The American Data Privacy Protection Act bill, also known as the ADPPA bill, is one of the latest federal privacy bills that could impact businesses and consumers in the US. The goal of the act is to provide users of digital and online services with a foundational right to privacy that’s enforced by federal standards.

As a business owner, it’s important to have a comprehensive understanding of the ADPPA bill in order to prepare for the potential consequences.

What is the ADPPA Bill?

The ADPPA is a data privacy bill that was brought to the US congress with the aim of developing a national data security and privacy framework that protects consumers from exploitation. HR 8152, describes its purpose as follows: “to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.”

This new bill would guarantee the rights of all American citizens on a number of base principles which include data minimization, individual data ownership, as well as the private right of action. The evaluation of whether a business’s internal operations abide by the ADPPA would be your responsibility to ensure.

Has the ADPPA Bill Gone Into Effect Yet?

No, the ADPPA bill was introduced to the House of Representatives on June 21, 2022, and it was amended on December 30, 2022, but has not yet been passed. With the absence of a federal law protecting the privacy and security of consumers’ data, the ADPPA would be the first nationwide data privacy law of its size.

What Data is Included in the ADPPA Bill?

The ADPPA bill would require businesses to minimize the amount of “covered data” that they collect and maintain from users and consumers of their digital products and services. The term “covered data” refers to any information that can be used to identify a person or a device linked to the customer.

This includes basic identity information such as a person’s Social Security Number and Government-issued ID number in addition to any type of identifiable information about minors. As for devices, “covered data” also includes the storage of digital fingerprints, such as a user’s IP address or the type of device or software they’re using.

However, the ADPPA bill’s proposed protections would be limited to consumers and users and wouldn’t apply to employee data or public record information. This also includes the de-identified data exemption. The ADPPA bill would allow a company that collects personally identifiable data to share “anonymized” data with third parties that would then have little trouble de-anonymizing.

How Will the ADPPA Affect Businesses?

If passed, the ADPPA bill would primarily affect businesses and organizations that regularly collect, process, or transfer personal user information. It would operate similarly to other comprehensive state privacy laws, including the California Consumer Privacy Act (CCPA), The Consumer Protection Act (CPA), and the Virginia Consumer Data Protection Act (CSDPA). However, it also applies to a wider range of consumers and businesses.

Generally, the ADPPA would most affect large data holders or companies with a business model that relies on the transferring, processing, or handling of substantial amounts of user data. This also would apply to third-party service providers and collectors.

Any business that fits this characterization would be required to perform and pass regular data privacy and security assessments on their algorithms and storage arrays. The results of these tests could be used as evidence to authorities to prove that your business has all the mandated internal control over data processing and storage. 

1. Data Minimization

Data minimization is one of the key requirements of the ADPPA bill. It requires covered entities to minimize the amount of personal user data they collect in the first place. This means reshaping their processes to only ask for and collect the data that’s absolutely necessary for their work operations, fully excluding personal data.

2. Loyalty Duty Pricing

The ADPPA bill requires companies to offer their services and products at the same rate to all consumers, regardless of whether they agree to the collection, processing, or transfer of their personal data. This is referred to as “loyalty duty pricing” and it aims to prevent companies from exploiting consumers.

3. Privacy by Design

The bill mandates that businesses implement “privacy by design” which means that privacy must be considered during the early stages of the design and development of new digital products and services. This ensures businesses are taking user privacy into account and are less likely to build something compromising.

4. Privacy Officer

Knowledgeable and experienced privacy authorities must become a part of the business in order to oversee and verify all data protection activities. They’re responsible for ensuring your business complies with the ADPPA’s requirements and that all the necessary internal controls are implemented and regularly assessed.

5. Privacy Impact Assessments

Under the ADPPA bill, large data holders are required to regularly conduct Privacy Impact Assessments (PIAs) on their data processing and storage algorithms. A PIA is a comprehensive review of the privacy risks associated with specific data processing activities. It also tests the measures put in place to mitigate those risks.

The purpose of the PIA is to ensure that the privacy rights of individuals are protected and to promote transparency in data processing activities. They also must be conducted before any new data processing activities are implemented.

6. Increased Security Measures

In addition to privacy, the ADPPA bill requires businesses to implement strong security measures to protect personal data from unauthorized access, theft, or other malicious activities. This includes the implementation of access control, advanced network security, encryption, and regular monitoring and testing of security systems.

Businesses must also prove that they’re prepared to quickly respond to security incidents, and take steps to prevent them from happening again in the future.

7. Governance of Children’s Data

The ADPPA bill dedicates special provisions to the protection of data belonging to minors. Businesses that collect, process, or transfer the personal data of individuals under the age of 18 must implement age verification mechanisms in order to obtain parental consent before collecting any data.

Furthermore, they must also provide clear and concise privacy policies that explain how the data of children will be used and protected.

8. No Algorithm Discrimination

Under the ADPPA, businesses are required to provide proof that their algorithms are not discriminatory against users based on race, ethnicity, gender, sexual orientation, or any other protected characteristic.

They must also implement measures to prevent the abuse of data processing algorithms that may lead to discrimination, providing evidence to authorities that their algorithms have been audited and tested to ensure that they do not discriminate.

Consumer Rights Under the ADPPA Bill

The ADPPA bill was proposed in order to provide a number of rights to users and consumers. The act would give consumers the right to know what data is being collected about them and what it’s being used for, as well as the right to access that data. Under the ADPPA, companies would need to be fully transparent whenever users inquire about their personal data and information.

Consumers also have the right to correct their personal data and fix inaccuracies. This ensures no data being processed, transferred, or kept about a user is outdated or incorrect.

In addition, consumers have the right to deletion of their personal data. They can request that companies delete all traces of their data if it’s no longer needed. This is important for protecting consumers’ privacy, allowing them to control the use and retention of their personal data.

Consumers also have the right to data portability, which means that they can take their data with them when they move from one service provider to another. This helps to ensure that they’re able to keep their data up to date and maintain control over the whereabouts of their personal information.

They have the right to consent and object to how their data is being collected, as well as whether it’s being shared with third-party entities without their explicit consent. The ADPPA bill also ensures consumers the right to opt out of data transfers that aren’t necessary to the services they’re provided.

Finally, they have the right to opt out of targeted advertisements without having their access to the digital product or service negatively impacted.

Who Would Enforce the ADPPA?

If passed, the ADPPA regulations will be enforced by the Federal Trade Commission (FTC), which has the authority to take legal action against companies that violate the act. In addition to fines and injunctive relief, the FTC also enables individual users and consumers to file private lawsuits against companies that violated their data privacy and security rights.

What Are the Penalties?

Companies and businesses that violate the ADPPA face penalties imposed by the FTC that range between $40,000 and $50,000. While an exact response to violations isn’t written in the bill, the FTC still has the right to enforce the appropriate punishment.

Rixon Helps Businesses Comply With the ADPPA Bill

Rixon Technology is a provider of advanced data security and privacy solutions to companies handling sensitive user information. Using our vaultless tokenization technology alongside our valuable expertise, we can help you navigate the landscape of data privacy and security regulations.

We offer vaultless tokenization solutions tailored to specific industries: 

Book a demo with Rixon today and start your free trial.