On July 20th, the House Committee on Energy and Commerce passed an amended version of the American Data Privacy and Protection Act (ADPPA) and is now ready for a full vote in the House of US Representatives. The bill ‘establishes requirements for how companies, including nonprofits and common carriers, handle personal data, which includes information that identifies or is reasonably linkable to an individual.’ Essentially, this bill is the United States’ first pass, on a federal level, to enact controls on how companies deal with data, particularly data that is identifiable to a specific person. While the bill still has several hurdles to pass before it comes into law, here are a few questions that we have seen, with answers on what the bill is, what it means, and more.
1. What is in the ADPPA bill?
The ADPPA, a bipartisan bill, is a comprehensive information privacy bill that is expected to be voted on in the coming weeks in the US House of Representatives. As it is currently constructed, there are four main components of the ADPPA. These four ‘titles’ are: Duty of Loyalty, Consumer Data Rights, Corporate Accountability, and Enforcement, Applicability, and Miscellaneous.
Duty of Loyalty is broken out into four tenants: data minimization, loyalty duties, privacy by design, and loyalty to individuals with respect to pricing. This section, at a high-level, states that organizations cannot collect, process, or transfer data unless it is necessary for their business, and that they need to establish and maintain the ability to keep data private for necessary purposes.
Consumer Data Rights has ten sections: consumer awareness, transparency, individual data ownership and control, right to consent and object, data protections for children and minors, third-party collecting entities, civil rights and algorithms, data security and protection of covered data, small business protections, and unified opt-out mechanisms. This section is geared towards establishing a baseline for what rights individuals have regarding what businesses do with their data.
Corporate Accountability has five sections: executive responsibility, service providers and third parties, technical compliance programs, commission approved compliance guidelines, and digital content forgeries. Corporate Accountability ensures that beginning one year after the bill passes (if it does) large data holders need to maintain internal controls to comply with it.
Finally, Enforcement, Applicability and Miscellaneous has eight sections: enforcement by the Federal Trade Commission (FTC), enforcement by state attorneys general, enforcement by individuals, relationship to federal and state laws, severability, Children’s Online Privacy Protection Act (COPPA), authorization of appropriations, and effective date. This section outlines how the law will be enforced, how it relates to existing US state privacy laws (the California Consumer Privacy Act comes to mind), how minors are protected, and when the law is in effect.
2. Who does ADPPA apply to?
The ADPPA defines ‘covered entities’ as being any organization that is subject to the Federal Trade Commission (FTC) Act, common carriers under the Communications Act of 1934, or nonprofits that have a means to collect, process, or transfer covered data. The bottom line is that this legislation is geared towards most businesses or organizations that do business and/or process data in the United States.
3. Does it matter the size of my organization and how the legislation is enforced?
Similar to other pieces of legislation, the ADPPA has different standards for organizations of different sizes. This mandate has a cutoff of $250 million in revenue in the most recent calendar year, OR, if the organization has collected, processed, or transferred data of more than 5 million people plus linked devices. Organizations above either of these thresholds need to provide short form notice of its covered data practices, conduct privacy impact assessments every other year, conduct yearly assessments of their algorithms (more on this shortly), and have an executive officer certify annually to the FTC that they maintain internal controls, and have reporting structures to ensure certifying officers are involved and responsible for decisions that impact compliance.
For organizations that are under both guidelines, they are exempt from the requirement to correct covered data at the individuals’ request but are required to delete data in response to an audit. They are also exempt from most of the data security requirements, but they still must delete data that is no longer necessary for specific business purposes.
While the ADPPA has more stringent requirements for larger organizations, there are still things that smaller ones need to account for.
4. How is this different from the California Consumer Privacy Act (CCPA)?
The major difference is that this extends to any organization in the Untied States, and not just California. However, there are some other key differences, including specifically limiting how organizations can target advertising to known minors, and how they transfer their data, specific protections around social security numbers, how data is transferred to third parties, that organizations may not use or collect data that can be used for discrimination, and that organizations are required to evaluate designs of algorithms that are known to collect, process or transfer data.
5. What is all this about algorithms?
This is one of the main pillars of the bill that is raising eyebrows, as any organization that uses algorithms to make business decisions need to be able to provide outlines of how they work, and what data the algorithms use. This is a key piece of the legislation that takes aim at businesses that may be using algorithms for unsavory practices that result in discrimination. Whether intentional or not, this legislation is passing through the American government with this as a flagship component.
6. How can an Identity Governance and Administration (IGA) solution help meet ADPPA requirements?
A modern IGA solution can help organizations meet a litany of requirements within this proposed bill. The most encompassing component of meeting compliance is the internal confidence of being able to present documentation and proof of compliance. With a modern IGA solution, logs and audit reports can be easily configured to prove that Duty of Loyalty is met and that only the right people have the right access to critical data. IGA solutions can also help ensure that third parties and service providers are kept in check, retaining access for only the periods of time that they are contracted for, and access is automatically deprovisioned upon expiration.
While this bill still has a ways to go before it becomes law, having a plan for if, and when it does get signed, can put your organization in a better position to meet compliance, and perhaps more importantly, bolster security controls. For more information on how Omada can help your team meet compliance mandates, whether it is the ADPPA, CCPA, GDPR, SOX, a regularly scheduled audit, or more, check out this compliance eBook on how IGA can help organizations meet compliance and audit requirements.