Common Questions about the American Data Privacy and Protection Act
The draft American Data Privacy and Protection Act (ADPPA) is a landmark data privacy bill that is being considered by the US Congress. If ADPPA becomes law, it will have a significant impact on businesses that operate in the US. While it's being considered, it's worth taking a closer look at its provisions and giving thought to how they might impact your business if the bill goes into effect.
Here are a few common questions that businesses are asking about ADPPA:
The draft American Data Privacy and Protection Act is a data privacy law that applies to organizations operating in the United States. This includes nearly any organization that collects, processes, or transfers covered data (PII) subject to FTC oversight, as well as nonprofit organizations and common telecom carriers. It also includes data brokers, or “third-party collecting entities” that make most of their revenues by buying and selling PII.
When, or whether, the ADPPA will go into effect remains to be seen. The Senate could pass the ADPPA and send it to the White House for final approval before the end of 2022.
The ADPPA, if passed, will be enforced by the US Federal Trade Commission (FTC). The FTC will deem violations of the ADPPA to be unfair or deceptive acts and will have the power to fine violators of the ADPPA up to $46,000 in 2022 (this number is adjusted for inflation each year).
If your company operates in the US and handles the PII of US residents, ADPPA is likely to affect you. The best way to prepare for ADPPA is to make sure that you’re handling sensitive data in compliance with other, existing data protection laws like CCPA and GDPR by following privacy principles: data minimization, securing sensitive data from theft or misuse, etc. Preparing for the possible passage of the ADPPA also has the benefit of reducing your risk of data breaches.
Yes. Because the US Senate has not passed the bill and sent it on to the White House for approval, it’s subject to further change. In fact, the ADPPA is currently undergoing active review and discussion.
No. The current draft ADPPA bill doesn’t include provisions for up-front certification.
The Big Picture on Data Privacy
Regardless of whether the ADPPA becomes US law, there is a growing movement at the state and federal level – not to mention globally – to strengthen regulations around sensitive data. This movement is likely to translate into a federal data privacy law at some point.
In the meantime, companies across the globe that do business in the EU are grappling with how best to comply with GDPR, which has many provisions in common with ADPPA. And US companies are considering how to comply with various state-level data privacy laws, like California’s CCPA and CPRA.
To learn more about the history of data privacy laws and what to expect in the future, see: A Brief History of Data Privacy, and What Lies Ahead.