If you’re brushing up on privacy laws and familiar with the European Union’s General Data Protection Regulation, you’re probably wondering what the U.S. equivalent of the GDPR is. The American Data Privacy and Protection Act (ADPPA) is a House bill sponsored by Rep. Frank Pallone. It was introduced on June 21, 2022. If H.R. 8152 clears the House, Senate, and executive branch, this bipartisan legislation could provide comprehensive federal data privacy protections to everyone living in the U.S.
What is the U.S. Data Protection Act?
The ADPPA is a unique privacy act. First, it’s a bipartisan and bicameral piece of legislation aiming to produce a comprehensive framework for data privacy in the U.S. It also comes at a time when five out of the fifty United States (California, Colorado, Connecticut, Utah, and Virginia) have their own comprehensive data privacy laws.
Other global territories—specifically, Europe and China—also have their own privacy and data protection laws. This creates a “patchwork” problem for companies who collect, store, and process consumer data. It’s difficult to enact privacy protections that comply with each territory since each law offers varying levels of protection.
The ADPPA seeks to unify U.S. privacy protections and bring U.S. requirements into greater harmony with international privacy law regimes. States will still be free to go even further, should they feel it’s necessary, but the Act will provide a minimum privacy baseline for every state and territory.
One of the biggest differences between the American Data Privacy and Protection Act and other US privacy laws is in how it moves toward a “privacy by design” and data minimization framework. Instead of a generic requirement that companies consider privacy in the design of their processes, the ADPPA only allows companies to collect and use user data if it’s necessary for one of 17 permitted purposes under the law. Other uses are prohibited, and the Federal Trade Commission would be in charge of enforcement.
What does the American Data Privacy and Protection Act cover?
First and foremost, the Act states that “a covered entity may not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to” achieve one of the 17 allowed purposes.
In other words, data minimization is the Act’s main focus. This is primarily seen in the way it addresses targeted advertising. While it doesn’t ban the practice outright, it does impose strict limits on targeted advertising. This includes banning:
- Targeted ads to minors
- Targeting ads based on “sensitive data” like health information, precise geolocation, private communications, and any other “information identifying an individual’s online activities over time and across third-party websites or online services”
- Misleading “accept all” tricks to get consumers to opt into targeted advertising
Certain targeted advertising is still acceptable, including first-party advertising. For example, if you buy something online, that company can use your sales and other provided data to advertise other products you might like. Amazon’s “Recommended for You” advertising is a good example. However, they can’t match your shopping habits with your web and phone browsing history to show you unrelated ads. Companies (such as Google and Facebook) also cannot place trackers in websites or free apps to create a customer profile to sell to advertisers.
The law also sets standards for transparency, increased oversight of data brokers, cybersecurity, and anti-discrimination policies. The transparency provisions require data collectors to describe the “type of data they collect, what they use it for, how long they retain it, and whether they make the data accessible to the People’s Republic of China, Russia, Iran, or North Korea.”
Should the ADPPA pass in its current form, it will establish a comprehensive privacy law that applies across the United States, setting a ceiling on privacy protections that would preempt any stricter requirements, such as those in the California privacy law.
Who would be affected by the ADPPA?
If the ADPPA passes, the Act will apply to anyone collecting, storing and processing American consumer data. This includes common carriers and nonprofits. In other words, if your website targets U.S. residents, the U.S. data privacy laws will apply. However, there are certain exceptions for small and medium-size businesses.
The Act offers a private right of action for compensatory damages, injunctive relief and attorney fees. However, plaintiffs have to notify the FTC and their state attorney general of their intent to file suit before they do so. At that point, both the FTC and state AG have 60 days to determine whether they plan to intervene in the lawsuit.
As the bill leaves the committee and moves through the House and Senate, protections and standards may change—but it’s safe to say that businesses collecting American consumer data will need to ensure compliance if the law passes.
Discover SixFifty’s privacy solutions
Keeping track of the latest global privacy developments is a massive undertaking. Fortunately, SixFifty offers comprehensive privacy solutions to save your company time and money. Our privacy tools pair AI technology with legal expertise, so you can create custom privacy policies for every applicable territory.
If the American Data Privacy and Protection Act passes, we’ll help your business stay compliant. All you have to do is answer a few questions, download your custom policy and have your lawyers review.
Interested in learning more? Schedule a free demo with SixFifty today!