The ADPPA: What Is It and What’s New?
Jodi Daniels
Practical Privacy Advisor / Fractional Privacy Officer / WSJ Best Selling Author / Keynote Speaker
Welcome to Red Clover Advisors Newsletter - where we share best practices and strategies that help simplify data privacy so that your business can go beyond compliance, build trust with customers, and gain a competitive edge.
Before we get started, check out our weekly She Said Privacy/He Said Security Podcast, where we dive into a new way of working with data and discuss privacy-friendly strategies. You’ll hear about the latest developments in privacy law, deep dives into privacy topics and industry best practices.
What’s Happening Now:
On July 20th, the American Data Privacy and Protection Act (ADPPA) was voted out of committee in the House, setting the stage for the full House to determine its future. For those following the bill’s progress, Washington Post writer Cristiano Lima provided a good list of the changes made since the last draft was released to the public earlier this summer. This week, we are going to dive into some of those changes, the broader implications of the bill, and what it all means for your business.
The ADPPA: What Is It and What’s New?
The ADPPA is a new attempt by Congress to bring some federal structure to the American data privacy protection scene, which is currently a hodgepodge of state laws, such as California’s CCPA/CPRA. For those unfamiliar, let’s take a moment to summarize the ADPPA. In keeping with the American tradition of individualism, this bill moves away from the current trend of a consent-based privacy structure and toward a data minimization one.
Data minimization is the concept that a company cannot collect any more data than it reasonably needs, as defined by statute. Contrast this with a consent-based structure, which works under the assumption that collection is generally allowed, so long as the user consents to it. The bill currently lists 17 purposes for which collecting data is deemed necessary and permitted. Critically, this includes targeted advertising, albeit a far more limited form of the practice as compared to the virtual free-for-all that is the current federal landscape. Targeting ads to minors, and targeting ads using “sensitive covered data” (which includes health, financial, precise geolocation, sexual behavior, biometric, and racial data, among other types), would be banned.
Importantly, “sensitive covered data” includes “information identifying an individual’s online activities over time and across third-party websites or online services”, which means that the various ways in which companies track users across the web (and off their specific websites) would be curtailed or eliminated. Additionally, users would be allowed to opt out of targeted advertisements (with more consumer-friendly language required than under other major laws), and the bill appoints the FTC to create a universal opt-out standard. Notably, it also includes a preemption provision, which has drawn opposition chiefly from Californian lawmakers, as well as a limited private right of action. The bill also specifically targets large social media companies and large data holders with stricter compliance requirements.
What Are the Broad Implications of the Law and What Does It Mean for Your Business?
This law would fundamentally change the American data privacy landscape. For one, it would partly do away with the patchwork of state laws and offer companies a clear and comprehensive path towards compliance. However, it would also drastically alter the way that online advertising works, shifting the industry away from hyper-targeting users and into a model where users have more control over their data and over what type of advertisements they see, as opposed to what companies/advertisers would like them to see. For even mid-sized companies (15+ employees), the bill requires that a data privacy and security officer be appointed.
For all companies, biennial impact assessments would be required, certainly a burden for those companies unfamiliar with the practice. These are just some of the many implications that such a law would have. Regarding the impact on your business, no matter your size, you will be affected, and will need to implement new practices and procedures. The draft requirements differ somewhat significantly from the GDPR and various US state laws and will likely require serious examination and shifts in your data privacy practices as we get closer to a clear picture of the final law.
The ADPPA has more bipartisan support than any previous attempt at a modern federal data privacy law. However, it faces an uphill battle among some key players, chiefly U.S. Senate Committee on Commerce, Science, and Transportation Chair Maria Cantwell, D-Wash., who called the bill “weak.” Her largest concern is the proposed two-year statute of limitations for the private right of action. Senator Cantwell’s role as Committee chair means that her views play an outsized role in the future of the bill. She is not alone in her opposition. California Representative Anna Eshoo voted against the bill leaving committee in the House, stating, “I recognize that this law would be an improvement for much of the country… but I can’t say the same for my constituents and all Californians.” California Governor Gavin Newsom also objected to the bill, due to its preemption of California law. He has been joined by 10 state attorneys general who take issue with preemption. While a meaningful step towards a federal data privacy structure, there is no guarantee that the bill becomes law as written.
T-Mobile has settled a class action suit stemming from a 2021 data breach of sensitive consumer information. After 76.6 million customers had sensitive data exposed, including names, social security numbers, and driver’s license data, the company has agreed to pay $350 million to customers, and to spend $150 million on cyber security efforts. Although no one is ever truly safe from cyber-attacks, this is a reminder that the cost of a breach can be enormous, and cybersecurity measures are almost always cheaper than resolving the aftermath of an attack.
According to the Indian Union Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, the proposed Indian Data Protection Bill will be delayed a couple of months, as the government seeks to finalize and clarify the “dos and don’ts for companies.” He was clear that the bill is not intended to cover privacy, only data protection, with the goal of defining how companies will go about collecting data. Key elements under discussion include the requirement that social media companies must provide information on the “originator” of messages online. Hopefully we will have some clarity before the end of the year on how the data protection landscape in India is changing.
Outbound Sales and Growth | Podcast Host, Mentor and Producer
2 years ago: Just subscribed to your newsletter! Didn't know this about T-Mobile. Looking forward to the next edition!
Strategic Privacy, Security, & Ethical AI Innovator | Podcast Host & Trusted Advisor | Empowering High-Tech Companies to Align Privacy & Security with Business Objectives
2 years ago: Do you think it’ll pass? Personally, I don’t think we’ll have a Congress that will EVER be able to pass a federal U.S. privacy law (see our inability to pass a simple federal data breach law) due to disagreements on: federal preemption; whether it should apply to government departments / agencies; whether individuals should have a right of action (right to sue) for harm or must report to regulators who may or may not take action; & other unresolvable issues across party lines.
Good synthesis. The broad definition of sensitive data to include online browsing activity is remarkable and beyond other regulations. Plus the FTC will be empowered to define new forms of data that will become "sensitive." Definitely a moving target (or crosshairs) for internet advertising
Advocate for Compassionate Leadership | Guiding Leaders to Drive Societal Change
2 years ago: Great analysis. The thing that stuck out to me is that the impetus behind this law is due to the actions of a couple of very large bad actors. Yet, the result will be that those two giants will find a way to continue to collect, aggregate and monetize data while Acme Tool Shop with 15 employees and a website will be forced to hire a data protection officer. For the sake of every small business in the U.S., I hope this folly is removed before actual passage.
Jodi has, as always, done a great job summarizing the key issues in the developing federal privacy law. While I will still take the under on whether it gets passed, this is a great piece.