February 17, 2023

The Debate of Data Broker

The American Data Privacy and Protection Act (H.R. 8152) (ADPPA) is proposed federal consumer data protection legislation. The House Committee on Energy and Commerce overwhelmingly passed ADPPA and the bill is currently pending a House floor vote.


The core components of ADPPA are analogous to those of the emerging state laws governing personal information, such as those of California, Colorado, Connecticut, Utah, and Virginia. ADPPA uses the term “covered data” and defines it as information that “identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or device that identifies or is linked or is reasonably linked to an individual, and may include derived data and unique persistent identifiers.” Notably, ADPPA expressly includes IP addresses within its definition of persistent identifiers.

 

The similarities with other consumer data protection laws include requiring companies to provide notice to consumers prior to processing personal information and providing them the opportunity to opt out. The ADPPA also provides a number of now familiar rights to consumers. These include the right to access, correct, delete, and port personal information, and the right to object to the sharing of their personal information, as well as to processing it for targeted advertising. Like other consumer data protection laws, ADPPA also provides enhanced protections for what is classified as “sensitive” personal information.


The ADPPA, like the emerging state laws, prohibits dark patterns in user interfaces that impede the consumer’s choice of their privacy preferences, and also requires covered entities to provide a “centralized opt-out choice.” The ADPPA also contemplates the introduction of a “unified opt-out mechanism” that will allow consumers to globally opt out of entities processing their personal information.


Other notable features of the ADPPA include requiring third parties to register, and allowing consumers to globally exercise their data subject rights with these third parties and to opt out of the third parties processing their personal information.


Notably, the ADPPA may in some ways provide consumers stricter protections. For example, before a “large data holder” can collect and process data, ADPPA expressly requires that the holder provide, in addition to the privacy policy, a digestible “short-form notice” that conveys prescribed information to consumers to help ensure that the consumer understands the holder’s processing activities.


The ADPPA is a tremendous advancement of consumer data protection rights that rivals and exceeds those offered by the state laws. And in some cases, particularly with respect to the requirements around third-parties participating in a registry that is subject to global privacy controls, the ADPPA provides more practicable controls around managing third-party data brokers than even the General Data Protection Regulation.


A critical feature of the ADPPA is its flexible approach to the issue of preemption. The ADPPA does not seek to override consumer data protection laws in all areas, and allows state laws to exceed the ADPPA protections in almost twenty areas. Furthermore, the ADPPA allows the newly formed California Privacy Protection Agency “to enforce” the ADPPA, “in the same manner it would otherwise enforce the California Consumer Privacy Act.”


The ADPPA thus robustly fills the vacuum of consumer data protection laws, extending the right to privacy to all Americans without undermining the enacted state laws. 


The concern, of course, is the impact that it may have on the viability of data companies that employ thousands of Americans to support a digital ad industry that some value at over $450B. Having said that, the GDPR has not prevented the industry from continuing to flourish in Europe, and there is no reason why it cannot similarly flourish in the United States. The industry just will have to do so more responsibly. 


Passage of the ADPPA is far from a foregone conclusion. Democrats in California have opposed it, arguing that the preemption provisions are too broad and would dilute the protections offered by the CCPA. They, however, have not explained what about the ADPPA actually serves under the CCPA and other state laws, particularly in light of the ADPPA’s balanced approach to preemption. The opposition may in fact not be due to the perceived weakness of the ADPPA. Rather, that may just be a pretext for opposition to its passage due to the ADPPA imposing meaningful restrictions on technology companies that wield tremendous influence over California politicians. In any event, expect a tough road ahead for the ADPPA to pass the House and then the Senate and get signed into law.


25 comments:

  1. The ADPPA seems like a good thing to me. I liked your point that it has not blocked the digital ad industry in Europe so there is no reason it would block America much more. What I am most interested in from this is how exactly the California Privacy Protection Agency is to "enforce" the ADPPA. By auditing companies that store data? How efficient would that be? This feels like it could be a hard issue to enforce once implemented.

    Replies
    1. Hi Lindsay! I think you bring up a great point about reinforcement. I would also be interested in learning about how the California Privacy Protection Agency would enforce. I briefly read an FAQ on the CPPA website and it was vague about enforcement.

    2. This comment has been removed by the author.

    3. Hi Lindsay, Yes that is the main issue that California has been having, which is why the bill has not been passed yet.

    4. I also agree with Lindsay, in that it is very difficult for such legislation to be implemented due to the constraints government agencies have on personal data.

  2. Great post Jaskehar! The ADPPA is definitely a step in the right direction in terms of impactful legislation that can impact a user's privacy. I think in terms of accountability, it makes specific organizations more responsible and transparent in how they handle their consumers' data, and thus can lead to improved privacy for their own users. However, I do feel like, as Jaskehar mentioned, the vagueness of the bill, and the lack of specifications imposed onto companies, can only alleviate surface-level privacy concerns.

    Replies
    1. It is the main issue why the Bill has not been passed yet. The preemption is the problem California is having.

  3. Thanks Jaskehar for posting! I didn't know about the ADPPA before this post and I'm glad that public leaders are taking some action to protect privacy online. I think that ADPPA is by far the most comprehensive federal online privacy protection we've seen yet. I would be interested, though, to learn more about the internal mechanisms of the ADPPA. Are there accountability and transparency measures for the ADPPA itself? For instance, would violations of the ADPPA be accessible to the public?

    Replies
    1. I am not sure yet how that would be handled. I will try to see if I can get you an answer, but the law is still being decided on so it is hard. Sorry for that!

    2. Hey Hannah! It certainly is a very comprehensive bill, but I still see it being too vague in terms of addressing all of the intended problems it hopes to alleviate.

  4. It's great to see this act give more control to consumers on how their data is used and whether they would like to opt out. I do wonder how this would affect the digital ad industry and what they would do if this act passes. I feel like there would be a lot of advertisers trying to find loopholes or sketchy ways to get around restrictions, but for those who want to be more responsible and respectful to the law, I'm curious to see what they would do. I'm also curious on how many consumers would opt out of data collection features and how many actually like having personalized ads (I personally don't mind them).

    Replies
    1. Hi Andrew! I also wonder how the digital ad industry would be affected if the ADPPA were to pass. I think that advertisers have gotten very used to being able to access whatever data they could want, and they aren't going to like having to work around restrictions. Though, like Jaskehar points out, the industry has survived in Europe despite restrictions. I would be interested in seeing how the different cultures affect this. I get the sense that many Americans are either unaware of how invasive personalized advertising is, or they don't care because they prefer the convenience. I wonder how many people would opt in to sharing information if it was phrased as being for their benefit.

    2. I think with any legislation, it is difficult to address all possible loopholes or contingencies companies can bypass, and as we mentioned earlier it is even harder to stay up to date with the way companies are collecting data, so do you think it would be better if it was more of a societal or contractual agreement as opposed to a legislative one, that companies respect their users' data, a.k.a. being ethical in business?

  5. I also was unaware of the ADPPA before reading this post but I am glad that there have been some steps taken towards federal online privacy protection. I would like to know more of the specifics of how the law would work if it were to pass, such as how it would be enforced, and how people would be made aware of it and how they would give consent. If a person has already granted implicit consent for a company to gather their data and this bill passes, would the company need to get explicit consent? Would this law work exactly like the European "right to forget", or would it function differently?

    Replies
    1. I believe it differs because in this instance, the ADPPA acts as a protective or preventative measure for privacy in data, whereas right to forget laws act more as a treatment than a vaccine for privacy.

  6. This is definitely a beneficial law that I think has a lot of potential to protect consumer privacy and lays a good foundation for the future of technology. I'd like to know even more about the details of what it covers and how it affects consumers and businesses alike. What kind of things are in place to ensure third parties and hackers will face consequences or aren't able to access information in the first place?

    Replies
    1. I think there are amendments that the house can pass, if such events do occur, to make sure the bill is still a viable option in addressing all concerns.

    2. The states can add onto the laws given by the federal government.

  7. The ADPPA seems like the right step forward with personal information. I was previously unaware of its existence, but should it be passed into law, individuals will have a large base to work with in order to guarantee the protection and proper usage of their information. The selling of information and online tracking has always been horrifying to me, and I'd like to see a legal prevention from getting ads about things I was talking about just the day before.

    Replies
    1. I definitely agree, I hope in the future the problem of online tracking becomes more discussed, and hopefully addressed through not only means such as the ADPPA but others as well.

  8. I was also pretty unfamiliar with ADPPA before reading this post. I am glad lawmakers are taking steps to be proactive in protecting a citizen's data from these private companies' profit interests. However, like most federal US legislation, it will take a lot of time before this bill will be able to be passed and advance these protections into law. Furthermore, with the time it will take to pass the bill (after going through all the levels of government and working through amendments), will new privacy concerns present themselves that the bill will lack coverage on? Every day more companies and uses for data will grow, and with the slow legislation time, I fear these bills will be less proactive in protecting data and privacy and rather reactive in responding to situations that arise when these companies are found out to be misusing data.

    Replies
    1. States will be allowed to add onto these laws. The only requirement will be that the states adhere to the bill.

  9. Similar to our other classmates I was unaware of ADPPA before this post. I also am glad that there are steps being taken to ensure online privacy, as I am beginning to feel more and more that it is needed throughout this course. I think that consent needs to be brought into the digital sphere and that there needs to be a way for people to opt out of sharing information, and I think the ADPPA is a good start for that.

  10. Something that caught my eye was the inclusion of IP addresses as identifiable information. Almost every site I can think of has a reason to want to store or keep track of IP addresses, and it's probably one of the easiest identifiers on the web. Due to the nature of the internet every single site you visit has access to it, and with it your general location. Alone it's pretty useless, but in combination with other data it can be a powerful tracking tool.

  11. Advertising is a huge industry in America. I agree with the point you make about how the businesses will end up adapting to these new regulations, but regardless of this these huge advertising firms will lobby against them. It seems like data privacy is popular on both sides of politics so maybe that will lead to a law like this being passed.
