Common Questions about the American Data Privacy and Protection Act

The draft American Data Privacy and Protection Act (ADPPA) is a landmark data privacy bill that is being considered by the US congress. If ADPPA becomes law, it will have a significant impact on business that operate in the US. While it's being considered, it's worth taking a closer look at its provisions, and giving thought to how this might impact your business if it goes into effect.

Here are a few common questions that businesses are asking about ADPPA:

What is the ADPPA, and what does it cover?

The draft American Data Privacy and Protection Act is a data privacy law that applies to organizations operating in the United States. This includes nearly any organization that collects, processes, or transfers covered data (PII) subject to FTC oversight, as well as nonprofit organizations and common telecom carriers. It also includes data brokers, or “third-party collecting entities” that make most of their revenues by buying and selling PII.

When will ADPPA go into effect?

When, or whether, the ADPPA will go into effect remains to be seen. The Senate could pass the ADPPA and send it to the White House for final approval before the end of 2022.

Who enforces the ADPPA, and what will be the consequences for noncompliance?

The ADPPA, if passed, will be enforced by the US Federal Trade Commission (FTC). The FTC will deem violations of the ADPPA to be unfair or deceptive acts and will have the power to fine violators of the ADPPA up to $46,000 in 2022 (this number is adjusted for inflation each year).

Will the ADPPA affect my company, and if so, what can we do to prepare?

If your company operates in the US and handles the PII of US residents, ADPPA is likely to affect you. The best way to prepare for ADPPA is to make sure that you’re handling sensitive data in compliance with other, existing data protection laws like CCPA and GDPR by following privacy by principles: data minimization, securing sensitive data from theft or misuse, etc. You can also reduce your risk of data breaches as a benefit of preparing for the possible passage of the ADPPA.

Is ADPPA subject to further changes before going into effect?

Yes. Because the US Senate has not passed the bill and sent it on to the White House for approval, it’s subject to further change. In fact, the ADPPA is currently undergoing active review and discussion.

Can my company become “ADPPA Certified”?

No. The current draft ADPPA bill doesn’t include provisions for up-front certification.

The Big Picture on Data Privacy

Regardless of whether the ADPPA becomes US law, there is a growing movement at the state and federal level – not to mention globally – to strengthen regulations around sensitive data. This movement is likely to translate into a federal data privacy law at some point.

In the meantime, companies across the globe that do business in the EU are grappling with how best to comply with GDPR, which has many provisions in common with ADPPA. And US companies are considering how to comply with various state-level data privacy laws, like California’s CCPA and CPRA.

To learn more about the history of data privacy laws and what to expect in the future, see: A Brief History of Data Privacy, and What Lies Ahead. Still have questions? Contact us to learn more.