The American Data Privacy and Protection Act is bipartisan federal data privacy legislation that’s gaining momentum and could have significant implications for businesses if signed into law.
The ADPPA establishes personal data handling requirements for businesses, nonprofits and common carriers, such as limiting data collection and processing to what is necessary for providing a specific service. The bill also prohibits companies from transferring personal data without express consumer consent and requires consumer opt-in to targeted advertising.
In addition, the bill targets data algorithms, requiring businesses to provide an outline of how their algorithms work and what data the algorithms use.
The U.S. House Committee on Energy and Commerce passed the bill in July, which is the farthest a privacy bill has gone at the federal level, Forrester Research analyst Stephanie Liu said.
Liu said it’s significant that the bill is both bipartisan and bicameral as it moves to the House floor for consideration.
“When you’ve got that collaborative approach off the bat, I think that gives it a much stronger starting point,” she said.
Tackling data privacy
The ADPPA finds and codifies common ground between organizations that need data access and consumers providing that data, said Liz Miller, vice president and analyst at Constellation Research.
“This does not set down a hard-and-fast line of what is privacy, what is data, how is it protected, what are the ramifications,” Miller said. “It really is, how do we allow the average person to clearly understand and determine what is and is not private, and it gets everybody on the same page.”
The ADPPA addresses everything from data capture and processing to algorithmic harms, such as bias in hiring and loan approval.
According to the bill, any large data holder using an algorithm that could potentially cause harm to an individual must conduct an impact assessment of the algorithm that describes the algorithm’s methodologies, its purpose and proposed uses, what data the algorithm uses, and what information the algorithm outputs.
The bill also addresses data storage, Forrester’s Liu said.
Referencing the 2021 T-Mobile data breach, where a cybercriminal accessed the personal information of millions of consumers, Liu pointed out that a significant amount of that data belonged to consumers who were no longer T-Mobile customers. The company stored that personal data for years “for no business purpose,” she said.
“As data breaches get more and more frequent, I think that’s going to be a growing problem,” Liu said. “So I love the rights that [the ADPPA] gives consumers, but I love that it is also building out those data storage requirements and the algorithmic harms piece.”
How it would affect businesses
Liu said a range of companies stands to be affected by a bill like the ADPPA as there are few exemptions for businesses included within the bill text.
According to the bill, companies will have to know what third parties have their customer data. The bill also means companies will have to get permission from consumers to share sensitive data such as browser history and geolocation data with third parties, Liu said. That means businesses will need to find ways to be transparent with consumers about their data processes, as well as consider strategies focused on how to convince consumers to share their data with the company to begin with, she said.
Stephanie LiuAnalyst, Forrester Research
With the data privacy guidelines that a bill like the ADPPA lays out, Constellation’s Miller said now is the time for businesses to begin conversations on a cross-functional, “organizationally embraced” data privacy strategy, including focusing on collecting and using only the data that’s necessary from consumers.
“Privacy isn’t about taking all the data and then securing it,” Miller said. “That’s not privacy — that’s security.”
Even while regulatory approaches to data privacy like the ADPPA make their way in Congress, tech companies like Google, Meta and Apple have already begun limiting companies’ abilities to track users and collect data, which Liu said is signaling a change in business data collection practices.
“The writing is on the wall for the days of background data collection, when you could easily follow someone across websites, across apps, collect their data and sell their data,” Liu said. “It’s pretty clear from both the regulatory standpoint and the tech standpoint that those days are numbered.”
Exempting government agencies
While there aren’t many exemptions for businesses under the bill, government entities such as boards, authorities, commissions or agencies are exempt from ADPPA requirements, Miller said. That means government agencies would be allowed to collect, process, transfer and share data across third parties.
“Government agencies totally sit outside of this legislation,” she said.
Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.