What the American Data Privacy and Protection Act Means for the Security Industry


SIA’s Jake Parker Shares Analysis


Originally known as the “three-corners” bill, the American Data Privacy and Protection Act (ADPPA) is significant because it is the first framework for a U.S. national data privacy law that has been developed on a bipartisan basis, albeit only at the committee level so far. The measure was developed jointly by three congressional committee leaders: House Energy and Commerce Committee Chair Frank Pallone (D-N.J.), Ranking Member Cathy McMorris Rodgers (R-Wash.) and the Republican leader on the Senate Commerce Committee, Sen. Roger Wicker (R-Miss.). It was passed by the House Committee on Energy and Commerce in July; however, the likelihood of further action by the full House is not clear, as its path forward is complicated by concerns expressed by House Speaker Nancy Pelosi (D-Calif.) and the California delegation over its preemption of that state’s data privacy laws and by opposition from Senate Commerce Committee Chair Maria Cantwell (D-Wash.).


The scope of the proposal is extremely broad, as it would extend requirements to nearly every U.S. business. ADPPA is dissimilar to the five existing comprehensive state data privacy laws and Europe’s General Data Protection Regulation in significant ways. For example, instead of a consent-based framework, the collection and processing of personal data is permitted based on whether the activity falls within specially defined categories of permissible uses, in an effort to minimize the overall amount of data collected. We were pleased that these categories specifically include physical security, life safety, network security and several other purposes that align with end use of products provided by our industry.

At the same time, there are a number of definitions and requirements that lack clarity and additional restrictions on data transfer that could result in a mixed impact on security technology implementation, depending on the application. Additionally, of great concern both to our industry and to the broader business community is the inclusion of a private right of action for enforcement that is likely to result in abusive lawsuits, only partial state preemption that does not address deeply flawed laws like the Illinois Biometric Information Protection Act and expansive authority provided to the Federal Trade Commission to interpret and create new requirements.

Our Take:

Enactment of a national data privacy framework could provide clear, meaningful and workable data privacy rules at the federal level. SIA advocates for ensuring any framework provides for the continued functionality and effectiveness of safety and security technology applications and the societal benefits that flow from them.

Given the far-reaching impact, it’s important as a nation that we get this right. ADPPA is a good start, but it needs work. It’s also likely to undergo further changes if considered further this year. In any case, many observers view it as the starting point for consideration of national data privacy legislation next Congress, so it’s an issue that industry needs to keep a close eye on.