While many U.S. state laws provide privacy protection for the residents of the relevant state, the American Data Privacy and Protection Act (ADPPA) is a bipartisan bill that is set to become the first comprehensive federal privacy legislation that protects the privacy of all U.S. consumers.
This article will explain what the ADPPA is, who it applies to, what it requires, steps you can take to comply with the ADPPA, and how to write an ADPPA-compliant Privacy Policy, as well as what penalties businesses can face for non-compliance.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
What is the American Data Privacy and Protection Act (ADPPA)?
The ADPPA is a U.S. federal data privacy bill that is designed to protect consumers' personal data. It gives U.S. consumers privacy rights concerning the use of their personal data and relies on an oversight system that allows for its effective enforcement.
If passed, the ADPPA will preempt any similar state laws. This means that the Federal Trade Commission (FTC) - the ADPPA's enforcement agency - would be responsible for penalizing any business that breaks a rule that appears in both a state law and the ADPPA.
For example, the ADPPA requires businesses to maintain a clearly written and easily accessible Privacy Policy on their websites, while the California Consumer Protection Act (CCPA) requires businesses to inform consumers of their privacy rights either via a Privacy Policy or by posting the information elsewhere on their website. If a business that caters to California residents fails to maintain a Privacy Policy, it would then be up to the FTC - not the California Attorney General - to enforce the law.
Who Does the American Data Privacy and Protection Act (ADPPA) Apply to?
The ADPPA applies to what it defines as "covered entities," which includes any entity or individual that collects and processes covered data, either directly, or on behalf of another organization:
According to the Exclusions section of the bill, government agencies are not required to comply with the ADPPA:
What is 'Covered Data'?
Covered data is any information or device that can be used to identify an individual, either on its own or in combination with other information or devices. Data that has been de-identified (meaning it has had personal information removed), employee information, or information that is publicly available is not included under the ADPPA's definition of covered data.
Sensitive covered data is a special category of covered data that includes personal information that is not made publicly available, such as:
- Social security, driver's license, and passport numbers
- Personal health or financial information
- Biometric data, such as fingerprints or voice or retinal scans
- Exact geolocation information
- Private communication information concerning emails, text or direct messages, phone calls, and voicemails
What Does the American Data Privacy and Protection Act (ADPPA) Require?
The ADPPA requires that covered entities follow its rules in four different areas:
- Data minimization
- Loyalty duties
- Privacy By Design
- Loyalty to individuals with respect to pricing
Let's look at each in further detail.
Data Minimization
The ADPPA requires businesses to only collect that information which is essential to providing a service or product or communicating with individuals, or for any number of "permissible purposes."
This is referred to as data minimization:
Permissible purposes for collecting, processing, or transferring data include the following:
- Completing transactions
- Performing system maintenance
- Conducting research
- Fixing bugs
- Protecting users from spam, fraud, harassment, and security risks
- Authenticating users
- Fulfilling warranties
- Complying with legal obligations
Loyalty Duties
Loyalty duties consist of a list of data practices that the ADPPA prohibits except in certain situations. These prohibited practices include collecting sensitive personal information or transferring it to a third party, and collecting, processing, or transferring users' personal internet browsing history:
Privacy By Design
The ADPPA requires covered entities to take special care with minors' privacy, take steps to reduce privacy risks in general, and comply with all applicable privacy laws. This is referred to as Privacy By Design, and is a common best practice.
Loyalty to Individuals With Respect to Pricing
This section of the ADPPA lets covered entities know that they cannot provide consumers with conditional services or prices:
Next, let's look at some of the key things you can do - or must do - to comply with the ADPPA if it applies to you. Here are some of our top tips for compliance.
How to Comply With the American Data Privacy and Protection Act (ADPPA)
First and foremost, you should make sure that your business has a Privacy Policy made publicly available on your website. If you are a large data holder, you should keep a short-form Privacy Policy of under 500 words on your website that summarizes your full policy in a concise, clear way.
In addition, all businesses should give users a way to access, edit, or delete their personal information, as well as let users know how they can opt out of having their personal information processed, transferred, or shared.
You will also need to have a process in place to help ensure that you do not collect any covered data from users under the age of 17.
Here's more detailed information about these key aspects of compliance.
Maintain a Privacy Policy
The ADPPA requires covered entities and service providers to maintain a Privacy Policy on their websites that specifically includes information about:
- What kind of data they collect or process and why
- Who they share data with
- How long they retain the data they collect or process
- How users can exercise their rights as outlined in the act
- What kind of security practices they use
- The effective date of the Privacy Policy
- Whether the data they collect is transferred to or processed or shared in China, Iran, North Korea, or Russia
- How to contact them
Here's how the ADPPA summarizes this requirement:
Privacy Policy Rules for Large Data Holders
Large data holders are defined as covered entities or service providers that make $250 million or more each year and collect, process, or transfer the personal data of more than 5 million individuals or devices and the sensitive covered data of more than 200,000 individuals or devices.
In addition, large data holders need to make sure to keep published, easily accessible copies of all of their Privacy Policies for the previous 10 years available on their websites.
They also need to provide short-form notices to their consumers that:
- Are clearly written
- Are easily accessible
- Include information about data practices that consumers might not expect
- Include information about sensitive covered data practices
- Are less than 500 words long
You should make sure that you maintain a regularly updated Privacy Policy that reflects any new privacy laws or changes made to existing privacy legislation.
Provide Users With a Method of Accessing Their Data
You should give users a simple and convenient way to access, edit, or delete the information you collect from them.
One way to do this is by including instructions within your Privacy Policy, as Earthley does in the Accessing and Correcting Your Information clause of its Privacy Policy:
Let Users Know How They Can Opt Out
You should let users know how they can opt out of the processing and transferring of their personal information, as well as give them the option to decline targeted advertising.
Hasbro's Privacy Policy contains a clause about information choices that lets users know how they can review or update their stored personal information or make a data deletion request. It also informs users how they can adjust their cookie preferences and opt out of promotional communications:
Don't Collect Minors' Data
The ADPPA requires organizations to follow the Children's Online Privacy Protection Rule (COPPA), which has specific requirements that businesses must meet whenever they collect personal information from children:
Designate Privacy and Data Security Officers
The ADPPA requires covered entities to designate a privacy officer and a data security officer whose jobs are to create and implement data and privacy protection programs in order to ensure compliance with its rules:
Now we'll turn to the Privacy Policy requirement and look at how to create your own compliant Privacy Policy.
How to Write a Privacy Policy that Complies with the American Data Privacy and Protection Act (ADPPA)
One of the best ways you can ensure ADPPA compliance is to keep a comprehensive, clearly written, and regularly updated Privacy Policy on your website. There are a few essential clauses that your Privacy Policy must include in order to be ADPPA-compliant, which we will look at below.
Your Privacy Policy will also need to include an effective date, be provided in the language(s) that your consumers speak, and be easily accessible to any users with disabilities.
Finally, you will need to make sure that you keep your Privacy Policy updated and make users aware of any changes that you make to your Privacy Policy.
What Data You Collect
In order to comply with the ADPPA, you need to make sure that your Privacy Policy contains information about the kinds of data you collect.
Yeti's Privacy Policy lets users know what types of information it collects about them:
Be as detailed as possible in this clause. If you collect a lot of data, consider breaking the clause down even further into sections that address information collected automatically, information the users give to you voluntarily, or information collected via cookies.
You should let users know how long you keep their data, and what you do with it once it has fulfilled its purposes.
Why You Collect Data
Your Privacy Policy needs to describe the reasons why you collect users' personal data. In essence, this will be information about how you use the data, or for what purposes.
Here's how Clorox describes what it does with the data it collects in its How We Use and Process Information clause:
Who You Share Data With
You should clearly identify any third parties or service providers that you share the data you collect with. Most businesses give the category of third parties, such as payment processors or analytics programs. However, some give specific names of third parties as well as links to the other party's user agreements or Privacy Policy.
Here's how Clorox presents this information:
Under the ADPPA, you will also need to disclose whether you share the information you collect with China, Iran, North Korea, or Russia.
Users' Rights
To stay compliant with the ADPPA, you will need to inform users what their privacy rights are under the act. These include a number of rights commonly granted by other privacy laws, such as the right to access the information the company holds about the user, to correct inaccurate information, and to opt out of having their data sold.
Starbucks' Privacy Statement details its users' rights under its Your Choices and Rights clause:
How You Keep Data Safe
You will need to make sure that your Privacy Policy contains information about the security processes you use to keep the data you collect safe. You don't have to detail the exact processes and procedures you have in place, but at a minimum you should state that you do take such steps and have such processes and procedures in place.
Target's Privacy Policy lets users know that it takes measures to keep the data it collects or transmits safe, and that it does not purposefully collect information from children under the age of 13:
Contact Information
You should give people at least one way to get in contact with you should they have any questions, concerns, or requests concerning their data, and these contact methods should be disclosed within your Privacy Policy.
The Questions, Feedback, and Metrics section of Nike's Privacy Policy provides users with a link to its Webform, its Consumer Services phone number, the address to its Privacy Office, and an email specifically for privacy-related concerns:
Make sure you display your Privacy Policy somewhere easy to locate, such as in your website footer. You can also place it near areas where you collect personal information, such as near a contact form or account login area.
Use an "I Agree" checkbox to get users to agree to your privacy terms for added security and compliance.
Penalties for Not Complying With the American Data Privacy and Protection Act (ADPPA)
The FTC can penalize businesses that don't comply with the ADPPA with fines of up to $46,517 per violation.
The FTC will be the agency responsible for enforcing the ADPPA through a new bureau created specifically for the purpose of enforcing the Act. The Bureau of Privacy can penalize non-compliant businesses by fining them under the Federal Trade Commission Act.
Summary
The ADPPA is federal privacy legislation that is designed to protect U.S. consumers' privacy and personal data.
The ADPPA applies to what it defines as "covered entities," which includes any organization, individual, or third party that collects, processes, or transfers U.S. consumers' personal information.
Covered data is any information that can be used on its own or with other pieces of information to identify an individual. Sensitive covered data is private personal information such as social security numbers, health data, and credit or debit card numbers.
The ADPPA requires that covered entities follow its rules pertaining to:
- Data minimization
- Loyalty duties
- Privacy By Design
In order to comply with the ADPPA, you should make sure that you maintain a clearly written and regularly updated Privacy Policy on your website. You should give users a way to access, edit, and delete their data, and let users know how they can opt out of the processing, transferring, and sharing of their data. Make sure to avoid intentionally collecting minors' data. Also make sure that your company has a designated privacy officer and data security officer.
Your ADPPA-compliant Privacy Policy should include the following information:
- What kinds of data you collect
- What you do with the information you collect
- What third parties you share data with
- How you keep the information you collect safe
- What users' privacy rights are
- How to contact you
Failure to comply with the ADPPA can result in fines of up to $46,517 per violation.