On July 20, 2022, the House Energy and Commerce Committee (E&C) approved the proposed American Data Privacy and Protection Act (ADPPA) by a 53-2 margin. In a two-decade effort to develop a national security and digital privacy framework, ADPPA represents a huge step forward by Congress to create new protections for all Americans. This is especially true as it comes at a time when five out of the fifty United States (California, Colorado, Connecticut, Utah, and Virginia) have their own data privacy laws.
While we're still researching and staying abreast of the information that's readily available, we wanted to keep associations in the loop on what ADPPA is and how it could impact them if passed.
What is ADPPA?
If you're familiar with the European Union's General Data Protection Regulation (GDPR), consider this its U.S.-based equivalent. Its goal is to unify global privacy protections for better harmony.
ADPPA is a proposed federal law, not yet passed, that would require any organization collecting and processing personal data of individuals in the U.S. to provide notice to those individuals. The law applies to both for-profit businesses and non-profit organizations. Basically, if your website targets residents in the U.S., then the data privacy law will apply to your association.
The data covered under ADPPA is broadly defined: it generally covers "any information that 'identifies or is linked or reasonably linkable' to an individual or a device identifying an individual, including derived data and unique identifiers like cookies and IP addresses."
The Act creates a "privacy by design" and data minimization framework, which means that it only allows organizations to collect and use data if the collection falls under one of the 17 permitted purposes of the law.
How could ADPPA affect associations, if passed?
If passed, the ADPPA could change the way associations do business. The Act requires businesses that collect and use personal information to comply with strict privacy rules. This means that associations would need to be more careful about how they collect, store and manage data on individuals, including members and non-members.
The Act would require organizations to provide individuals with greater transparency and control of their personal data. It would do this by providing individuals with the right to access, correct and delete their data, as well as requiring organizations to provide clear notices on how they collect, use and share consumer information. It would also prohibit the sale of children's personal information without parental consent.
Of all the current policies in place, GDPR is the most conservative when it comes to data privacy. Many associations have already complied with the regulations under that policy. As the Act is still being deliberated, take the maximalist approach and make sure your organization complies with GDPR. By doing so, you'll already be ahead of the game if ADPPA passes.