The American Data Privacy and Protection Act (ADPPA) represents a significant legislative effort to establish a comprehensive framework for protecting consumer data privacy in the United States. Introduced in 2022, the ADPPA aims to give individuals greater control over their personal information and increase transparency regarding data collection, usage, and sharing by businesses[1].

Key Provisions of the ADPPA

    1. Enhanced Individual Rights - The ADPPA empowers individuals with rights to access, correct, and delete their personal data held by companies. It also introduces stricter consent requirements, ensuring that companies obtain explicit and informed consent from individuals before collecting their personal data[1].

    2. Limitations on Data Sharing - The legislation places stringent restrictions on the unauthorized sharing and sale of personal data to third parties without explicit consent, aiming to curb the prevalence of data brokerage[1].

    3. Data Security Requirements - The ADPPA requires companies to implement robust security practices to protect personal data against unauthorized access, thereby enhancing data security and imposing a significantly higher "Duty of Care"[1][18].

    4. Privacy by Design - Covered entities are required to implement reasonable policies, practices, and procedures for collecting, processing, and transferring covered data, taking into account the entity's size, complexity, and the types of data engaged with[17].

    5. Transparency and Accountability - The act requires covered entities to provide privacy policies detailing their data collection, processing, transfer, and security activities in a readily available and understandable manner. It also mandates the disclosure of any data transfers to certain foreign countries[17].

Implications for Cybersecurity and Data Privacy

The American Data Privacy and Protection Act (ADPPA) has several implications for cybersecurity, primarily by setting forth requirements for data security and establishing practices that covered entities must adhere to in order to protect personal data from unauthorized access and cyber threats[15].

Data Security Requirements

The ADPPA mandates that covered entities implement and maintain reasonable administrative, technical, and physical data security practices to protect and secure personal data against unauthorized access and breaches[15]. This includes:

  • Risk Assessments - Entities must conduct regular risk assessments to identify potential vulnerabilities in their data processing systems[1].

  • Data Minimization - The act encourages data minimization, meaning entities should only collect and retain the minimum amount of personal data necessary for the purposes for which it is processed[15].

  • Privacy by Design - The ADPPA introduces the concept of 'privacy by design', which requires entities to integrate data privacy and security into their business practices and system designs from the outset[15][17].

Enhanced Consumer Rights

The ADPPA enhances consumer rights, indirectly impacting cybersecurity by giving consumers more control over their data and requiring entities to be more transparent and accountable in their data handling practices[15]. This includes the right to access, correct, and delete personal data and the right to data portability.

Third-party and Vendor Management

The act also addresses the security of data shared with third parties. It requires covered entities to ensure that third-party service providers who access or process personal data on their behalf maintain the same data protection and security level as the covered entity[15].

Civil Rights and Algorithms

The ADPPA prohibits covered entities from processing information in ways that discriminate against individuals. This includes ensuring that algorithms and automated decision-making processes do not result in unfair or biased outcomes[1]. This may require entities to implement additional cybersecurity measures to monitor and audit algorithms for discriminatory effects.

Implications for Cybersecurity

  • Increased Security Measures - Organizations must enhance their cybersecurity measures to comply with the ADPPA's data security requirements, potentially leading to increased investment in cybersecurity infrastructure and services[15].

  • Greater Accountability - The act holds entities accountable for the security of personal data, which may lead to more stringent cybersecurity policies and procedures[15].

  • Compliance Complexity - The ADPPA introduces new compliance challenges for businesses, as they must navigate and adhere to the act's requirements, which may necessitate changes to existing cybersecurity practices[15].

The American Data Privacy and Protection Act would significantly impact cybersecurity by imposing strict data security requirements, enhancing consumer rights, and mandating accountability for data protection throughout the data lifecycle. These provisions strengthen the cybersecurity posture of entities handling personal data and protect individuals' data.

Citations:

[1] https://shardsecure.com/blog/understanding-adppa

[2] https://epic.org/issues/privacy-laws/united-states/

[3] https://crsreports.congress.gov/product/pdf/LSB/LSB10776

[4] https://www.sidley.com/-/media/files/publications/2014/11/the-privacy-data-protection-and-cybersecurity-la__/files/united-states/fileattachment/united-states.pdf

[5] https://www.govtech.com/policy/a-review-the-american-data-privacy-and-protection-act

[6] https://termly.io/resources/articles/us-federal-data-privacy-law/

[7] https://www.varonis.com/blog/us-privacy-laws

[8] https://www.osano.com/articles/data-privacy-laws

[9] https://www.congress.gov/bill/117th-congress/house-bill/8152

[10] https://www.paulweiss.com/practices/litigation/cybersecurity-data-protection/publications/the-year-that-was-key-cybersecurity-and-privacy-developments-in-2023-and-issues-for-2024?id=49630

[11] https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2024/

[12] https://www.brookspierce.com/publication-u-s-privacy-law-outlook-whats-on-the-horizon-in-2024

[13] https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/

[14] https://www.brookings.edu/articles/examining-the-intersection-of-data-privacy-and-civil-rights/

[15] https://www.forbes.com/sites/conormurray/2023/04/21/us-data-privacy-protection-laws-a-comprehensive-guide/?sh=58d12c865f92

[16] https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20240116-2024-privacy-law-preview

[17] https://www.commerce.senate.gov/services/files/9BA7EF5C-7554-4DF2-AD05-AD940E2B3E50

[18] https://www.wolfandco.com/resources/blog/in-depth-look-american-data-privacy-protection-act/

[19] https://therecord.media/state-privacy-laws-big-tech-lobbying-report

[20] https://iapp.org/news/a/reframe-data-privacy/