Although the American Data Privacy and Protection Act (ADPPA) is still making its way through the maze of US federal lawmaking, you should be aware of it. Unlike the consumer privacy laws of individual US states, ADPPA would apply to all businesses, no matter how big or small they are.
This means ADPPA will still apply to you even if the CCPA/CPRA, CTDPA, or other privacy regulations do not. It will also have an impact on businesses outside the US that target the American consumer market.
The sooner you are ready, the better off your business will be if the proposed legislation becomes law.
ADPPA requires "covered entities," a catch-all term for any entity subject to the FTC Act, to minimize the amount of "covered data" they collect, process, and transfer. ADPPA defines covered data as "information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals, including derived data and unique identifiers." Under this definition, covered data is similar to the GDPR's "personal data."
Simply put, covered data is any information that can be used to identify a person or a device that can be linked to a person. In practice, covered data could be as simple as government ID numbers or Social Security numbers (SSNs) in private communications, or any information about people under 17 years old. Aside from obvious personal information, this law will also cover data like IP addresses or digital fingerprints.
But ADPPA doesn't cover all of the personal information out there. The following kinds of information are left out: de-identified data, employee data, and publicly available information.
The scope of ADPPA extends to include any and all identifying information.
ADPPA probably applies to your business if you are a US company or a non-US company with US users.
Those who handle personal information in any way, including collection, processing, or transfer, fall under ADPPA's jurisdiction, as well as those who:
Brand owners and trademark licensors are also subject to the ADPPA.
The ADPPA covers more people and organizations than the CCPA, CPA, VCDPA, and other state and federal privacy statutes in the United States. The law applies to anyone, regardless of size, who handles personal data.
For businesses that handle massive volumes of data, however, the ADPPA imposes new obligations. These organizations, known as "large data holders," must perform data privacy impact assessments on their algorithms and provide evidence to authorities that they have implemented strict internal controls over data processing.
Aside from these businesses, ADPPA also applies to service providers and third-party collecting entities.
A service provider is a business that processes user data on your company's behalf.
Your business's service provider is, for example, the company that runs the plugin you use to remember your users' language preferences. Google Analytics and Hotjar, two popular online analytics tools, are examples of service providers. Meta is your service provider if you make use of Meta Pixels.
According to the law, only an entity with which your company has an established business relationship can be considered a service provider. This means subprocessors are excluded from the definition.
Therefore, if you use Hotjar, Hotjar is your service provider, but the companies that help Hotjar deliver its services to you are not your service providers.
"Third-party collecting entity" is the law's term for data brokers. ADPPA classifies businesses that collect and supply data to other businesses as "third-party collecting entities" if they satisfy any of the following criteria:
ADPPA creates obligations for all businesses, but the requirements depend on the business size. These are the general requirements for small businesses, larger-than-small businesses, and large data holders:
Data minimization. Each business will have to process only the minimum amount of data for a specific purpose.
Loyalty duty pricing. No business can change its pricing for users who have waived their privacy rights.
Privacy by design. Products and services must be designed to use as little data as possible and to protect consumers' privacy.
Appointment of a privacy officer. Businesses must designate a person responsible for the company's data privacy practices.
Privacy Impact Assessments. Some businesses have to carry out assessments to determine what steps they need to take to keep data safe.
Data security measures. The scope of the data security measures depends on the business size, the volume of data processing, and other circumstances. All businesses need to have some procedures in place and train employees properly.
Special regime for children's data. Children can't be shown advertising targeted specifically at them, and their information can't be transferred to service providers without their parents' permission.
No algorithmic discrimination. A business can't collect, process, or transfer data in a way that discriminates on the basis of race, color, religion, national origin, gender, sexual orientation, or disability.
Special regime for the processing of certain data categories, including the following:
Some of these requirements won’t apply to small businesses.
A business is considered a small business if it has met all of the following criteria in the past three years:
If your business meets these requirements, you won’t have to comply with the duty to:
ADPPA grants users the following rights:
ADPPA requires each privacy policy to contain a minimum of the following information:
The privacy policy must be written in your users' language and be easy to understand.
If you want to process the collected information for other purposes and you change the privacy policy accordingly, you need to request consent from your users.
The law gives the Attorney General of each state and the Federal Trade Commission the power to enforce it, to the same extent that they already enforce other laws.
This means that they can take action against violations of ADPPA in the same way they would enforce any other law.
Individuals can bring civil actions, including class actions, against any entity that has violated their rights under the law. However, individuals must first send the company a notice to cure. The company then has 45 days to cure the alleged violation. If the violation has been cured, the courts can dismiss the civil action.
However, ADPPA does not prescribe any penalties for violations of the law. It refers to the Federal Trade Commission Act, where the penalties range between $40K and $50K.
The ADPPA has not been passed into law yet. We have yet to see if it gets passed or amended and when the enforcement will begin.
Secure Privacy keeps a close eye on the process and will make sure your business is compliant as soon as it starts putting obligations on your business.