The American Data Privacy Protection Act (ADPPA) is the first nationwide US privacy bill that stands a chance of being legislated and changing the face of the entire US privacy landscape. To date, advocates, academics, nonprofits, and politicians from different schools of thought are still raising various concerns about the bill — specifically, how effective it will be and to which extent it will be enforced.
However, there is a general consensus that when it comes to data minimization regulations specifically, the ADPPA’s proposed guidelines could significantly reshape the processes and procedures businesses will utilize to collect consumer data. But will the data minimization change stop there? We believe the answer is “no” and hope its influence will extend far beyond formal enforcement.
Data minimization garners special attention by lawmakers
Out of all its sections and clauses, data minimization receives special attention from the ADPPA. True, when comparing ADPPA to other privacy regulations, like the GDPR or CCPA, the rigidness of the data minimization section might not seem especially unique. It even provides businesses with a bit more freedom than the elder siblings. But compared to the rest of the privacy regulations in the ADPPA (as it seems to be coming along these days), the data minimization section stands out like a clown at a black-tie wedding.
While many privacy rights sections of the proposed bill are vague or somewhat wishy-washy (which is perhaps the result of the ADPPA being a bi-partisan bill), the data minimization section is stricter and gives less leeway for interpretation or a loophole for minimizing enforcement.
With the bill taking a data-minimization first approach, businesses are only allowed to collect the amount of data they reasonably need and only for a specified set of reasons. This minimizes the risk of individuals’ personal data abuse, whether intentionally or accidentally, by the business itself or an external hacker.
How does this play out?
The ADPPA requires businesses to minimize data collection and use
De facto, this means businesses and other entities are entitled to collect, process, and transfer personal data only to the extent that is necessary and proportionate to their offering, and no more than that. It’s also interesting to note that the ADPPA even goes beyond other laws in this sense, namely the CCPA, and applies these restrictions to nonprofits and small businesses as well (though they do get some exemptions).
As an additional layer of data minimization requirements, the ADPPA prohibits transferring or sharing highly sensitive personal information like social security numbers, biometric information, etc. Any data that is vulnerable and especially susceptible to being maliciously exploited is out of the picture from the get-go. Finally, the ADPPA expands on the restrictions and instructs businesses on what to do to achieve these practices. Things aren’t left to chance. Companies must implement privacy by design principles by putting policies and procedures in place to ensure the implementation of privacy standards across their products and services. These policies and procedures must also have a specific focus on mitigating risks for children under 17 years of age. Large data holders will also be required to provide metrics and reporting and submit an annual impact assessment if they use an algorithm that poses a “consequential risk of harm.” Finally, most businesses will have to submit a biennial privacy impact assessment.
The ADPPA also requires businesses to provide individuals with the ability to access, correct, delete and prevent the transfer of their information, similar to rights offered by the GDPR and the CCPA. This is the final way for the ADPPA to achieve its data minimization goals. Firstly, by instructing businesses what to do. Secondly, by determining how they should do it. Thirdly, democratizing data minimization for consumers by taking some of the control out of the businesses’ hands and letting individuals act as part of the checks and balances system (while doubling as the subjects of interest) to help ensure data minimization.
To drive this point home, the data minimization section even appears under a “Duty of Loyalty,” i.e., data minimization should be engaged in on the basis of trust and transparency. This means that businesses are expected to be able to demonstrate they went the whole nine yards when dealing with personal data.
The 17 permitted purposes of data collection
But there’s more. While data processing is only allowed for “reasonably necessary and proportionate” requirements for providing products or services as requested by the individual, the ADPPA permits collecting data for one or more of seventeen defined purposes. These include performing a transaction, developing or repairing a product or service, and effectuating a product recall, among others.
Compared to other privacy laws, and especially the Californian CCPA (and CPRA), which the ADPPA is often compared to, the ADPPA is more permissive in its data collection use cases. Specifically, the ADPPA is laxer on allowing data collection for advertising and marketing purposes, including targeted marketing.
Does the buck stop here?
ADPPA advocates are trying to push the bill along and get it legislated. They claim that the ADPPA will finally cement a single, cross-USA privacy standard with clear guidelines for data minimization. First and foremost, they argue, this will help the majority of US citizens, those not currently protected by data minimization laws, to enjoy the merits of their data being protected.
But there might be more to ADPPA than just the immediate consequences of enacting the bill. The ADPPA does not have to be the end of the nationwide US privacy debate and journey. Rather, it can be its beginning.
The GDPR and the CCPA each provided local legal requirements and restrictions, but their influence has spread far and beyond. The GDPR inspired global privacy initiatives and regulations in both the public and private sectors. For example, one of the most recent vocal private initiatives was Apple’s requirement that app owners easily enable account deletion.
The GDPR also revolutionized the global debate and raised awareness of the importance of personal privacy. The public sentiment toward privacy is clearly demarcated into two: before the GDPR and after the GDPR.
The CCPA’s legislation and subsequent debates also had a snowball effect. The CCPA is evolving into the CPRA, which in turn is impacting the current ADPPA itself – both in terms of shaping the ADPPA legislation and taking on a role in the ADPPA discussion itself.
For residents of California, the ADPPA in its current form is a step back. It’s no wonder the California Privacy Protection Agency recently voted to oppose the current state of the ADPPA and any bill that preempts the CCPA.
But a nationwide bill beyond its legal implications will almost surely spark a national debate beyond the Californian borders. Such a debate could help raise awareness among US citizens, help remold common data minimization conceptions and redefine how businesses interact with and use their customers’ data. On a global level, the US could help lead the charge for getting awareness among global companies and inspire privacy laws with countries that still haven’t completed this process. While the ADPPA is by no means the first or the most extensive privacy regulation, the US’s global clout is of enough influence on its own to spark ripple effects and changes due to its leading role in the global economic and technical landscape.
There’s also something to say about ADPPA’s relative flexibility compared to the GDPR rigidness. While many voice their concerns that this means businesses will get away with anti-privacy-oriented activities, the ADPPA’s more lenient approach also enables companies to ease into such regulations and implement them stress-free while maintaining a consumer-first approach, rather than operating solely out of fear of being fined. This is especially important for businesses that want to do right by their customer but don’t have a giant legal team or in-house privacy professionals who can help them get all the moving pieces implemented and put together immediately and efficiently. For many, this privacy-first approach is probably new and requires adjustments and getting used to. It will be up to legislators to enforce it and to find the right balance to ensure fines are used as an effective and motivating enforcement strategy.
As the ADPPA is implemented by advocating for consumer protection, there is an opportunity here for forging a new business-consumer dynamic – together. One that is built on trust and doing the right thing, but without the finger-pointing or blame games that might accompany aggressive reforms.
For privacy professionals, the clear federal requirement could even be a significant stepping stone to achieving privacy goals with internal stakeholders instead of them having to fight uphill battles like many have to do today.
What to do today
This data minimization and privacy debate is real, even before (and if) the ADPPA is set in stone. This means its impact is real, and we believe the impact will be augmented as the ADPPA debates become more vocal. From a democratic approach, this is a blessing, as our culture and norms are being molded through the voices of different players. As a business, it’s worth considering how to jump ahead of the game and benefit from the change that is already taking place.
We believe that the players that will enjoy the outcomes of the ADPPA are those that will embrace data minimization and privacy by design principles. The ADPPA will also make it easier for companies to implement standardization practices such as implementing a “golden rule,” a standardized way for handling privacy requests, regardless of geo-location, that can make the privacy rights experience for companies more seamless while taking into account requirements, both from a compliance point of view and as a way to create a sense of trust and transparency with customers.
After all, consumer rights, activism, and privacy regulations aren’t going anywhere (Gartner predicts 75% of the global population will be covered under modern privacy legislation by 2024). Neither are data risks like breaches. Prioritizing data minimization and data governance internally by businesses is the way to go, regardless of external ADPPA circumstances. Companies today can already go above and beyond by implementing customer data minimization. This will show they care about them and their business, regardless of the state they live in or if their representatives voted for or against ADPPA. Last but not least, companies with a privacy-first proactive approach will be better prepared for any privacy regulation or requests that the future holds.