Understanding the American Data Privacy and Protection Act
In 2022, the public got a glimpse into the future of US privacy legislation with the American Data Privacy and Protection Act (ADPPA). The bipartisan bill would have created a comprehensive nationwide framework for protecting individual data privacy.
Although the act unfortunately didn’t become a law, it does give us insights into what we might expect from federal lawmakers on the topic of data privacy in upcoming sessions of Congress. In this post, we’ll unravel the proposed legislation, explaining what it would have covered, how it compares to the EU’s laws, and what the future of US data privacy regulations might look like.
What is the American Data Privacy and Protection Act?
Introduced in 2022, the American Data Privacy and Protection Act, or H.R. 8152, was a piece of legislation designed to create a comprehensive data privacy regulation around the use, sharing, and collection of personal data.
The act had bipartisan support, with both Democratic and Republican members of the House Energy and Commerce Committee voting to advance it to the full House of Representatives. It also contained compromises on two previous roadblocks to a national privacy framework: the preemption of state privacy laws and the private right of action.
Unfortunately, the bill never reached the House or Senate floor before the 2022 session of Congress ended. Some members, including Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA), continue to revise the draft in the hope that it will eventually pass, but in its current form it still lacks the support needed to become law.
Key provisions of the American Data Privacy and Protection Act
The ADPPA contained many familiar consumer protections and rights. Much like the GDPR, it would have given individuals the right to access, correct, and delete their personal data. It also would have required universal opt-out mechanisms and "do not collect" mechanisms, strengthening people's ability to control what companies do with their data.
Here are some of the ADPPA’s other key requirements:
- Strict restrictions on the use of sensitive data, heightening protections for categories of data like biometrics, geolocation, financial account numbers, private communications, and more.
- Data minimization, requiring companies to limit the processing of personal data to only what is reasonably necessary and proportionate.
- Civil rights in online spaces, prohibiting data processing that leads to undue discrimination on the basis of race, color, religion, national origin, sex, or disability.
- Protections for children and teens, eliminating targeted advertising to minors younger than 17.
- Data brokerage registration, requiring third-party data brokers to join a national registry created by the Federal Trade Commission.
- Manipulative design restrictions, prohibiting misleading methods of obtaining consent (e.g., dark patterns).
- Data security, requiring organizations to adopt robust data security practices.
- Transparency, requiring covered entities to disclose the type of data they collect, what they use it for, how long they retain it, and more.
There were also a few less common provisions: algorithmic transparency, under which large data holders would have had to conduct algorithmic impact assessments and mitigate potential harms from their algorithms, and executive responsibility, under which a large data holder's leadership would have had to personally certify the company's compliance with the act. Taken together, these requirements would have given Americans vastly more control over their personal data.
The scope of the ADPPA
The bill would have applied to most organizations that process personal data, including nonprofits. Some covered entities, such as large data holders and certain service providers, would have faced additional requirements.
Had it passed, the American Data Privacy and Protection Act would have preempted the hodgepodge of state laws that currently exists. States would not have been permitted to enforce provisions already covered by the ADPPA, effectively subsuming most privacy regulations on the books. The bill provided three means of enforcement: a new Bureau of Privacy at the FTC, state attorneys general, and, in some cases, individuals suing on their own behalf (the private right of action).
The ADPPA vs. the GDPR
Unlike the European Union, which has the General Data Protection Regulation (GDPR), the US lacks a single, overarching data privacy law. Instead, it relies on a patchwork of state laws and sector-specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare and the Gramm-Leach-Bliley Act for financial services.
The ADPPA would have changed the landscape, clearing up the widespread confusion and inconsistency in how personal data is protected across American industries and jurisdictions. Many of its provisions resemble the GDPR's, which could have eased the scrutiny of EU-US data transfers and reduced the litigation surrounding them.
The ADPPA vs. state data privacy laws
To remedy the lack of comprehensive federal legislation around consumer data privacy, nearly a dozen states have passed or are drafting their own data protection laws. Here’s an overview of several of the most notable regulations.
- California: The California Consumer Privacy Act (CCPA), the nation’s first state-level data privacy law, is at the vanguard of personal data protection. Two years after it was passed, it was strengthened by the California Privacy Rights Act (CPRA) to include even more consumer rights.
- Colorado: The Colorado Privacy Act (CPA) protects personal data. Although it largely resembles other state data protection laws, it sets its criteria based not on a business’s annual revenue but rather on how much data processing that business performs.
- Florida: The Florida Digital Bill of Rights is distinct in its narrow scope (it only applies to data processed by a small number of tech giants) and its political requirements for search engine transparency.
- Virginia: The Virginia Consumer Data Protection Act (VCDPA) is the second state data privacy law in the country. It offers an alternative model to California’s, granting more exemptions and removing the private right of action.
The future of US data privacy legislation
Many people wonder whether there’s a new US data privacy law on the horizon. Unfortunately, the short answer is no.
First, it’s unlikely that a brand new piece of data protection legislation will be proposed in 2023. Instead of data privacy, lawmakers have chosen to focus this term on tech issues like foreign ownership of TikTok, the Google monopoly trial, and potential regulations for AI technologies.
Second, the preemption of existing data privacy laws remains a major obstacle in reviving the ADPPA. States with more stringent privacy protections than the ADPPA (e.g., California) would see their consumer protections weakened, and some senators have said they will not vote for the bill on those grounds.
Still, it doesn’t seem impossible that the American Data Privacy and Protection Act might pass in another form in the next few years. Many legislators are in agreement that data privacy remains a pressing issue, and the ever-rising threat of data breaches gives the matter some urgency. In the meantime, we have to look to state data protection regulations to guide the way forward.
How should companies approach data protection in the absence of a federal law?
We’re likely several years away from comprehensive national data protection regulations, but it still pays to be prepared. Even if your business isn’t already bound by state privacy laws or the GDPR, the regulatory landscape continues to change rapidly. What can your company do to prepare?
Conduct thorough data audits. First, it's crucial to understand where your data is stored and how sensitive it is. Surveys suggest that roughly half of companies don't know where all of their data resides. To avoid being among them, build a comprehensive inventory of your data, classify it by sensitivity, and determine which data privacy regulations govern each category.
Implement privacy by design. Next, it’s a good idea to implement privacy by design: a framework that proactively integrates data privacy into your company’s systems, services, and overall culture. Keeping privacy by design at the forefront of your operations can help ensure that you don’t have to later backtrack when a new data privacy law is passed or amended.
Adopt data minimization. A crucial step in safeguarding the sensitive information of customers and clients, data minimization can significantly reduce the risk of data breaches and the exposure of personal information. This principle requires organizations to collect only the minimum amount of data necessary to fulfill their core objectives. While it may be challenging, embracing data minimization can help simplify data management, cut storage costs, build customer trust, and support compliance with existing data protection regulations like the GDPR and CCPA.
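The audit and minimization steps above can be made concrete in code. The following is an added example, not part of the original post or any ShardSecure product: it tags each field of a set of records with one of the sensitive-data categories the ADPPA draft named (biometrics, geolocation, financial account numbers, private communications), builds a field inventory, and then keeps only the fields a declared processing purpose needs. The field names, purpose allow-lists, detection heuristics, and sample records are all assumptions constructed for illustration; a real audit would walk databases, object stores, and log pipelines rather than an in-memory list.

```python
"""Data inventory and minimization over a constructed record set (added example)."""
import re

# Assumed heuristics: a field is tagged by name tokens first, then by value shape.
CATEGORY_HINTS = {
    "biometric": {"fingerprint", "face", "biometric", "voiceprint", "iris"},
    "geolocation": {"lat", "latitude", "lon", "lng", "longitude", "gps", "geo", "location"},
    "financial_account": {"card", "pan", "iban", "routing"},
    "private_communication": {"message", "chat", "body", "dm"},
}
CARD_RE = re.compile(r"^\d{13,19}$")
GEO_RE = re.compile(r"^-?\d{1,2}\.\d+,\s*-?\d{1,3}\.\d+$")

# Assumed allow-lists: the fields each processing purpose actually needs.
PURPOSES = {
    "order_fulfilment": {"user_id", "order_id", "shipping_address"},
    "fraud_check": {"user_id", "order_id", "card_number"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a payment card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_field(name: str, value) -> str:
    """Return the sensitive-data category for one field, or 'other'."""
    tokens = set(re.split(r"[_\-\s]+", name.lower()))
    for category, hints in CATEGORY_HINTS.items():
        if tokens & hints:
            return category
    if isinstance(value, str):
        digits = re.sub(r"[\s-]", "", value)
        if CARD_RE.match(digits) and luhn_ok(digits):
            return "financial_account"  # account number hiding in a free-text field
        if GEO_RE.match(value):
            return "geolocation"
    return "other"


def inventory(records) -> dict:
    """Map each field name to the sorted set of categories observed across records."""
    seen = {}
    for rec in records:
        for name, value in rec.items():
            seen.setdefault(name, set()).add(classify_field(name, value))
    return {name: sorted(cats) for name, cats in seen.items()}


def minimize(record: dict, purpose: str):
    """Keep only the fields the purpose needs; report what was dropped and why it mattered."""
    allowed = PURPOSES[purpose]
    kept = {k: v for k, v in record.items() if k in allowed}
    dropped = {k: classify_field(k, v) for k, v in record.items() if k not in allowed}
    return kept, dropped


def collection_candidates(records) -> list:
    """Fields present in the data that no declared purpose needs: stop collecting them."""
    needed = set().union(*PURPOSES.values())
    seen = {k for rec in records for k in rec}
    return sorted(seen - needed)


# Constructed sample records; values are synthetic (4111... is a standard test number).
SAMPLE_RECORDS = [
    {"user_id": "u-1001", "order_id": "o-77", "shipping_address": "1 Main St",
     "card_number": "4111 1111 1111 1111", "last_known_position": "40.7128,-74.0060",
     "support_chat": "my package never arrived", "face_template": "b64:AAAA",
     "note": "4111111111111111"},
    {"user_id": "u-1002", "order_id": "o-78", "shipping_address": "2 Elm St",
     "card_number": "4111 1111 1111 1112", "last_known_position": "34.0522,-118.2437",
     "support_chat": "thanks", "face_template": "b64:BBBB",
     "note": "4111111111111112"},
]

if __name__ == "__main__":
    for field, cats in inventory(SAMPLE_RECORDS).items():
        print(f"{field:20} {', '.join(cats)}")
    kept, dropped = minimize(SAMPLE_RECORDS[0], "order_fulfilment")
    print("kept:", sorted(kept), "dropped:", dropped)
    print("never needed, stop collecting:", collection_candidates(SAMPLE_RECORDS))
```

Two findings from this run are the kind an audit should surface: the free-text `note` field is tagged as both `financial_account` and `other`, meaning an account number has leaked into a field nobody classified as sensitive, and `face_template`, `last_known_position`, `note`, and `support_chat` are collected although no declared purpose uses them, so the cheapest minimization is to stop collecting them at all rather than to protect them after the fact.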
Choose strong data privacy and security solutions. The ShardSecure platform provides advanced data privacy, security, and resilience for easier compliance with data protection regulations. Our technology offers an innovative approach to file-level encryption, separating data from infrastructure owner and admin access and protecting sensitive data from third parties. ShardSecure also meets the European Data Protection Board’s requirements as a supplemental technology to enable cross-border data transfers under the GDPR.
To learn more about the ShardSecure platform and how it can benefit your company’s data privacy and protection efforts, visit our resources page.