Earlier this summer, a draft of the American Data Privacy and Protection Act (ADPPA) was released and is making its way through the legislative process. Although any formally proposed legislation will likely vary in some respects, this draft of the ADPPA provides some insight into what can be expected from any upcoming final iterations of the legislation.
The stated purpose of the ADPPA is “to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.” The ADPPA identifies four key components to achieve its purpose: (1) a duty of loyalty; (2) consumer data rights; (3) corporate accountability; (4) enforcement and applicability.
ADPPA outlines a duty of loyalty which is based on data minimization, certain loyalty duties, privacy by design, and loyalty to individuals with respect to pricing. In general, a covered entity shall not collect, process, or transfer covered data beyond what is reasonably necessary, proportionate, and limited to provide or maintain a specific product or service. With some exceptions, ADPPA restricts the collection, processing, and transferring of certain information, including Social Security Numbers, geolocation data, biometric information, and other sensitive personal information.
To be ADPPA compliant, a covered entity must establish and implement policies, practices, and procedures regarding the collection, processing, and transfer of covered data, which adequately safeguard data, mitigate privacy risks, and promote compliance with all applicable privacy laws.
Under ADPPA, a covered entity may not deny, charge different prices or rates, or condition (or effectively condition) the provision of a service or product to an individual on the individual’s agreement to waive any privacy rights guaranteed by the ADPPA.
Included in consumer data rights are: consumer awareness, transparency, individual data ownership and control, right to consent and object, and data protections for children and minors. To support these consumer data rights, ADPPA includes provisions governing third-party collecting entities, civil rights and algorithms, data security and protection of covered data, and opt-out mechanisms.
In addition to recognizing consumer rights and organizations’ duties, ADPPA also establishes certain corporate accountability measures for executives, such as the required designation of at least one corporate privacy officer.
Although it is unclear when the United States will join the growing list of nations with comprehensive privacy legislation on the books, American Cyber Security Management is positioned to assist companies and organizations in proactively assessing and remediating their data privacy and cybersecurity management needs.
To learn more about how ACSM can help your organization, please use our contact page (https://www.americancsm.com/contact-us/) and schedule a free discovery call today.
American Cyber Security Management is a leader in data privacy, cybersecurity, and compliance. Our mission is to help enterprises protect their data from internal and external threats. We offer on-demand assessment, implementation, and sustainability services that focus on privacy and cybersecurity readiness and compliance, risk reduction, and mitigation. https://www.americancsm.com