The U.S. Congress is once again focused on data privacy. This time, however, there may be sufficient bipartisan support to move things forward toward protecting American consumers and businesses. A new federal law, which is currently in draft, is the American Data Privacy and Protection Act (ADPPA). If it passes, this new bill would regulate how organizations collect, store, and use personal information (aka “covered data”), and it would take precedence over, and preempt a patchwork of data privacy regulation at the state and sector levels.
Historically, there had been little appetite in the U.S. for an all-encompassing federal bill similar to the European Union’s General Data Protection Regulation (GDPR), which addresses both consumer rights and dictates how businesses must protect consumer data. As a result, from coast to coast, states began to fill the void, ranging from the California Consumer Protection Act to the Virginia Data Protection Act. But each was limited to its own jurisdiction, which always seemed like a mere stepping stone to addressing the real, macro business needs of a modern, global marketplace.
Therefore, the U.S. seeks to create a single nationwide framework that would benefit consumers, businesses, and the country as a whole, by harmonizing and streamlining U.S. data privacy laws. However, with so many interested parties, there will be some who complain that the bill goes too far, and others that it does not go far enough. Previously, sticking points included the preemption of state laws, the extent of carve-outs (or exceptions) for existing legislation, and the private right of action (i.e. private citizens can enforce their rights in court).
Why is data privacy so important?
Every Internet user and responsible citizen should be concerned about data privacy. The collection, analysis, and potential misuse of personally identifiable information (PII) has ramifications far beyond the domain of e-commerce, such as skimming a credit card or wire fraud. In fact, there are serious concerns about its impact on our most basic human rights.
Data aggregators and brokers today have access to thousands of data points that refer to you personally, including where you live, work, sleep, party, worship, and seek medical treatment. Some of this information you voluntarily give to your apps, including selfies and biometrics. But these companies are also gathering data even when you think you are offline. For example, your Internet-connected devices – not just smartphones, but also laptops, PCs, cars, appliances, fitness trackers, and much more – frequently ping cell phone towers and connect to WiFi networks, which at a minimum give away your location via GPS.
With access to so much personal data, data brokers can make an astonishing array of inferences about you. If your Internet searches relate to fertility, contraception, pregnancy, abortion, or reproductive health, you are likely to be tagged as an “Expectant Parent.” If your queries are political in nature, you may be categorized as belonging to a certain political party, or likely to vote for a particular candidate.
What happens next? In many cases, the data broker will sell your personal information to unknown third parties. And what will they do with it? Whatever they want, including spamming you with information or propaganda, perhaps related to your pregnancy, or about an upcoming election. That kind of intelligence also makes phishing scams, and even identity theft, much easier. Think about it: do you want random businesses, marketers, criminals, stalkers, or government spy agencies, to own a precise profile of your life?
The Federal Trade Commission
The Federal Trade Commission (FTC) recognizes these dangers. In a recent statement, the FTC announced that it is “vigorously” committed to enforcing US law against the illegal use and sharing of sensitive personal data, in an effort to protect the security and privacy of US consumers. In fact, the FTC has already brought hundreds of cases forward, some of which resulted in substantial civil penalties.
For you, the clear takeaway is that, in the near future, there will be more data privacy laws and regulations – and there are agencies already eager to enforce them. Therefore, in order to prepare for the future, your organization has a lot of work to do. How much covered data do you collect? Where is it stored? Is it properly protected – both at rest and in transit? Can you vouch for any third parties with whom you share data?
What will the ADPPA cover?
The ADPPA may be just around the corner, so let’s consider some of its proposed aspects:
Data Minimization and Restrictions
- The collection, processing, and transfer of data must be “necessary, proportionate, and limited.”
- There will be additional requirements for certain data types, including SSNs, precise geolocation, biometrics, genetics, passwords, Internet searches, and browsing history.
Individual Ownership and Control
- Personal data subjects have the right to 1) access their data, 2) know why you are collecting their data, 3) know the names of third parties also in possession of their data, and 4) be able to correct inaccurate data.
Private Right of Action
- Four years after ADPPA goes into effect, private citizens will gain the ability to take legal action against a covered entity, if they believe it violated ADPPA.
Large Data Holders
- Organizations that make $250M+, process the data of 5M+ individuals, or process the sensitive data of 100K+ individuals, must certify compliance with ADPPA.
- Small data holders are likely to have some exemptions.
Third Parties
- Third parties must place a clear data collection notice on their website or app, allow the audit of covered data, and provide a set of required information to the Third-Party Collecting Entity Registry.
What is industry saying?
In a recent letter, the Credit Union National Association (CUNA) articulated strong support for national data security and privacy legislation that preempts state laws: “We firmly believe that there can be no data privacy until there is strong data security.” Noting that credit unions and their members are adversely impacted by lax data security standards in the marketplace, CUNA supports addressing data security and privacy through a comprehensive framework, including all entities under FTC jurisdiction, and creating enforcement measures to address the harms that result from privacy and security violations.
On the other hand, the National Restaurant Association (NRA) has voiced concerns that the ADPPA, in its current form, would have negative ramifications for the restaurant industry. While it supports a preemptive federal data privacy law, the NRA worries that there are so many carve-outs (i.e. exemptions for existing states laws and regulations) that the bill’s preemption provision would be too weak (and complicated) to benefit its industry. Further, the NRA fears that the ADPPA’s private right of action could allow consumers to file frivolous lawsuits and enable trial lawyers to act as privacy “trolls.” Finally, third-party liability concerns could make it difficult for restaurants to build special relationships with their customers, such as loyalty programs.
How VGS Helps
VGS offers strategic, future-proof solutions to both current and planned data privacy legislation. With VGS, your business can securely collect, store, and operate on any sensitive or “covered data,” including payment cards, ACH, PII, and credentials. Further, with our Data Security as a Service (DSaaS) solutions, you can quickly satisfy most of the data handling and security controls for standard compliance frameworks, such as PCI DSS and California Consumer Protection Act. And should ADPPA be signed into law, rest assured the VGS Platform will support it as well!
Protect PII Data and Gain Customer Trust
Offload personally identifiable information (PII) data to VGS to meet data privacy compliances like GDPR and CCPA. Retain all of your data value, none of the risk. Learn More