October 11, 2022

A Complete Guide to the New US Federal Data Privacy Bill (ADPPA) and What It Means for Businesses

ADPPA will still apply to you even if the CCPA/CPRA, CTDPA, or other privacy regulations do not. It will also have an impact on businesses outside the US that target the American consumer market. The sooner you are ready, the better off your business will be if the proposed legislation becomes law.

Although the American Data Privacy and Protection Act (ADPPA) is still trying to make its way through the maze of US federal laws, you should be aware of it. ADPPA would apply to all businesses, no matter how big or small they are, unlike the consumer laws of the US states. 

That being said, ADPPA will still apply to you even if the CCPA/CPRA, CTDPA, or other privacy regulations do not. It will also have an impact on businesses outside the US that target the American consumer market. 

The sooner you are ready, the better off your business will be if the proposed legislation becomes law.

Personal Data, or Covered Data

ADPPA requires "covered entities," a catch-all term for any entity subject to the FTC Act, to minimize the amount of "covered data" they collect, process, and transfer. ADPPA defines covered data as "information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals, including derived data and unique identifiers." Based on this, covered data is similar in definition to the GDPR’s “personal data.”

Simply put, covered data is any information that can be used to identify a person or a device that can be linked to a person. In practice, covered data could be as simple as government ID numbers or Social Security numbers (SSNs) in private communications, or any information about people under 17 years old. Aside from obvious personal information, this law will also cover data like IP addresses or digital fingerprints. 

But ADPPA doesn't cover all of the personal information out there. The following kinds of information are left out: de-identified data, employee data, and any other publicly available information.

The scope of ADPPA extends to include any and all identifying information.

Does ADPPA Apply to My Business?

ADPPA probably applies to your business if you are a US company or a non-US company with US users. 

Those who handle personal information in any way, including collection, processing, or transfer, fall under ADPPA's jurisdiction, as well as those who: 

  • engage in commercial activity (with the exception of banks, insurers, and others governed by different regulations, as specified by the FTC Act); 
  • provide telecommunications services (a "common carrier" as that term is used in Title II of the Communications Act of 1934); or, 
  • a non-profit organization.

Brand owners and trademark licensors are also subject to the ADPPA. 

The ADPPA covers more people and organizations than the CCPA, CPA, VCDPA, and other state and federal privacy statutes in the United States. The law applies to anyone, regardless of size, who handles personal data. 

For businesses that handle massive volumes of data, however, the ADPPA imposes new obligations. These organizations, known as "large data holders," must perform data privacy impact assessments on their algorithms and provide evidence to authorities that they have implemented strict internal controls over data processing. 

Aside from these businesses, ADPPA also applies to service providers and third-party collecting entities. 

What Is a Service Provider under the ADPPA?

A service provider is a business that processes user data on your company's behalf. 

Your business' service provider is the company that runs the plugin you use to remember your users' language preferences. Google Analytics and Hotjar, two popular online analytics tools, are examples of service providers. Meta is your service provider if you make use of Meta Pixels. 

According to the law, only an entity with which your company has an established business relationship can be considered a service provider. This signifies that we are excluding subprocessors from the definition. 

Therefore, if you use Hotjar, they are your service provider but the companies responsible for delivering Hotjar's services to you are not your service providers. 

What Is a Third-Party Collecting Entity under the ADPPA?

According to the law, this is what data brokers are. ADPPA classifies businesses who collect and supply data to other businesses as "third-party collecting entities" if they satisfy any of the following criteria: 

  • They make more than half its revenue from data collecting, or,
  • They have either collected or transferred the personal data of more than 5 million people to other businesses.

What Does ADPPA Require from Businesses?

ADPPA creates obligations for all businesses, but the requirements depend on the business size. These are the general requirements for small businesses, larger-than-small businesses, and large data holders:

Data minimization. Each business will have to process only the minimum amount of data for a specific purpose.

Loyalty duty pricing. No business can change its pricing for users who have waived their privacy rights.

Privacy by design. It means designing products and services to use as little data as possible and protecting consumers’ privacy.

Appointment of a privacy officer. Businesses must designate a person to take care of the company’s data privacy practices.

Privacy Impact Assessments. Some businesses have to do assessments to figure out what steps they need to take to keep data safe.

Data security measures. The scope of the data security measures depends on the business size, the volume of data processing, and other circumstances. All businesses need to have some procedures in place and train employees properly.

Special regime of children’s data. Children won't be able to see ads that are made just for them, and their information won't be given to service providers without their parents' permission.

No algorithm discrimination. A business can't collect, process, or send data in a way that is unfair because of race, color, religion, national origin, gender, sexual orientation, or disability.

Special regime of the processing of some data categories, including the following:

  • The Social Security Number
  • Geolocation
  • Intimate images
  • Passwords
  • Biometrical or genetic information
  • Browsing history, and,
  • Physical activity information

Some of these requirements won’t apply to small businesses.

ADPPA Exceptions for Small Businesses

A business is considered a small business if it has met all of the following criteria in the past three years:

  • They have an annual gross revenue of less than $41 million.
  • They process no more than 100,000 individuals' data, excluding payment data.
  • They are not data brokers.

If your business meets these requirements, you won’t have to comply with the duty to:

  • Respond to right-to-portability requests.
  • Implement data security measures, except for the deletion of redundant data.
  • Designate a privacy and data security officer.
  • Comply with the right to correct requests by choice, but you can delete the inaccurate data if you want.

What Are ADPPA Consumer Rights?

ADPPA grants users the following rights:

  • Right to know. Companies need to inform consumers about their privacy practices. It shall be done through a privacy policy whose content is also prescribed by law. Large data holders must show an additional short privacy notice to their privacy policy.
  • Right to access. Users can request access to their own data, and you have to allow them access.
  • Right to correction. If the user requests you to correct their data, you comply with the request.
  • Right to deletion. The consumer privacy laws of the US states already grant deletion rights to consumers, but ADPPA grants are to all US residents.
  • Right to portability. Users can obtain a copy of their data from one company and take it to another one.
  • Right to consent and objection. Companies must obtain express consent for the processing of only sensitive personal data. Any user can say they don't want their personal information, even if it's not sensitive, to be used.
  • Right to opt-out of data transfer. If users do not want their data transferred to a specific service provider, they may object to it, and you’ll need to comply. For example, someone might not want you to send their information to Facebook, and you'll have to respect that.
  • Right to opt-out of targeted advertising. If the user requests so, you must not show them any more targeted ads.

What Is an ADPPA Privacy Policy?

ADPPA requires each privacy policy to contain a minimum of the following information:

  • Details of the business that processed personal data
  • Categories of data processed
  • Processing purposes
  • Data transfers abroad, if any
  • Data retention periods
  • Information on consumer rights and how to exercise them
  • A general description of data security practices
  • Whether or not the data is transferred, processed, or made available to persons or entities in China, Iran, Russia, or North Korea.

The privacy policy must be written in your users' language and be easily understandable.

If you want to process the collected information for other purposes and you make changes to the privacy policy, you need to request consent from the users.

Who Enforces ADPPA and What Are the Penalties?

The law gives the Attorney General of each state and the Federal Trade Commission the power to enforce the law to the extent that they are already able to do so.

This means that they can take action against violations of this law in the same way they would enforce any other law.

Individuals can bring civil actions, including class actions, against any entity that has violated their rights under the law. However, individuals have to submit a notice to cure the company. The company has 45 days to cure the alleged violation. If the violations have been cured, the courts can dismiss the civil action.

However, ADPPA does not prescribe any penalties for violations of the law. It refers to the Federal Trade Commission Act, where the penalties range between $40K and $50K.

When Does the ADPPA Enforcement Begin?

The ADPPA has not been passed into law yet. We have yet to see if it gets passed or amended and when the enforcement will begin.

Secure Privacy keeps a close eye on the process and will make sure your business is compliant as soon as it starts putting obligations on your business.