Recently, a bipartisan coalition in Congress introduced a federal privacy bill, known as the American Data Privacy and Protection Act ("ADPPA"). The bill would, if passed, represent a sweeping change to the privacy landscape with several new requirements that businesses would need to meet. One pivotal provision is the federal privacy policy requirement. Today, the most notable consumer data privacy law is the California Consumer Privacy Act ("CCPA"), which requires privacy policies for doing business with California consumers. And, with California representing such a large consumer base, most businesses have already implemented these privacy policy requirements to maintain access to California consumers. Now, the ADPPA would require every company collecting personal data to have a public-facing privacy policy and for those policies to include certain elements.

Please note that the ADPPA has only passed its first subcommittee and is likely to undergo further amendment as it proceeds through the legislative process. This blog is based on the requirements set forth in the most current version of the ADPPA available at the time of posting.

What provisions must a federal privacy policy include?

The ADPPA's primary goal with its privacy policy requirements is to ensure that consumers know why a business is collecting personal data and what the business intends to do with that data. Coupled with that is a requirement that privacy policies be written in plain English. Many of today's privacy policies are difficult to understand, even for privacy lawyers. And if that is the case, a business cannot expect an average consumer to understand its privacy policy.

Many of the ADPPA privacy policy requirements mirror those already contained in the CCPA. If the bill passes, the ADPPA would require businesses to disclose the following:

  • The categories of information that the business collects;
  • The length of time that the business will keep each category of collected data or disclose the criteria it uses to determine when to delete that data;
  • The names of any third parties to whom the business transfers data;
  • The categories of data that the business transfers to third parties;
  • The purpose of any such transfers to third parties; and
  • A description of how a consumer may exercise her/his privacy rights.

Two additional requirements for large data holders merit mentioning. The ADPPA defines a "large data holder" as a company that annually: (1) has over $250 million in revenue; (2) has collected, processed, or transferred the data of over 5 million individuals; and (3) has collected, processed, or transferred the sensitive data (e.g., SSN, bank account information) of more than 200,000 individuals. Large data holders must keep a running log (on the company's website) of each version of their privacy policy for the preceding 10 years. Large data holders must also include a short-form privacy notice (500 words or less) summarizing their data collection and processing policies; this short-form notice is in addition to the comprehensive privacy policy that the ADPPA would require of all businesses.

Why do the federal privacy policy requirements matter to your business?

Congress' goal in introducing the ADPPA is to create a single set of uniform rules for businesses to follow and, thus, circumvent the patchwork of state requirements in place today. If the ADPPA passes, the federal privacy policy framework will supersede and replace state counterparts. While these changes will not be onerous for those who are already complying with the CCPA, the federal requirements would still demand a fresh look at existing privacy policies.

While the ADPPA is just a bill, it nonetheless represents the strongest effort in years to codify a federal privacy law. With a truncated legislative calendar and some notable skepticism from certain senators, the bill has a long road ahead. Still, this framework, similar to the coming privacy laws in Colorado, Connecticut, and Virginia, is the most likely to command bipartisan agreement. Accordingly, businesses should take note and use the opportunity to take a fresh look at their consumer data collection, use, and sharing policies.
