
International: Comparing the ADPPA and the GDPR from an Australian legal perspective

The US is close to adopting a national privacy and data protection law that could impact how your business operates, as it considers approving the American Data Privacy and Protection Act ('ADPPA'). This article looks at the differences (and similarities) between the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the ADPPA, and calls out those items that Australian businesses should be aware of if they interact with US citizens and residents. The ADPPA and the GDPR are different, so it will be prudent for businesses and organisations to understand how their obligations may differ from those under the GDPR. Katherine Sainty and Aisling Hamilton, from Sainty Law, discuss how the ADPPA may affect businesses, and how its provisions compare to those of the GDPR.


How will ADPPA affect you?

Companies and organisations that collect or use data from US citizens and residents need to be aware of the ADPPA and the impact this new legislation may have on their business. 

Businesses that have already taken steps to comply with the GDPR will not be able to rely on their current practices to ensure they also comply with the ADPPA. We have outlined below the similarities and differences, and a few of the areas that businesses should consider more closely.

Global impact

Most businesses operate globally and, depending on how they collect and handle data, may be governed by several different privacy laws that apply in different jurisdictions, so it is important to understand the impact of both the ADPPA and the GDPR.

After ongoing negotiations and compromises, the ADPPA received almost unanimous support in the US House of Representatives Committee on Energy and Commerce. This means that the ADPPA will continue to be negotiated on the House floor and, if it passes, it will go to the Senate for review.

Setting a minimum national standard

If the ADPPA comes into force as it stands today, it will:

  • provide privacy safeguards to US citizens and individuals residing in the US; and
  • give businesses certainty around their obligations, as they will need to meet the minimum national standards set by the ADPPA and also comply with the requirements of any state legislation that applies to them.

This will be a critical transition in how data and privacy are protected and governed in the US, by creating a national minimum standard of protection. The existing privacy regime in the US is predominantly regulated by a patchwork of state laws; for instance, California has passed the California Privacy Rights Act of 2020 ('CPRA') and the California Consumer Privacy Act of 2018 ('CCPA') to provide protection to its residents.

Who does the ADPPA cover?

The ADPPA imposes requirements on any entity that collects, processes, or transfers personal information, referred to as 'covered data' in the ADPPA, and that is subject to the Federal Trade Commission's ('FTC') jurisdiction (a 'covered entity'). This includes corporations, non-profits, and telecommunications companies operating in the US.

We note that 'covered data' under the ADPPA only protects the data of US residents. This means that the ADPPA has not addressed the Privacy Shield framework challenged in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case') relating to data transfers between the US and the EU.

Key similarities between the ADPPA and the GDPR

The ADPPA has similarities to the GDPR including:

  • General principles of transparency, necessity, and proportionality in data processing.
  • The data minimisation principle. The GDPR mandates that personal data shall be 'adequate, relevant and limited to what is necessary' for the purposes for which it is processed. The ADPPA echoes this by mandating that entities may only acquire personal data that is 'reasonably necessary, proportionate and limited' to the user and their data.
  • The broad scope of data covered under the ADPPA aligns with the GDPR's definition of personal data. However, the scope of the ADPPA's 'covered data' has faced criticism for having 'no teeth', as multiple exclusions can be applied.
  • The ADPPA creates a basis for basic consumer data rights, including data access requests, data portability, and an opt-in and opt-out clause for sensitive and non-sensitive personal information – a framework first seen in the GDPR. The GDPR requires that consent be 'freely given, specific, informed, and unambiguous' and given by an affirmative action. Following the GDPR, the ADPPA likewise requires that consent involve an affirmative action.
  • The ADPPA introduces 'sensitive covered data', which attracts stronger obligations and additional compliance documentation, similar to the GDPR's special categories of personal data. The content covered by these respective definitions does differ and is discussed below.
  • The ADPPA also brings in regulations to protect children and minors from online harm, similar to the framework in the GDPR which protects children under the age of 16 from having their data processed by entities. Under the GDPR, the processing of data directly relating to children under the age of 16 is deemed unlawful. In response to the challenge of protecting young people, the ADPPA creates a Youth Privacy and Marketing Division within the FTC.

Key differences between the ADPPA and the GDPR

Below are a few of the differences between the ADPPA and the GDPR:

  • Definitions in the ADPPA have limited effectiveness due to the restrictive scope of when it applies and what is excluded, compared to the GDPR regime; for instance:
    • 'Covered data' has many exclusions; it does not have the same broad scope as the GDPR's definition of personal data. Exclusions include de-identified data, employee data, and publicly available data (and inferences drawn from this information).
    • 'Individuals' only covers US residents, whereas the GDPR's comparable 'data subjects' has extraterritorial applicability.
    • 'Covered entity' does not include government bodies at either federal or state level.
  • The ADPPA's 'sensitive covered information' protects a wider range of data categories, including exact geolocation, calendar information, financial account numbers, and government-issued identifiers.
  • While the ADPPA introduces rights to access, delete, and correct personal information, there are more exclusions that covered entities can rely on to not fulfil these requests when compared to the GDPR's data subject rights.
  • The ADPPA is intended to be enforced at a state level through the Attorney General bringing an action, as opposed to a designated agency. It does not define any specific fines for when a breach is made out.
  • The ADPPA introduces a small business exemption from some obligations, such as assessing vulnerabilities and designating a privacy and data security officer.
  • Organisations that are affiliated with other organisations, or that are in the same corporate group, are not seen as 'third parties', whereas the GDPR treats these types of organisations as separate entities. Data transfers between them under the ADPPA are therefore excluded from the compliance requirements that would be attracted under the GDPR.

Do you need to take any action?

It will be important for all businesses and organisations to monitor the ADPPA to see if it passes, and whether any changes are made to it before it is passed.

Businesses should also ensure that they understand their obligations under any US state legislation and how the ADPPA impacts US state laws.

If the ADPPA passes, businesses and organisations should seek legal advice to understand their legal obligations. It would also be best to harmonise any compliance and data privacy policies, to make it easy for consumers to understand what is happening with their personal information.

Katherine Sainty, Director
Aisling Hamilton, Graduate Lawyer
Sainty Law, Sydney