take now to prepare for the ADPPA becoming law.
You've probably heard the internet described as the wild west. Governments have been slow to catch up with technological change, and slower still to legislate around it. The intention behind the ADPPA is to finally establish a single comprehensive data privacy regulation at the federal level: a protective measure for consumers that remedies the absence of much-needed privacy legislation since the internet's inception. The bill has received significant bipartisan and bicameral support so far, and many observers in the security and policy communities think it has a better chance of passing than earlier attempts.
The proliferation of privacy legislation in other countries is a large part of why this bill is finally being prioritized in Washington. The ADPPA draft is similar in scope to the EU's General Data Protection Regulation (GDPR), adopted in 2016, which governs data protection and privacy in the European Union. Many other countries are drafting privacy legislation of their own, and as regulation ramps up globally, the pressure is on for the United States to catch up.
The EU began enforcing the GDPR in 2018, and it is considered one of the more stringent privacy regulations in existence. Even so, EU member states have layered their own national rules on top of it, such as Germany's Bundesdatenschutzgesetz (BDSG) and Spain's Organic Law 3/2018 on Protection of Personal Data and Guarantee of Digital Rights. American lawmakers describe a similar intent for the ADPPA: it preempts state privacy laws but is framed as a national baseline. How much room it leaves states to go further is one of the bill's contested points, so organizations should not assume the state laws they follow today will survive unchanged.
The ADPPA is built around data minimization: an organization may collect, process, and transfer covered data only for purposes that are necessary, as the bill defines them, and covered data means any information linked or reasonably linkable to an individual. The bill gives consumers rights over the control of their data, and contains significant restrictions on targeted advertising to minors and on targeted advertising based on "sensitive data" such as health information and private communications. These measures alone would require a major shift in how companies advertise and track customers online, and they place new limits on third-party data collectors; some expect many data brokers to go out of business if the ADPPA passes. Other notable features of the bill are transparency requirements, anti-discrimination rules, and baseline data security requirements.
The ADPPA would apply to organizations doing business in the United States, including nonprofits, which ordinary FTC jurisdiction does not reach. Every industry is likely to be affected, and sales and marketing teams may have the most work to do to get "up to code," because digital advertising is currently close to a free-for-all and the bill sharply limits what a company may collect about a consumer. The bill would be enforced by the FTC, by state attorneys general, and by designated state agencies such as the California Privacy Protection Agency, which enforces the CCPA.
Whether or not the ADPPA passes, take stock of your organization's data privacy posture. If you aren't already subject to privacy regulation, you probably will be soon: individual states are drafting legislation, so any business operating across state lines faces a growing patchwork of rules, and international businesses are already beholden to other countries' laws. The squeeze will come one way or another, and employees and consumers care more about privacy as daily life moves online. All things considered, it makes sense to start aligning with a widely adopted privacy regime such as the GDPR now.
Many industries are already regulated, and organizations in the United States must comply with the rules of the states and countries they do business in. You've probably heard of HIPAA, which protects patients' health information in the healthcare sector. If your business is already subject to privacy regulation, now is a good time to run a data discovery exercise to confirm you are compliant and current on privacy best practices for your industry. If you aren't subject to privacy regulation, a data discovery exercise is still the right place to start.
Understand where your data is, where it comes from, and how it moves; that inventory determines the next steps toward an organization-wide privacy and security policy. Then align with practices that are likely to become law: obtain affirmative consent before collecting data (especially sensitive data), begin minimizing what you collect and retain, stop targeted advertising to minors, and so on. Small and medium-sized businesses may benefit from outsourcing to security and compliance specialists (such as iCorps), since keeping up with compliance requirements and industry standards can overwhelm a small internal IT team, especially when starting from scratch.
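As an added illustration of what a first data discovery and minimization pass looks like in practice (example code written for this page, not part of the original post and not an iCorps tool), the Python below scans a handful of data stores for directly identifying values and then compares each record's fields against a declared purpose register. The regex patterns, the purpose register, the store names and all of the sample records are constructed for the example; a real pass would use a tuned pattern set and your own documented purposes.

```python
import re
from collections import defaultdict

# Regexes for three directly identifying values. Constructed for this example;
# a real discovery pass would use a larger, tuned pattern set.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_phone": re.compile(r"(?<!\d)\(?\d{3}\)?[ -]?\d{3}-\d{4}(?!\d)"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Hypothetical purpose register: for each purpose the organization has
# documented, the fields it has decided are necessary for that purpose.
# Any field collected outside this set is a data-minimization finding.
PURPOSE_REGISTER = {
    "order_fulfillment": {"email", "shipping_address"},
    "support_ticket": {"email"},
}

# Constructed sample stores: two structured tables and one free-text log.
SAMPLE_STORES = {
    "crm.customers": [
        {"purpose": "order_fulfillment", "email": "a.lee@example.com",
         "shipping_address": "1 Main St, Springfield", "ssn": "123-45-6789"},
        {"purpose": "order_fulfillment", "email": "b.ng@example.org",
         "shipping_address": "9 Elm Ave, Shelbyville", "phone": "(555) 987-6543"},
    ],
    "support.tickets": [
        {"purpose": "support_ticket", "email": "a.lee@example.com",
         "body": "call me back at 555-123-4567"},
    ],
    "app.access_log": [
        "2022-07-01T12:00:00Z GET /account user=b.ng@example.org status=200",
        "2022-07-01T12:00:05Z GET /static/app.js status=200",
    ],
}


def classify(text):
    """Return the set of identifier categories whose pattern occurs in text."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def discover(stores):
    """Build an inventory: store -> field -> categories found in that field.

    Records are dicts (structured stores) or strings (free text such as logs,
    which are reported under the pseudo-field "_text")."""
    inventory = defaultdict(lambda: defaultdict(set))
    for store, records in stores.items():
        for rec in records:
            items = rec.items() if isinstance(rec, dict) else [("_text", rec)]
            for field, value in items:
                cats = classify(str(value))
                if cats:
                    inventory[store][field] |= cats
    return {store: dict(fields) for store, fields in inventory.items()}


def minimization_findings(stores, register):
    """Flag fields in structured records that the declared purpose does not need.

    A record whose purpose is missing from the register has every field flagged,
    since nothing has been documented as necessary for it."""
    findings = set()
    for store, records in stores.items():
        for rec in records:
            if not isinstance(rec, dict) or "purpose" not in rec:
                continue
            allowed = register.get(rec["purpose"], set())
            for field in rec:
                if field != "purpose" and field not in allowed:
                    findings.add((store, rec["purpose"], field))
    return sorted(findings)


if __name__ == "__main__":
    for store, fields in discover(SAMPLE_STORES).items():
        for field, cats in fields.items():
            print(f"{store}.{field}: {sorted(cats)}")
    for store, purpose, field in minimization_findings(SAMPLE_STORES, PURPOSE_REGISTER):
        print(f"minimization: {store} collects '{field}' beyond purpose '{purpose}'")
```

The inventory is the "where is our data" answer: it shows the SSN column in the CRM, the phone number buried in a free-text ticket body, and the e-mail address leaking into an access log that nobody listed as a personal-data store. The minimization findings are the "why are we collecting this" answer: they show the CRM holding an SSN and a phone number that order fulfillment was never documented to need. The two outputs together are what a retention and purpose review should start from.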
Whatever your size or industry, if you do business in the United States a federal data privacy act will affect your organization. It's time to adapt to the future of the internet; it's already here. Reach out to the IT experts at iCorps for a free consultation today!