If passed, the American Data and Privacy Protection Act (ADPPA) will cover almost every US business.
This federal privacy law, which failed to pass last year but is still supported by many US lawmakers, will impose sweeping new requirements on how businesses collect and use personal information.
The ADPPA is arguably tougher than any current US privacy law, and will apply to businesses of all sizes and sectors. Here’s a look at who’s covered by the ADPPA, so you can figure out how to prepare.
Covered data and sensitive covered data under the ADPPA
Before we look directly at who’s covered by the ADPPA, we need to define a couple of terms.
The ADPPA only applies in the context of certain types of information. The main type of information relevant to the ADPPA is “covered data”, defined as:
“…information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual, and may include derived data and unique persistent identifiers.”
Covered data is, essentially, “personal information” or “personal data”: Information that identifies a person, or that is about a person who can reasonably be identified.
Covered data extends beyond the obvious types of information, such as names, addresses, or social security numbers. Other information, such as device IDs, IP addresses, and cookies, can also be covered data.
The following types of information do not count as “covered data”:
- De-identified data (whereas [email protected] is covered data, [email protected] is de-identified data).
- Employee data
- Publicly available information
- Information derived from publicly available information from multiple sources, except sensitive covered data.
The ADPPA also defines “sensitive covered data”, to which special rules apply. There are 16 categories of sensitive covered data, including:
- Government-issued ID numbers
- Health data
- Financial data
- Private correspondence, images, videos, and audio files
- Revealing photos
- Information about minors
- Race, ethnicity, union membership
“Processing” data means doing practically anything with data: Collecting it, storing it, sharing it, or otherwise using data in almost any way.
Covered entities under the ADPPA
The ADPPA applies more broadly than most state privacy laws, which normally only cover businesses that collect a lot of data about people in the state or with high annual turnovers.
The act applies to “covered entities”. The definition of a “covered entity” is quite long, but here’s the starting point:
“…any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data.”
“Determining the purposes and means” is a concept imported from European data protection law. You “determine the purposes and means” of processing data if you decide why and how to process data.
For example, if you want to send your customers a newsletter, this is your purpose (“why”) for collecting their email addresses. The means (“how”) of collecting email addresses might be via a form on your website,
In addition, a covered entity must be:
- Covered by the FTC Act
- A “common carrier” under the Communications Act
These characteristics cover practically any business operating online in the US. Non-profits, government agencies, and some other bodies are excluded.
Service providers under the ADPPA
The ADPPA also covers “service providers”, but different rules apply to these types of companies.
A service provider collects, processes, or transfers covered data on behalf of a covered entity or government entity; and receives covered data from or on behalf of that entity.
This means that a service provider acts under the instructions of a covered entity. So, for example, if you use a company such as Mailchimp to send marketing emails, Mailchimp would be a “service provider” for the purposes of the ADPPA.
Large data holders under the ADPPA
While the ADPPA applies to almost all businesses, there are special rules for “large data holders”.
A large data holder is any covered entity or service provider that, in the previous calendar year:
- Had gross annual revenues of over $25 million.
- Collected, processed, or transferred:
- Covered data of at least 5 million individuals or devices (excluding transaction data), and
- Sensitive covered data of at least 200,000 individuals or devices
Some types of data do not contribute to these thresholds, including:
- Personal email addresses
- Personal phone numbers
- Login data
Obligations under the ADPPA
If you’re covered by the ADPPA, you’ll face many new requirements for processing covered data.
Among many other obligations, covered entities must:
- Only collect the minimum amount of covered data necessary for a specified purpose.
- Not collect sensitive covered data without consent.
- Implement reasonable data security
- Facilitate people’s rights, including the rights to access, correct, and delete covered data.
Large data holders have more extensive requirements, including appointing a data protection officer, conducting data protection impact assessments, and keeping records of how they process covered data.
If the ADPPA passes, the law’s final version might look different from the current bill. However, understanding the bill in its current form will help you prepare for new privacy laws that might emerge at the state or federal level.