The American Data Privacy and Protection Act Is Now on the House Floor. How Has It Changed?

The Commerce and Energy Committee has voted to send the American Data Privacy and Protection Act (ADPPA) to the House, but not without some changes.

For the changes in the AINS (Amendment in the Nature of a Substitute), see my previous post.

Below are the key changes made by the additional amendments that were passed.

Specific duty to identify and mitigate privacy risks related to covered minors to result in reasonably necessary and proportionate residual risk to covered minors (Castor and Walberg).

FTC to consult with NIST in connection with establishing processes for practices and procedures to secure covered data against unauthorized access (McNerney and Curtis).

Narrowing the obligation for the appointment of a privacy and data security officer to entities or service providers that have more than 15 employees (Carter and Craig).

Service providers: (Hudson and O’Halleran)

Required to “adhere to the instructions of covered entity.”

The section clarifies how service providers are to assist covered entities in fulfilling consumer requests, namely by (1) providing appropriate technical and organizational measures while taking into account the nature of the processing (Hello GDPR Art 28 language), (2) complying with the request per covered entity’s instructions or (3) providing written verification to the covered entity that the service provider doesn’t hold covered data related to the request.

Service provider agreement needs to require that downstream service providers (like GDPR sub-processors) also be treated as a service provider.

Pursuant to covered entity’s request, service providers must provide the covered entity with the information necessary for
