While many U.S. state laws provide privacy protection for the residents of the relevant state, the American Data Privacy and Protection Act (ADPPA) is a bipartisan bill that is set to become the first comprehensive federal privacy legislation that protects the privacy of all U.S. consumers.
- 1. What is the American Data Privacy and Protection Act (ADPPA)?
- 2. How Will the American Data Privacy and Protection Act (ADPPA) Affect U.S. State Laws?
- 3. Who Does the American Data Privacy and Protection Act (ADPPA) Apply to?
- 4. Who Does the American Data Privacy and Protection Act (ADPPA) Not Apply to?
- 5. Do Small Businesses Have to Comply With the American Data Privacy and Protection Act (ADPPA)?
- 6. What is 'Covered Data' Under the American Data Privacy and Protection Act (ADPPA)?
- 6.1. What is 'Sensitive Covered Data' Under the American Data Privacy and Protection Act (ADPPA)?
- 7. What User Rights Does the American Data Privacy and Protection Act (ADPPA) Grant?
- 8. What Does the American Data Privacy and Protection Act (ADPPA) Require, and How Do You Comply?
- 8.1. Engage in Data Minimization
- 8.2. Be Aware of Loyalty Duties Requirements
- 8.3. Practice Privacy By Design
- 8.4. Don't Discriminate Against Individuals With Respect to Pricing
- 8.6. Comply With Large Data Holders and Metrics Reporting
- 8.7. Follow Third Party Notice and Registration Requirements
- 8.8. Comply With the Covered Algorithm Impact Assessment Requirement
- 8.9. Provide Users With a Method of Accessing Their Data
- 8.10. Have Security Procedures and Protections in Place
- 8.10.1. Designate Privacy and Data Security Officers
- 8.11. Provide a Centralized Opt-Out Method
- 8.12. Don't Collect Minors' Data
- 9.1. What Data You Collect
- 9.2. Why You Collect Data
- 9.3. Who You Share Data With
- 9.4. Users' Rights
- 9.5. How You Keep Data Safe
- 9.6. Contact Information
- 10. Penalties for Not Complying With the American Data Privacy and Protection Act (ADPPA)
- 11. Summary
What is the American Data Privacy and Protection Act (ADPPA)?
The ADPPA is a U.S. federal data privacy bill that is designed to protect consumers' personal data. It gives U.S. consumers privacy rights concerning the use of their personal data and relies on an oversight system that allows for its effective enforcement.
How Will the American Data Privacy and Protection Act (ADPPA) Affect U.S. State Laws?
If passed, the ADPPA will preempt any similar state laws. This means that the Federal Trade Commission (FTC) - the ADPPA's enforcement agency - would be responsible for penalizing any businesses that break a rule that is shared by both a state and the ADPPA.
Who Does the American Data Privacy and Protection Act (ADPPA) Apply to?
The ADPPA applies to what it defines as "covered entities," which includes any entity or individual that collects and processes covered data, either directly or on behalf of another organization.
Who Does the American Data Privacy and Protection Act (ADPPA) Not Apply to?
According to the Exclusions section of the bill, government agencies are not required to comply with the ADPPA.
Do Small Businesses Have to Comply With the American Data Privacy and Protection Act (ADPPA)?
Small businesses are exempt from some requirements of the ADPPA, but not from all of them.
A "small business" under the ADPPA is one that meets all of the following requirements:
- Makes $41,000,000 or less in average gross annual revenue
- Collects or processes data from 200,000 or fewer individuals each year, and
- 50% or less of its total annual revenue comes from transferring data
Small businesses that meet these thresholds are exempt from complying with the following sections:
- Section 203 (a) 4 - Paragraphs (1), (2), and (3) as well as (5), (6), and (7)
- Section 208 (b)
- Section 301 (c)
- Optionally: Section 203 (a)(2)
What is 'Covered Data' Under the American Data Privacy and Protection Act (ADPPA)?
Covered data is any information or device that can be used to identify an individual, either on its own or in combination with other information or devices.
Data that has been de-identified (meaning it has had personal information removed), employee information, or information that is publicly available is not included under the ADPPA's definition of covered data.
What is 'Sensitive Covered Data' Under the American Data Privacy and Protection Act (ADPPA)?
Sensitive covered data is a special category of covered data that includes personal information that is not made publicly available, such as:
- Social Security, driver's license, and passport numbers
- Personal health or financial information
- Biometric data, such as fingerprints or voice or retinal scans
- Exact geolocation information
- Private communication information concerning emails, text or direct messages, phone calls, and voicemails
What User Rights Does the American Data Privacy and Protection Act (ADPPA) Grant?
Users are given the following rights under the ADPPA:
- Right to awareness
- Right to transparency
- Right to access, correct, delete and request
- Right to consent and object
- Right to data protection for minors
What Does the American Data Privacy and Protection Act (ADPPA) Require, and How Do You Comply?
The ADPPA requires that covered entities follow its rules in the following areas:
- Data minimization
- Loyalty duties
- Privacy By Design
- Loyalty to individuals regarding pricing
- Metrics reporting for large data holders
- Third party entities that collect data
- User rights and algorithms
- Data security
- Protections for small businesses
- Opt-out mechanisms
Let's look at these in further detail.
Engage in Data Minimization
The ADPPA requires businesses to collect only the information that is essential to providing a service or product or to communicating with individuals, or that serves one of a number of "permissible purposes."
This is referred to as data minimization.
Permissible purposes for collecting, processing, or transferring data include the following:
- Initiating, managing, and/or completing a transaction as part of fulfilling an order
- Performing system maintenance and diagnostics processes
- Maintaining, repairing, developing or enhancing your products or services
- Conducting research or analytics to improve your products or services
- Performing management of your inventory or networks
- Protecting users from spam
- Repairing and debugging your system to improve functionality of your products or services
- Authenticating your users
- Fulfilling warranties
- Preventing or responding to illegal activities such as fraud, harassment, and general security incidents
- Complying with legal obligations
- Preventing the risk of harm and serious injury
- Conducting research
- Communicating with users in a way they would reasonably expect (not advertising or marketing)
- Ensuring your data is secure
Be Aware of Loyalty Duties Requirements
Loyalty duties consist of a list of data practices which the ADPPA prohibits.
Except in certain situations, these prohibited practices include collecting or transferring sensitive personal information to a third party, and collecting, processing, or transferring users' personal internet browsing history.
The following limits apply:
- Social Security numbers cannot be collected, processed or transferred
- Sensitive data cannot be collected, processed or transferred unless it's strictly necessary
- Sensitive data cannot be transferred to a third party unless affirmative consent to do so has been obtained, or the transfer is legally necessary
- Broadcast television services, cable services, and other video programming services cannot transfer personal data to an unaffiliated third party without first obtaining affirmative consent to do so
Practice Privacy By Design
The ADPPA requires covered entities to take special care with minors' privacy, take steps to reduce privacy risks in general, and comply with all applicable privacy laws.
This is referred to as Privacy By Design, and is a common best practice.
Don't Discriminate Against Individuals With Respect to Pricing
This section of the ADPPA tells covered entities that they cannot punish consumers with conditional services or prices for exercising their granted rights.
However, businesses are allowed to do the following:
- Offer a different set of goods or prices to users who voluntarily participate in a loyalty program
- Offer financial incentives to users for participating in market research
- Offer different types of functionality or pricing when users exercise privacy rights
- Decline to offer a product or service if that product or service requires data collection to provide
Covered entities must also publish a privacy policy that discloses the following:
- What kind of data they collect or process and why
- Who they share data with
- How long they retain the data they collect or process
- How users can exercise their rights as outlined in the act
- What kind of security practices they use
- Whether the data they collect is transferred to, processed in, or shared with China, Iran, North Korea, or Russia
- How to contact them
Here's how the ADPPA summarizes this requirement:
Large data holders are defined as covered entities or service providers that make $250 million or more each year and collect, process, or transfer the personal data of more than 5 million individuals or devices and the sensitive covered data of more than 200,000 individuals or devices.
In addition, large data holders need to make sure to keep published, easily accessible copies of all of their Privacy Policies for the previous 10 years available on their websites.
They also need to provide short-form notices to their consumers that:
- Are less than 500 words long
- Are clearly written
- Are easily accessible
- Include information about data practices that consumers might not expect
- Include information about sensitive covered data practices
Comply With Large Data Holders and Metrics Reporting
If you qualify as a large data holder, you must compile the following data for each prior calendar year and have it ready to review if called upon:
- The number of verified access requests you received
- The number of deletion requests you received
- The number of requests received to opt out of targeted advertising
- The total number of requests you complied with and the total number you denied
- Either the mean or median number of days that it took you to respond to requests you received
Follow Third Party Notice and Registration Requirements
If you're a third party that collects data, you are required to post a notice and complete a registration.
Your notice must be clear and posted accessibly on your website and/or mobile app, and it must do the following:
- Let individuals know that you are a third party collecting entity
- Provide a link to the Commission's website
- Be accessible to people with disabilities
If you collected data from more than 5,000 individuals in the preceding calendar year, you'll need to complete an annual registration before January 31 of the following calendar year.
Comply With the Covered Algorithm Impact Assessment Requirement
If you're a large data holder that uses a covered algorithm that poses a potential risk of harm, you must conduct an impact assessment.
A covered algorithm, as defined by the ADPPA, is a computational process that uses machine learning, AI, or other similar techniques to make decisions and determinations using data.
Your impact assessment will need to disclose the following points of information:
- A detailed description of what data the covered algorithm uses
- Exactly what the purpose and proposed uses of the covered algorithm are
- A general description of what outputs the covered algorithm produces
- Your assessment of how necessary and proportionate the use of the covered algorithm is in relation to the purpose you stated for it
- What steps you will take to mitigate any potential harms that may arise from using the covered algorithm
Provide Users With a Method of Accessing Their Data
You should give users a simple and convenient way to access, edit, or delete the information you collect from them.
Have Security Procedures and Protections in Place
You'll need to implement, establish and maintain security procedures to help ensure data is kept safe. These procedures must be administrative, technical and physical in nature to protect data at all stages.
Designate Privacy and Data Security Officers
The ADPPA requires covered entities to designate a privacy officer and a data security officer whose jobs are to create and implement data and privacy protection programs that ensure compliance with its rules.
Provide a Centralized Opt-Out Method
You should let users know how they can opt out of the processing and transferring of their personal information, as well as give them the option to decline targeted advertising.
You will need to create a centralized opt-out method that meets the following guidelines:
- Informs users about the option to opt out
- Is user-friendly and easy to use to opt out
- Is accessible to people with disabilities and, where applicable, available in a variety of languages
Don't Collect Minors' Data
The ADPPA requires organizations to follow the Children's Online Privacy Protection Rule (COPPA), which has specific requirements that businesses must meet whenever they collect personal information from children.
What Data You Collect
Be as detailed as possible in this clause. If you collect a lot of data, consider breaking the clause down even further into sections that address information collected automatically, information the users give to you voluntarily, or information collected via cookies.
You should let users know how long you keep their data, and what you do with it once it has fulfilled its purposes.
Why You Collect Data
Here's how Clorox describes what it does with the data it collects in its How We Use and Process Information clause:
Who You Share Data With
Here's how Clorox presents this information:
Under the ADPPA, you will also need to disclose whether you share the information you collect with China, Iran, North Korea, or Russia.
To stay compliant with the ADPPA, you will need to inform users what their privacy rights are under the act. These include a number of rights commonly granted by other privacy laws, such as the right to access the information the company holds about the user, to correct inaccurate information, and to opt out of having their data sold.
Starbucks' Privacy Statement details its users' rights under its Your Choices and Rights clause:
How You Keep Data Safe
Use an "I Agree" checkbox to get users to agree to your privacy terms for added security and compliance.
Penalties for Not Complying With the American Data Privacy and Protection Act (ADPPA)
The FTC will be the agency responsible for enforcing the ADPPA through a new bureau created specifically for the purpose of enforcing the Act. The Bureau of Privacy can penalize non-compliant businesses by fining them under the Federal Trade Commission Act.
The ADPPA is federal privacy legislation that is designed to protect U.S. consumers' privacy and personal data.
The ADPPA applies to what it defines as "covered entities," which includes any organization, individual, or third party that collects, processes, or transfers U.S. consumers' personal information.
Covered data is any information that can be used on its own or with other pieces of information to identify an individual. Sensitive covered data is private personal information such as social security numbers, health data, and credit or debit card numbers.
The ADPPA requires that covered entities follow its rules pertaining to:
- Data minimization
- Loyalty duties
- Privacy By Design
- What kinds of data you collect
- What you do with the information you collect
- What third parties you share data with
- How you keep the information you collect safe
- What users' privacy rights are
- How to contact you