The latest proposed Federal Privacy Law, titled the American Data Privacy and Protection Act ("ADPPA"), continues to gain momentum and in late July 2022, the House Committee on Energy and Commerce voted to advance the bill to the House.1 This is the first time a comprehensive privacy bill will be made available for full chamber vote in either the House or the Senate.2
The purpose of this article is to identify a set of example requirements in the ADPPA which may require organizations to modify or enhance their data privacy strategy. We should know later this year if the ADPPA will become a reality and understanding the potential impact will allow organizations to be better prepared.
- Sec. 301. Executive Responsibility– A
large data holder is defined as generating $250 million in revenue
and processing covered data of 5 million individuals. Large data
holders will need to certify annually with the Federal Trade
Commission ("FTC") that the organization maintains both
1) internal controls reasonably designed to comply with the ADPPA
and 2) internal reporting structures to ensure that such certifying
executive officer is involved in and responsible for the decisions
that impact the compliance by the large data holder.
- Analysis: We anticipate that if an internal audit function exists within the large data holder, that such function will be heavily involved in evaluating the organization's privacy program. Data privacy will be included in their internal audit's annual audit plan. In coordination with the internal audit function, most large data holders will likely rely on third party assessments to support the annual certification process.
- Sec 208. Data Security and Protection of Covered Data
– Section 208 requires that organizations
"dispose of covered data in accordance with a retention
schedule that shall require the deletion of covered data when such
data is required to be deleted by law or is no longer necessary for
the purpose for which the data was collected..."
- Analysis: Prior sovereign privacy laws such as the General Data Protection Regulation ("GDPR") and California Privacy Rights Act ("CPRA") refers to the importance of deleting personal information when such data is no longer necessary to support the purpose of which it was collected. Neither the GDPR or CPRA; however, specifically reference that covered data should be disposed of pursuant to a "retention schedule". Organizations will need to modernize their retention schedules and operationalize such record retention and data dispositioning activities in order to comply with the ADPPA.
- Sec. 202. Transparency – Section 202
includes several requirements related to the content of the privacy
policy, clarity of the privacy policy, and subsequent change
notification process.
- Content of a Privacy Policy- A covered entity
or service provider shall have a privacy policy that includes
"the length of time the covered entity or service provider
intends to retain each category of covered data, including
sensitive covered data, or, if it is not possible to identify that
timeframe, the criteria used to determine the length of time the
covered entity or service provider intends to retain categories of
covered data."
- Analysis: This same language exists in the CPRA and has led many mega brands to focus on deleting data at scale. Other language in Section 202 related to the contents of a privacy policy also includes the same categorical requirements that are apparent in the California Consumer Privacy Act (CCPA) which led organizations to include charts in their privacy policies showing the categories of personal information collected, business purpose for each category of collection and if it is sold. It is interesting to note that the ADPPA pairs the use of the term "retention schedule" with the retention period privacy policy disclosure requirements and implies organizations need to be deleting data. Given the lack of many organizations' progress in this area, combined with the difficulty in implementing a well run records management program, this may very well be an easy area for enforcement.
- Changes to Privacy Policies and Notification:
"If a covered entity makes a material change to its
privacy policy or practices, the covered entity shall notify each
individual affected by such material change before implementing the
material change with respect to any prospectively collected covered
data and...provide a reasonable opportunity for each individual to
withdraw consent." "In addition, each large data holder
shall retain copies of previous versions of its privacy policy for
at least 10 years beginning after the date of enactment of this Act
and publish them on its website. Such large data holder shall make
publicly available, in a clear, conspicuous, and readily accessible
manner, a log describing the date and nature of each material
change to its privacy policy over the past 10 years."
- Analysis: The implementation of these requirements are relatively straightforward. For example, an organization can send an email notifying its customer base of changes in the privacy policy. Similarly, historical privacy policies can be retained and linked to in the main privacy policy. We highlight this item given such language is not in the CCPA or GDPR.
- Clarity: In addition to the privacy policy
requirements in section 202 (there is a long list of requirements
in section 202, similar to the requirements in the GDPR and CCPA),
a large data holder that is a covered entity "shall provide a
short form notice of its covered data practices in a manner that
is— no more than 500 words in length."
- Analysis: No explanation is needed here. We believe this is a good step forward for both the customer and separately, businesses focused on the privacy principle of transparency and streamlining the vision of their privacy program.
- Content of a Privacy Policy- A covered entity
or service provider shall have a privacy policy that includes
"the length of time the covered entity or service provider
intends to retain each category of covered data, including
sensitive covered data, or, if it is not possible to identify that
timeframe, the criteria used to determine the length of time the
covered entity or service provider intends to retain categories of
covered data."
- Sec. 103. Privacy by Design - Policies, Practices and
Procedures– "A covered entity and a service
provider shall establish, implement, and maintain reasonable
policies, practices, and procedures that reflect the role of the
covered entity or service provider in the collection, processing,
and transferring of covered data and that...mitigate privacy risks,
including substantial privacy risks, related to the products and
services of the covered entity or the service provider, including
in the design, development, and implementation of such products and
services..."
- Analysis: We envision that organizations will need to introduce procedures and development lifecycle workflows to govern their Privacy by Design practices. We've helped many clients with this already as part of their GDPR/CCPA/CPRA modernization efforts; however, the language regarding such Privacy by Design requirements in such prior regulations was not as specific as what we see in the ADDPA.
- Other noteworthy items included in the ADPPA:
- Privacy impact assessments are in scope: Impact assessments were largely born from the GDPR, and most of the US State laws set to go live in 2023 have a similar requirement. As such, organizations should already be well underway in developing a repeatable PIA process.
- Permissible Purposes: The ADPPA includes a section titled "Permissible Purposes" which lists out a set of purposes for which a covered entity may collect, process, or transfer covered data. This list of Permissible Purposes is very similar to what we see in the GDPR as a legal basis for processing. For example, a permissible purpose under the ADPPA includes collecting data to complete a transaction, comply with a legal obligation, and to conduct scientific research. The ADPPA list goes on to include items related to fulfilling a product warranty and effectuating a product recall.
- Analysis: For those privacy professionals who have previously developed a records of processing activities pursuant to GDPR Article 30, whereby a legal basis is assigned to each processing activity, similarly under ADPPA we will likely need to assign a permissible purpose to each record in a U.S. centric data inventory. We can envision a scenario where regulators ask for such information as part of an enforcement action.
- Sec 208 Data Security and Protection: The ADPPA is more specific than prior data privacy laws in terms of what a security program should include. For example, the ADPPA includes requirements related to assessing vulnerabilities, preventative and corrective actions, and the evaluation of such preventative and corrective actions.
We would be encouraged to see the ADPPA passed so that our clients have a common set of requirements to follow. If the ADPPA does get enacted, rather than chasing the requirements in each incremental new state law, organizations can focus on higher level activities such as developing programs to delete personal information at scale. Such programs require heavy investment, but deletion programs are one of the few areas that quantifiably reduce both privacy and cyber risk.
Footnotes
1 https://docs.house.gov/meetings/IF/IF00/20220720/115041/BILLS-117-8152-P000034-Amdt-1.pdf
2 https://iapp.org/news/a/american-data-privacy-and-protection-act-heads-for-us-house-floor/
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
