In the words of Johnny Cash’s Folsom Prison Blues, “I hear the train a comin’, it’s rolling ’round the bend…” and for us in the United States data privacy space, that train symbolizes the new US federal data privacy law, the American Data Privacy Protection Act (ADPPA), which is gaining momentum in Congress.
The ADPPA is much needed by businesses in the United States to distill the ever-growing number of state privacy laws into a single piece of federal legislation. This will make privacy compliance easier for corporations, both US-based and those that “target” US citizens. Currently, companies doing business within the US must contend with numerous state-based privacy laws, each with different restrictions and requirements, which makes compliance cumbersome and very time consuming. Federal legislation will streamline privacy efforts and help better protect personal data by making it easier to create processes and procedures around data privacy objectives. It’s better for businesses and better for individuals.
What’s in the proposed ADPPA US Federal Privacy Law as it stands?
The ADPPA is a bill designed to regulate how organizations, referred to as covered entities, collect, store and process personal information. The bill states that covered entities must minimize the processing of personal information to what is “necessary, proportionate, and limited” in order to provide the service, product or communicate with individuals.
Some of the general requirements and protections that the bill will provide include:
- Clearly defining what data companies can collect about a person
- Making it easier for people to learn what personal data is being collected about them and which third parties it is shared with, and giving them the ability, and the knowledge of how, to update and/or delete that personal data
- Prohibiting manipulative design that tricks or traps people in subscriptions
- Prohibiting targeting digital ads at children and teenagers
- Increasing the FTC’s funding and ability to enforce privacy compliance
- Allowing citizens to supplement FTC enforcement with their own private litigation
One of the controversial pieces of the currently proposed legislation is the issue of preemption. Preemption would mean that the federal law overrides state laws, and as currently written, some argue, the federal law would weaken state laws such as California’s CCPA. Preemption would certainly be advantageous to businesses, which would then comply with a single law rather than the current, and growing, myriad of laws.
Looking into the future, global corporations will still carry the burden of building compliance programs and operating in a compliant manner under the myriad of international, country- and region-level laws, such as the GDPR, PIPL and ADPPA, to name a few. But having federal privacy legislation in the United States will still streamline those efforts.
How does ADPPA compare to GDPR and other international privacy requirements?
Similar to the GDPR and other international laws, the ADPPA will require organizations to collect only the personal data that is “reasonably necessary, proportionate, and limited to provide specific products and services.”
The bill also restricts specific practices, including:
- Collecting, processing or transferring social security numbers
- Selling or giving a third party a person’s exact geolocation
- Collecting, processing or transferring physical activity information from a smartphone or wearable device, biometric and/or genetic data
- Transferring passwords, internet search or browsing history to a third party
The ADPPA will also address the way organizations incorporate privacy into their overall business practices, an approach called privacy by design. This means that privacy practices must be built into every aspect of the business, both internal and customer-facing, and that the entire tech stack must comply with the organization’s data privacy policy.
It will make it easier for organizations doing business within the US to achieve privacy compliance across the 50 states, and also bring us one step closer to global privacy policies.
Making federal law is a complicated, often messy process, and I will not speculate on whether the US Congress can actually get a bipartisan bill passed during a midterm election cycle.
When, or should I say if, the ADPPA is finally signed into law, it will also be an untested law. Thus it will take additional time for the law to fully come into effect and for enforcement to begin. Conversely, the United States could adopt the GDPR as the law of the land with respect to data privacy: a law that has already been tested, that global corporations are already familiar with, and for which they already have privacy programs in place.
The ADPPA should offer some baseline protections for foreigners with regard to the FISA surveillance concerns, but it will not solve the EU-US data transfer problems associated with complying with the GDPR in the wake of Schrems II.
For more information the bill’s current version can be found here. If you’d like to speak with someone at Tealium about how Tealium helps support your data privacy planning, click here to schedule a demo.