All-in-one Risk Management Platform

ADPPA Preview

The ADPPA, a potential federal data privacy law, could significantly impact US organizations that use or collect private data
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Join thousands of companies who build trust with Accountable.

ADPPA Preview (A Bipartisan U.S. Data Security Bill Makes it Out of Committee)

As an organization that manages and revolves around compliance with data security legislation, we at Accountable HQ are always paying close attention to any moves for a potential national US data privacy legislation. 

Recently, a new bill titled “the American Data Privacy and Protection Act”, or ADPPA, was just successfully passed by the U.S. House Committee on Energy and Commerce. By making it out of committee, that means it will be presented in front of the entire House in the coming days or weeks–- which is the farthest a potential federal-level data privacy legislation has ever made it in the United States. To put it simply, this is a bit of a big deal. 

In this guide, we’ll explore what the ADPPA is, what the bill includes at this point, and what it would mean for US organizations if it is eventually passed into law.

What does the ADPPA Include?

Recent bipartisan legislation announced by congressional leaders would create the first comprehensive federal privacy law in the country if it were to be passed. The American Data Privacy and Protection Act (ADPPA) would grant Americans a variety of rights relating to the data that is kept on them, including the ability to view, update, and delete such data as well as the right to stop certain uses of it without permission. As a result, businesses operating in a wide range of industries would be subject to significant new requirements pertaining to the information they gather on the clients they serve.

The ADPPA is similar to comprehensive state privacy laws that have recently been passed, such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), in many ways. It also incorporates some of the rules established by the Health Insurance Portability and Accountability Act, the country's health privacy law (HIPAA). The General Data Protection Regulation (GDPR), which governs privacy in Europe, is the American counterpart of those regulations, but it also goes much further than they do in many ways.

Among the provisions of the bill are:

  • Raising the current limit of 13 years set by the Children's Online Privacy Protection Act for the age at which children's data can be gathered and utilized for behavioral advertising online to 17 years old.
  • Preventing the adoption of any future state-level legislation that would enhance online data security while maintaining Illinois' Biometric Information Privacy Act, a crucial state regulation that recently led to a ban on the use of Clearview AI's enormous facial surveillance database across the country.
  • Limiting the types of information that may be gathered about users online and sent to outside AdTech firms for use in behavioral advertising. Additionally, it would allow consumers to completely decline to receive such advertisements.

Key Terms Under ADPPA

It helps to understand a few key terms when trying to understand what ADPPA actually entails:

  • Covered Entities - A covered entity is a business, organization, individual, or other entity that is subject to the regulations that the ADPPA sets forth.
  • Service Providers - A service provider is a person or organization who collects, processes, or transfers protected information at the direction of or on behalf of a protected entity and that accepts protected information from or on behalf of a protected entity in accordance with a signed agreement.
  • Opt-Out Mechanisms - Such mechanisms are various ways to make it possible for consumers to opt-in or out of letting an organization collect or use their data.
  • Consumer Data Rights - Individuals would have a variety of rights in relation to the information that covered entities have about them under the ADPPA. Numerous of these  rights are comparable to those guaranteed to people by the GDPR, HIPAA, and extensive state privacy laws.
“Saved our business.”
"Easy to use!"
"Accountable is a no brainer."

Get started with Accountable today.

The modern platform to manage risk and build trust across privacy, security, and compliance.
Get Started Today
Join over 17,000 companies who trust Accountable.

What Kind of Data Does the Bill Apply To?

There is a wide range of data that would be covered under the ADPPA if it were to be put into law.

Covered Data

Inferences drawn only from independent sources of publicly accessible data that do not reveal sensitive covered data with regard to a person are now excluded from the definition of covered data. The recent judgment of the California Attorney General, which said that conclusions made from information that is publicly available must be released in response to an access request, may have served as the impetus for this modification.

Sensitive Covered Data

The definition of "sensitive covered data" has changed in a number of ways, including the removal of information revealing a person's race, ethnicity, national origin, religion, or union membership or nonunion status in a way that is inconsistent with the person's reasonable expectation regarding disclosure of such information. Although the criterion that the covered entity must be aware that the individual is under the age of 17 has been included, the definition still covers information from individuals under the age of 17.

Biometric Data

The term "biometric data" now more closely resembles the phrase "data" as used in the Connecticut Data Privacy Act. In particular, a digital or physical image, an audio or video recording, or data derived from a digital or physical photograph, an audio or video recording, or a video recording that cannot be used to identify a specific person are not considered to constitute biometric data.

Who Would It Apply To?

The ADPPA would require a number of entities to become compliant with the potential new law, including covered entities and service providers that deal with sensitive data.

Covered Entity

Entities "operating in a non-commercial context" are not included in the definition of a covered entity. Additionally, the definition did away with the "common branding" terminology used in the CCPA and CPRA. Governmental agencies, as well as people or organizations operating on their behalf, now have new exemptions.

Service Providers

As mentioned earlier, this new potential law would affect service providers. Service providers are any entities that use or process covered data on behalf of a covered entity under the ADPPA. Service providers are often data processing software vendors.


It is worth noting, especially for our clients, that as the ADPPA is written now, all organizations or individuals who have achieved and maintained HIPAA compliance will also be in compliance with ADPPA. The legislation specifically states that HIPAA compliance will supersede ADPPA compliance. This makes now a great time to assure you’ve ensured your HIPAA compliance so that you are completely covered if this bill does become law. 

Duty of Loyalty

The ADPPA's Section 101 specifies that covered organizations are prohibited from collecting, processing, or transferring protected data unless such actions are deemed to be proportional to specifically stated activities and reasonably necessary. There are currently twelve permitted purposes listed in the provision. Unless an exemption applies, some processing operations are prohibited under Section 102. Sensitive covered data is processed in a variety of ways as part of those processing operations, and sensitive covered data is also sent to other parties.

What Happens Next?

The ADPPA is still being worked on, and it remains unknown how well it will do in the Senate. Despite all the optimism over whether this draft bill and the procedure leading up to it may become law, a number of possible obstacles were brought to light during the most recent session. Each of the eight witnesses described changes they would make to the draft's different elements. These criticisms highlight the flaws in the proposal, but they also show the reality of the continuous stakeholder process that lawmakers are engaged in, despite the bipartisan draft's origins in consultations. 

We will continue to monitor the progress of this bill as it journeys its way through the US government. We will post any and all updates that are released regarding progress or edits to the ADPPA as we have detailed it. 

Like what you see?  Learn more below

The ADPPA, a potential federal data privacy law, could significantly impact US organizations that use or collect private data
How to Respond to a Breach or Cyberattack
CMIA (California Confidentiality of Medical Information Act)
What is a HIPAA Compliance Checklist?
Ten Common HIPAA Compliance Mistakes and Effective Strategies for Mitigation
Safeguarding Your Business: Preventing a Data Incident
What is Personal Data under the GDPR?
Streamlining the Employee Off-boarding Process
Traits and Responsibilities of a GDPR Data Controller
ISO 27001 vs HIPAA
Complying with Texas HB300
Contractors Under CCPA/CPRA
Why was the CCPA Introduced?
HIPAA IT Compliance Checklist
How to Secure Your Company's Email Communication: Best Practices and Strategies
Complying with ISO 27001: Strategies and Best Practices
GDPR Compliance for Startups
What is Personal Information Under the CPRA?
Steps to Ensure Operational Resilience
The CCPA Do Not Sell Requirement
Am I a Data Controller or Data Processor?
Service Providers Under CCPA/CPRA
Why Security Does Not Equal Data Privacy
What Does PHI Stand For?
Common GDPR Compliance Mistakes & Pain Points
"Likely to Result in Risk" Under GDPR
Key Elements of a Data Processing Agreement
What Is a Data Processor?
What is a Business Associate Subcontractor?
What You Need To Know About Browser Cookies
How Long Should You Retain Personal Data?
Operational Risk Management
ADPPA Preview
What is a Data Controller?
Data Protection Impact Assessments (DPIAs)
The Importance of Monitoring External Data Breaches
Fraud Risk Factors
Security Awareness Training
5 Steps to Creating a Vendor Management Process
The 18 PHI Identifiers
Notice of Privacy Practices under HIPAA
Data Subject Access Requests
What is a HIPAA Lawyer?
What You Need to Know About Data Encryption
ISO 27001
Types of Financial Risk
SOC 2 Compliance Mistakes
Data Disaster Recovery Plan
The Truth about Data Security
Business Continuity Plans
Security Risk Assessment Overview
How To Comply With the HIPAA Security Rule
How To Ensure GDPR Compliance
The Complete Guide to PCI Compliance
Data Governance in Healthcare
Why is Personal Data Valuable?
8 Steps To Establish a Risk Management Framework
How To Prevent a Former Employee From Becoming a Security Risk
Vendor Risk Management
4 PCI DSS Compliance Levels
The Difference Between DoS and DDoS Attacks
Internet of Things (IoT) Security
Compliance as a Competitive Advantage
SOC 2 Compliance
Opt-In vs. Opt-Out Data Rights
Five Principles of Risk Management
5 Habits of an Effective Privacy Officer
Principles of Data Governance
Data Protection Officer vs. HIPAA Privacy Officer
Personally Identifiable Information (PII)