Congressional leaders released a draft bipartisan bill last week that, if adopted, would establish the first comprehensive federal privacy law in the nation's history. It is named the American Data Privacy and Protection Act, or ADPPA for short, and it would give people in America several rights relating to the data collected from them.
These would include the right to access the data, delete it, correct it, and prevent its use without the individual's consent. As a result, businesses in numerous sectors would face new obligations regarding the data they collect from the individuals they serve.
Notably, the ADPPA already shares most of its features with the comprehensive privacy laws adopted at the state level in recent years, such as the California Consumer Privacy Act (CCPA). It has also borrowed several elements from America's health privacy law, the Health Insurance Portability and Accountability Act (HIPAA), and the regulations adopted under it.
In many respects, however, it is more sophisticated than these laws, and it would be America's answer to the General Data Protection Regulation (GDPR), the governing privacy framework in Europe. The release of the draft legislation signals a crucial compromise between the Republican and Democratic leaders of the House Energy and Commerce Committee, who managed to come together on contentious issues such as the private right of action and preemption of state law.
The draft bill has drawn criticism in some quarters. Some privacy advocates hold the view that the legislation is not as comprehensive as it should be, while representatives of various industries regard some provisions, such as the private right of action, as unacceptable. Hence, it is still not clear whether the ADPPA will gain enough support to be enacted.
How Will the ADPPA Be Applicable to Different Entities?
In broad terms, the ADPPA would apply to ‘covered data’ that is collected by ‘covered entities.’ Covered data means any information that identifies an individual or can be linked to one. The only exclusions from covered data are publicly available information, de-identified data, and employee data. A covered entity is any party or entity that collects, processes, or transfers covered data and falls under the jurisdiction of the Federal Trade Commission (FTC).
Unlike some state privacy laws, the ADPPA would also apply to small businesses with little revenue as well as to nonprofit organizations. No exception is made for government entities either, even though courts have interpreted other laws using the same language as not applying to state and federal agencies.
However, most businesses in the financial services, healthcare, and education sectors would not be required to follow the law for all of the data they collect and hold. Small businesses that do not engage in interstate commerce fall outside the FTC’s jurisdiction and would also be exempt from the law. Additionally, under the ‘small data exception,’ organizations with $41 million or less in annual revenue would not be required to follow some parts of the law.
If the ADPPA is adopted, it will place numerous duties and other requirements on covered entities regarding covered data. These include the following:
Covered entities can’t collect or use covered data beyond what is necessary.
Prohibited and Restricted Practices
Some practices would be completely prohibited or restricted. There would be significant limits on covered entities transferring accurate geolocation information, physical activity information, and browsing history collected from a wearable device or smartphone. Covered entities would also be barred, except in some circumstances, from collecting, processing, or transferring genetic information, biometric information, or intimate images known to be nonconsensual.
Privacy by Design
All covered entities would need to establish and implement policies and procedures governing the collection, processing, and transfer of covered data.
Pricing and Denials
Covered entities would not be allowed to deny, condition, or set the price of a product or service based on an individual’s agreement to waive their privacy rights.
Third-party collecting entities, meaning covered entities that earn their revenue by processing covered data they did not collect directly from the individuals, would have additional obligations, including registering with the FTC whenever they process covered data on 5,000 or more people.
The ADPPA would grant individuals numerous rights over the data that covered entities collect from them. Most of these rights mirror those granted under the comprehensive state privacy laws, HIPAA, and the GDPR. The rights relating to control and ownership of data include the following:
Any person’s right to access the covered data held about them in a human-readable format that can be downloaded online.
Accounting of Disclosures
Any person’s right to obtain the names of all third parties to which the covered entity has given access to that person’s information, along with a description of why the information was transferred.
Any person’s right to correct any incomplete or inaccurate information that is held regarding that person.
Any person’s right to delete all covered data about the person.
Any person’s right to export covered data in a format that is both machine-readable and human-readable, to the extent feasible.
Covered entities would have roughly 30 to 60 days, depending on their size, to respond to requests exercising these rights over data control and ownership. They would also have to respond free of charge for the first two requests an individual makes in any 12-month period.
Covered entities could deny a request in some circumstances: if they cannot verify the identity of the person making it, if complying would be impossible or impractical, or if completing it would interfere with law enforcement.
Individuals would also have consent and opt-out rights. Without the individual’s consent, covered entities could not collect or process sensitive covered data, which includes government-issued identifiers such as social security numbers, credit card numbers, health data, genetic information, biometric information, accurate geolocation information, and specific demographic information such as religion or race, among other categories.
People would also have the right to choose not to get their covered data transferred and choose not to get targeted advertising. In addition, there will be restrictions applied for data on minors who are below 18 years of age.
The ADPPA would also protect civil rights. Subject to some exceptions, covered entities could not collect, process, or transfer covered data in any manner that discriminates against a person on the basis of race, color, religion, sexual orientation, disability, gender, or national origin.
Large data holders, which are covered entities with annual revenues of around $250 million that hold covered data on 5 million or more people or sensitive data on 100,000 or more people, would have to conduct an algorithm impact assessment. In this assessment, the data holder must document the steps taken to mitigate potential harms from its algorithms relating to education, children, advertisements for housing, healthcare, employment, credit, or insurance, access to public accommodations, and other discriminatory impacts. All covered entities would need to evaluate the design of their algorithms to reduce the chance of harm.
All covered entities would also be required to secure individuals’ data. Covered entities must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect covered data against unauthorized access and acquisition. Although these practices can be tailored to an entity’s size and complexity, among other factors, all covered entities that do not qualify for the small data exception would have to adopt additional practices, such as assessing the vulnerabilities of every system that holds covered data.
Article by [author-name] (c) Irish Tech News