Bi-Partisan US Federal Privacy Bill ADPAA Gains Momentum
- Prohibition on targeted advertising to individuals under the age of 17
- Consent for data transfer required from the individual or a parent or guardian if the individual is between 13 and 17 years of age
Â
Title III â Corporate Accountability â under this section, entities considered large data holders will be subject to broader requirements intended to ensure compliance and increase transparency:
Â
- Annually attest compliance with the act by the chief executive officer, privacy officer and security officer, ensuring internal controls and reporting structures that certifying officers are involved in, and responsible for, decisions impacting compliance
- Biennial Privacy Impact Assessments must be conducted to weigh the benefits of the large data holderâs covered data collecting, processing and transfer practices against potential adverse consequences to individual privacy
- Technical compliance programs specific to any technology, product, service or method used by a covered entity to collect, process or transfer covered data shall be evaluated through a process determined by the commission, the details of which shall be made publicly available to any individual whose covered data is subject to the solutions
Â
Finally, Title IV outlines Enforcement, Applicability and Miscellaneous provisions. Highlights include:
Â
- The FTC will establish a new bureau concerning consumer protection and competition to enforce the act no later than one year after enactment
- An Office of Business Mentorship shall be established with the bureau to provide compliance guidance
- Establishment of a âVictims Relief Fundâ
- Enforcement by state attorneys general
- Private right of action
- Right to Cure (45 days)
Â
The ADPPA shall preempt state privacy laws with the exception of the Illinois Biometric Information Privacy Act and Genetic Information Privacy Act, Section 1798.150 of the California Civil Code (security provisions of CPRA) and other laws that solely address facial recognition, unsolicited marketing, health information and/or confidentiality of library records. Nor does the proposal change obligations of a covered entity under the Childrenâs Privacy Protection Act of 1998 (COPPA).
Â
Â
What Comes Next?
The bill will progress according to standard congressional process. As thereâs sure to be debate and edits to the current draft, itâs unlikely the bill will pass before the end of the current congressional session. Whether this bill or another, a federal privacy law will eventually unite the patchwork of U.S. privacy legislation under a cohesive, comprehensive consumer data protection law.
Â
Â
How to Prepare?
As federal and state privacy legislation continues to be debated, there are several steps companies can take to position themselves well for the future:
Â
- Monitor and assess privacy practices against current and forthcoming state laws â the clock is already ticking for California, Virginia, Colorado, Utah and Connecticut. Ensure your company is in compliance as the enforcement dates come to pass
- Incorporate industry best practices â assess your companyâs readiness against common threads across U.S. and international privacy laws. Support for the individualâs (data subjectâs) privacy rights, impact assessments and applying privacy principles (such as purpose limitation, data minimization and accountability), as well as implementing Privacy by Design, will put your company in a strong position to respond as more individuals realize data privacy rights and protections
- Start small â donât have a privacy function or program in place? Itâs okay. There are steps to take at any point in your companyâs privacy journey to increase and right-size privacy protections for the individuals whose data you collect to prepare for the next evolution of legislation â whether that be at the state, sector or federal level
Â
If you have questions about this draft legislation and how it might affect your organization, please drop us a line.
Gloss