Last year, the public got a glimpse into the future of US privacy legislation with the American Data Privacy and Protection Act (ADPPA). The bipartisan act would have created a robust nationwide regulation for protecting individual data privacy.
Although the act unfortunately didn’t become a law, it does give us insights into what we might expect from federal lawmakers on the topic of data privacy in upcoming sessions of Congress. In this post, we’ll unravel the proposed legislation, explaining what it would have covered, how it compares to the EU’s laws, and what the future of US data privacy regulations might look like.
Introduced in 2022, the American Data Privacy and Protection Act, or H.R. 8152, was a piece of legislation designed to create a comprehensive data privacy regulation around the use, sharing, and collection of personal data.
The act had bipartisan support, with both Democratic and Republican members of the House Energy and Commerce Committee voting to advance it to the full House of Representatives. It also contained compromises on two previous roadblocks to a national privacy framework: the preemption of state privacy laws and the private right of action.
Unfortunately, the bill failed to advance to the House or Senate floor during the 2022 session. Some members of Congress, including Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA), are continuing to update the draft legislation in the hope that it will eventually pass, but in its current form it still lacks the support needed to become law.
The ADPPA contained many familiar provisions on consumer protections and rights. Much like the GDPR, it would have given individuals the right to access, correct, and delete their personal data. It also would have required universal opt-out mechanisms and "do not collect" mechanisms, strengthening people's ability to control what companies do with their data.
Here are some of the ADPPA’s other key requirements:
There were also a few less common provisions: algorithmic transparency, under which large companies would have had to conduct algorithmic impact assessments and mitigate potential harms from their algorithms, and executive responsibility, under which company leadership would have had to personally certify compliance with the act. Taken together, these requirements would have given Americans considerably more control over their personal data.
The bill would have applied to most organizations that process personal data, including nonprofits. Some covered entities, such as large data holders and certain service providers, would have faced additional requirements.
Had it passed, the American Data Privacy and Protection Act would have preempted the hodgepodge of state laws that currently exists. No state would have been permitted to enforce provisions that also existed in the ADPPA, effectively subsuming most privacy regulations on the books. In their place, the law would have provided three means of enforcement: a new Bureau of Privacy at the FTC, state attorneys general, and, in some cases, individuals through independent lawsuits (i.e., a private right of action).
Unlike the European Union, which has the General Data Protection Regulation (GDPR), the US lacks a single, overarching data privacy law. Instead, it relies on a patchwork of state laws and sector-specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare and the Gramm-Leach-Bliley Act for financial services.
The ADPPA would have changed the landscape, clearing up the widespread confusion and inconsistency in how personal data is protected across American industries and jurisdictions. Many of its provisions resemble the GDPR's, which could have eased scrutiny of EU-US data transfers and reduced the legal challenges they attract.
To remedy the lack of comprehensive federal legislation around consumer data privacy, nearly a dozen states have passed or are drafting their own data protection laws. Here’s an overview of several of the most notable regulations.
Many people wonder whether there’s a new US data privacy law on the horizon. Unfortunately, the short answer is no.
First, it's unlikely that a brand new piece of data protection legislation will be proposed in 2023. Instead of data privacy, lawmakers have focused this term on tech issues such as foreign ownership of TikTok, antitrust scrutiny of Google, and potential regulation of AI technologies.
Second, the preemption of existing data privacy laws remains a major obstacle in reviving the ADPPA. States with more stringent privacy protections than the ADPPA (e.g., California) would see their consumer protections weakened, and some senators have said they will not vote for the bill on those grounds.
Still, it doesn’t seem impossible that the American Data Privacy and Protection Act might pass in another form in the next few years. Many legislators are in agreement that data privacy remains a pressing issue, and the ever-rising threat of data breaches gives the matter some urgency. In the meantime, we have to look to state data protection regulations to guide the way forward.
We’re likely several years away from comprehensive national data protection regulations, but it still pays to be prepared. Even if your business isn’t already bound by state privacy laws or the GDPR, the regulatory landscape continues to change rapidly. What can your company do to prepare?
Conduct thorough data audits. First, it's crucial that you understand where your data is stored and how sensitive it is. Research has found that more than 40% of companies don't know where all their data resides. To avoid being in that group, build a comprehensive inventory of your data and determine which data privacy regulations, if any, govern each part of it.
Implement privacy by design. Next, it’s a good idea to implement privacy by design: a framework that proactively integrates data privacy into your company’s systems, services, and overall culture. Keeping privacy by design at the forefront of your operations can help ensure that you don’t have to later backtrack when a new data privacy law is passed or amended.
Adopt data minimization. A crucial step in safeguarding the sensitive information of customers and clients, data minimization can significantly reduce the risk of data breaches and the exposure of personal information. This principle requires organizations to collect only the minimum amount of data necessary to fulfill their core objectives. While it may be challenging, embracing data minimization can help simplify data management, cut storage costs, build customer trust, and support compliance with existing data protection regulations like the GDPR and CCPA.
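The audit and minimization steps above are easier to reason about with a concrete, if small, implementation. The following is an added example, not code from the original post or from ShardSecure: a data-inventory pass that classifies where personal data sits in an export (email addresses, US SSNs, and Luhn-valid payment card numbers), followed by a purpose-based allowlist that keeps only the fields a given processing purpose needs and redacts identifiers left in free text. The record layout, the field names, and the purpose allowlists are constructed for the example; the regexes are deliberately simple and would need tuning before use on real data.

```python
"""Data-audit and data-minimization helpers (illustrative example).

The sample dataset, field names and purpose allowlists are constructed for
this example. The PII detectors are plain regexes plus a Luhn check, not a
substitute for a dedicated data-discovery tool.
"""
import re
from collections import Counter

# Constructed sample export from a hypothetical support-ticket system.
SAMPLE_RECORDS = [
    {"id": 1, "customer_email": "ana@example.com",
     "note": "Customer called from 555-0100.",
     "card": "4111 1111 1111 1111", "issue": "billing"},
    {"id": 2, "customer_email": "ben@example.org",
     "note": "SSN given as 123-45-6789 to verify identity.",
     "card": "", "issue": "login"},
    {"id": 3, "customer_email": "",
     "note": "Asked about shipping times.",
     "card": "1234 5678 9012 3456", "issue": "shipping"},
]

PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-19 digits optionally separated by spaces or dashes; confirmed by Luhn.
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Hypothetical purpose allowlists: which fields each processing purpose may keep.
PURPOSE_ALLOWLIST = {
    "shipping_analytics": {"id", "issue"},
    "support": {"id", "customer_email", "issue", "note"},
}
FREE_TEXT_FIELDS = {"note"}


def luhn_ok(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str) -> set[str]:
    """Return the set of PII categories found in one string value."""
    found = set()
    for name, pattern in PII_PATTERNS.items():
        for m in pattern.finditer(value):
            if name == "card_candidate":
                if luhn_ok(m.group()):
                    found.add("payment_card")
            else:
                found.add(name)
    return found


def audit_records(records):
    """Inventory PII across records.

    Returns (counts, findings): counts maps category -> number of records
    containing it; findings lists (record id, field, category) triples.
    """
    counts = Counter()
    findings = []
    for rec in records:
        rec_cats = set()
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for cat in classify_value(value):
                findings.append((rec["id"], field, cat))
                rec_cats.add(cat)
        counts.update(rec_cats)
    return counts, findings


def redact(text: str) -> str:
    """Replace SSNs, Luhn-valid card numbers and emails in free text."""
    text = PII_PATTERNS["ssn"].sub("[SSN]", text)
    text = PII_PATTERNS["card_candidate"].sub(
        lambda m: "[CARD]" if luhn_ok(m.group()) else m.group(), text)
    return PII_PATTERNS["email"].sub("[EMAIL]", text)


def minimize_record(record: dict, purpose: str) -> dict:
    """Keep only fields the purpose needs; redact PII in surviving free text."""
    allowed = PURPOSE_ALLOWLIST[purpose]
    out = {k: v for k, v in record.items() if k in allowed}
    for k, v in out.items():
        if k in FREE_TEXT_FIELDS and isinstance(v, str):
            out[k] = redact(v)
    return out


if __name__ == "__main__":
    counts, findings = audit_records(SAMPLE_RECORDS)
    print("PII inventory:", dict(counts))
    for rec_id, field, cat in findings:
        print(f"  record {rec_id}: {cat} in field '{field}'")
    for rec in SAMPLE_RECORDS:
        print("minimized for shipping_analytics:",
              minimize_record(rec, "shipping_analytics"))
```

Running the audit over the minimized output is a useful regression check: for a purpose whose allowlist excludes every identifier-bearing field, the second audit should come back empty, which is the property a minimization policy is supposed to guarantee.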
Choose strong data privacy and security solutions. The ShardSecure platform provides advanced data privacy, security, and resilience for easier compliance with data protection regulations. Our technology offers an innovative approach to file-level encryption, separating data from infrastructure owner and admin access and protecting sensitive data from third parties. ShardSecure also meets the European Data Protection Board’s requirements as a supplemental technology to enable cross-border data transfers under the GDPR.
To learn more about the ShardSecure platform and how it can benefit your company’s data privacy and protection efforts, visit our resources page.
Revised American Data Privacy and Protection Act Due to be Released | The HIPAA Journal
American Data Privacy and Protection Act Fact Sheet | EPIC
Overview of the American Data Privacy and Protection Act, H.R. 8152 | Congressional Research Service
American Data Privacy and Protection Act Draft Legislation Section by Section Summary | senate.gov
The Virginia Consumer Data Protection Act | Virginia Office of the Attorney General
More Than 40% of Companies Don’t Know Where Their Data Is Stored | Lepide