The US Data Privacy and Protection Act is a bipartisan federal data privacy law that is gaining momentum and could have significant implications for businesses when signed into law.
The ADPPA establishes personal data handling requirements for businesses, nonprofits, and common carriers, such as limiting data collection and processing to what is necessary to provide a specific service. The bill also prohibits companies from transferring personal data without the explicit consent of the consumer and requires consumer opt-in for targeted advertising.
In addition, the bill targets data algorithms, requiring businesses to provide an outline of how their algorithms work and what data the algorithms use.
Forrester Research analyst Stephanie Liu said the US House Committee on Energy and Commerce passed the bill in July, which is the farthest a privacy bill has gotten at the federal level.
Liu said it is important that the bill is both bipartisan and bicameral as it goes to the floor of the House for consideration.
“When you get that collaborative approach right off the bat, I think it gives a very strong starting point,” she said.
Dealing with data privacy
Constellation Research vice president and analyst Liz Miller said ADPPA finds and codifies common ground between organizations that need to access data and provide data to consumers.
“It doesn’t set a hard and fast line of what privacy is, what data is, how it is protected, what the implications are,” Miller said. “It’s really, how we allow the average person to clearly understand and determine what is and what is not private, and it gets everyone on the same page.”
ADPPA addresses everything from data capture and processing to algorithmic pitfalls, such as bias in hiring and loan approval.
According to the bill, any holder of big data using an algorithm that could potentially cause harm to a person must conduct an impact assessment of the algorithm based on the methods of the algorithm, its purpose and proposed uses, what data the algorithm uses, what information it describes, and the algorithmic output.
Forrester’s Liu said the bill also addresses data storage.
Referring to the 2021 T-Mobile data breach, where a cybercriminal accessed the personal information of millions of consumers, Liu explained that a significant portion of that data belonged to consumers who were no longer T-Mobile customers. The company stored that personal data for years “without any commercial purpose,” she said.
“As data breaches become more and more frequent, I think this is going to be a growing problem,” Liu said. “So I love the rights that [the ADPPA] consumers, but I like that it trumps those data storage requirements and algorithms.”
How will it affect businesses
Liu said many companies could be affected by a bill like the ADPPA because there are some exemptions for businesses covered in the bill text.
The bill requires companies to know which of their customer data is with third parties. Liu said the bill also means that companies will have to seek permission from consumers to share sensitive data such as browser history and geolocation data with third parties. This means businesses will need to find ways to be transparent with consumers about their data processes, as well as consider strategies focusing on how to persuade consumers to share their data with the company, she said.
Along with the data privacy guidelines that a bill like the ADPPA lays out, Constellation’s Miller said it’s time for businesses to begin negotiating a cross-functional, “organizationally embraced” data privacy strategy focused on collecting and using only the data required from consumers.
“Privacy isn’t about taking all the data and then securing it,” Miller said. “It’s not privacy – it’s security.”
Even as regulatory approaches to data privacy such as the ADPPA make their way into Congress, tech companies such as Google, Meta and Apple have begun to limit companies’ abilities to track users and collect data, which Liu said is a sign of a change in business data collection practices.
“The writing is on the wall for the days of background data collection, when you could easily follow someone on websites, on apps, collect their data, and sell their data,” Liu said. “It is very clear from both a regulatory standpoint and a technical standpoint that those days are numbered.”
Exemption for government agencies
Miller said there aren’t many exemptions for businesses under the bill, but government entities such as boards, authorities, commissions or agencies are exempt from ADPPA requirements. This means that government agencies will be allowed to collect, process, transfer and share data with third parties.
“Government agencies sit completely outside this law,” she said.
Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.