The US House Energy and Commerce Committee approved the proposed American Data Privacy and Protection Act (ADPPA) by a 53-2 margin on July 20, 2022. With that vote, the ADPPA has advanced further through the federal legislative process than any previous comprehensive data privacy bill in US history.
Both Republicans and Democrats in the House and the Senate support the bill, and its passage could radically change the privacy landscape in the US. If it is not passed, however, or if its preemption clause is removed, companies doing business in the US will face a highly complex environment to operate in.
If the ADPPA is signed into law with its preemption provision intact, it would largely preempt the state data privacy laws, which means businesses operating in the US would have one data privacy law to comply with instead of separate regulations from each state with differing definitions, timelines, and requirements. A business currently subject to the new Connecticut, California, Virginia, Utah, or Colorado laws would instead need to comply with the single ADPPA. This preemption provision would greatly simplify data privacy compliance in the US.
Preemption is also a significant stumbling block for the ADPPA. Several states, notably California, do not want their laws to be superseded by a federal statute.
As technology advances and data privacy becomes increasingly important to individuals, the states are stepping up to create their own data privacy laws. By the end of 2022, five states had enacted comprehensive data privacy laws. In the first month of 2023 alone, roughly nine state legislatures had filed new data privacy bills. How many will pass is anyone's guess, but at this pace a majority of states could have data privacy laws on the books by the end of 2024.
If the ADPPA does not become law with the preemption provision, what does that mean for businesses? With the prospect of most states having their own (differing) data privacy laws soon, companies collecting personal information will face significantly more complexity and spiraling compliance costs.
Data privacy laws are designed to protect personal information from being misused or mishandled. By granting individuals greater control over how their data is collected, secured, used, and shared, these laws are meant to help ensure that personal information remains secure and that businesses are held accountable for how they handle data.
Consider what this means for an organization collecting personal information. For each individual, it will need to track the individual's state of residence, the consent that was received and when it was received, the applicable state's rules on how long the data may be retained, and the differing definitions and exemptions in each state's law.
Additionally, each state data privacy law grants specific data subject rights, such as the right to ask the company for the detailed personal information it has collected about them and the right to have that personal information erased, unless another law prevents the erasure (for example, federal data retention requirements in financial services, or a litigation hold). Outside those exemptions, these rights are not best-effort obligations: an organization must fully comply with the request.
Companies will need to invest in new technologies and procedures in order to comply with the various state laws. In addition, they will likely need to hire additional staff to monitor compliance and ensure they follow every applicable law. Implementing such measures will be expensive, especially for small businesses.
These new data privacy laws also include data security requirements. Meeting them could mean implementing additional security measures such as encryption (which one would hope is already in place), multi-factor authentication or, eventually, zero-trust architectures. It will also ultimately mean providing more transparency into how customer data is used.
Furthermore, businesses will face greater legal liability if they fail to comply with state-level data privacy laws. Companies found in violation could face fines, civil penalties, or even criminal charges brought by the state attorneys general. This could result in a significant financial hit as well as bad publicity, especially for companies that are not prepared for such an eventuality.
Finally, businesses that fail to comply with state-level data privacy laws will also suffer a loss of customer trust. As customers become more educated about how their data is used, they may be less inclined to trust a business if they feel their data is not adequately protected. This could lead to a loss of existing customers and a decrease in overall sales and profits.
Overall, if each state passes its own data privacy law and the federal ADPPA is either not enacted or is enacted without preemption, the consequences for businesses could be significant. Companies will no doubt face increased compliance costs, stricter regulations, greater legal liability, and a loss of customer trust if they are not in compliance with the law.
As such, businesses should prepare for these potential outcomes now and ensure they comply with every data privacy law that applies to them. Doing so helps keep their data secure and keeps their customers confident in their data privacy practices.