Written by: Max Greene
Background
In an era where the influence of technology continues to rapidly expand, the protection of our personal data has become a pressing concern, and legislators and regulators in the U.S. and abroad are scrambling to meet the challenge. Modeled upon the Organization for Economic Co-operation and Development (OECD) privacy principles, the EU/EEA General Data Protection Regulation (GDRP) and state laws such as the California Consumer Privacy Act (CCPA) are the leading bellwethers. The challenge in the United States is there is currently not one overarching standard, leaving each state to craft their own regulations. Therefore, multi-state compliance is challenging and cumbersome for companies that do business across the country.
However, there is hope as Federal lawmakers in the United States have proposed the American Data Privacy and Protection Act (ADPPA). This legislation aims to safeguard individuals’ private information, and establish stricter regulations around data collection, usage, and sharing. In July 2022, the American Data Privacy and Protection Act (ADPPA) became the first federal online privacy bill to pass the committee and did so with near unanimity. Nevertheless, the bill has not yet been introduced in the Senate and may have reached a standstill in the House.
With that being said, a new draft of ADPPA is expected imminently. The Committee on Energy and Commerce Chair, Cathy McMorris Rodgers (R-WA), is reportedly penning the last few updates to the bill, which is believed to incorporate significant changes. In this blog post, we will delve into the intricacies of the ADPPA in its current state to understand its significance and potential implications.
Understanding the ADPPA
The American Data Privacy and Protection Act seeks to establish a comprehensive framework for the protection of consumer data. It aims to provide individuals with greater control over their personal information and increase transparency regarding data handling practices. The legislation outlines key provisions to address the growing concerns surrounding data privacy, such as:
- Enhanced rights for individuals: The ADPPA empowers individuals to have more control over their personal data. It grants the right to access, correct, and delete their information held by companies, reinforcing the notion of data ownership.
- Stricter consent requirements: The act focuses on strengthening consent requirements by ensuring that companies obtain explicit and informed consent from individuals before collecting or processing their data. This provision aims to prevent the overly broad collection of personal information without the users’ knowledge.
- Limitations on data sharing: The ADPPA aims to minimize the unauthorized sharing and sale of personal data. It places stringent restrictions on transferring or selling personal information to third parties without explicit consent, thus curbing the current prevalence of data brokerage.
- Data security requirements: By recognizing the importance of robust cybersecurity measures, the ADPPA emphasizes the need for companies to implement data protection safeguards. Businesses are required to adopt reasonable security measures to protect individuals’ personal information from unauthorized access or breaches.
- Transparency and accountability: The legislation strives to promote transparency and accountability among organizations handling personal data. It mandates regular disclosures of data practices, including the types of data collected, processing purposes, and third-party Companies failing to adhere to these standards can face penalties and legal action.
Benefits and Challenges
The ADPPA offers various benefits with notable positive implications for individuals and corporations alike, including:
- Enhanced data privacy: The act strengthens consumers’ data privacy rights, enabling them to exercise greater control over their personal information and mitigate risks associated with data breaches or unauthorized usage.
- Improved transparency: By emphasizing transparency requirements, the ADPPA aids in building trust between consumers and organizations, increasing their confidence in data sharing practices.
- Global standardization: The ADPPA will aid in bridging the gap between global data privacy regulations as other countries continue to adopt similar frameworks. This harmonization may aid in simplifying compliance for multinational businesses and establish a consistent level of protection globally.
On the other hand, implementing the ADPPA also poses several challenges, including:
- Federal vs State: One of the main concerns of the ADPPA is what it will mean for states that have already enacted or have a current proposed legislation. Currently, nine states, including California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, and Montana have comprehensive data privacy laws in place. During the 2022-2023 legislative cycle, 16 states introduced privacy bills that address a range of data and privacy issues, such as protecting biometric identifiers and health data. Some of these state laws may be stricter or far more lenient than what the ADPPA has proposed, which may cause confusion and introduce murky waters for businesses operating in multiple states.
- Compliance complexity: The act may impose significant compliance burdens on businesses, particularly smaller enterprises with limited resources. Ensuring adherence to the legislation’s strict requirements could lead to increased costs and potential disruptions to daily operations.
- Balancing innovation and regulation: While the ADPPA aims to protect personal data, striking a balance between data privacy and fostering innovation can be challenging. Stricter regulations might inadvertently hinder advancements in areas such as artificial intelligence and data-driven technologies.
Additional Regulations to Consider
Other regulations that have been introduced in a similar vein could soon come to fruition. The Data Privacy Act of 2023 aims to modernize the Gramm-Leach-Bliley Act to better align with rapidly evolving technology. The bill calls for improvements surrounding the privacy and security of personal information held by financial institutions nationwide, and would grant individuals controls for limiting the collection of their information.
Additionally, the UPHOLD Privacy Act of 2023 aims to prevent the use of personally identifiable health data (PHI) for commercial advertising. Similar to the ADPPA, it would provide enhanced rights, stricter consent requirements, and limitations on data sharing with the goal of placing restrictions on companies using personal health information without user consent and ban the sale of precise location data. The introduction of these regulations only underscores the need for uniformity.
Conclusion
The American Data Privacy and Protection Act (ADPPA) represents a significant step towards strengthening individuals’ data privacy rights and establishing a more unified and comprehensive framework for data protection in the United States. By enhancing transparency, reinforcing consent requirements, and imposing stricter accountability measures, the ADPPA aims to safeguard personal information in the digital age.
While the legislation brings numerous benefits for individuals and businesses, challenges related to compliance complexity and innovation also needs to be considered. As the ADPPA progresses in its legislative journey, it is crucial to strike a balance between protecting personal data and fostering responsible data-based innovation. If you have any questions regarding ADPPA or its implications, please reach out to a member of Wolf’s Advisory team.
