The proposed U.S. federal privacy law, the American Data Privacy and Protection Act (ADPPA), was released as a discussion draft on June 3, 2022 and introduced in the U.S. House of Representatives later that month. In July 2022 it was voted out of the House Energy and Commerce Committee, the first time comprehensive federal data privacy legislation in the United States has advanced that far toward a full chamber vote.
This progression marks a significant milestone on the ADPPA's journey to enactment, as both sides of the House are broadly in favour of it. The only delay on the horizon is the mid-term elections in November, but a number of House representatives are hopeful that the law can pass in full before we say our farewells to 2022.
The aim of the ADPPA is much like that of the GDPR in 2018, whose main purpose was to harmonize data protection law across what were then the EU's 28 member states. The ADPPA has the same aspiration across the fifty U.S. states.
In the absence of federal law, the onus has been on U.S. states to introduce data privacy laws. At the time of writing, five U.S. states have passed comprehensive data protection laws: California, Connecticut, Utah, Virginia, and Colorado. Many other states have privacy bills progressing, albeit on a lengthy multi-stop journey, leaving many small and medium-sized businesses (SMBs) in limbo. In our experience, the SMB sector gets hit the hardest, as these businesses do not have the resources to plan and execute an organizational privacy compliance strategy.
If the federal ADPPA passes into law, it will give businesses in all sectors clear instruction on how to prepare for and meet the new requirements. Like other data protection laws worldwide, the ADPPA is likely to allow a transition period, probably around 12 months, before its compliance criteria are enforced.
Put Your Previous Privacy Efforts to Good Use
Many U.S. organizations with global operations have already implemented compliance programs for the EU GDPR, UK GDPR, and Singapore PDPA, to name a few. As the ADPPA draws heavily on the GDPR's concepts, they should put those policies and frameworks to good use to eliminate duplication of effort when meeting the requirements of the new federal law.
Let's take a look under the hood of the proposed ADPPA and see how it stacks up against the EU and UK GDPR.
At a high level, the GDPR principles of transparency, data minimization, necessity and purpose limitation are adopted by the new ADPPA.
Changes in Definitions
Some of the main differences in terminology are easy to recognize:
- Personal Data is defined as “Covered Data.”
- Data Controller is defined as a “Covered Entity.”
- Data Processor is defined as a “Service Provider.”
- Special Categories of personal data are defined as “Sensitive Covered Data.”
- Data Subjects are defined as “Individuals.”
There are several marked differences in how the ADPPA applies:
Covered Data under the ADPPA excludes employee data and data that is already publicly available.
The term Individuals covers only natural persons residing in the United States.
Covered Entities do not include federal, state or local government bodies.
The ADPPA includes additional categories of Sensitive Covered Data that are not special categories under the GDPR, namely government-issued identifiers (passports, driver's licenses, etc.), financial account numbers, precise geolocation data, private communications, and information identifying an individual as a child under the age of 17.
Covered Entities and Service Providers classed as large data holders have additional obligations placed on them, whereas small and medium-sized organizations are exempt from certain obligations under the ADPPA.
Individuals' rights under the ADPPA are narrower than the data subject rights under the GDPR.
Fines and Penalties
Enforcement is shared rather than resting on a single federal fine schedule: the Federal Trade Commission can treat a violation as an unfair or deceptive practice under the FTC Act, state attorneys general can bring civil actions against the company at fault, and individuals gain a private right of action that starts a set period after the law takes effect. Organizations could therefore be liable for substantial civil penalties and damages for breaching the ADPPA.
Getting expert advice can save your budget thousands of dollars in resource costs.