Loyola University Chicago School of Law, JD 2024
In June 2022, a draft of a bipartisan bicameral bill known as the American Data Privacy and Protection Act was introduced. This bill was proposed as a replacement for current laws to further protect and strengthen federal data privacy and protection regulations. This Act serves as a melting pot for pre-existing state-level data privacy and protection laws. The guidelines created by this bill include providing consumers with foundational data privacy rights, strengthening oversight mechanisms, and establishing meaningful enforcement. Moreover, this bill was regarded as “another major step in putting people back in control of their data and strengthening our nation’s privacy and data security protection” by Energy and Commerce Committee Chair Frank Pallone, D-N.J., and Ranking Member Cathy McMorris Rodgers, R-Wash., in addition to Subcommittee on Consumer Protection and Commerce leaders Jan Schakowsky, D-Ill., and Gus Bilirakis, R-Fla.
What the Act protects
The American Data Privacy and Protection Act (ADPPA) is structured to protect data that is known as “covered.” Covered data is defined as information that either identifies an individual or is linked or reasonably linkable in any capacity to an individual. Within this umbrella term lie large amounts of personal data, notably including health records. This suggests that the proposed Act would provide individuals with rights over their personal healthcare data, including the ability to have data deleted, restricted, or corrected. Yet the Act does not extend to government entities, de-identified data, employee data, or publicly available information. This Act does, however, reach “sensitive covered data.” Sensitive covered data is any information regarding health records from the past, present, or future. In essence, this bill requires affirmative express consent before an ADPPA-covered entity is allowed to collect and process healthcare data or transfer it to another entity. This provides people with nearly outright control of their healthcare records. On a grand scale, ADPPA-covered entities will have their data significantly more guarded.
Transparent consumer data rights
Protection of consumer data in the healthcare field and beyond begins with consumer awareness and transparency. The Commission is set to publish this Act within 90 days of it being enacted, detailing each provision and providing updates. This includes elaboration on how the Act details individual data ownership and control, the right to consent and object, data protections for children and minors, third-party collecting entities, civil rights and algorithms, data security and protection of covered data, small business protections, and unified opt-out mechanisms. Among this data is the transfer of precise geolocation, browsing history, and physical activity collected from devices. By providing total transparency with this extensive information, the ADPPA strives to give all consumers more education and therefore more control over their data. Largely, the proposed Act is designed to enhance the protection of consumer data rights and be transparent about what data is collected.
Corporate accountability and applicability
The ADPPA is structured to protect consumers by creating a deeper sense of accountability and enforceability for those responsible for data transmission. Regarding corporate accountability, this Act details executive responsibility, service providers and third parties, technical compliance programs, the commission-approved compliance guidelines, and digital content forgeries. This is immensely important in holding hospitals accountable for upholding healthcare data privacy. An additional step the ADPPA has taken towards accomplishing this goal is requiring privacy policies to be made public, including those that entail the entity’s data collection, processing, and transfer activities. This is yet another way the Act is designed to provide transparency. Furthermore, entities which are ADPPA-covered would be unable to deny someone a service or product because they refused to waive any privacy rights.
In like manner, this Act emphasizes enforcement at all levels, from the Federal Trade Commission to state attorneys general and individuals. It also touches on the relationship between federal and state laws as well as severability, COPPA, authorization of appropriations, and effective date. Regarding healthcare organizations, those entities which are compliant with HIPAA are viewed as compliant with the ADPPA. However, they are only compliant in relation to the laws covering the data. While, as of September 2022, this bill has not yet been passed, bills of its kind and those of similar nature are positive steps forward in strengthening personal and healthcare data security.