So, there’s a big issue with how our data is being handled in the US. For a long time, big tech companies have been collecting tons of information about us without any real rules.
They use this info to make money, but it also means they’re invading our privacy, checking out our lives, and knowing really personal things about us. They’ve set up a complex system of databases and computer programs that use our data to figure out stuff about us, like where we are, our health, how much money we have, and even things like our gender and race.
They use this to sort people into different groups, which can lead to unfair treatment, especially for people who are already struggling. Now, there’s this law called the American Data Privacy and Protection Act that’s being talked about.
If it gets passed, it would make these tech companies change how they’re using our data. It’s meant to stop the not-so-great things they’re doing with our information, like watching us too closely and treating some groups unfairly. This could make things more fair and private for everyone.
Table of Contents
What Is the American Data Privacy and Protection Act (ADPPA)?
You know how big tech companies have been collecting tons of information about us without much control. They use this info to make money, but it’s invading our privacy and even leading to unfair treatment.
They’re using complicated systems to figure out personal stuff about us and then deciding who’s important and who’s not based on things like our health, money, where we live, gender, race, and other stuff about us. This hurts people who are already struggling in society.
But now, there’s a new law called the American Data Privacy and Protection Act. It’s designed to stop these companies from being so invasive and from treating people unfairly online. This law would make them change their ways and protect our privacy better.
What’s in the American data privacy and protection act (ADPPA) Bill Currently?
So, there’s this thing called the American data privacy and protection act (ADPPA), which is a law related to data privacy.
It’s kind of similar to other laws like the CPRA that deal with how companies handle your personal information. Just like how you can break down the important parts of a story, you can break down the important parts of these laws.
Now, this American data privacy and protection act (ADPPA) law has a lot of the same important pieces as other laws, but there are some differences too. And these differences could be really important for businesses if this law becomes real.
Let’s talk about some cool things in this law and also the changes that have been made so far. It’s like looking at the details of a new movie – you know the main plot, but there are interesting twists that can affect how you feel about it.
Notable Features of the American data privacy and protection act (ADPPA)
1. Variations in Definitions
It’s a bit different from other laws that talk about data privacy. Let me break down the main differences for you:
- Covered entities: American data privacy and protection act (ADPPA) says that any entity or person that collects, processes, or moves data and follows the Federal Trade Commission Act rules, is a common carrier under the Communications Act, or is a non-profit, is included. This means that most businesses fall under its rules.
- Covered data: American data privacy and protection act (ADPPA) includes any info that can identify a person or device. This covers things like names, addresses, and even data that’s closely linked to an individual. It also counts unique things like IP addresses and advertising IDs.
- Children: In the American data privacy and protection act (ADPPA), a “child” is someone under 17 years old. This is important because other data privacy laws usually consider kids under 13 or 16 as children. The American data privacy and protection act (ADPPA) covers how businesses should handle kids’ data differently.
- Sensitive data: American data privacy and protection act (ADPPA) goes beyond what other laws consider sensitive data. Most laws think stuff like race, genetics, or kids’ data is sensitive. California law also includes things like social security numbers. But the American data privacy and protection act (ADPPA) adds more to the list, like login details for devices.
There are some other small differences too, but that’s the main stuff. It’s all about how businesses handle data and privacy in a different way compared to other laws.
2. Preemption
So, imagine there’s this new law called the American data privacy and protection act (ADPPA) that people are talking about. If this law gets passed, it will become the boss of all the other data privacy laws that each state has made.
So, if a business is following a specific state law, like Connecticut’s CTDPA, they would have to change and follow the rules of the American data privacy and protection act (ADPPA) instead.
But here’s the catch: some states, especially California, are not happy about this. They don’t want their own laws to be ignored in favor of the American data privacy and protection act (ADPPA).
However, the American data privacy and protection act (ADPPA) isn’t all-powerful. It does have some exceptions.
For example, certain specific laws that are about privacy, like the Children’s Online Privacy Protection Act (COPPA), would still matter. Also, some parts of California’s CPRA would still apply, even if the American data privacy and protection act (ADPPA) takes over.
3. Private Right of Action
If you’re concerned about a company not following the rules to protect your private information. A private right of action is like giving you the power to take legal action against that company.
In the US, most data privacy laws don’t usually let individuals sue companies directly. But there’s this new law called the American data privacy and protection act (ADPPA) that does allow it.
Before you can actually sue, there are some steps you need to follow. First, you have to tell either the Federal Trade Commission (FTC) or your state’s attorney general about the issue. Then, they have about two months to decide if they want to join your lawsuit.
But that’s not all. You also have to tell the company you plan to sue. And you have to give them about 45 days to fix the problem before you go to the FTC or the attorney general.
So, a private right of action is like giving individuals the chance to take legal action against companies that aren’t doing their part to protect people’s data. But it’s not as simple as just suing right away – there’s a process to follow.
4. Special Category for Large Data Holders
ADPPA (which stands for something like the “Advanced Data Privacy Protection Act”) is a set of rules for businesses that deal with a lot of people’s information. But it treats big businesses differently from smaller ones.
To be considered a big data holder under these rules, a business needs to meet one of these conditions:
- Make more than $250 million in money every year, OR
- Handle the information of over 5 million people, OR
- Deal with the sensitive information of 200,000 people every year.
So, companies like Facebook and Google, which have tons of users and make lots of money, fall into this category. If they’re under the American data privacy and protection act (ADPPA), they would have to follow extra rules.
These rules might include telling people more about what they’re doing with their data, getting special certifications, and letting outside experts check their practices to make sure they’re being responsible with people’s information.
5. Special Category for Small Businesses
The ADPPA (Assured Data Protection and Privacy Act) has rules for defining small businesses. According to these rules:
- Small businesses can’t be data brokers.
- They should make less than $41 million in a year.
- They can’t handle the data of more than 200,000 people every year.
What’s important here is that there’s no minimum limit for the number of people’s data they handle. Unlike other state privacy laws which might only apply to businesses handling over 100,000 people’s data, the American data privacy and protection act (ADPPA) affects pretty much all kinds of businesses in some way.
Even though there are a few cases where small businesses might not have to follow all the rules of the American data privacy and protection act (ADPPA), most of the important requirements still apply to them.
6. Right to Opt-out of Data Transfer
The American data privacy and protection act (ADPPA) is like other laws that protect people’s privacy when it comes to their personal data. This law gives individuals some special rights. One of the unique rights it offers, which is also found in the CPRA law, is the ability for people to say “no” to their data being given to other companies.
You see, in some other state laws, people can choose to say “no” to their data being sold, but with the American data privacy and protection act (ADPPA) and CPRA, individuals can say “no” to their data being shared with other companies, whether money is involved or not. It’s like an extra layer of control over who gets their personal information.
Amendments to the American data privacy and protection act (ADPPA)
It has gone through some changes in the House committee recently, and I’ll break down what those changes are in simple terms.
1. Enforcement in California: One concern about the ADPPA was that it might conflict with California’s stronger privacy law called CPRA. To address this, they made an amendment that says California’s own privacy authority,
The CPPA (California Privacy Protection Authority), will be responsible for enforcing the ADPPA within California. For other states, the FTC (Federal Trade Commission) or state attorney general would handle enforcement.
2. Private Right of Action: Originally, the bill said that people could take legal action four years after the law passed if their privacy was violated. The change in the committee made it possible for people to sue after just two years.
3. Small Business Exemption: Small businesses with less than $25 million in yearly revenue, fewer than 50,000 people’s data, and less than half of their income from sharing data, are now exempt from private lawsuits related to the bill.
4. Employee Data Exclusions: The bill treats employee data differently from regular consumer data. The committee expanded the list of types of employee data that get special treatment.
5. Age Knowledge for Consumers Under 17: The bill treats children’s data differently from adults’, but only if businesses know that the person is under 17. They changed how businesses define “knowledge” of a consumer’s age under 17 based on the size of the business.
6. Exclusion for Child Protection: An amendment ensures that an organization called the National Center for Missing and Exploited Children can use children’s data legally. This is important for their mission to fight child trafficking, abuse, and abduction.
In a nutshell, the American data privacy and protection act (ADPPA) bill is being adjusted to make sure it works well with California’s privacy law, gives people the right to sue sooner, doesn’t burden small businesses too much, has special rules for employee data, considers the age of consumers, and also keeps an organization working to protect children’s rights.
Criticisms of the American data privacy and protection act (ADPPA)
Different lawmakers have different opinions about whether it’s good or not, focusing on its strengths or weaknesses.
The main issue that critics have is about how the American data privacy and protection act (ADPPA) would be enforced.
The ADPPA says you can take legal action if your privacy rights are violated, but it doesn’t have a strong system in place for making sure the rules are followed.
For example, the GDPR in Europe has special organizations that make sure companies follow the rules and punish them if they don’t. But with the ADPPA, the job of making sure companies follow the rules could fall on either the FTC (Federal Trade Commission) or state lawyers, who have many other things to handle besides just privacy.
The ADPPA also changes how other state laws related to privacy work. It kind of takes over some of them. There was a change made to allow the CPPA (California Privacy Protection Agency) to enforce the ADPPA rules in California.
This was done to make sure that California wouldn’t have weak rules if another law (CPRA) got replaced by the ADPPA. But the ADPPA could also replace laws in other states, including ones with more business-friendly privacy laws like Utah’s. This has made some business-focused lawmakers unhappy.
What’s Next for the ADPPA?
Right now, it has made progress by going through the House committee. They made some changes to it, which were explained earlier.
But it’s not a done deal yet. The bill needs to pass a vote in the House to move forward. If it does get enough votes, it will then move to the Senate. There, it will be looked at by the Senate Committee on Commerce, Science, and Transportation. If this committee likes the bill, they’ll send it for a vote on the Senate floor.
If it manages to pass that Senate vote, it’ll make its way to President Biden’s desk. He’ll then decide whether to approve it and make it a law. So, the whole process involves going through different stages of approval in both the House and the Senate before it can become an official law.
What Are Its Chances?
This law, called the American data privacy and protection act (ADPPA), has made some progress, but it’s not a law yet – it has to go through a lot more steps before that happens.
One big problem is that a senator named Cantwell doesn’t like the law as it is. She’s in charge of a committee that looks at laws like this before they become official.
She’s upset that the law doesn’t have strong ways to make sure people follow it. But if they make the law stricter, it might lose support from both sides of the political spectrum. So, things need to change either in the law or in people’s opinions.
Even though the law isn’t final, it’s still important for people who work with privacy and businesses to understand it. Many people like the idea of this law and want it to become real. Even if it doesn’t become a law, any future laws about data privacy might be similar to this one.
No matter what happens with the law, a company called Osano is there to help businesses follow the rules. They’re keeping an eye on how the law is progressing and any other privacy changes that might affect businesses.
