American Data Privacy and Protection Act (ADPPA)

While many U.S. state laws provide privacy protection for the residents of the relevant state, the American Data Privacy and Protection Act (ADPPA) is a bipartisan bill that is set to become the first comprehensive federal privacy legislation that protects the privacy of all U.S. consumers.

This article will explain what the ADPPA is, who it applies to, what it requires, steps you can take to comply with the ADPPA, and how to write an ADPPA-compliant Privacy Policy, as well as what penalties businesses can face for non-compliance.

What is the American Data Privacy and Protection Act (ADPPA)?

The ADPPA is a U.S. federal data privacy bill that is designed to protect consumers' personal data. It gives U.S. consumers privacy rights concerning the use of their personal data and relies on an oversight system that allows for its effective enforcement.

If passed, the ADPPA will preempt any similar state laws. This means that the Federal Trade Commission (FTC) - the ADPPA's enforcement agency - would be responsible for penalizing any businesses that break a rule that is shared by both a state and the ADPPA.

For example, the ADPPA requires businesses to maintain a clearly written and easily accessible Privacy Policy on their websites, while the California Consumer Protection Act (CCPA) requires businesses to inform consumers of their privacy rights either via a Privacy Policy or by posting the information elsewhere on their website. If a business that caters to California residents fails to maintain a Privacy Policy, it would then be up to the FTC - not the California Attorney General - to enforce the law.

Who Does the American Data Privacy and Protection Act (ADPPA) Apply to?

The ADPPA applies to what it defines as "covered entities," which includes any entity or individual that collects and processes covered data, either directly, or on behalf of another organization:

Congress Gov ADPPA text: Definition of Covered Entity

According to the Exclusions section of the bill, government agencies are not required to comply with the ADPPA:

Congress Gov ADPPA text: Exclusions section

What is 'Covered Data'?

Covered data is any information or device that can be used to identify an individual, either on its own or in combination with other information or devices. Data that has been de-identified (meaning it has had personal information removed), employee information, or information that is publicly available is not included under the ADPPA's definition of covered data.

Sensitive covered data is a special category of covered data that includes personal information that is not made publicly available, such as:

Social security, driver's license, and passport numbers
Personal health or financial information
Biometric data, such as fingerprints or voice or retinal scans
Exact geolocation information
Private communication information concerning emails, text or direct messages, phone calls, and voicemails

What Does the American Data Privacy and Protection Act (ADPPA) Require?

The ADPPA requires that covered entities follow its rules in four different areas:

Data minimization
Loyalty duties
Privacy By Design
Loyalty to individuals with respect to pricing

Let's look at each in further detail.

Data Minimization

The ADPPA requires businesses to only collect that information which is essential to providing a service or product or communicating with individuals, or for any number of "permissible purposes."

This is referred to as data minimization:

Congress Gov ADPPA text: Data Minimization section

Permissible purposes for collecting, processing or transferring data includes the following:

Completing transactions
Performing system maintenance
Conducting research
Fixing bugs
Protecting users from spam, fraud, harassment, and security risks
Authenticating users
Fulfilling warranties
Complying with legal obligations

Loyalty Duties

Loyalty duties consist of a list of data practices which the ADPPA prohibits. Except in certain situations, these data practices include collecting or transferring sensitive personal information to a third party, and collecting, processing, or transferring users' personal internet browsing history:

Congress Gov ADPPA text: Loyalty Duties section

Privacy By Design

The ADPPA requires covered entities to take special care with minors' privacy, take steps to reduce privacy risks in general, and comply with all applicable privacy laws. This is referred to as Privacy By Design, and is a common best practice.

Congress Gov ADPPA text: Privacy By Design section

Loyalty to Individuals With Respect to Pricing

This section of the ADPPA lets covered entities know that they cannot provide consumers with conditional services or prices:

Congress Gov ADPPA text: Loyalty to Individuals With Respect to Pricing section

Next let's look at some of the key things you can do - or must do - to comply with the ADPPA if it applies to you. Here are some of our top tips for compliance.

How to Comply With the American Data Privacy and Protection Act (ADPPA)

First and foremost, you should make sure that your business has a Privacy Policy made publicly available on your website. If you are a large data holder, you should keep a short-form Privacy Policy of under 500 words on your website that summarizes your full policy in a concise, clear way.

In addition, all businesses should give users a way to access, edit, or delete their personal information, as well as let users know how they can opt-out of having their personal information processed, transferred, or shared.

You will also need to have a process in place to help ensure that you do not collect any covered data from users under the age of 17.

Here's more detailed information about these key aspects of compliance.

Maintain a Privacy Policy

The ADPPA requires covered entities and service providers to maintain a Privacy Policy on their websites that specifically includes information about:

What kind of data they collect or process and why
Who they share data with
How long they retain the data they collect or process
How users can exercise their rights as outlined in the act
What kind of security practices they use
The effective date of the Privacy Policy
Whether the data they collect is transferred to or processed or shared in China, Iran, North Korea, or Russia
How to contact them

Here's how the ADPPA summarizes this requirement:

Congress Gov ADPPA text: Content of Privacy Policy section

Privacy Policy Rules for Large Data Holders

Large data holders are defined as covered entities or service providers that make $250 million or more each year and collect, process, or transfer the personal data of more than 5 million individuals or devices and the sensitive covered data of more than 200,000 individuals or devices.

In addition, large data holders need to make sure to keep published, easily accessible copies of all of their Privacy Policies for the previous 10 years available on their websites.

They also need to provide short-form notices to their consumers that:

Are clearly written
Are easily accessible
Include information about data practices that consumers might not expect
Include information about sensitive covered data practices
Are less than 500 words long

You should make sure that you maintain a regularly updated Privacy Policy that reflects any new privacy laws or changes made to existing privacy legislation.

Provide Users With a Method of Accessing Their Data

You should give users a simple and convenient way to access, edit, or delete the information you collect from them.

One way to do this is by including instructions within your Privacy Policy, as Earthley does in the Accessing and Correcting Your Information clause of its Privacy Policy:

Earthley Privacy Policy: Accessing and Correcting Your Information clause

Let Users Know How They Can Opt Out

You should let users know how they can opt out of the processing and transferring of their personal information, as well as give them the option to decline targeted advertising.

Hasbro's Privacy Policy contains a clause about information choices that lets users know how they can review or update their stored personal information or make a data deletion request. It also informs users how they can adjust their cookies preferences and opt out of promotional communications:

Hasbro Privacy Policy: What are my information choices clause

Don't Collect Minors' Data

The ADPPA requires organizations to follow the Childrens' Online Privacy Protection Rule (COPPA), which has specific requirements that businesses must meet whenever they collect personal information from children:

Congress Gov ADPPA text: COPPA section

Designate Privacy and Data Security Officers

The ADPPA requires covered entities to designate a privacy officer and a data security officer whose jobs are to create and implement data and privacy protection programs in order to ensure compliance with its rules:

Congress Gov ADPPA text: Designation of Privacy and Data Security Officer section

Now we'll turn to the Privacy Policy requirement and look at how to create your own compliant Privacy Policy.

How to Write a Privacy Policy that Complies with the American Data Privacy and Protection Act (ADPPA)

One of the best ways you can ensure ADPPA compliance is to keep a comprehensive, clearly written, and regularly updated Privacy Policy on your website. There are a few essential clauses that your Privacy Policy must include in order to be ADPPA-compliant, which we will look at below.

Your Privacy Policy will also need to include an effective date, be provided in the language(s) that your consumers speak, and be easily accessible to any users with disabilities.

Finally, you will need to make sure that you keep your Privacy Policy updated and make users aware of any changes that you make to your Privacy Policy.

What Data You Collect

In order to comply with the ADPPA, you need to make sure that your Privacy Policy contains information about the kinds of data you collect.

Yeti's Privacy Policy lets users know what types of information it collects about them:

Yeti Privacy Policy: Information we collect about you and how we collect it clause

Be as detailed as possible in this clause. If you collect a lot of data, consider breaking the clause down even further into sections that address information collected automatically, information the users give to you voluntarily, or information collected via cookies.

You should let users know how long you keep their data, and what you do with it once it has fulfilled its purposes.

Why You Collect Data

Your Privacy Policy needs to describe the reasons why you collect users' personal data. In essence, this will be information about how you use the data, or for what purposes.

Here's how Clorox describes what it does with the data it collects in its How We Use and Process Information clause:

Clorox Privacy Policy: How We Use and Process Information clause excerpt

Who You Share Data With

You should clearly identify any third parties or service providers that you share the data you collect with. Most businesses give the category of third parties, such as payment processors or analytics programs. However, some give specific names of third parties as well as links to the other party's user agreements or Privacy Policy.

Here's how Clorox presents this information:

Under the ADPPA, you will also need to disclose whether you share the information you collect with China, Iran, North Korea, or Russia.

Users' Rights

To stay compliant with the ADPPA, you will need to inform users what their privacy rights are under the act. These rights include a number of rights commonly granted by other privacy laws, including the right to access the information the company holds about the user, to correct inaccurate information, and to opt out of having your data sold.

Starbucks' Privacy Statement details its users' rights under its Your Choices and Rights clause:

Starbucks Privacy Statement: Your Rights clause excerpt

How You Keep Data Safe

You will need to make sure that your Privacy Policy contains information about the security processes you use to keep the data you collect safe. You don't have to specifically detail the exact processes and procedures you have in place, but you should at a minimum make mention that you in fact do take such steps and have such processes and procedures in place.

Target's Privacy Policy lets users know that it takes measures to keep the data it collects or transmits safe, and that it does not purposefully collect information from children under the age of 13:

Target Privacy Policy: How is Your Personal Information Protected clause

Contact Information

You should give people at least one way to get in contact with you should they have any questions, concerns, or requests concerning their data, and these contact methods should be disclosed within your Privacy Policy.

The Questions, Feedback, and Metrics section of Nike's Privacy Policy provides users with a link to its Webform, its Consumer Services phone number, the address to its Privacy Office, and an email specifically for privacy-related concerns:

Nike Privacy Policy: Contact clause

Make sure you display your Privacy Policy somewhere easy to locate, such as in your website footer. You can also place it near areas where you collect personal information, such as near a contact form or account login area.

Use an "I Agree" checkbox to get users to agree to your privacy terms for added security and compliance.

Penalties for Not Complying With the American Data Privacy and Protection Act (ADPPA)

The FTC can penalize businesses that don't comply with the ADPPA with fines of up to $46,517 per violation.

The FTC will be the agency responsible for enforcing the ADPPA through a new bureau created specifically for the purpose of enforcing the Act. The Bureau of Privacy can penalize non-compliant businesses by fining them under the Federal Trade Commission Act.

Congress Gov ADPPA text: Privileges and Immunities section

Summary

The ADPPA is federal privacy legislation that is designed to protect U.S. consumers' privacy and personal data.

The ADPPA applies to what it defines as "covered entities," which includes any organization, individual, or third party that collects, processes, or transfers U.S. consumers' personal information.

Covered data is any information that can be used on its own or with other pieces of information to identify an individual. Sensitive covered data is private personal information such as social security numbers, health data, and credit or debit card numbers.

The ADPPA requires that covered entities follow its rules pertaining to:

Data minimization
Loyalty duties
Privacy By Design

In order to comply with the ADPPA, you should make sure that you maintain a clearly written and regularly updated Privacy Policy on your website. You should give users a way to access, edit, and delete their data, and let users know how they can opt-out of the processing, transferring, and sharing of their data. Make sure to avoid intentionally collecting minors' data. Also make sure that your company has a designated privacy officer and data security officer.

Your ADPPA-compliant Privacy Policy should include the following information:

What kinds of data you collect
What you do with the information you collect
What third parties you share data with
How you keep the information you collect safe
What users' privacy rights are
How to contact you

Failure to comply with the ADPPA can result in fines of up to $46,517 per violation.