The American Data Privacy and Protection Act (ADPPA): what to expect

We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!

Ever since the bipartisan draft bill of the American Data Privacy and Protection Act (ADPPA) was released earlier this month, there’s been lots of speculation about the impact new data privacy requirements would have on enterprises in the US and beyond. 

One of the most significant changes would be that organizations or “covered entities,” would need to minimize the data they collect, process and transfer “covered data,” which the ADPPA defines as “information identifying, linked, or reasonably linkable to an individual.” 

In practice, covered data could be as simple as government ID numbers or Social Security Numbers (SSNs) to private communications, or any information related to data subjects under 17. 

What would the ADPPA mean for enterprises? 

Much like the General Data Protection Regulation (GDPR), the ADPPA would impose new data protection requirements on enterprises, forcing them to implement new policies to protect covered data from access by unauthorized individuals. 

Event

Transform 2022

Join us at the leading event on applied AI for enterprise business and technology decision makers in-person July 19 and virtually from July 20-28.

“The ADPPA, if enacted, is a pretty big deal – it would represent a much needed step for both individual privacy rights and how enterprises collaborate in the world’s largest digital ecosystem,” said Cerified Information Systems Security Professional (CISSP) and head of Security and Privacy from integrate.ai, Victor Platt. 

Although, the ADPPA could raise significant data protection liabilities, as the definition of covered data is expansive, and there’s a lot of data that can potentially link to an individual or a device. 

As Platt explains, “it codifies a broad definition of covered data and high bars for consent, purpose limitation, and opt-out, high level inscrutable privacy policies will no longer be enough and things you think are not PII today, like unique IDs, will be in the future.” 

In addition, Platt also notes that enterprises will be obligated to demonstrate how they minimize what data they collect, how they protect it, and ensure that transfers of covered data to third parties are subject to opt-outs and enhanced requirements. 

How the ADPPA could protect individual’s data  

On the other side of the coin, the ADPPA would also grant individuals new data privacy rights over their data. 

For instance, “the bill would provide individuals across the United States extensive rights to correct, delete, access, and port personal data,” said Morrison Foerster partner and co-chair of the firm’s Global Risk and Crisis Management group, Alex Iftimie. 

At the same time, it would also give individuals the right to pursue civil action against violations. 

“One of the controversial aspects of this bill is that it offers U.S. residents a private right of action against covered entities for violations – which will allow private parties to enforce provisions of the law via civil litigation,” Iftimie said. 

More broadly, the Federal Trade Commission (FTC) would also be responsible for enforcing penalties on non-compliant organizations. When considering how broad the law is at least in the current draft, the FTC would have lots of opportunities to make judgements on what constitutes a violation and what doesn’t. 

How enterprises can prepare 

While the ADPPA is just a bill, and would require bipartisan agreement to pass, it’s important for enterprises to consider what controls they’d need to meet these potential data protection obligations. 

Out of the new capabilities that would be required, fundamentally, enterprises would need to know how much data was proportional to collect about individuals, and ensure they have a process to minimize its collection, so they can limit it to that which is reasonably necessary. 

Likewise, organizations would also need to prepare to deactivate targeted advertisements, and offer children or minors greater data protection support to ensure their data stays protected.

For now, enterprises will have to wait and see, and as Iftimie points out, it could be quite some time before a decision is made, particularly with congress in recess for most of August and midterm elections beginning in fall. 

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.

Source: Read Full Article