Proposed Federal Privacy Act – 5 Key Impacts on Your Privacy Program, David Manek, Kenric Tom | Ankura


The latest proposed federal privacy law, the American Data Privacy and Protection Act (“ADPPA”), continues to gain momentum: in late July 2022, the House Committee on Energy and Commerce voted to move the bill forward in the House.[1] This is the first time that a comprehensive privacy bill will be made available for a full vote in either the House or the Senate.[2]

The purpose of this article is to identify a set of example requirements in the ADPPA that may require organizations to modify or improve their data privacy programs. We should know later this year whether the ADPPA will become a reality, and understanding the potential impact now will allow organizations to be better prepared.

  • Sec. 301. Executive Responsibility – A large data holder is defined as an entity generating $250 million in revenue and processing the covered data of 5 million individuals. Large data holders will be required to certify annually to the Federal Trade Commission (“FTC”) that the organization maintains both 1) internal controls reasonably designed to comply with the ADPPA and 2) internal reporting structures to ensure that the certifying senior executive is involved in and accountable for decisions that impact compliance by the large data holder.
    • Analysis: We anticipate that where an internal audit function exists within a large data holder, that function will be heavily involved in evaluating the organization’s privacy program, and data privacy will be included in internal audit’s annual audit plan. In coordination with the internal audit function, most large data holders will likely rely on third-party assessments to support the annual certification process.
  • Sec. 208. Data Security and Protection of Covered Data – Section 208 requires organizations to “dispose of Covered Data in accordance with a retention schedule which shall require deletion of Covered Data when such data is required to be deleted by law or is no longer necessary for the purposes for which the data was collected. …”
    • Analysis: Prior privacy laws such as the General Data Protection Regulation (“GDPR”) and the California Privacy Rights Act (“CPRA”) reference the importance of deleting personal information when that data is no longer necessary to support the purpose for which it was collected. Neither the GDPR nor the CPRA, however, specifically mentions that covered data must be disposed of in accordance with a “retention schedule”. Organizations will need to modernize their retention schedules and operationalize record retention and data disposition activities in order to comply with the ADPPA.
  • Sec. 202. Transparency – Section 202 includes several requirements related to the content of the privacy policy, the clarity of the privacy policy, and the process for notifying individuals of subsequent changes.
    • Content of a privacy policy – A Covered Entity or Service Provider must have a privacy policy that includes “the length of time the Covered Entity or Service Provider intends to retain each category of Covered Data, including Sensitive Covered Data, or, if that time period cannot be identified, the criteria used to determine the length of time the Covered Entity or Service Provider intends to retain the Covered Categories of Data.”
      • Analysis: This same language exists in the CPRA and has led many major brands to focus on large-scale data deletion. The additional language of Section 202 relating to the content of a privacy policy also includes the same categorical requirements found in the California Consumer Privacy Act (CCPA), which have led organizations to include graphics in their privacy policies showing the categories of personal information collected, the business purpose for each category collected, and whether it is sold. Interestingly, the ADPPA ties the use of the term “retention schedule” to the privacy policy disclosure of the retention period and implies that organizations must actually delete the data. Given the lack of progress many organizations have made in this area, combined with the difficulty of implementing a well-managed records management program, this could very well be an easy area to enforce.
    • Changes to privacy policies and notification: “If a Covered Entity makes a material change to its privacy policy or practices, the Covered Entity must notify each Affected Individual of such material change prior to implementing the material change with respect to Covered Data collected prospectively. and…provide a reasonable opportunity for each individual to withdraw consent.” A large data holder must also retain prior versions of its privacy policy under this law and publish them on its website, and must make available to the public, in a clear, conspicuous and easily accessible manner, a log describing the date and nature of each material change made to its privacy policy during the last 10 years.
      • Analysis: Implementing these requirements is relatively straightforward. For example, an organization can send an email notifying its customer base of privacy policy changes. Likewise, historical privacy policies can be retained and linked from the primary privacy policy. We highlight this because such language is not found in the CCPA or GDPR.
    • Clarity: In addition to the Section 202 privacy policy requirements (there is a long list of requirements in Section 202, similar to GDPR and CCPA requirements), a large data holder that is a Covered Entity “must provide a brief notice of its covered data practices in a manner that does not exceed 500 words.”
      • Analysis: No explanation is needed here. We believe this is a good step forward both for the consumer and, separately, for companies focused on the privacy principle of transparency and on streamlining their privacy program vision.
  • Sec. 103. Privacy by Design – Policies, Practices and Procedures – “A Covered Entity and Service Provider shall establish, implement and maintain reasonable policies, practices and procedures that reflect the Covered Entity or Service Provider’s role in the collection, processing and transfer of Covered Data and which… mitigate privacy risks, including substantial privacy risks, related to the Covered Entity’s or Service Provider’s products and services, including in the design, development and implementation of such products and services…”
    • Analysis: We anticipate that organizations will need to introduce development lifecycle procedures and workflows to govern their privacy-by-design practices. We have already helped many clients in this area as part of their GDPR/CCPA/CPRA modernization efforts; however, the language regarding privacy-by-design requirements in those earlier regulations was not as specific as what we see in the ADPPA.
  • Other notable items included in the ADPPA:
    • Privacy Impact Assessments are covered: Impact assessments were largely born out of GDPR, and most U.S. state laws slated to take effect in 2023 have a similar requirement. As such, organizations should already be well underway in developing a repeatable PIA process.
    • Permitted purposes: The ADPPA includes a section titled “Permitted Purposes” which lists a set of purposes for which a Covered Entity may collect, process or transfer Covered Data. This list of permitted purposes is very similar to what we see in the GDPR as the legal bases for processing. For example, permitted purposes under the ADPPA include collecting data to complete a transaction, comply with a legal obligation, and conduct scientific research. The ADPPA list goes on to include items related to performing a product warranty and performing a product recall.
      • Analysis: Privacy professionals who have previously developed a register of processing activities in accordance with Article 30 of the GDPR, in which a legal basis is assigned to each processing activity, will likely need to do the same under the ADPPA by assigning a permitted purpose to each record in a U.S.-centric data inventory. We can envision a scenario where regulators request this information as part of an enforcement action.
  • Sec. 208. Security and data protection: The ADPPA is more specific than previous data privacy laws in terms of what a security program must include. For example, the ADPPA includes requirements related to vulnerability assessment, preventive and corrective actions, and evaluation of those preventive and corrective actions.

We would be encouraged to see the ADPPA adopted so that our clients have a common set of requirements to follow. If the ADPPA is enacted, rather than chasing the requirements of each additional new state law, organizations can focus on higher-level activities such as developing programs to delete personal information at scale. Such programs require heavy investment, but deletion programs are one of the few areas that measurably reduce both privacy and cyber risk.

[1] https://docs.house.gov/meetings/IF/IF00/20220720/115041/BILLS-117-8152-P000034-Amdt-1.pdf

[2] https://iapp.org/news/a/american-data-privacy-and-protection-act-heads-for-us-house-floor/
