A new US data privacy bill aims to give you more control over information collected about you – and make businesses change how they handle data

Data privacy in the U.S. is, in many ways, a legal void. While there are limited protections for health and financial data, the cradle of the world’s largest tech companies, like Apple, Amazon, Google, and Meta (Facebook), lacks any comprehensive federal data privacy law. This leaves U.S. citizens with minimal data privacy protections compared with citizens of other nations. But that may be about to change.

With rare bipartisan support, the American Data and Privacy Protection Act moved out of the U.S. House of Representatives Committee on Energy and Commerce by a vote of 53-2 on July 20, 2022. The bill still needs to pass the full House and the Senate, and negotiations are ongoing. Given the Biden administration’s responsible data practices strategy, White House support is likely if a version of the bill passes.

As a legal scholar and attorney who studies and practices technology and data privacy law, I’ve been closely following the act, known as ADPPA. If passed, it will fundamentally alter U.S. data privacy law.

ADPPA fills the data privacy void, builds in federal preemption over some state data privacy laws, allows individuals to file suit over violations and substantially changes data privacy law enforcement. Like all big changes, ADPPA is getting mixed reviews from media, scholars and businesses. But many see the bill as a triumph for U.S. data privacy that provides a needed national standard for data practices.

Who and what will ADPPA regulate?

ADPPA would apply to “covered” entities, meaning any entity collecting, processing or transferring covered data, including nonprofits and sole proprietors. It also regulates cellphone and internet providers and other common carriers, with potentially concerning changes to federal communications regulation. It does not apply to government entities.

ADPPA defines “covered” data as any information or device that identifies or can be reasonably linked to a person. It also protects biometric data, genetic data and geolocation information.

a city street view with a young woman looking down at her phone in focus while passersby are out of focus

Protected data includes your location.
Christoph Hetzmannseder/Moment via Getty Images

The bill excludes three big data categories: deidentified data, employee data and publicly available information. That last category includes social media accounts with privacy settings open to public viewing. While research has repeatedly shown deidentified data can be easily reidentified, the ADPPA attempts to address that by requiring covered entities to take “reasonable technical, administrative, and physical measures to ensure that the information cannot, at any point, be used to re-identify any individual or device.”

How ADPPA protects your data

The act would require data collection to be as minimal as possible. The bill allows covered entities to collect, use or share an individual’s data only when reasonably necessary and proportionate to a product or service the person requests or to respond to a…

Access the original article

Subscribe
Don't miss the best news ! Subscribe to our free newsletter :