As an organization that manages and revolves around compliance with data security legislation, we at Accountable HQ are always paying close attention to any moves for a potential national US data privacy legislation.
Recently, a new bill titled “the American Data Privacy and Protection Act”, or ADPPA, was successfully passed by the U.S. House Committee on Energy and Commerce. Making it out of committee means it will be presented before the entire House in the coming days or weeks, which is the farthest a potential federal-level data privacy legislation has ever made it in the United States. To put it simply, this is a bit of a big deal.
In this guide, we’ll explore what the ADPPA is, what the bill includes at this point, and what it would mean for US organizations if it is eventually passed into law.
Recent bipartisan legislation announced by congressional leaders would create the first comprehensive federal privacy law in the country if it were to be passed. The American Data Privacy and Protection Act (ADPPA) would grant Americans a variety of rights relating to the data that is kept on them, including the ability to view, update, and delete such data as well as the right to stop certain uses of it without permission. As a result, businesses operating in a wide range of industries would be subject to significant new requirements pertaining to the information they gather on the clients they serve.
The ADPPA is similar in many ways to comprehensive state privacy laws that have recently been passed, such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It also incorporates some of the rules established by the Health Insurance Portability and Accountability Act (HIPAA), the country's health privacy law. In many respects the ADPPA is the American counterpart of the General Data Protection Regulation (GDPR), which governs privacy in Europe, but it also goes much further than those laws in many ways.
Among the provisions of the bill are:
It helps to understand a few key terms when trying to understand what ADPPA actually entails:
There is a wide range of data that would be covered under the ADPPA if it were to be put into law.
Inferences drawn only from independent sources of publicly accessible data that do not reveal sensitive covered data about a person are now excluded from the definition of covered data. The recent judgment of the California Attorney General, which said that inferences drawn from publicly available information must be released in response to an access request, may have served as the impetus for this modification.
The definition of "sensitive covered data" has changed in a number of ways, including the removal of information revealing a person's race, ethnicity, national origin, religion, or union membership or nonunion status in a way that is inconsistent with the person's reasonable expectation regarding disclosure of such information. The definition still covers information from individuals under the age of 17, though it now adds the criterion that the covered entity must be aware that the individual is under the age of 17.
The term "biometric data" now more closely resembles the phrase "data" as used in the Connecticut Data Privacy Act. In particular, a digital or physical photograph, an audio or video recording, or data derived from any of these that cannot be used to identify a specific person is not considered biometric data.
The ADPPA would require a number of entities to become compliant with the potential new law, including covered entities and service providers that deal with sensitive data.
Entities "operating in a non-commercial context" are not included in the definition of a covered entity. Additionally, the definition did away with the "common branding" terminology used in the CCPA and CPRA. Governmental agencies, as well as people or organizations operating on their behalf, now have new exemptions.
As mentioned earlier, this new potential law would affect service providers. Service providers are any entities that use or process covered data on behalf of a covered entity under the ADPPA. Service providers are often data processing software vendors.
It is worth noting, especially for our clients, that as the ADPPA is written now, all organizations or individuals who have achieved and maintained HIPAA compliance will also be in compliance with the ADPPA. The legislation specifically states that HIPAA compliance will supersede ADPPA compliance. This makes now a great time to ensure your HIPAA compliance so that you are completely covered if this bill does become law.
The ADPPA's Section 101 specifies that covered organizations are prohibited from collecting, processing, or transferring protected data unless such actions are reasonably necessary and proportionate to specifically stated activities. There are currently twelve permitted purposes listed in the provision. Unless an exemption applies, certain processing operations are prohibited under Section 102; these include various kinds of processing of sensitive covered data, as well as transferring sensitive covered data to other parties.
The ADPPA is still being worked on, and it remains unknown how well it will do in the Senate. Despite the optimism about this draft bill and the process leading up to it becoming law, a number of possible obstacles were brought to light during the most recent session. Each of the eight witnesses described changes they would make to different elements of the draft. These criticisms highlight the flaws in the proposal, but they also reflect the continuous stakeholder process that lawmakers are engaged in, despite the bipartisan draft's origins in consultations.
We will continue to monitor the progress of this bill as it makes its way through the US government. We will post any and all updates that are released regarding progress or edits to the ADPPA as we have detailed it.