What is the American Data Privacy and Protection Act?

In June of 2022, members of both houses of Congress introduced draft bipartisan legislation called the American Data Privacy and Protection Act (ADPPA). The ADPPA would replace the current patchwork of state privacy laws with a national data privacy standard.

The purpose of the ADPPA is to give Americans greater control over their data and to strengthen the nation’s privacy and data security protections. The ADPPA is modeled after the European Union General Data Protection Regulation (GDPR), a comprehensive data privacy and security scheme launched in 2016. Details of the American Data Privacy and Protection Act are provided below.

American Data Privacy and Protection Act: Filling in the Gaps

The GDPR provides comprehensive consumer privacy protection by giving consumers specific rights concerning their data. 

These rights include:

  • The right to be informed. Consumers have the right to be informed about the collection and use of their personal data.  
  • A right of access. Consumers have the right to view and request copies of their personal data.
  • The right to rectification. Consumers have the right to request inaccurate or outdated personal information be updated or corrected.
  • The right to be forgotten (also known as the right to erasure). Consumers have the right to request that their personal data be deleted.   
  • The right to data portability. Consumers have the right to ask for their data to be transferred to another data controller or provided to them. The data must be provided in a machine-readable electronic format.
  • The right to restrict processing. Consumers have the right to request the restriction or suppression of their personal data.
  • The right to withdraw consent. Consumers have the right to withdraw previously given consent to process their personal data.
  • The right to object. Consumers have the right to object to the processing of their personal data.
  • The right to object to automated processing. Consumers have the right to object to decisions being made with their data solely based on automated decision-making or profiling.

American Data Privacy and Protection Act: Specific Consumer Rights

Title 2 of the American Data Privacy and Protection Act gives consumers a number of equivalent rights. 

These rights include:

  • The right to transparency. Entities must make publicly available, in a clear, conspicuous, and readily accessible manner, a privacy policy that provides a detailed and accurate representation of the entity’s data collection, processing, and transfer activities.
  • The right to individual data ownership and control. Entities must give consumers the right to access specific data in a human-readable format (that can be understood and downloaded from the Internet). The specific data includes data that is collected, processed, or transferred by the regulated entity or any service provider of the regulated entity.
  • The right to consent and object. The American Data Privacy and Protection Act requires that individuals give express affirmative consent to regulated entities before those entities collect or process their sensitive data or transfer that data to a third party.
  • The right to data protection for children and minors. The American Data Privacy and Protection Act prohibits an entity from engaging in targeted advertising to an individual under the age of 17 if the entity knows that the individual is under the age of 17.
  • The right to data security. Entities must establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure data against unauthorized access and acquisition.

American Data Privacy and Protection Act: Digital Privacy Protection

The American Data Privacy and Protection Act places limits on Big Tech. The bill limits the transfer of precise geolocation information, browsing history, and physical activity information collected from a smartphone or wearable device. HIPAA does not protect this data, nor is the data protected by FTC regulation. 

The Federal Trade Commission (FTC) plays a mere educational role with respect to the collection of geolocation information and other sensitive data. In other words, the FTC website will tell you that collecting geolocation information implicates privacy concerns and may be bad, but there is no law against the practice. The American Data Privacy and Protection Act would actually regulate the “bad” practices instead of just describing them and explaining how bad they can be.

The bill also contains an anti-coercion provision. Under the law, consumers cannot be forced to waive their privacy rights to receive a service or product. Nor can service providers set the price of a product based on an individual’s agreement to waive any privacy rights. In other words, consumers cannot be made to pay extra for the “privilege” of simply not having their data privacy rights violated.

American Data Privacy and Protection Act: The HIPAA Connection

Under the American Data Privacy and Protection Act, organizations that are compliant with HIPAA are automatically deemed to be compliant with the ADPPA’s provisions regarding the protection of PHI. Being compliant with HIPAA, though, offers no protection for entities that HIPAA does not cover. One of the very purposes of the ADPPA is to regulate non-HIPAA entities that process, collect, or transfer healthcare data. If these entities violate the ADPPA, they may face an FDA or state attorney general enforcement action. They may also be on the receiving end of a lawsuit ($$) filed by an individual alleging an ADPPA violation.
