A bipartisan draft bill has been released outlining US federal standards governing how companies collect, process, transfer and protect data.
A federal privacy bill in the US isn’t anything particularly new. There have been several attempts over the past couple of decades to provide greater protections than those currently afforded under the patchwork of state legislation. But on Friday, a bipartisan draft bill was released that marks one big step closer to federal standards governing how companies collect, process, transfer and protect data.
The draft bill, if enacted, would become the American Data Privacy and Protection Act. The Act, broadly speaking, aims to ‘provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement’.
The 64-page bill introduces many concepts that those familiar with GDPR, CCPA and HIPAA will already be well-versed in, such as the rights to consent and object, access to and deletion of data, data minimization, and the notions of covered data and covered entities. It also explicitly calls for compliance guidelines and programs, privacy by design, the establishment of data security practices, and the creation of a new bureau within the Federal Trade Commission (amongst a host of enforcement measures).
The definition of sensitive covered data alone takes up 2 of the bill’s 64 pages, and we suspect the list is more extensive than most people expected. The Act defines sensitive covered data as any of the following:
Affirmative express consent is one of those things it is difficult to understand why hasn’t existed sooner. It means individuals must affirm their consent through a specific, informed and unambiguous authorization, and it requires entities to make that request in clear and easy-to-understand language. Inferred consent is unacceptable in this regard.
Data minimization, whilst subject to further guidance on definitions, generally means you can’t collect, process or transfer data beyond what is reasonably necessary, proportionate and limited to: providing products or services requested by an individual; communication that is reasonably anticipated in the context of the relationship with the individual; or a purpose expressly permitted by the Act.
Did someone say GDPR? It’s taken years for companies in Europe to enact reasonable and effective data minimization practices, so early communication of guidance on this front along with clear support guidelines and enforcement structures will be key!
Whilst the Commission will issue guidance within one year of the enactment of the Act, this section shouldn’t be taken lightly in the meantime. It is an express requirement and obligation to “establish and implement reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data”.
It goes further to cover that these policies, practices and procedures should mitigate privacy risks to individuals under the age of 17, mitigate privacy risks related to the design, development and implementation of products and services, and include training and safeguards to promote compliance with all privacy laws applicable to the processing of data.
Privacy officers and data security officers would become appointed positions: they must be employees designated to implement and maintain the data security and privacy programs required to safeguard data and comply with the Act. For large data holders (broadly, those with more than $250M in annual revenue that also exceed the bill’s data volume thresholds), there are additional responsibilities relating to privacy impact assessments and annual certifications. The annual certification also needs to be signed off by the CEO or highest-ranking executive or officer.
If GDPR enforcement measures are anything to go by (fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher), and combined with the reputational damage that data breaches cause, CEOs and CISOs will have little choice but to re-examine their entire data security framework, tech stack and policies should this bill be passed.
The requirements for data security and protection of data in the bill are no small feat, and we’ll be watching closely for future guidance from the Federal Trade Commission on this. As a starting point, there is an express requirement and obligation to establish, implement and maintain reasonable data security practices and procedures to protect and secure data. More specifically, and at a minimum, these will need to include:
It should come as no surprise that the data security requirement is close to Metomic’s heart. It’s a problem we see (and solve!) daily, particularly in the context of the explosion of SaaS applications and the deficiencies in existing policies and practices for finding and preventing data breaches without getting in the way of employees doing their jobs. Simple things like ex-employees’ SSNs still floating around Slack, or customer bank details sitting in Intercom or Zendesk, pose business-critical risks to growing organisations every day. Metomic helps you discover and control sensitive data in cloud applications so that you can focus on growing your business.
Get in touch today for a chat with our team and a demo of our product.
Photo by Harold Mendoza on Unsplash