In June, a first draft of the American Data Privacy and Protection Act (ADPPA) seemed to appear out of nowhere. This bill aims to regulate how organizations collect, process, manage and store personal data at the federal level.
Over the next month, the bill underwent so many changes that it was impossible to say with complete certainty what was in it.
Despite time constraints, a flood of stakeholder comments and unexpected congressional opposition, the proposed U.S. Data Privacy and Protection Act continued to move forward.
In late June, the Energy and Commerce Committee formally introduced the American Data Privacy and Protection Act (ADPPA) to the U.S. House of Representatives, marking a major breakthrough in congressional negotiations on data privacy.
The bipartisan bill aims to create a comprehensive national data privacy framework, focusing on a robust set of consumer privacy rights, and is the U.S. equivalent of the GDPR, the European data protection and privacy regulation that has served as the benchmark for privacy.
Today, a new version of the ADPPA has taken shape. This could mean that after decades of inaction, the United States will have a real federal privacy law.
Several California legislators have expressed concern about how the federal bill could undermine the protections of the state’s data privacy law. Anna Eshoo and Nanette Diaz Barragán were the only ones to vote against advancing the bill.
« I recognize that this legislation would be an improvement for much of the country, but I can’t say the same for my constituents and all Californians, » Eshoo said.
The most distinctive element of the new bill is its focus on what is known as data minimization. That is, companies would only be allowed to collect and use user data if it is needed for one of the 17 permitted purposes outlined in the bill, such as authenticating users, preventing fraud and conducting transactions. Everything else is prohibited.
« The reason I really like this bill is that it takes a data minimization approach first, » says Sara Collins, senior policy advisor at Public Knowledge.
However, the Electronic Frontier Foundation (EFF) is disappointed with the latest version of the American Data Privacy Protection Act.
For example, under the current version of ADPPA, the Federal Telecommunications Commission (FCC) would lose the ability to enforce the privacy provisions of the Communications Act of 1934. Yet EFF argues that Congress should not exempt telecommunications companies from the scrutiny of expert federal regulators with in-depth knowledge of the industry.
By Mélissa Walehiane