What Is the ADPPA? Marketing News to Know

Melanie Balke
August 28, 2023

It’s a phrase that strikes fear into marketers. It’s the unutterable phrase — the “words we shall not say.”

That’s right! I’m talking about privacy regulations.

Society’s codependent relationship with technology is only growing, and governments worldwide are stepping up their data privacy laws. Yes, that includes America, a country long overdue for some retooled data privacy regulations.

More precisely, we’re talking about the American Data Privacy Protection Act.

A Little Bit of Background

Four men in 1940s military uniforms look at a document. Overlaid text reads, “The History: Reviewing the CAN-SPAM Act.”

Okay. Let’s back up some.

Since the 2000s, American businesses have been subject to the aging CAN-SPAM Act.

Much like its European law cousin, the CAN-SPAM Act aimed to refine and standardize data protection and online safety. At the time, some even considered it revolutionary and prohibitive! In a 2003 op-ed for CNN, law professor Anita Ramasastry claimed the act would be “unlikely to achieve its goal.” She also predicted that the law would be subject to lawsuits for violating First Amendment rights.

Now, a full twenty years later, we know that CAN-SPAM was fairly successful. Moreover, the Federal Trade Commission — which oversees and enforces the CAN-SPAM Act — still uses that old, bipartisan bill to protect consumers.

Here Comes the California Consumer Privacy Act!

Later, in 2018, California decided that the then-fifteen-year-old bill was no longer doing its job. This conclusion drove the state’s passage of the more restrictive California Consumer Privacy Act (CCPA).

Again, the CCPA took inspiration from its European cousin. In addition to supporting the measures laid out by CAN-SPAM’s federal law, the CCPA beefed up its data privacy by creating its own regulatory group — the California Privacy Protection Agency.

The CCPA also defined five near-infallible rights for consumers:

  • The Right to Correct: Users can correct any personal information within a database.
  • The Right to Delete: Consumers can delete (or, in some cases, request deletion of) their personal data.
  • The Right to Know: Individuals can know what data is kept and how it is used. Companies must also be able to tell users the source of such information.
  • The Right to Non-Discrimination: Consumers cannot be refused service or provided comparatively worse service for refusing to comply with a company’s data collection policy.
  • The Right to Opt-Out: An individual can refuse compliance at any time and for any reason.

Notably, these rights are also cemented by the ADPPA.

So… What Is the American Data Privacy Protection Act (ADPPA)?

Overlapping leaves. “The Basics: What is the ADPPA?”

What does any of that have to do with the ADPPA?

Well, both bills enjoyed (and, in the case of the ADPPA, are enjoying) bipartisan support. Regardless of if the ADPPA passes, it will return. This is a bill marketers should not ignore, as it’s bound to pass eventually. And — when that happens — marketers should be ready.

So, let’s start with the basics.

The American Data Privacy Protection Act (ADPPA) is a bipartisan bill introduced to the House of Representatives on June 22, 2022, by Frank Pallone, a Democratic representative from New Jersey. As of the date of this post — in late August 2023 — it’s caught in legislative limbo. Insider Intelligence’s Evelyn Mitchell-Wolf noted that the bill stalled after its approval by the Energy and Commerce Committee; thus, it is restarting its legislative journey.

And… what does the America Data Privacy Protection Act actually do?

By its own admission, the new legislation “aims to create a comprehensive data privacy framework.” However, that legalese statement isn’t going to make sense to most people. Let’s break it down and translate all that lawyer talk into plain English.

On the surface, it’s meant to protect consumers’ sensitive data. For marketers, that means we’re looking at humongous changes to how we handle, store, and use our information.

The ADPPA’s Biggest Hurdles

Right now, two factors are holding the bill back: limitation and preemption.

The tech industry (and some marketers, too!) believes that the bill is too prohibitive. (Sound familiar?) Such organizations advocate for less oversight. “If this bill passes,” one of their theoretical arguments might say, “everyone suffers! Technology needs this information to grow!”

Many critics also point out that the new privacy regulations will supersede state laws, such as the CCPA. Again, the key point is a business’s ability to access and collect data. Many state regulations are older, and compliance is much, much simpler. Their age also makes these legal texts less comprehensive.

The “correctness” of such arguments isn’t the topic of this post, though. However, businesses should know that people want data privacy. When polled by Insider Intelligence, over 80% of respondents (83.6%… to be exact) reported they would support revised data privacy legislation. Thus, the question might be if we — as marketers and small (or large!) businesses — want to reclaim consumer trust.

What ADPPA Means for Marketers

Various stamps. “What to Know: ADPPA, Marketing, and You.”

Like most legislation, ADPPA is dense; you can easily spend hours deciphering the original text. It’s also packed with plenty of legalese and definitions, including phrases like “covered entities” and “sensitive data.”

And — as owners of small businesses will eagerly tell you — there are only so many hours in each day.

So, let’s break this massive privacy law into bite-sized chunks. What does the ADPPA mean for your marketing, and how will this data privacy and protection act change your strategy? For many, you won’t be directly impacted. Users of third-party websites or “outsourced” marketing can (generally) trust that their data brokers are keeping tabs on this news. However, if you’re a first-party data handler, you’ll want to know more about the ADPPA.

Everyone Will Need Affirmative Consent

One of the American Data Privacy and Protection Act’s biggest changes to national privacy regulations is federally mandated affirmative consent for any form of targeted advertising. In other words, there can be zero room for compliance uncertainty. Users must be given an active choice to agree to a company’s data processing procedures. Those pre-filled checkboxes won’t cut it anymore!

Now, there’s some good news. Many data handlers already abide by such a law. “Affirmative express consent” — as it is called in the American Data Privacy and Protection Act §2(1) — has been a longstanding requirement under the CCPA and European GDPR.

The text of the ADPPA helpfully elaborates, giving ADPPA-covered entities (that would be you and your company) a checklist for opt-in privacy compliance. Under these new guidelines, an individual’s agreement must be made after users…

  • Are given the option to opt out of data collection. Moreover, the option to refuse data collection must be “at least as prominent” as the option to accept.
  • Are informed of all individual rights. This information must be provided in an easily accessible manner and written in simple terms.
  • Know what data is stored and how that personal data is used. Information about an individual’s data should include details on any third-party data handlers.

Again, most organizations already abide by these laws. Any business operating internationally will — by virtue of abiding by the GDPR — be reasonably safe from these proposed changes. Likewise, compliance with the CCPA means your privacy policies won’t require much retooling.

Businesses Should Understand the Data Minimization Principle

In modern parlance, “data minimization” is what it claims to be. It’s a straightforward proposal, positing that collecting less data is safer than hoarding information you don’t need.

And — when you think about it — that makes sense! If you don’t need to know a user’s identifying information, why keep it? You’re only exposing yourself to more trouble should you experience a data breach. I’m sure you’ve seen all the news reports. Plenty of customers sue companies after their sensitive covered data gets leaked, and they have every right to do so!

The American Data Privacy and Protection Act takes this theory a step further by turning that theory into federal privacy legislation. Moreover, the ADPPA defines 17 acceptable uses for covered data under Article I §101(b):

  • As Requested for Emergency Situations: Companies may store information identifying individual users as necessary, and such information should be available to officials in the event of a crime, disaster, or national security breach.
  • As Required by Federal or State Law: Covered data may be used and made available upon request to local, tribal, and Federal law enforcement.
  • Asset Transfer: Data may be transferred between covered entities, but all users must be given ample opportunity to consent. Refusal should be treated as a deletion request.
  • Authenticating Users: This may include information needed to automate data deletion requests.
  • Data Security: Services may collect additional personal data if it is necessary for data protection.
  • Delivering a Product or Service: Obviously, you need customer data to deliver a product or service!
  • Delivering Non-Marketing Material: This category remains somewhat vague. Per Article I §101(b)(11), non-marketing material should be “reasonably anticipated” and may include items such as bills, confirmation messages, or invoices.
  • Direct Communication: Sensitive covered data may be used for first-party communication between a customer and their chosen business.
  • First-Party Advertising: Under the currently proposed Article I § 101(b)(16), any business managing its own marketing may use personal data to deliver targeted advertising. This does not apply to users under the age of 17!
  • First-Party Communication: Consumers initiating communication with a company implicitly consent to providing data via electronic, vocal, or written communication.
  • “Good Faith” Harm Reduction: Should a data handler believe an individual’s online activities indicate a risk to one or more users, this data privacy legislation allows covered entities to report necessary information to relevant sources.
  • Internal Usage: Per Article I §101(b)(2), customer data can be used for “internal” or public reasons, such as improving a service, network or inventory management, repairing a product, and spam prevention.
  • Recalls: Similar to the “internal usage” section, Article I § 101(b)(9) allows businesses to use information to notify users of recalls.
  • Research: Both public and private data may be used for valid academic purposes.
  • Responding to Breaches: Information can be used to prevent and respond to security breaches.
  • Targeted Advertising: Third-party handlers can use information for targeted advertising unless the user opts out or is under the age of 17.
  • Warranties: Users consent to data collection if the information is needed to fulfill a warranty.

Note that “covered data” does not include de-identified information. As such, anonymous information can be used for additional purposes. Similarly, any automated inferences based on such data are exempt from these restrictions.

Shaking Up AI

Finally, whether you like it or not, so-called “artificial intelligence” is making a huge splash in the tech world. However, these algorithms are infamous for scraping data from non-consenting individuals. From visual AIs snagging licensed material to writing “generators” stealing (oddly enough) fanfiction, this technology is jam-packed with thorny moral problems.

Naturally, the American Data Privacy and Protection Act aims to reform this booming industry. Under the newly proposed guidelines, companies will be required to submit all AI algorithms for approval. This process, called an “audit” within the law’s text, aims to promote harm reduction and eliminate inappropriately scraped data. As many privacy advocates, artists, and writers point out, this path forward may not be well-liked by the tech industry, but it’s essential for maintaining consumer trust.

Data Privacy Legislation and You

Overlapping leaves. “Make It Easy: Hire a Team of Experts.”

Ultimately, it’s a lot to learn. Few small businesses have the time and manpower to fully research the topic, and you should really consult a lawyer for a complete run-down of these newly proposed laws.

Alternatively, you can trust marketing experts. At The Email Marketers, you’ll find a team of educated, enthusiastic individuals, and they’re ready to help your business thrive. We’ll help you reach the next level of success and keep you out of those thorny legal problems.

If you’re ready to see what we can do for you, schedule a free strategy session! We’ll discuss your needs and lay out a plan that’s tailor-made for your business. You can also check the rest of the blog for more marketing tips, tricks, and news.

(The information contained in this post is provided for informational purposes only and should not be construed as legal advice on any subject matter.)