Preparing for New U.S. Data Privacy Laws

Ben Richmond

October 3, 2022

United States data privacy regulation

In July, the American Data Privacy and Protection Act (ADPPA) passed the House Energy & Commerce Committee, marking the furthest any federal privacy legislation has progressed in the United States. While the bill may have enough bipartisan support to be passed into law, with the midterm elections approaching, it is unlikely to happen this fall. Nevertheless, the ADPPA bill provides a future compliance roadmap for U.S. companies across a wide variety of sectors.

Many businesses have already implemented rigorous data collection practices to comply with the individual state regulations in California, Colorado, Connecticut, Utah and Virginia that come into effect in 2023 (see Key Business Considerations for Impending State Data Privacy Laws). Others have made changes to comply with international regulations, such as the EU’s General Data Protection Regulation (GDPR), which has applied since May 2018. A federal U.S. law would add another layer of protocols and processes on top of these, and compliance and operations teams across the country will have to reconcile the new requirements with the ones they already follow.

Organizations that have yet to deal with any data privacy regulation will need to determine the ideal time to begin implementing the procedures and technologies that will be required for compliance. This is especially important given that, once the bill passes, companies will likely only have about a year to get ready. Meanwhile, companies that have already worked to comply with GDPR or other regulations will need to understand how the ADPPA will stack up against existing standards, or if it will preempt them entirely.

What do companies need to do to proactively manage their risk and integrate data privacy requirements into existing business frameworks in preparation for potential new federal regulations?

Who Could Be Affected

The fact that the bill unexpectedly passed committee is a sign that national data privacy legislation is on the horizon. Any data regulation would need to carefully balance consumer rights against the interests of the advertising and marketing technology ecosystem, including tech giants such as Google, Amazon and Facebook. Attempting to strike that balance, the ADPPA seeks to set up federal standards to protect U.S. consumers’ personal data, including oversight and enforcement mechanisms, without stifling competition or proving unenforceable in practice.

The first thing companies must consider is whether they fall under the aegis of the law. ADPPA aims not to overburden small- and medium-sized businesses, so it exempts companies that meet all of its small-business criteria, which include average annual gross revenue under $41 million and the covered data of fewer than 200,000 individuals processed per year. Meanwhile, the bill contains extra requirements for large enterprises, so-called “large data holders,” that have gross revenues of over $250 million and handle the covered data of more than five million individuals or devices (or the sensitive covered data of more than 200,000). Leaders of small- and medium-sized businesses should not feel they have a free pass, however, as they are still required to comply with the basic provisions of the law.

For large data holders, it is reasonable to assume that many have already worked to comply with data privacy standards, either to comply with GDPR requirements or to align with trending consumer expectations. Such enterprises may not need to reinvent the wheel to bolster their operational resilience.

However, any large data holder that has managed to postpone data privacy implementations would be wise to get ahead of a potentially disruptive rush to comply once a new federal law passes. A shift in the regulatory environment can expose business vulnerabilities, lead to failures in services and products, and result in financial losses. Companies of all sizes need to monitor the constantly morphing regulatory landscape and determine where the company’s current and evolving vulnerabilities might be.

Privacy by Design

On its most fundamental level, the ADPPA bill calls for businesses to adopt a “privacy by design” mindset. This starts with data minimization: a covered entity may collect, process or transfer only the data that is reasonably necessary and proportionate to provide a product or service the individual asked for, or that serves one of the bill’s enumerated permissible purposes. For professionals in privacy, operations or compliance, this means mapping each data element the business collects against that list of purposes (transactions, authentication, security and so on) and cutting whatever cannot be justified by one of them.

The bill also calls for firms to be completely and unambiguously transparent about their data collection practices. It requires them to publish a privacy policy that describes the categories of data gathered, who it is transferred to (including service providers and other third parties), the company’s data security practices, and more. The legislation mandates stronger data security, transparency and accountability: covered entities must designate privacy and data security officers and maintain data security practices that cover assessing vulnerabilities, information retention and disposal, and incident response.

Most importantly for the public, the bill sets out guidelines for a unified opt-out for consumers with regard to online advertising. Instead of being served a pop-up with an unreadable data policy and being compelled to click “accept all cookies,” consumers will be offered a single, universal opt-out option.

Data Privacy Officer Responsibilities

In line with a general market shift toward greater accountability, the law requires large data holders to have at least one official data privacy officer and one data security officer to implement the mandated programs. The ADPPA bill places a greater burden on large companies’ leadership: they must conduct comprehensive biennial audits, run a privacy compliance training program for all employees, develop a plan to receive and respond to unsolicited reports of vulnerabilities, produce a biennial privacy impact assessment report, and maintain records of all privacy and data security practices. Documentation of these measures must be made readily available to regulators. To avoid long, perplexing privacy policies, large data holders must also provide a concise “short form” notice of under 500 words.

Large data holders should begin appraising their potential risks of noncompliance now, including looking at technology stacks and third-party providers’ data collection methods, since they will also be subject to any federal directive. Companies and their technology providers will not be held responsible for each other’s violations, but companies still must exercise due diligence in selecting compliant technology providers, given that any privacy violation on the part of the provider could pose a heightened reputation risk under the new level of scrutiny.

Exceptions and Preemptions

The complexity of preparing to comply with multiple overlapping laws at state, national and international levels is compounded by the numerous exceptions and preemptions that may apply. This combination makes it challenging to avoid a fragmented privacy compliance program down the road.

Currently, the ADPPA would preempt most comparable state regulations. Its scope is also narrower than the GDPR’s: the GDPR covers processing by organizations established in the EU and processing that targets or monitors people in the EU, regardless of their citizenship, whereas the ADPPA would apply only to individuals residing in the United States. ADPPA exceptions include those for small businesses, first-party advertising, employee data, government entities and certain types of targeted advertising. However, given the contentious push and pull between the corporate ad ecosystem and consumer advocates, the types of targeting data prohibited will likely change numerous times before the bill becomes law.

The Push for Data Privacy

With the increased focus on data privacy, corporations and lawmakers are responding to consumers’ expectations: A 2021 KPMG study revealed that 88% of Americans want corporate America to take the lead in establishing more responsible data practices. Aside from the five states that have already passed their own privacy legislation, four other states—Michigan, New Jersey, Ohio and Pennsylvania—currently have active bills in committee. Further, many other international jurisdictions have either passed data privacy laws or have proposals actively in the works.

The surprising advance of the ADPPA serves as an urgent reminder to keep a close eye on the evolving data regulation landscape. The 2021 Data Compliance Survey by Business 2 Community revealed that 62.4% of respondents said that their company is not “completely compliant” with the data regulations that apply to them, and a continual stream of data privacy-related enforcement actions would appear to confirm this.

Companies should begin putting the right people, processes and technologies in place for a sound data privacy and security compliance program. Adopting a substantive data protection policy now and keeping a close eye on the regulatory negotiations can help future-proof organizations for whatever legal requirements may emerge.