What the American Data and Privacy Act means for businesses

Feb. 15, 2023
Whether or not ADPPA passes this legislative term, there’s a good chance a similar bill will pass soon

The American Data Privacy and Protection Act (ADPPA) is a proposed major bipartisan bill that would introduce oversight of how consumer data is collected and processed by U.S. businesses. The legislation aims to strengthen data privacy and to provide oversight of how artificial intelligence (AI) algorithms are used to uncover insights in the data that can be monetized. The goal of this legislation is to ensure the safety, integrity, and equity of AI algorithms.

While the potential legislation is important for protecting individual privacy rights, it will have significant implications for businesses when developing and managing their AI algorithms.

What is the ADPPA?

The ADPPA is bipartisan federal data privacy legislation that will create an Office of Data Privacy within the Federal Trade Commission (FTC) to oversee the way that companies use and collect data. However, the ADPPA is about more than just data — it will also examine AI algorithms to determine whether they’re safe, effective, and non-discriminatory. Companies will have to disclose what data they collect, how they plan to use it, and how long they intend to retain it. The pending legislation is a natural extension of GDPR and CCPA, which many states have already accepted as the standards for data privacy in the United States.

It’s important to note that ADPPA won’t just affect large enterprises; it will apply to businesses of any size. The only businesses that will be exempt from the regulations will be small businesses that, for the three years prior to the law's passing, have:

● Had revenue of less than $41 million a year

● Derived less than 50% of their revenue from personal data sales

● Not processed more than 100,000 records

It is likely that only a small number of businesses will meet all three of these criteria, especially given the record threshold. And even if businesses meet these criteria now, if they have any plans to grow, they are unlikely to meet the criteria in the future. This means that most businesses will need to prepare to comply with ADPPA regulations eventually.

Why Do We Need the ADPPA?

The ADPPA is necessary because people in the United States are seeing harmful, unintended outcomes from poorly designed AI algorithms. In 2021, the United States Senate held an entire hearing on the AI algorithm that targeted harmful Facebook ads toward children. AI bias has also led some businesses to engage in unintentional discriminatory practices.

For example, Amazon stopped using a recruiting tool in 2017 because it found that the algorithm prioritized male candidates over females. The algorithm was supposed to send resumes that reflected those of its top performers to the top of the list, making it easier for hiring managers to create a shortlist of interviewees. However, in a tech industry that is largely dominated by men, the algorithm interpreted the context to mean that women were less valuable candidates and pushed them to the bottom of the list, showing obvious discrimination and preventing them from getting a fair shot at the job.

Some oversight is necessary for AI models. While collecting consumer data plays a significant role in creating engaging customer experiences, businesses need to know how to balance data collection and state-of-the-art, effective algorithms with maintaining people’s privacy.

How to Gain ADPPA Compliance

To comply with the ADPPA, organizations must be able to provide complete insight into how the algorithm works, what it’s expected to do, and how it’s trained. Businesses will also need to demonstrate that their algorithms are effective (i.e., they do what they are supposed to do), that the costs of reduced data privacy don’t outweigh the benefits, and that the algorithms are safe, non-intrusive, and non-discriminatory.

Additionally, the FTC will require documentation on how companies are training the AI models. Are they using data sets that are large and diverse enough to avoid skewing results? Is there a human supervising or auditing the AI during the training? These and similar questions will help determine whether the model is running effectively or having unexpected consequences, such as unsafe ads being targeted towards minors or discriminatory hiring processes.

Be Proactive About Pending US Federal Data Privacy Legislation

Regardless of whether ADPPA passes this year, it’s worth monitoring closely since it shows where privacy regulations are heading. In fact, VC-backed companies are already mobilizing solutions to aid auditors in anticipation of the passage of legislation. Will your AI algorithms stand up to the next round of privacy regulations? The federal government is finally recognizing the need for privacy standards to verify good AI algorithm practices and protect consumers, and it expects businesses to comply.

However, many organizations are struggling to understand how evolving data privacy legislation might apply to them and are turning to third-party sources for help. In fact, the legislation will require all organizations - whether they’ve designed the AI in-house or not - to hire an outside auditor to evaluate AI algorithms for FTC compliance. Startups and mid-sized businesses are especially vulnerable because they likely don’t have the monetary or human resources necessary to adequately develop algorithms or assess them. Third-party sources can not only develop AI algorithms with knowledge of regulatory requirements but also create the reports required by the FTC. They know how the algorithm was developed and how it was trained, meaning they’ll be better able to provide a comprehensive review and ensure that the algorithm uses best practices, is safe, and is effective.

Whether or not ADPPA passes this legislative term, there’s a good chance a similar bill will pass soon. As more data falls under regulatory purview, businesses should be prepared to have more of their data, and the algorithms running on that data, subject to data privacy regulations in the months ahead. Therefore, there’s no better time than the present to start evaluating your current data privacy algorithms and infrastructure and assessing where your organization stands. Third-party audits help organizations stay informed about AI algorithm bias and other issues while ensuring they are ready for what lies ahead.

About the author: Mike O’Malley is the SVP of strategy at SenecaGlobal, a leading provider of outsourcing services that help startups accelerate innovation – from prototype to production - for health tech, security tech, and fintech markets. He has been in product development for 20+ years leading development, product management, marketing, and M&A in the tech space. Throughout his career, Mike has combined deep engineering knowledge with business acumen to help companies figure out what creates success in the market for a product or solution. Then he builds and coaches teams to make it happen again and again. Mike holds a Bachelor of Science and a Master of Science degree in electrical engineering and a Master of Business Administration from the University of Illinois.