After a flurry of recent lawmaking, America’s perpetually gridlocked Congress is starting to look “strikingly functional”. That includes some progress on the American Data and Privacy Protection Act (ADPPA), which moved through the House committee in July. The ADPPA could finally bring modern privacy protections to consumers in all 50 U.S. states. It's now likely up to next year's Congress to make further progress.
How big a deal is this? Well, one top privacy analyst recently told me he’d peg the chance of the bill’s passage at no better than one in six. Certainly, the ADPPA faces an uphill struggle: industry groups hate provisions enabling consumers to sue over privacy violations, privacy advocates worry the law is weak on enforcement, and California lawmakers fret that a federal law would preempt their own state’s privacy rules.
3 key learnings from the U.S. federal data privacy legislation
Whether or not the ADPPA winds up with Joe Biden’s signature on it, it’s worth watching closely — because it shows the direction in which privacy regulations are now heading. Business leaders should pay close attention. Is your privacy infrastructure is resilient and adaptable enough to cope with the next wave of privacy rulemaking?
Here are three key trends to watch:
- More data is being regulated
The ADPPA casts a broader net than other major privacy rules, in part because it applies to data that identifies, is linked to, or is reasonably linkable to any individual or any device that, in turn, identifies an individual. It should be apparent that “reasonably linkable” is doing a lot of work there — especially because the ADPPA specifies that data’s linkability is assessed in aggregate, meaning that even apparently innocuous data can fall under the law’s auspices if it can plausibly be linked to an individual when combined with other data.
Lawyers can quibble over whether or not that’s a stronger standard than existing regulations, but the ADPPA certainly casts a broad net. The exclusions in the ADPPA also diverge from existing regulations: for instance, employee data is excluded, but only for employers and only for purposes relating directly to the employee’s work for the company.
The trend line is clear: businesses should expect even more of their data to become subject to data privacy regulations in coming months and years. That could force businesses to reassess and rewire data privacy infrastructure in real time as more data falls under regulatory purview, or as the accumulation of data triggers new regulatory oversight.
- A new ethical focus
The ADPPA goes well beyond U.S. state laws and the GDPR in classifying “Sensitive Data” that requires heightened privacy protections. Like state privacy laws, the ADPPA classifies data relating to race, citizenship, religion, health, sexual orientation, and biometrics as sensitive. But it goes beyond some state laws in also classifying web-surfing information as sensitive, along with certain kinds of financial information, communications metadata, and other data types such as location (CPRA regs also make clear that location data is sensitive), skin color, intimate images, video streaming history, calendar and address book information, and more.
That adds up to a real burden for businesses, which will need to develop far more granular ways of cataloging and processing data across their entire ecosystem, from point of collection to point of use and beyond. Existing datasets will need to be restructured, and existing processes will have to be reimagined in order to ensure that sensitive data isn’t inadvertently commingled with other covered or non-covered data types.
But the ADPPA’s broader definition of data sensitivity also speaks to a growing recognition from regulators and lawmakers that consumers now see much of their data as sensitive, and expect businesses to respect their views. Regulators, in other words, are playing catchup with consumer preferences: businesses will need to meet and exceed regulatory standards, and create true ethical standards for data handling, in order to stay ahead of evolving consumer expectations.
- A maximal approach to minimization
The ADPPA goes beyond many existing regulations in requiring companies to anchor data collection and usage in specific approved purposes, and to collect and use only the data that is strictly necessary to those purposes. In other words, the ADPPA requires organizations to clearly articulate a narrowly defined goal before collecting data, to collect the least possible data required to achieve that goal, and to then use the data only for that specific purpose.
That’s a big deal because most organizations currently lack infrastructure designed to enable purpose-driven privacy management across the entire data lifecycle. Even if companies articulate a purpose in the moment of data collection, few anchor specific bits of data in their original purpose, or use that to determine how data is subsequently used, stored, or shared.
It’s easy to see which way the wind’s blowing: in future, many companies will need to significantly rebuild their data systems to put purpose at the center of their data handling — and also to dynamically apply purpose-based policies differentially across their datasets, depending on a given piece of data’s type and sensitivity. That’s a complex and fluid process that will require flexible, tech-forward, and highly automated data management tools.
Above all: enduring complexity
As these trends make clear, businesses that are hoping that a federal privacy law would make data privacy compliance simpler should think again. The ADPPA as currently written will leave California’s “privacy police,” the California Privacy Protection Agency (CPPA), in place, and will newly empower them to enforce the ADPPA’s provisions. Even with a federal law, businesses will face a complex network of different privacy requirements, and continuing uncertainty about what’s allowed and what isn’t in any given jurisdiction or geography.
More broadly, though, the ADPPA would deepen as well as broaden the privacy rulebook. As privacy regulations evolve, new kinds of data will need to be managed in new ways, and new requirements such as end-to-end purpose-driven data use will require significant changes to organizations’ existing data infrastructure. Along the way, regulators will continue to align with shifting consumer expectations around trust and data stewardship, placing new demands on businesses that fail to proactively implement ethical data practices.
The ADPPA shows, above all, that privacy compliance is a moving target. Trying to rebuild privacy infrastructure each time a new wave of regulations arrives will prove expensive and ineffective. Programmatic solutions, with data usage anchored in specific purposes across its entire lifecycle, and automated implementation of centrally managed data policies, are the only way to ensure that today’s organizations are ready for what lies ahead.
Will America’s newly functional Congress actually pass a federal data-privacy law? The jury’s still out on that one. What’s clear, though, is that the ADPPA represents the leading edge of global privacy regulation — and companies should act now to prepare for what lies ahead.