Tag: American Data Privacy and Protection Act

For US-Congress, privacy is top of mind

3. March 2023

The lack of comprehensive federal privacy legislation in the United States continues to be a cause of concern for many, as consumers and industry struggle with the growing patchwork of state laws. With the rise of data breaches, hacking, and other cyber threats, individuals are rightly concerned about the security and privacy of their personal information. As a result, lawmakers in the United States have introduced several data protection bills that could get a second look in Congress.

Several data protection bills

The “Health Data Use and Privacy Commission Act”, sponsored by Senator Bill Cassidy, aims to establish a blue-ribbon panel to recommend changes to health privacy laws. This bill seeks to address the growing concerns about the collection, use, and dissemination of personal health data. The panel would be tasked with evaluating current laws and regulations, identifying gaps and weaknesses, and recommending changes to ensure that individuals’ health data is adequately protected.

The “My Body, My Data Act” would create a new national standard to protect personal reproductive health data. By minimizing the personal reproductive health data that is collected and retained, the bill would prevent this information from being disclosed or misused.

The “Data Care Act” would require websites, apps, and other online providers to take responsible steps to safeguard personal information and stop the misuse of users’ data. This bill seeks to hold companies accountable for their data practices and prevent them from using personal data in ways that could lead to harm. It would require companies to take reasonable steps to safeguard personal data and to disclose how they use and share consumer data.

A national data protection framework remains the main goal

The “American Data Privacy and Protection Act” (ADPPA) was proposed last year, and while it failed to make it to the House floor, it remains the preferred framework for addressing current regulatory shortcomings. The latest Congressional hearing dedicated to privacy, hosted by the House Committee on Energy and Commerce’s new Subcommittee on Innovation, Data and Commerce, discussed the need for comprehensive federal legislation and confirmed that the ADPPA is the only framework being considered at this time.

The hearing also highlighted the industry benefits of a national standard, particularly for small and medium-sized businesses, who are struggling to keep up with the growing state privacy law patchwork. Federal preemption remains a point of contention in ADPPA talks, with several states rejecting proposed preemption last year, most notably California.

The subcommittee also focused on the need to regulate the growing data broker industry, which was characterized as a “multibillion-dollar economy selling consumers’ data with virtually no restrictions or oversight.” The ADPPA carries important provisions on broker disclosure and user opt-out obligations, which are designed to increase transparency and give consumers greater control over their data.

Outlook

The lack of comprehensive federal privacy legislation in the United States continues to be a concern for consumers and industry. As technology continues to advance and new threats emerge, it is essential that lawmakers in the United States take proactive steps to ensure that individuals’ rights to privacy are protected. By passing these bills, Congress can help to establish a framework for data protection that will safeguard individuals’ personal information and prevent abuses of data use. Until now, data protection in the United States has primarily been at the top of the agenda at the state level. California, Colorado, Connecticut, Virginia, and Utah have recently enacted comprehensive data privacy laws. The ADPPA remains the preferred framework for addressing current regulatory incompletion, and there are growing calls for a national standard to avoid the problems that arise with a growing state privacy law patchwork. While federal preemption remains a point of contention, there are hopes that new Republican leadership could bring better odds of the ADPPA making it to the floor in 2023.

U.S. lawmakers unveil bipartisan Data Privacy and Protection Act

30. June 2022

In early June, three of the four chairmen of the U.S. congressional committees responsible for data privacy submitted a drafted American Data Privacy and Protection Act (ADPPA) for consideration. If passed, it would override certain recently enacted privacy laws in some U.S. states.

The draft includes elements of the California Consumer Privacy Act and the European General Data Protection Regulation.

States led the way

Until now, data protection in the United States has primarily been at the top of the agenda at the state level. California, Colorado, Connecticut, Virginia and Utah have recently enacted comprehensive data privacy laws. This year alone, more than 100 privacy bills have already been introduced in the states.  Although not all of these were adopted, the proliferation of state laws and their varying regulatory requirements has led to increasing calls for the adoption of a federal privacy law. A unified federal law, if passed, would provide much-needed clarity to entities and businesses and, ideally, would also stem the tide of class action and other privacy lawsuits brought under various state laws.

Affected Entities

The ADPPA broadly applies (with exceptions) to organizations operating in the United States that collect, process, or transfer personal information and fall into one of the following categories:

  • Subject to the Federal Trade Commission Act
  • Nonprofit organizations
  • So-called Common Carriers, subject to Title II of the Communications Act of 1934

Requirements of the ADPPA (not final)

  • Limit data collection and processing to that which is reasonably necessary
  • Compliance with public and internal privacy regulations
  • Granting consumer rights such as access, correction, and deletion
  • Appeal options
  • Obtaining consent before collecting or processing sensitive data, e.g. geolocation, genetic and biometric information, and browsing history
  • Appointment of a data protection officer
  • Providing evidence that adequate safeguards are in place
  • Registration of data brokers with the Federal Trade Commission (FTC)
  • FTC will establish and maintain a searchable, centralized online public registry of all registered data traders, as well as a “Do Not Collect” registry that will allow individuals to request all data traders to delete their data within 30 days
  • Entities shall not collect, process, or transfer collected data in a manner that discriminates on the basis of race, color, religion, national origin, sex, sexual orientation, or disability
  • Implement appropriate administrative, technical, and physical data security practices and procedures to protect covered data from unauthorized access and disclosure

Outcome still uncertain

Shortly after a draft of the ADPPA was released, privacy organizations, civil liberties groups, and businesses spoke out, taking sides for and against the law.

As the legislative session draws to a close, the prospects for ADPPA’s adoption remain uncertain. Strong disagreement remains among key stakeholders on important aspects of the proposed legislation. However, there is consensus that the United States is in dire need of a federal privacy law. Thus, passage of such legislation is quite likely in the foreseeable future.