ADPPA Regulation

Centro Studi Privacy - ADPPA disclaims all warranties, expressed or implied, with respect to the contents of this material,
including any warranties of accuracy, merchantability, or fitness for a particular purpose. Nothing herein should be construed as legal advice.

Key Concepts: ADPPA vs. GDPR

1. Covered Data vs. Personal Data

Covered data in the ADPPA is defined as information that identifies or is linked or reasonably linkable to individuals, but excludes de-identified data, employee data, and publicly available information. In the GDPR, personal data is any information relating to an identified or identifiable natural person.

2. Individuals vs. Data Subject

Individual refers to the person to whom the covered data relates, so it is comparable to the GDPR term data subject.

3. Covered Entities vs. Data Controllers

The role of a covered entity under the ADPPA is comparable to the role of a controller under the GDPR.

4. Privacy Policy vs. Data Protection Declaration

Covered entities and service providers are required to provide a privacy policy. The required information largely corresponds to that required under Art. 13/14 GDPR.

American Data Privacy Protection Act, what’s new now?

Data protection key definitions
Data protection key principles
Invasive processing of personal data
Protection of minors
Data security practices
Consumer data rights
Enforcement

Read and compare the changes

An in-depth comparison between ADPPA (American Data Privacy and Protection Act) and the CALIFORNIA PRIVACY LAWS*
*CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act)

Result of comparison:
The right of action set out by the CCPA has a narrower application than the ADPPA right of action.
ADPPA:
  • Delayed private right of action, which would go into effect two years after the ADPPA is enacted. The ADPPA will grant the right to seek compensatory damages, injunctive or declaratory relief for certain violations of the Act in federal court.
  • Individuals would be required to notify the FTC and state AGs of their intent to bring action. The FTC or state AGs would have 60 days to decide whether to intervene in the suit. Prior to filing suit against small data holders or for injunctive relief, an individual must provide the covered entity with 45 days’ written notice identifying the alleged violations. Covered entities would be provided with 45 days to cure the alleged violation.
  • Individuals would not be permitted to bring an action against a covered entity that: has less than $25 million in annual revenue; collects, processes, or transfers the covered data of fewer than 50,000 individuals; or derives less than 50% of its revenue from transferring covered data.
California privacy laws (CCPA/CPRA):
  • Individuals may exercise a private right of action only in case of data breaches caused by businesses. The ADPPA does not preempt the above-mentioned right.

Result of comparison:
The ADPPA has a wider application (nationwide) and enforcement through the FTC Bureau, the AGs and national privacy protection agencies. California law generally applies locally.
ADPPA:
  • The ADPPA would be enforced by a new FTC bureau and state attorneys general (AG) or, in the case of California, the California Privacy Protection Agency. State AGs would be required to notify the FTC prior to initiating a civil action so the FTC may intervene.
California privacy laws (CCPA/CPRA):
  • The California Privacy Protection Agency (CPPA) enforces the law and issues regulations.
  • The CPPA can obtain statutory civil penalties.
  • The Chief Privacy Auditor will audit businesses to ensure compliance with the law.
  • Violations of the CCPA can also be enforced by over 60 district and city attorneys.

Result of comparison:
Quite similar.
ADPPA:
  • The ADPPA would grant individuals certain rights. Specifically, under the ADPPA, individuals would have the right to request: (1) access to covered data collected on the individual’s behalf; (2) correction of any inaccuracies in the individual’s covered data; (3) deletion of covered data obtained about the individual and notification to any third party or covered entity to which such data was transferred of the deletion request; (4) data portability; (5) to withdraw affirmative express consent that was previously provided; and (6) to opt out of transfers of covered data and targeted advertising.
California privacy laws (CCPA/CPRA):
  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

Result of comparison:
Quite similar, although in the ADPPA there is no specific provision concerning the submission of Privacy Impact Assessments to Federal/National authorities.
ADPPA:
  • Large Data Holders are required to perform a Privacy Impact Assessment biennially in addition to the algorithmic assessment as detailed before.
California privacy laws (CCPA/CPRA):
  • Businesses are required to perform regular risk assessments (also in compliance with any regulations issued on the topic and according to the CCPA). The assessment must balance the benefits of their data processing against risks to consumers.
  • The risk assessments must be submitted to the CPPA.

Result of comparison:
Quite similar (except for the fact that the ADPPA requires a specific figure to certify compliance with the ADPPA).
ADPPA:
  • Covered entities are required to implement reasonable administrative, technical, and physical data security practices and procedures against unauthorized access and acquisition of covered data.
  • Large data holders must perform specific audits on data protection matters (at least every 2 years) in order to demonstrate compliance with all relevant privacy laws. Such reports must be kept available for the FTC upon request.
  • An executive must certify the compliance of the covered entity with the Act.
California privacy laws (CCPA/CPRA):
  • Businesses must implement reasonable security procedures and practices according to the nature of the personal information to protect from unauthorized or illegal access, destruction, use, modification, or disclosure.
  • No specific provisions concerning general assessment on privacy issues, but only provisions related to cybersecurity aspects.
  • No specific provision on such issue.

Result of comparison:
The ADPPA sets out stricter criteria and requirements when processing personal data of minors.
ADPPA:
  • Information concerning individuals under the age of 17 is generally identified as sensitive data when the covered entity knows the age of the individual.
  • Targeted advertising is prohibited with respect to such minors.
  • Prior consent is required for data transfer to third parties.
California privacy laws (CCPA/CPRA):
  • Selling kids' and teens' personal data is prohibited, unless specific consent has been provided by parents or by individuals (aged between 13 and 15).

Result of comparison:
The ADPPA provides higher standards of protection when an algorithm is involved in the processing of covered data.
ADPPA:
  • Large data holders must carry out a yearly assessment of their data processing and of the use of algorithms in connection with the respective data processing, if applicable, and provide this assessment to the FTC.
  • The assessment must highlight the bias as well as the risk of discrimination related to the use of algorithms.
  • Covered entities must also include an assessment concerning the impact of the algorithm on covered data during its design phase.
California privacy laws (CCPA/CPRA):
  • No specific provision concerning the implementation of an impact assessment on algorithms.

Result of comparison:
The ADPPA establishes a higher standard of protection against discriminatory processing.
With reference to automated decision making, the ADPPA and California privacy laws are quite similar.
ADPPA:
  • Prohibits covered entities from intentionally collecting, processing or transferring personal data in a way that leads to discrimination against consumers on the basis of ethnic origin, race, color, religion, sexual orientation or disability.
  • Exempts self-testing and DEI programs.
  • No specific provision on automated decision making (the general prohibition of discrimination applies).
California privacy laws (CCPA/CPRA):
  • No specific provision on discriminatory processing in either the CCPA or the CPRA.
  • The CPPA has the possibility to issue specific regulations concerning rights related to automated decision making (e.g. opt-out right or right of access).

Result of comparison:
Quite similar.
ADPPA:
  • Covered entities are required to provide a privacy policy with some mandatory information. Any material change of a privacy policy triggers the obligation to notify the affected individuals and provide the opportunity to withdraw consent to materially different processing.
  • The privacy policy must also disclose any transfer of personal data outside the US.
  • Covered entities must provide notices in all the languages used for performing the service required. The same rule applies to the FTC when issuing guidelines on topics related to data protection.
California privacy laws (CCPA/CPRA):
  • Covered entities are required to deliver information notices that meet certain standards. According to the CCPA, some regulations could be issued in order to allow easier understanding by consumers.
  • Notices must be available in the language primarily used to interact with the consumer.
  • The statute grants the CPPA rulemaking.

Result of comparison:
The ADPPA provides a higher standard of protection, as it establishes a detailed list of privacy-by-design requirements to be implemented, with particular focus on certain categories (e.g. individuals under age 17).
ADPPA:
  • Covered entities are required to implement reasonable administrative, technical, and physical data security practices and procedures against unauthorized access and acquisition of covered data. The ADPPA also provides a list of specific data security practices to be implemented as a minimum.
  • As part of the requirements for privacy by design, covered entities must establish policies, practices and procedures to address privacy risks and implement training and safeguards (with particular regard to individuals under age 17).
California privacy laws (CCPA/CPRA):
  • Absence of a specific provision on such principle.

Result of comparison:
Quite similar.
ADPPA:
  • Prohibition concerning deceptive advertising.
  • Covered entities may offer incentives to individuals in order to participate in market surveys or loyalty programs. However, they cannot condition or deny a service/product due to the exercise of the individual’s right of cancellation.
California privacy laws (CCPA/CPRA):
  • Prohibition concerning deceptive advertising.
  • Businesses are prohibited from discriminating against consumers in relation to the exercise of their privacy rights.
  • Businesses can offer individuals “financial incentives” as compensation for processing their personal information.

 

Result of comparison:
The protection provided by the ADPPA is higher than the one set out by California privacy laws.
This is because ADPPA restrictions apply in all circumstances (not just for inferring characteristics about a consumer). Furthermore, third-party transfers and the use of a consumer’s browsing history for secondary purposes require a specific opt-in/consent.
Unlike the CCPA, the ADPPA does not allow additional uses with notice and choice.
ADPPA:
  • The above-mentioned data minimization principle has an even stricter application for sensitive data.
  • The term sensitive data covers a wider range of data categories, such as health data, biometric and genetic data and sexual orientation. Government-issued identifiers, financial account numbers, geolocation, private communications, login credentials, calendar information, address book information and private photos/videos are also included in this definition.
  • Race, ethnic origin, religion, or union membership are not considered Sensitive Data.
  • Processing of sensitive covered data is only permitted if strictly necessary for providing a specific product or service requested by the individual or for other permitted purposes (e.g. complying with legal obligations, user authentication, security and fraud prevention, public interest research).
California privacy laws (CCPA/CPRA):
  • A strengthened protection of sensitive data is required only when the purpose of processing consists of “inferring characteristics about a consumer.” In such cases, companies need not seek consent if the processing is necessary for providing a service, for security purposes, for non-customized advertising, internal operations and quality assurance (other exceptions could be implemented by the legislator).
  • In some cases, companies just need to inform consumers with a notice and provide them with an opt-out mechanism.
  • Sensitive personal information includes, inter alia, race, religion, or union membership; communications content; information about sexual behavior; government identifiers; health and financial information; biometric and genetic data; login credentials; location.

 

Result of comparison:
Quite similar.
ADPPA:
  • Third-party collecting entities are covered entities whose principal source of revenue is derived from processing or transferring data that the entity did not directly collect. In addition to the requirements imposed on covered entities, third-party collecting entities would be required to: (i) register with the national FTC register; (ii) place additional notice on their website to inform consumers of their role as a third-party collecting entity; and (iii) respect signals from the “Do Not Collect” registry (deletion of personal data within 30 days).
California privacy laws (CCPA/CPRA):
  • Such third parties must register with the state according to Californian laws.
  • The opt-out mechanism/rule also applies to third parties.
  • As with covered businesses, data brokers must also provide the same “Do not sell or share my information” link.

 

Result of comparison:
Quite similar, although the ADPPA is more detailed and includes more prohibitions for service providers (e.g. the obligation to stop providing the service in case of the covered entity’s infringement).
ADPPA:
  • Service providers can only collect and process personal data for executing the service required and are prohibited from transferring data without opt-in consent.
  • Service providers are prohibited from continuing to provide the service if they know the covered entity infringes the ADPPA.
  • Service providers must receive covered data from a covered entity according to a written contract.
  • No liability of the covered entity if, at the time of transfer, it has no reason to know the service provider was likely to violate the Act.
  • No liability of the service provider for infringements of the ADPPA by the covered entity if it received covered data in compliance with the ADPPA.
California privacy laws (CCPA/CPRA):
  • Prohibition of using personal data except for running the business relationship.
  • Service providers are subject to the same obligations as businesses and must grant an equivalent level of protection from a privacy standpoint.
  • No liability for businesses for service provider violations if, at the time of data transfer, they did not have actual knowledge, or reason to believe, that the service provider intended to violate the Act.

 

Result of comparison:
Quite similar.
ADPPA:
  • Covered data is defined as any information that identifies or is linked/linkable to a natural person. Employee data, de-identified data and publicly available information are out of scope.
California privacy laws (CCPA/CPRA):
  • Personal information is defined as anything that could be linked, directly or indirectly, with a particular consumer or household.

 

Result of comparison:
The requirements established by the ADPPA with reference to data minimization are stricter than the ones defined by California privacy laws.
ADPPA:
  • The ADPPA’s duty of loyalty is focused on data minimization. This duty requires a covered entity to only collect and process the covered data that is reasonably necessary and proportionate to the product or service being provided. Additionally, the ADPPA prohibits or restricts specific covered data practices beyond what is reasonably necessary and proportionate to i) provide a product and/or service requested by the individual, ii) deliver a reasonably anticipated communication, or iii) perform an expressly permitted purpose.
California privacy laws (CCPA/CPRA):
  • The processing of a consumer’s data (collection, use, retention, and sharing) must be necessary and proportionate to achieve the purposes for which it was collected or processed, or for another disclosed purpose that is compatible with the original purpose.

 

Result of comparison:
The ADPPA has a wider scope of application than the CCPA. In fact, the ADPPA applies to any entity (regardless of the CCPA criteria, e.g. annual gross revenue). Some additional criteria are established depending on whether it is a large or small business.
ADPPA:
  • Covered entity is defined as i) the entity or person that alone or jointly with others establishes the purposes and means of collecting, processing, or transferring covered data and ii) that is subject to the Federal Trade Commission Act, the Communications Act of 1934 or is a non-profit organization.
  • An entity that controls, is controlled by, or is under common control with another covered entity is included in the term covered entity (no distinction between legal entities within the same group).
California privacy laws (CCPA/CPRA):
  • Businesses that: i) have annual gross turnover exceeding $25M; or ii) collect personal information of 100,000 consumers; or iii) derive at least 50% of their revenue from selling consumers’ personal information.

 

Changes Made in the AINS to the American Data Privacy and Protection Act (HR 8152)

Download the list of the most significant changes in the American Data Privacy and Protection Act (ADPPA) – July 19th, 2022

The American Data Privacy Protection Act

Section by section summary
