For those of us waiting for a national data privacy law — and those numbers might be rising — there’s good news. The U.S. House Energy and Commerce Committee recently amended and passed HR 8152, the American Data Privacy and Protection Act (ADPPA). This legislation has already made it further than any other federal privacy law and faster than many expected.
Now comes the hard part.
The ADPPA would govern how organizations across all industries treat consumer data, specifically information that can be used to identify individual citizens. It would create a comprehensive federal privacy framework to protect personally identifiable information (PII) from misuse, increase data security requirements, and give consumers more say about how their PII is collected, handled, sold and disposed of. If it passes, enforcement would be handled by the Federal Trade Commission (FTC) and, in civil actions, by state Attorneys General.
Most importantly, it will guarantee individuals various rights, including the right to access and review their PII held by an organization, the right to fix incorrect data, the right to have their PII erased (if no regulatory or legal requirement overrides the deletion), and the right to receive a portable copy of all of their PII. Additionally, the ADPPA will require citizen consent to collect, process, and transfer PII. These rights follow those granted by state-level laws in California, Colorado, Utah, Virginia and Connecticut.
So what’s the problem? Well, some provisions might become giant obstacles.
The duty of loyalty would impose specific responsibilities on organizations that collect PII. This is a form of data fiduciary that obligates the data collection organization to ensure no substantive harm comes to the data subject from the data collector or aggregator’s use of their data.
Private right of action enables individuals to sue data collectors and processors in federal court for damages, injunctions, litigation costs, and attorney’s fees for a data breach, data misuse, and failing to report on or delete PII when requested. This is also in California’s CCPA, but nowhere else. In my ongoing conversations with state lawmakers, several have told me that in their states, a bill with such a provision would never pass.
Preemption refers to the ADPPA superseding or overriding all current and future state privacy bills and laws. Many businesses like this provision because it avoids the complications of minor differences between state laws, but on this point California doesn’t like the idea of preempting the CCPA and its successor, the CPRA. The state wants an exemption.
These are the big problems, but some smaller issues may be thorny as well.
Data deletion: Unlike state privacy laws, the ADPPA states that data disposal means destroying, erasing, or otherwise modifying PII to make it permanently unreadable, indecipherable, and unrecoverable (just like in Canada). This would require software vendors and cloud data management suppliers to add this capability to their solutions. Let’s not assume this would be easy.
Data security: The ADPPA, state privacy laws and Canada’s C-27 bill all use the same language around data collectors’ responsibilities — they call for “reasonable security” practices to ensure PII is adequately protected. This is not prescriptive enough — we need more specific language to set a baseline security capability. Maybe it should be: “All PII shall be encrypted while in transit and at rest.” There is some legal reasoning behind “reasonable security,” but those of us who have been in the compliance industry for a while have seen the potential for subjectivity and wiggle room.
Bottom line: I understand the concern around federal overreach, but the circumstances here call for a national standard. Without a superseding federal privacy law, and with every state putting its own flavor into place, companies face a business environment in which they must track and ensure compliance with 50 slightly different privacy laws. This will take a huge toll on time and resources, and even the best technology might not be able to adequately balance routine operations with conflicting regulations.
No comprehensive federal data privacy bill will satisfy every constituency in every state, and I acknowledge the challenges in ADPPA. However, after studying the proposed legislation, I believe it would simplify and, therefore, lower the cost of complying with U.S. privacy law. It needs to be debated and passed — and the sooner that happens, the better it will be for the nation.