The American Data Privacy and Protection Act (“ADPPA”), the most recent proposed federal privacy law, is gaining support. In late July 2022, the House Committee on Energy and Commerce voted to send the bill to the full House. This is the first time a comprehensive privacy law will be put to a full chamber vote in either the House or the Senate.
This article’s goal is to highlight a few ADPPA standards that could force businesses to improve or adjust their data privacy strategies. Whether the ADPPA materialises should become clear later this year, and companies will be better prepared if they are aware of the potential consequences.
Executive Responsibility, Section 301: A large data holder is one that processes the covered data of 5 million people and generates $250 million in income. The Federal Trade Commission (“FTC”) will require large data holders to certify on an annual basis that their organisation maintains internal controls that are reasonably designed to comply with the ADPPA, as well as internal reporting structures that guarantee the certifying executive officer is involved in, and accountable for, the decisions that affect the large data holder’s compliance.
Analysis: If the large data holder has an internal audit function, we predict that this function will play a significant role in assessing the organisation’s privacy programme, and the annual internal audit plan will include a section on data privacy. Most large data holders will probably rely on third-party evaluations, in cooperation with the internal audit function, to support the yearly certification process.
Data Retention, Section 208: Organisations must “dispose of covered data in accordance with a retention schedule that shall require the deletion of covered data when such data is required to be deleted by law or is no longer necessary for the purpose for which the data was collected,” according to Section 208 (Data Security and Protection of Covered Data).
Analysis: Existing privacy laws already stress the importance of erasing personal data once it is no longer required to fulfil the purpose for which it was gathered; examples are the General Data Protection Regulation (“GDPR”) and the California Privacy Rights Act (“CPRA”). However, neither the GDPR nor the CPRA states that covered data must be deleted in accordance with a “retention schedule.” To comply with the ADPPA, organisations must modernise their retention schedules and operationalise record retention and data disposition as a working process, not just a written policy.
Analysis: This requires no further justification. For organisations focusing on the privacy principle of openness and streamlining the overall goal of their privacy programme, we think this is a positive step forward for the customer as well.
Privacy by Design – Policies, Practices, and Procedures, Section 103: “A covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures that…mitigate privacy risks, including substantial privacy risks, related to the products and services of the covered entity or the service provider, including in the design, development, and implementation of such policies, practices, and procedures.” As part of their GDPR/CCPA/CPRA modernisation efforts, we have already assisted numerous clients with this. However, the language addressing Privacy by Design in those earlier rules was less precise than what we find in the ADPPA.
Other important components of the ADPPA include:
Privacy Impact Assessments: Impact assessments were largely inspired by the GDPR, and comparable requirements are found in the majority of US state laws that will take effect in 2023. As a result, businesses ought to be well along in creating a repeatable PIA procedure.
Permissible Purposes: The “Permissible Purposes” section of the ADPPA lists the reasons for which a covered entity may collect, use, or transfer covered data. This list closely resembles the legal bases for processing found in the GDPR. For instance, the ADPPA permits the collection of data to complete a transaction, to fulfil a legal requirement, and to carry out scientific research; the list continues with items such as conducting a product recall and fulfilling a warranty.
Analysis: Under the ADPPA, we will likely need to assign each record in a U.S.-centric data inventory a permissible purpose. This is similar to how privacy professionals previously built records of processing activities under GDPR Article 30, where a legal basis is assigned to each processing activity. We can picture a situation in which regulators request such an inventory as part of an enforcement action.
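As an added illustration (not part of the original article or any vendor's tooling) of how a purpose-tagged inventory and a retention schedule can be operationalised together: each inventory record carries one permissible purpose, the schedule is keyed by purpose, and a legal deletion mandate or a legal hold overrides the clock. The purpose names, retention periods and record flags are constructed assumptions, not values from the Act.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule keyed by permissible purpose.
# Purpose names and periods are placeholders, not values from the ADPPA.
RETENTION_DAYS = {
    "complete_transaction": 365,
    "fulfil_legal_requirement": 7 * 365,
    "product_recall": 2 * 365,
    "warranty": 3 * 365,
}


@dataclass
class InventoryRecord:
    record_id: str
    purpose: str                     # exactly one permissible purpose per record
    collected_on: date
    purpose_fulfilled: bool = False  # e.g. the transaction has closed
    legal_hold: bool = False         # law or litigation requires keeping it
    deletion_required: bool = False  # law requires deleting it (e.g. a valid request)


def disposition(rec: InventoryRecord, today: date) -> str:
    """Return 'delete', 'retain' or 'review' for one inventory record."""
    if rec.purpose not in RETENTION_DAYS:
        # No assigned permissible purpose: the record cannot be justified,
        # so route it to a human rather than silently keeping or deleting it.
        return "review"
    if rec.deletion_required and rec.legal_hold:
        # Conflicting legal mandates are a policy decision, not an automatic one.
        return "review"
    if rec.deletion_required:
        return "delete"              # "required to be deleted by law"
    if rec.legal_hold:
        return "retain"
    if rec.purpose_fulfilled:
        return "delete"              # "no longer necessary for the purpose"
    expiry = rec.collected_on + timedelta(days=RETENTION_DAYS[rec.purpose])
    return "delete" if today >= expiry else "retain"


def run_retention(inventory, today: date) -> dict:
    """Evaluate the whole inventory; the result is the disposal worklist."""
    return {rec.record_id: disposition(rec, today) for rec in inventory}
```

The worklist returned by run_retention is the artefact an internal audit function or a third-party assessor could sample against the schedule when supporting the annual certification.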
Data Protection and Security, Section 208: The ADPPA is more specific about what a security programme must contain than previous data privacy rules. For instance, the ADPPA specifies procedures for identifying vulnerabilities, taking preventive and corrective measures, and reviewing the effectiveness of those measures.
We would welcome the ADPPA’s passage because it would give our clients a uniform set of guidelines to follow. If the ADPPA is passed, enterprises can concentrate on higher-level tasks, such as building procedures to erase personal information at scale, rather than trying to comply with the requirements of each incremental new state law. Although these systems demand significant effort, they are among the few that can actually improve both privacy and cyber risk.