What is the ADPPA, the upcoming US federal privacy bill?

The ADPPA is a proposed US federal privacy law. While it still needs to pass the full House and the Senate, businesses should consider how they would adapt to the new legislation if it becomes law.

Anthony Woodward

Written by

Anthony Woodward

Reviewed by

Share on Social Media
October 14, 2022
What is the ADPPA, the upcoming US federal privacy bill?

Finding it hard to keep up with this fast-paced industry?

Subscribe to FILED Newsletter.  
Your monthly round-up of the latest news and views at the intersection of data privacy, data security, and governance.
Subscribe Now

With bipartisan support, the American Data and Privacy Protection Act (ADPPA) is out of the U.S. House of Representatives Committee on Energy and Commerce by a vote of 53-2 on July 20, 2022. The bill still needs to pass the full House and the Senate in the coming months, but businesses would do well to consider how they would adapt to the new legislation if and when it becomes law.

What’s in the ADPPA?  

The American Data Privacy and Protection Act is a long-awaited, comprehensive federal privacy law that aims to restrict the collection, processing, and transfer of the personal data of Americans and gives U.S. citizens greater rights over their personal data.

The bill excludes three big data categories: deidentified data, employee data and publicly available information.

How ADPPA protects data

The act would require data collection by businesses and organizations to be as minimal as possible. The bill allows covered entities to collect, use or share an individual’s data only when reasonably necessary and proportionate to a product or service the person requests or to respond to a communication the person initiates. It allows collection for authentication, security incidents, prevention of illegal activities or serious harm to persons, and compliance with legal obligations.

People would gain rights to access and have some control over their data. ADPPA gives users the right to correct inaccuracies and potentially delete their data held by covered entities.

The bill permits data collection as part of research for public good. It allows data collection for peer-reviewed research or research done in the public interest – for example, testing whether a website is unlawfully discriminating. This is important for researchers who might otherwise run afoul of site terms or hacking laws.

How should organizations prepare?

It’s important to consider what controls you’ll need to meet these potential data protection obligations.

The key consideration? Organizations need to know how much data was proportional to collect, and ensure they have a process to minimize its collection, so they can limit it to that which is reasonably necessary.

Organizations also need to be prepared to deactivate (dispose) of data in systems when requested and offer even greater protection to ensure data collected from children or minors stays protected within the organization.

RecordPoint can help

RecordPoint already helps organizations subject to other regulations, including privacy regulation such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). If the ADPPA becomes law, these same solutions will help organizations subject to this new regulation.  

In-place records management  

RecordPoint’s Records365 offers in-place records management to all your data sources, including physical records, allowing you to create an exhaustive data inventory. This allows teams to search and find all records that match a given query, regardless of data source. Because records are managed in-place, your data inventory is always up-to-date and accurate.  

Data categorization  

RecordPoint allows organizations to categorize their data, which means businesses can be confident that when they collect data, they are doing so for an approved purpose, and its collection is reasonable and proportionate to that needed to provide the product or service a person requests. Entities can also use this to categorize data related to minors, enabling specific retention plans in line with the ADPPA regulation.

Data privacy  

RecordPoint's data privacy product can help agencies identify records containing personally identifiable information (PII), understand where it is, and ensure rules are established to keep the data protected. In the context of the ADPPA, this will help entities identify data collected from children or minors and to take steps to secure the data.

Data minimization  

RecordPoint’s data minimization solution ensures data is only retained for as long as required. When agencies are correctly implementing retention plans, they may proactively perform disposition of records that have a prescribed schedule. This reduces the total volume of data that must be reviewed, making sure anything that is held is done so legally and in line with compliance obligations. The identification and remediation of ROT also aids in reducing irrelevant and unimportant records from the overall data corpus.  

While the ADPPA has a way to go until it becomes law, businesses gain other benefits from adopting RecordPoint's Data Trust Platform. In an environment of data chaos, with frequent data breaches and low customer trust, make trust your competitive advantage with our customizable platform.

Discover Connectors

View our expanded range of available Connectors, including popular SaaS platforms, such as Salesforce, Workday, Zendesk, SAP, and many more.

Explore the platform

Protect customer privacy and your business

Know your data is complete and compliant with RecordPoint Data Privacy.

Learn More
Share on Social Media

Assure your customers their data is safe with you

Protect your customers and your business with
the Data Trust Platform.