The American Data Privacy and Protection Act (“ADPPA”), the most recent proposed federal privacy law, is gaining support. In late July 2022, the House Committee on Energy and Commerce decided to send the bill to the House. [1] This is the first time a comprehensive privacy law will be put up for a full chamber vote in either the House or the Senate. [2]
This article’s goal is to highlight a few ADPPA standards that could force businesses to improve or adjust their data privacy strategies. We should know later this year whether the ADPPA materialises, and companies will be better prepared if they are aware of the potential consequences.
Executive Responsibility, Section 301: A large data holder is one that processes the covered data of 5 million people and generates $250 million in income. The Federal Trade Commission (“FTC”) will require large data holders to certify on an annual basis that their organisation maintains internal controls that are reasonably designed to comply with the ADPPA, as well as internal reporting structures that guarantee the certifying executive officer is involved in, and accountable for, the decisions that affect the large data holder’s compliance.
Analysis: If the large data holder has an internal audit function, we predict that this function will play a significant role in assessing the organisation’s privacy programme, and that the annual internal audit plan will include a section on data privacy. Most large data holders will probably rely on third-party evaluations, in cooperation with the internal audit function, to support the yearly certification process.
Data Retention, Section 208 (Data Security and Protection of Covered Data): Organisations must “dispose of covered data in accordance with a retention schedule that shall require the deletion of covered data when such data is required to be deleted by law or is no longer necessary for the purpose for which the data was collected.”
Analysis: Earlier privacy laws, such as the General Data Protection Regulation (“GDPR”) and the California Privacy Rights Act (“CPRA”), stress the importance of erasing personal data once it is no longer required to fulfil the purpose for which it was gathered. However, neither the GDPR nor the CPRA makes it explicit that covered data should be deleted in accordance with a “retention schedule.” To comply with the ADPPA, organisations must modernise their retention schedules and operationalise the corresponding record retention and data disposition processes.
Transparency: Section 202 sets out a number of standards for the content and clarity of the privacy policy, and for the process of notifying individuals of subsequent changes to it.
Detailed Privacy Policy Content: The covered entity’s or service provider’s privacy policy must state “the length of time the covered entity or service provider intends to retain each category of covered data, including sensitive covered data, or, if it is not possible to identify that timeframe, the criteria used to determine the length of time the covered entity or service provider intends to retain categories of covered data.”
Analysis: The CPRA uses similar phrasing, which has prompted several major brands to concentrate on mass data deletion. The California Consumer Privacy Act (CCPA), which compelled businesses to include charts in their privacy policies outlining the categories of personal information collected, the business purpose for each category, and whether it is sold, also includes categorical requirements that are echoed elsewhere in Section 202’s language on the contents of a privacy policy. It is interesting to note that, by coupling the term “retention schedule” with the retention period disclosure requirements for privacy policies, the ADPPA implies that firms should actually be erasing data. Given the lack of advancement in this area by many organisations and the challenge of putting in place an effective records management programme, compliance in this area may be simple.
Notification of Privacy Policy Changes: “With regard to any prospectively collected covered data, if a covered entity makes a material change to its privacy policies or practices, it is required to notify each individual affected by the change before putting the change into effect and to give them a reasonable opportunity to withdraw their consent.
Additionally, starting from the day this Act was enacted, each significant data holder must keep copies of earlier iterations of its privacy policy for at least ten years and post them online. Such big data holder shall maintain a log indicating the date and substance of each material modification to its privacy policy over the preceding ten years and shall make such log publicly available, in a manner that is clear, noticeable, and easily accessible.”
Analysis: These requirements can be implemented in a fairly simple manner. A firm could, for instance, email its clientele to inform them of privacy policy changes, and a current privacy policy can keep track of, and link to, its previous versions. We have highlighted this language because it is absent from the CCPA and the GDPR.
Clarity: In addition to the privacy policy requirements in Section 202 (which contains a long list of requirements similar to those in the GDPR and CCPA), a large data holder that is a covered entity “shall provide a short form notice of its covered data practices in a manner that is— no more than 500 words in length.”
Analysis: This requires no further justification. For organisations focusing on the privacy principle of openness and streamlining the overall goal of their privacy programme, we think this is also a positive step forward for the customer.
Privacy by Design – Policies, Practices, and Procedures, Section 103: “A covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures that…mitigate privacy risks, including substantial privacy risks, related to the products and services of the covered entity or the service provider, including in the design, development, and implementation of such policies, practices, and procedures.” As part of their GDPR/CCPA/CPRA modernisation efforts, we have already assisted numerous clients with this. However, the language addressing these Privacy by Design standards in those earlier rules was less precise than what we find in the ADPPA.
Other important components of the ADPPA include:
Privacy Impact Assessments: Impact assessments were largely inspired by the GDPR, and comparable requirements are found in the majority of US state laws that will take effect in 2023. As a result, businesses ought to be well along in creating a repeatable PIA procedure.
Permissible Purposes: The “Permissible Purposes” section of the ADPPA lists the reasons for which a covered entity may collect, use, or transfer covered data. This list closely resembles the legal bases for processing found in the GDPR. For instance, the ADPPA permits the collection of data to complete a transaction, to fulfil a legal requirement, and to carry out scientific research. The ADPPA list continues with items such as conducting a product recall and fulfilling a warranty.
Analysis: Under the ADPPA, we will likely need to assign a permissible purpose to each record in a U.S.-centric data inventory. This is similar to how privacy professionals previously developed records of processing activities in accordance with GDPR Article 30, where a legal basis is assigned to each processing activity. We can envision regulators requesting such data as part of an enforcement action.
Section 208, Data Protection and Security: The ADPPA is more detailed about what a security programme should contain than previous data privacy rules. For instance, the ADPPA specifies procedures for identifying vulnerabilities, taking preventive and corrective measures, and reviewing the effectiveness of those measures.
We would welcome the ADPPA’s passage, since it would give our clients a uniform set of guidelines to follow. If the ADPPA is passed, enterprises can concentrate on higher-level tasks, such as creating procedures to erase personal information at scale, rather than trying to comply with the requirements of each incremental new state law. Although these systems demand significant effort, they are among the few that can actually improve both privacy and cyber risk.