The American Data Privacy and Protection Act, H.R. 8152, recently amended and reported out by the U.S. House Committee on Energy and Commerce, represents important progress toward passage of a federal privacy law in the United States.
For smaller companies, the ADPPA provision for approved compliance programs is welcome news. Section 304 provides that enterprises whose revenues, data collection, data processing and transfer activities do not reach certain thresholds (as set forth in Section 209) may participate in U.S. Federal Trade Commission-approved programs designed for smaller businesses.
Properly designed and administered, approved compliance programs can offer an important resource for smaller companies that are required to meet the obligations of a law but lack the in-house privacy expertise and deep resources of larger organizations. These programs could provide businesses with an effective, workable solution tailored to their circumstances, business model and data holdings for a fee suited to their budget. Such programs can identify and address the unique challenges confronted by smaller companies that may innovate using a particular processing method (such as artificial intelligence) or a particular kind of sensitive data (such as health information). By providing a path to compliance for smaller companies, these programs would enhance privacy protection across the digital market.
Advice and consultation
Among the benefits an approved compliance program can offer small businesses is access to, and consultation with, privacy expertise and resources that might otherwise be beyond their reach. Knowledgeable technical program staff can bring a detailed understanding of the unique challenges raised, for example, by a company’s business model or the sectoral regulatory obligations it must meet.
These programs can work with small companies that may have already taken initial steps to better understand their data holdings, processing methods and data flows; identify risks and gaps in data governance; and understand strengths and shortcomings in their privacy notice and third-party agreements. Equipped with this knowledge, program staff can advise businesses about additional measures they must implement to remediate shortcomings. They can also provide guidance about how to implement the processes necessary to promote proper handling of data, effectively manage data breaches and conduct the due diligence required when transferring data to third-party service providers for processing.
For businesses just starting out, working to meet program requirements can sensitize personnel to the importance of privacy not only from the perspective of compliance, but also as an enabler of data innovation and business opportunities. A program can help them build their processes in a way that takes privacy and data protection responsibilities into account at the beginning of product and services development, minimizing the need to retrofit data protection into established systems. Perhaps most important, they can help identify a path to compliance that works effectively even in the earliest stages of the company’s development.
Ideally, an approved compliance program would establish an iterative, consultative process. Companies, with guidance from a program and an understanding of requirements, can take initial steps to implement solutions. They can then look to program staff for further review and advice until they are deemed compliant.
Ongoing oversight essential for credibility
Two kinds of oversight will be critical to the credibility of approved compliance programs. First, FTC oversight of the programs themselves will be essential. Section 304 of the bill appropriately provides that to obtain FTC approval, a program will need to establish standards that “meet or exceed” the requirements of law. It will also be important that programs are able to demonstrate that these standards, when designed to work for smaller companies in targeted sectors or engaged in specific activities, would effectively bring participants into compliance.
The programs’ rigorous oversight of participating companies will also be important. Periodic review will be needed to verify that they continue to implement compliance measures; determine whether that implementation yields effective protections; assess whether changes are needed in light of new offerings or data processing methods; and ensure businesses are not making representations that they participate in programs when they have not met or renewed requirements.
Companies will need to understand the program rules of enforcement and the consequences for failure to meet requirements. It will also be important to establish expectations that such rules will be robustly enforced. However, programs should be encouraged to work with participants that may fall out of compliance inadvertently or in isolated incidents to help them meet obligations. Disciplinary action should be reserved for participants that disregard instructions to remedy, continue to represent that they meet program requirements after failing to qualify or renew, or that willfully or negligently violate program rules repeatedly. As the bill provides, it will be important that a company’s history of compliance with an approved program be considered by the FTC, state attorneys general and the courts in case of enforcement proceedings.
To promote transparency and provide assurances that they are exercising necessary oversight, programs should report on participant compliance. By informing the FTC about the kinds of issues they are addressing and how, disciplinary protocols, and metrics about the nature and frequency of disciplinary actions, approved compliance programs can demonstrate that they are effectively helping companies meet their obligations and comply with legal requirements.