American Data Privacy and Protection Act (ADPPA)

While many U.S. state laws provide privacy protection for the residents of the relevant state, the American Data Privacy and Protection Act (ADPPA) is a bipartisan bill that is set to become the first comprehensive federal privacy legislation that protects the privacy of all U.S. consumers.

This article will explain what the ADPPA is, who it applies to, what it requires, steps you can take to comply with the ADPPA, and how to write an ADPPA-compliant Privacy Policy, as well as what penalties businesses can face for non-compliance.

What is the American Data Privacy and Protection Act (ADPPA)?

The ADPPA is a U.S. federal data privacy bill that is designed to protect consumers' personal data. It gives U.S. consumers privacy rights concerning the use of their personal data and relies on an oversight system that allows for its effective enforcement.

How Will the American Data Privacy and Protection Act (ADPPA) Affect U.S. State Laws?

If passed, the ADPPA will preempt any similar state laws. This means that the Federal Trade Commission (FTC) - the ADPPA's enforcement agency - would be responsible for penalizing any businesses that break a rule that is shared by both a state and the ADPPA.

For example, the ADPPA requires businesses to maintain a clearly written and easily accessible Privacy Policy on their websites, while the California Consumer Protection Act (CCPA) requires businesses to inform consumers of their privacy rights either via a Privacy Policy or by posting the information elsewhere on their website. If a business that caters to California residents fails to maintain a Privacy Policy, it would then be up to the FTC - not the California Attorney General - to enforce the law.

Who Does the American Data Privacy and Protection Act (ADPPA) Apply to?

The ADPPA applies to what it defines as "covered entities," which includes any entity or individual that collects and processes covered data, either directly, or on behalf of another organization:

Who Does the American Data Privacy and Protection Act (ADPPA) Not Apply to?

According to the Exclusions section of the bill, government agencies are not required to comply with the ADPPA:

Do Small Businesses Have to Comply With the American Data Privacy and Protection Act (ADPPA) Grant?

Small businesses are exempt from some requirements of the American ADPPA but not from everything.

A "small business" under the American ADPPA is one that meets the following requirements:

• Makes $41,000,000 or less in average gross annual revenue
• Collects or processes data from 200,000 or less individuals each year, and
• 50% or less of its total annual revenue comes from transferring data

Small businesses who meet these thresholds are exempt with complying with the following sections:

• Section 203 (a) 4 - Paragraphs (1), (2), and (3) as well as (5), (6), and (7)
• Section 208 (b)
• Section 301 (c)
• Optionally: Section 203 (a)(2)

What is 'Covered Data' Under the American Data Privacy and Protection Act (ADPPA)?

Covered data is any information or device that can be used to identify an individual, either on its own or in combination with other information or devices.

Data that has been de-identified (meaning it has had personal information removed), employee information, or information that is publicly available is not included under the ADPPA's definition of covered data.

What is 'Sensitive Covered Data' Under the American Data Privacy and Protection Act (ADPPA)?

Sensitive covered data is a special category of covered data that includes personal information that is not made publicly available, such as:

• Social security, driver's license, and passport numbers
• Personal health or financial information
• Biometric data, such as fingerprints or voice or retinal scans
• Exact geolocation information
• Private communication information concerning emails, text or direct messages, phone calls, and voicemails

What User Rights Does the American Data Privacy and Protection Act (ADPPA) Grant?

Users are given the following rights under the American ADPPA:

• Right to awareness
• Right to transparency
• Right to access, correct, delete and request
• Right to consent and object
• Right to data protection for minors

What the American Data Privacy and Protection Act (ADPPA) Requires and How to Comply?

The ADPPA requires that covered entities follow its rules in the following areas:

1. Data minimization
2. Loyalty duties
3. Privacy By Design
4. Loyalty to individuals regarding pricing
5. Privacy Policy/notice requirements
6. Metrics reporting for large data holders
7. Third party entities that collect data
8. User rights and algorithms
9. Data security
10. Protections for small businesses
11. Opt-out mechanisms

Let's look at these in further detail.

Engage in Data Minimization

The ADPPA requires businesses to only collect that information which is essential to providing a service or product or communicating with individuals, or for any number of "permissible purposes."

This is referred to as data minimization:

Permissible purposes for collecting, processing or transferring data includes the following:

• Initiating, managing and/or completing a transaction as part of fulfililng an order
• Performing system maintenance and diagnostics processes
• Maintaining, repairing, developing or enhancing your products or services
• Conducting research or analyics to improve your products or services
• Performing management of your inventory or networks
• Protecting users from spam
• Repairing and debugging your system to improve functionality of your products or services
• Authenticating your users
• Fulfilling warranties
• Preventing or responding to illegal activities such as fraud, harassment, and general security incidents
• Complying with legal obligations
• Preventing the risk of harm and serious injury
• Conducting research
• Communicating with users in a way they would reasonably expect (not advertising or marketing)
• Ensuring your data is secure

Be Aware of Loyalty Duties Requirements

Loyalty duties consist of a list of data practices which the ADPPA prohibits.

Except in certain situations, these data practices include collecting or transferring sensitive personal information to a third party, and collecting, processing, or transferring users' personal internet browsing history:

The following limits are placed:

• Social Security numbers cannot be collected, processed or transferred
• Sensitive data cannot be collected, processed or transferred unless it's strictly necessary
• Sensitive data cnnot be transferred to a third party unless affirmative consent to do so has been obtained, or if the transfer is legally necessary
• Broadcast television services, cable services, and other video programming services cannot transfer personal data to an unaffiliated third party without first obtaining affirmative consent to do so

Practice Privacy By Design

The ADPPA requires covered entities to take special care with minors' privacy, take steps to reduce privacy risks in general, and comply with all applicable privacy laws.

This is referred to as Privacy By Design, and is a common best practice.

Don't Discriminate Against Individuals With Respect to Pricing

This section of the ADPPA lets covered entities know that they cannot punish consumers with conditional services or prices for exercising their granted rights:

However, businesses are allowed to do the following:

• Offer a different set of goods or prices to users to voluntarily participate in a form of a loyalty program
• Offer financial incentives to users for participating in market research
• Offer different types of functionality or pricing when users exercise privacy rights
• Decline to offer a product or service if that product or service requires data collection to provide

Comply With Privacy Policy/Notice Requirements

The ADPPA requires covered entities and service providers to maintain a publicly-available Privacy Policy on their websites that specifically includes information about:

• What kind of data they collect or process and why
• Who they share data with
• How long they retain the data they collect or process
• How users can exercise their rights as outlined in the act
• What kind of security practices they use
• The effective date of the Privacy Policy
• Whether the data they collect is transferred to or processed or shared in China, Iran, North Korea, or Russia
• How to contact them

Here's how the ADPPA summarizes this requirement:

Privacy Policy Rules for Large Data Holders

Large data holders are defined as covered entities or service providers that make $250 million or more each year and collect, process, or transfer the personal data of more than 5 million individuals or devices and the sensitive covered data of more than 200,000 individuals or devices.

In addition, large data holders need to make sure to keep published, easily accessible copies of all of their Privacy Policies for the previous 10 years available on their websites.

They also need to provide short-form notices to their consumers that:

• Are less than 500 words long
• Are clearly written
• Are easily accessible
• Include information about data practices that consumers might not expect
• Include information about sensitive covered data practices

You should make sure that you maintain a regularly updated Privacy Policy that reflects any new privacy laws or changes made to existing privacy legislation.

Comply With Large Data Holders and Metrics Reporting

If you qualify as a large data holder, you must compile the following data for each prior calendar year and have it ready to review if called upon:

• The number of verified access requests you received
• The number of deletion requests you received
• The number of requests received to opt out of targeting advertising
• The number of total requests you both complied with and denied
• Either the mean or median number of days that it took you to respond to requests you received

Follow Third Party Notice and Registration Requirements

If you're a third party that collects data, you are required to post a notice and complete a registration.

Your notice must be clear and posted accessibly on your website and/or mobile app, and it must do the following:

• Let individuals know that you are a third party collecting entity
• Provide a link to the Commission's website
• Be accessible to people with disabilities

If you collected data of more than 5,000 individuals in the preceeding calendar year, you'll need to complete an annual registration before January 31 of the following calendar year.

Comply With the Covered Algorithm Impact Assessment Requirement

If you're a large data holder who uses a covered algorithm that may cause a potential risk of harm, you must conduct an impact assessment.

A covered algorithm as defined by the American ADPPA is a computational process that uses machine learning, AI or other similar techniques to make decisions and determinations using data.

Your impact assessment will need to disclose the following points of information:

• A detailed description of what data the covered algorithm uses
• What the purpose and proposed uses of the covered algorithm is exactly
• A general description of what outputs the covered algorithm produces
• Your assessment of how necessary and proportionate the use of the covered algorithm is in relation to the purpose you stated for it
• What steps you will take to mitigate any potential harms that may arise from using the covered algorithm

Provide Users With a Method of Accessing Their Data

You should give users a simple and convenient way to access, edit, or delete the information you collect from them.

One way to do this is by including instructions within your Privacy Policy, as Earthley does in the Accessing and Correcting Your Information clause of its Privacy Policy:

Have Security Procedures and Protections in Place

You'll need to implement, establish and maintain security procedures to help ensure data is kept safe. These procedures must be administrative, technical and physical in nature to protect data at all stages.

Designate Privacy and Data Security Officers

The ADPPA requires covered entities to designate a privacy officer and a data security officer whose jobs are to create and implement data and privacy protection programs in order to ensure compliance with its rules:

Provide a Centralized Opt-Out Method

You should let users know how they can opt out of the processing and transferring of their personal information, as well as give them the option to decline targeted advertising.

You will need to create a centralized opt-out method that meets the following guidelines:

• Informs users about the option to opt out
• Is user-friendly and easy to use to opt out
• Be accessible to people with disabilities and in a variety of languages when applicable

Hasbro's Privacy Policy contains a clause about information choices that lets users know how they can review or update their stored personal information or make a data deletion request. It also informs users how they can adjust their cookies preferences and opt out of promotional communications:

Don't Collect Minors' Data

The ADPPA requires organizations to follow the Childrens' Online Privacy Protection Rule (COPPA), which has specific requirements that businesses must meet whenever they collect personal information from children:

Now we'll turn to the Privacy Policy requirement and look at how to create your own compliant Privacy Policy.

How to Write a Privacy Policy that Complies with the American Data Privacy and Protection Act (ADPPA)

One of the best ways you can ensure ADPPA compliance is to keep a comprehensive, clearly written, and regularly updated Privacy Policy on your website. There are a few essential clauses that your Privacy Policy must include in order to be ADPPA-compliant, which we will look at below.

Your Privacy Policy will also need to include an effective date, be provided in the language(s) that your consumers speak, and be easily accessible to any users with disabilities.

Finally, you will need to make sure that you keep your Privacy Policy updated and make users aware of any changes that you make to your Privacy Policy.

What Data You Collect

In order to comply with the ADPPA, you need to make sure that your Privacy Policy contains information about the kinds of data you collect.

Yeti's Privacy Policy lets users know what types of information it collects about them:

Be as detailed as possible in this clause. If you collect a lot of data, consider breaking the clause down even further into sections that address information collected automatically, information the users give to you voluntarily, or information collected via cookies.

You should let users know how long you keep their data, and what you do with it once it has fulfilled its purposes.

Why You Collect Data

Your Privacy Policy needs to describe the reasons why you collect users' personal data. In essence, this will be information about how you use the data, or for what purposes.

Here's how Clorox describes what it does with the data it collects in its How We Use and Process Information clause:

Who You Share Data With

You should clearly identify any third parties or service providers that you share the data you collect with. Most businesses give the category of third parties, such as payment processors or analytics programs. However, some give specific names of third parties as well as links to the other party's user agreements or Privacy Policy.

Here's how Clorox presents this information:

Under the ADPPA, you will also need to disclose whether you share the information you collect with China, Iran, North Korea, or Russia.

Users' Rights

To stay compliant with the ADPPA, you will need to inform users what their privacy rights are under the act. These rights include a number of rights commonly granted by other privacy laws, including the right to access the information the company holds about the user, to correct inaccurate information, and to opt out of having your data sold.

Starbucks' Privacy Statement details its users' rights under its Your Choices and Rights clause:

How You Keep Data Safe

You will need to make sure that your Privacy Policy contains information about the security processes you use to keep the data you collect safe. You don't have to specifically detail the exact processes and procedures you have in place, but you should at a minimum make mention that you in fact do take such steps and have such processes and procedures in place.

Target's Privacy Policy lets users know that it takes measures to keep the data it collects or transmits safe, and that it does not purposefully collect information from children under the age of 13:

Contact Information

You should give people at least one way to get in contact with you should they have any questions, concerns, or requests concerning their data, and these contact methods should be disclosed within your Privacy Policy.

The Questions, Feedback, and Metrics section of Nike's Privacy Policy provides users with a link to its Webform, its Consumer Services phone number, the address to its Privacy Office, and an email specifically for privacy-related concerns:

Make sure you display your Privacy Policy somewhere easy to locate, such as in your website footer. You can also place it near areas where you collect personal information, such as near a contact form or account login area.

Use an "I Agree" checkbox to get users to agree to your privacy terms for added security and compliance.

Penalties for Not Complying With the American Data Privacy and Protection Act (ADPPA)

The FTC will be the agency responsible for enforcing the ADPPA through a new bureau created specifically for the purpose of enforcing the Act. The Bureau of Privacy can penalize non-compliant businesses by fining them under the Federal Trade Commission Act.

Summary

The ADPPA is federal privacy legislation that is designed to protect U.S. consumers' privacy and personal data.

The ADPPA applies to what it defines as "covered entities," which includes any organization, individual, or third party that collects, processes, or transfers U.S. consumers' personal information.

Covered data is any information that can be used on its own or with other pieces of information to identify an individual. Sensitive covered data is private personal information such as social security numbers, health data, and credit or debit card numbers.

The ADPPA requires that covered entities follow its rules pertaining to:

• Data minimization
• Loyalty duties
• Privacy By Design

In order to comply with the ADPPA, you should make sure that you maintain a clearly written and regularly updated Privacy Policy on your website. You should give users a way to access, edit, and delete their data, and let users know how they can opt-out of the processing, transferring, and sharing of their data. Make sure to avoid intentionally collecting minors' data. Also make sure that your company has a designated privacy officer and data security officer.

Your ADPPA-compliant Privacy Policy should include the following information:

• What kinds of data you collect
• What you do with the information you collect
• What third parties you share data with
• How you keep the information you collect safe
• What users' privacy rights are
• How to contact you