The New National Data Policy May Bridge the Gap HIPAA Does Not Cover
Written and medically reviewed by Dorcas Morak, Pharm.D
The national data privacy proposal, the American Data Privacy Protection Act (ADPPA), may bridge some of the current gaps left by the Health Insurance Portability and Accountability Act (HIPAA) if approved. The proposal has broader coverage that would address the privacy issues behind the current under-regulated vacuum.
Read on to learn ADPPA's relevant features and the ways it may affect a wider range of businesses than the existing data privacy policies do.
How is ADPPA Different from Existing Data Privacy Policies?
The ADPPA shares many elements with other contemporary data privacy laws but differs in many of its specifics. If ADPPA is approved into law, those differences may have a significant effect on businesses.
What are the Variations in ADPPA?
The ADPPA's definitions differ from those in other data privacy policies in several respects:
- "Covered entities" are any organization or individual that gathers, processes, or transfers data and that is governed by the Federal Trade Commission Act, is a common carrier under the Communications Act, or is a non-profit. This definition covers most businesses.
- "Covered data" is any information that identifies, links, or is reasonably linkable to an individual or a device. It also includes any information or special identifiers produced from such information, such as IP addresses, identifiers for targeted advertising, and similar things.
- "Children" refers to everyone under the age of 17. This is essential since businesses are frequently required by data privacy rules to handle children's data in specific ways.
- "Sensitive data" refers to a range of data types that go beyond what is protected by existing state privacy laws. Sensitive information includes race, ethnicity, genetic data, children's data, login credentials for any devices, etc.
How Will ADPPA Affect Existing State Laws?
If ADPPA is passed into law, it will supersede all other state data privacy laws that may bind any company, with a few exemptions.
How Would ADPPA Affect Individuals?
The ADPPA gives individuals a private right of action, that is, the right to sue a company for non-compliance. This provision is absent from the majority of US data privacy regulations.
How Would ADPPA Affect Businesses?
The impact of ADPPA on a business depends on the volume of data it handles. Businesses are therefore categorized as either Large Data Holders or Small Data Holders.
Criteria for Businesses to Qualify as Large Data Holders
Businesses must meet the following criteria to qualify as large data holders:
- Must have gross annual sales of more than $250 million, and
- Must process the data of more than 5 million individuals, or
- Must process the sensitive data of 200,000 individuals annually.
Under the ADPPA, large data holders like Facebook and Google would be subject to a variety of additional disclosure, certification, and audit obligations. They would have to conduct yearly evaluations of the effects of their algorithms, provide access to privacy policies, and report these evaluations to the Federal Trade Commission (FTC).
Criteria for Businesses to Qualify as Small Data Holders
ADPPA defines small data holders as those that:
- Are not data brokers.
- Have less than $41 million in annual gross income, and
- Process the data of fewer than 200,000 people each year, and
- Acquire less than 51 percent of revenue from transferring personal data.
Businesses that meet these criteria are exempt from naming a company privacy and data officer, may delete rather than correct data in response to a correction request, are not required to port user data, and are not mandated to implement certain data security practices noted in the bill.
Unlike other privacy regulations, which exempt businesses that process the data of fewer than 100,000 people, ADPPA has no lower threshold, so almost all forms of business are included.
Do Individuals Have the Right to Opt Out of Data Transfer?
Yes. Unlike most other data privacy laws, the ADPPA allows individuals to opt out of having their data shared with third parties, whether or not money changes hands.