Data privacy in the US is largely a legal vacuum. Although medical and financial data enjoy limited protection, the country that is home to the world’s largest technology companies, such as Apple, Amazon, Google and Meta (Facebook), has no comprehensive federal data privacy law. That leaves US citizens with the bare minimum of data privacy protection compared with citizens of other nations. But that may change.
With rare bipartisan support, the American Data Privacy and Protection Act left the Committee on Energy and Commerce of the US House of Representatives by a 53-2 vote on July 20, 2022. The bill still needs to be passed by the full House of Representatives and the Senate, and negotiations are ongoing. Given the Biden administration’s responsible data practices strategy, White House support is likely if a version of the bill passes.
As a legal scholar and attorney who studies and practices data privacy technology and law, I have been closely following the act, known as the ADPPA. If passed, it would significantly change US data privacy law.
The ADPPA fills a data privacy void, preempts certain state data privacy laws, allows individuals to sue for violations, and significantly changes the enforcement of data privacy laws. Like all big changes, the ADPPA gets mixed reviews from the mass media, scientists and enterprises. But many see the bill as a triumph for data privacy in the US, providing a much-needed national standard for data practices.
Who and what will the ADPPA regulate?
The ADPPA will apply to “covered” entities, meaning any entity that collects, processes or transfers covered data, including non-profit organizations and sole proprietors. It also regulates mobile phone carriers and Internet service providers, among other common carriers, which could entail related changes to federal communications regulations. It does not apply to government agencies.
The ADPPA defines “covered” data as any information that identifies, or can reasonably be linked to, an individual or a device. It also protects biometric data, genetic data and geolocation information.
The bill excludes three categories of data: de-identified data, employee data and publicly available information. The last category includes social media accounts whose privacy settings allow public viewing. Yet research has repeatedly shown that de-identified data can easily be re-identified. The ADPPA attempts to address this by requiring covered entities to take “reasonable technical, administrative, and physical measures to ensure that information is never used to re-identify an individual or device.”
How the ADPPA protects your data
The bill requires that data collection be kept to a minimum. It allows covered entities to collect, use or share an individual’s data only if doing so is reasonably necessary and proportionate to the product or service requested by the individual, or to respond to a communication initiated by the individual. This still permits collecting data for authentication, responding to security incidents, preventing illegal activity or serious harm to individuals, and complying with legal obligations.
People will have access rights and some control over their data. The ADPPA gives users the right to correct inaccuracies and potentially delete their data held by covered entities.
The bill authorizes the collection of data as part of research for the public good. This allows data to be collected for peer-reviewed or public interest research, such as testing whether a website is unlawfully discriminatory. This is important for researchers who might otherwise violate the site’s terms of service or hacking laws.
The ADPPA also has a provision that addresses the problem of consent-based terms of service, those pesky “I agree” boxes that force people to accept a bundle of legal terms. When you click one of these boxes, you are contractually waiving your privacy rights as a condition of simply using the service, visiting the website or purchasing a product. The bill would not allow covered entities to use contract law to circumvent its protections.