Currently, the proposed adoption of the first US federal data privacy legislation, the American Data and Privacy Protection Act (ADPPA), is heavily discussed. In our past post, we compared the Act’s scope and principles to those under the EU GDPR. In this post, we will outline which rights the proposed Act confers upon individuals and how your business can prepare to honour individuals’ rights in compliance with the ADPPA.
To help businesses understand the extent of their obligations, the Federal Trade Commission will publish a public web page describing the Act’s provisions in plain language after the enactment of the ADPPA. Among other things, all individuals’ rights shall be listed separately for individuals and covered entities. If the ADPPA is signed into law, you are best advised to carefully check this website to better understand the scope of the rights and the measures necessary to enable their exercise by individuals. Businesses should regularly consult the page, as the Commission will keep it updated with any changes.
Under the heading ‘individual data ownership and control’, the ADPPA groups together several individuals’ rights which businesses have to comply with upon request by individuals. Businesses that already adhere to State privacy legislation and the GDPR are likely familiar with most of these rights.
You must grant individuals the right to access their data which you collect, process or transfer. When receiving such an access request, businesses must provide the data in a human-readable format. Importantly, you do not need to provide access to data processed more than 2 years prior to the request. A similar time restriction cannot be found under the GDPR. The information individuals must be provided with is similar to that required under the GDPR, which however requires more items. Under the ADPPA, you must provide the names of third parties and the categories of service providers which received the data, the sources from which the data was collected and a description of the purposes for which the covered entity transferred the data to a third party or a service provider. Accordingly, to be able to satisfactorily fulfil a data access request, your business needs a good overview of all its data processing operations, the different data flows and the actors involved. Thorough data mapping is crucial!
Individuals further have the right to information prior to the processing of their data, similar to the GDPR. This obliges businesses to draw up comprehensive privacy policies. Information on the required content can be found in our previous post, under the principle of transparency.
As under the GDPR, businesses must equally allow individuals to correct any inaccurate or incomplete data and must instruct any recipients of the data to correct the information as well. You may only refuse such a request if the data cannot reasonably be verified as inaccurate or incomplete. Interestingly, amongst current State legislation, this right cannot be found in the Utah Consumer Privacy Act.
Similarly, businesses must delete the data they process about individuals and notify recipients of the data of such erasure. This right has become known as the ‘right to be forgotten’ under the GDPR. To remain ADPPA compliant, it is crucial that you honour any erasure requests and only reject them when one of the limited exceptions provided applies: erasure would unreasonably interfere with your provision of products or services to another person; the information relates to a public figure; the data is necessary to perform a contract between you and the individual or to comply with a professional ethical obligation; or the data constitutes evidence of an unlawful activity or an abuse of your products or services. At first sight, the right to erasure under the ADPPA seems broader than under the GDPR, as the latter only allows for erasure when one of the conditions of its Art. 17(1) is fulfilled, such as the data processing no longer being necessary for its original purpose. However, in practice, the exceptions to the right under the ADPPA will require erasure in similar situations. When receiving an erasure request, it is important that you carefully consider whether the processing of this data is really necessary to provide your service to the individual or another individual. If not, you most likely have to comply with the erasure request.
You must further export data to the individual or directly to another entity in a human-readable format and in a portable, structured, interoperable and machine-readable format. This right can be found in the GDPR as the right to data portability.
The ADPPA cautions businesses not to hinder the effective exercise of individuals’ rights, whether through statements or through the design of the user interface. Accordingly, it is important that you adequately inform the individuals whose data you process of how they can exercise their rights. Additionally, you must provide easy ways for them to do so, for instance via forms provided on your website. Individuals’ rights requests must be honoured within 60 days after the request, unless a maximum of 45 additional days is necessary due to the complexity and number of the requests. This leaves you with slightly more time than under the GDPR, where a maximum response time of one month is allowed in most cases. You must allow two requests per year free of charge.
Requests can only be refused if they relate to data collected for a single one-time transaction, they are impossible or demonstrably impracticable to comply with, require the re-identification of de-identified data, release trade secrets or confidential business information or interfere with law enforcement or are illegal.
Individuals have the right to withdraw their consent to the processing or transfer of their data at any time. You must provide a withdrawal mechanism which is as easy for individuals to use as providing the initial consent, for instance a button to click in your privacy policy. This is identical to the respective right under the GDPR. Moreover, businesses must allow individuals to object to data transfers to third parties unless the data transfer is based on one of the permissible purposes of section 101(b)(1). Additionally, individuals must be enabled to opt out of targeted advertising. When receiving such a request, you need to immediately stop processing the data for this purpose. The absolute right to object to data processing for marketing purposes can also be found in the GDPR. Regarding the withdrawal of consent, the right under the GDPR is broader. It relates not only to the transfer of data but equally to the processing of data by the controller or processors, the equivalents of the covered entity and the service provider.
The ADPPA further prohibits businesses from processing data via algorithmic systems in such a way that it discriminates on the basis of race, colour, national origin, sex or disability. You are only exempted from the assessment of possible discrimination of your AI systems for self-testing to prevent discrimination or to diversify an applicant, participant or customer pool. In contrast, the GDPR generally prohibits automated decision-making which legally or otherwise significantly affects data subjects, even if the outcome is non-discriminatory. However, Art. 22(2) GDPR provides several exceptions as to when businesses can employ such automated decision-making.
Accordingly, the ADPPA confers almost identical rights upon individuals as the EU GDPR and current State legislation. Only the right to restriction of processing, found in Art. 18 GDPR, is not incorporated into the ADPPA. However, when receiving a request to rectify inaccurate data or an objection to processing under the ADPPA, you should also restrict the processing concerned while you examine the request.
To best prepare for the case that the ADPPA enters into force, it is crucial that you implement appropriate systems to receive requests from individuals and mechanisms to carry them out quickly and effectively.
| | GDPR | ADPPA |
| --- | --- | --- |
| Right to access | Art. 15: list of items to be provided | Sec. 203(a)(1): list of items to be provided; only for data processed within 24 months prior to request |
| Right to information | Privacy notice: content in Art. 13/14 | Privacy notice: content in Sec. 202(b) |
| Right to rectification | Art. 16: inaccurate or incomplete data | Sec. 203(a)(2): inaccurate or incomplete information |
| Right to erasure | Art. 17(1): data processed by controller if one of the conditions in para 1 apply; exceptions in Art. 17(3) | Sec. 203(a)(3): data processed by covered entity; exceptions in Sec. 203(e)(3)(A)(x) |
| Right to data portability | Art. 20 | Sec. 203(a)(4) |
| Right to withdraw consent | Art. 7(3): withdraw if data processing is based on consent | Sec. 204(a): withdraw consent to data transfers |
| Right to object/opt-out | Art. 21(1): if one of the conditions of para 1 apply; Art. 21(2-3): absolute right for marketing purposes | Sec. 204(b): object to data transfers unless based on permissible purpose; absolute right for marketing purposes |
| Right to restriction of processing | Art. 18(1): if one of the conditions of para 1 apply | / |
| Algorithmic decision-making | Art. 22(1): prohibited if legally or similarly affecting individual; Art. 22(2): exceptions | Sec. 207: prohibition of discrimination unless for self-testing or to diversify applicant/participant/customer pool |