International Data Privacy Day is recognized on January 28 in the United States and in over 47 other countries. This day serves as an annual reminder for companies to re-evaluate their data privacy and cybersecurity practices to ensure compliance with current standards and to prepare for coming changes in privacy and data protection laws. Companies continue to face challenges in establishing and maintaining compliance to avoid exorbitant expense and penalties.
American Data Privacy and Protection Act
U.S. Congressman Frank Pallone of New Jersey has sponsored H.R. 8152, known as the American Data Privacy and Protection Act (ADPPA), legislation that was placed on the House calendar on December 30, 2022. If put into law, the ADPPA will preempt state laws that are covered by its provisions with some exceptions for certain categories of state laws such as antitrust, and specified laws in Illinois and California. With state laws concerning data privacy taking effect this year in five states, and the potential for federal pre-emption, businesses may struggle with how to best position themselves to maintain compliance and avoid fines and penalties.
As the ADPPA bill stands now, for-profit and nonprofit companies would be required to comply with specific limitations in handling personal data that identifies an individual or may be used to identify an individual. These limitations restrict the collection, processing, and transfer of personal data to what is needed to provide a requested product or service, among other specified circumstances. The ADPPA would also prohibit companies from transferring individuals' personal data without express consent.
A private right of action is also provided in the ADPPA. If made into law, two years after the ADPPA takes effect, any person or class of persons may bring a civil action against any company based on any violation. The ADPPA further establishes consumer data protections, including the right to access, correct, and delete personal data. Prior to engaging in targeted advertising, the ADPPA requires companies to provide individuals with an opt out of such advertising. Additional protections are provided in the ADPPA for personal data of individuals under the age of 17.
The ADPPA would require companies to implement security practices to protect and secure personal data against unauthorized access. The Federal Trade Commission (FTC) may issue regulations for compliance with this requirement.
The ADPPA provides for its enforcement by the FTC and state attorneys general. There are exceptions with regards to enforcement of the California Privacy Rights Act and California Consumer Privacy Act that allow the California Privacy Protection Agency (CPPA) to enforce relevant California state laws.
Measures Businesses Can Take Now
Despite the possibility of federal pre-emption described above and the disparities among existing privacy laws, there are some measures that businesses can take now. Implementing these measures may help your company avoid regulatory investigations and possibly avoid large financial penalties.
- Privacy Audits - A third-party audit is a very effective way to better understand your infrastructure and practices and how well they withstand external and internal threats. Conducting regular audits may evidence your organization’s commitment to data security and possibly mitigate damages in the event of a data breach.
- Data Breach Plan - Data breaches are not solely caused by malicious external actors but can also originate internally within an organization. Businesses should be prepared for and expect that a breach will occur. Preparedness includes having a comprehensive incident response and data breach plan in place.
- Privacy and Cybersecurity Policies - Developing an internal privacy statement sets guidelines for your organization to follow as to the collection, storage, and maintenance of personally identifiable and sensitive information. Cybersecurity policies can be drafted to set acceptable use and remote access standards as well as data breach response and recovery plans in line with your organization’s needs and expectations.
- Training - Training employees concerning information privacy and security policies, and the proper handling and protection of personal information, is an important step for mitigating and avoiding damages caused by inadvertent noncompliance.
It is uncertain when, if at all, federal regulation through the ADPPA will occur. However, there are measures businesses can take now to better position themselves in 2023. Within Lerner David’s full-service IP practice, the firm assists companies ranging from start-ups to large multinationals with Privacy Law and Cybersecurity compliance. Lerner David has experienced Privacy Professionals, well-versed in Privacy Law and Cybersecurity compliance, who can tailor plans that best suit your business needs.