What is the American Data Privacy and Protection Act and how should you prepare?

As of this writing, the American Data Privacy and Protection Act (ADPPA) is being considered in congress and it has bipartisan support.  Essentially, it would regulate how organizations keep and use consumer data. Much of today’s podcast research was taken directly from Wikipedia and the bill itself.

I invite everyone to read up on it for themselves in case there’s something specific that we do not cover today.  As always, details of the final bill could be more or less involved once the bill is finalized, but we want you to be aware of how it might affect you in the future.  If you are in a state that already has data privacy laws places as California and Virginia, then you’re likely already familiar with what you should be doing to protect your listener’s information.

The ADPPA has several main principles: data minimization, individual ownership, and private right of action.  It says that anyone who collects data from the public would have to minimize the data they collect down to that which is “necessary, proportionate, and limited to” their purpose. If you’re giving away lunch for two at a local restaurant, there’s no need to ask for how many kids they have, their sex, income, etc.  Just get the minimum amount of information required.

Then, the entrant must know what you plan to do with the information they give you.  Think contest entries, newsletter subscriber information, text to win entries, listener club membership information, etc.  You can’t take those contest entries and automatically sign everyone up for your newsletter with those e-mail addresses or share that information with a sponsor.  You can do those things, but you must first clearly specify your intentions before the listener signs up.

Anyone signing up for something with the radio station would have the right to know how their personal data will be used and which third parties receive it.  I remember back in the day collecting entries to win certificates at remotes and then giving all of those entries to the client so they could be added to their marketing mailing list.

ADPPA would also specifically limit the transfer and some processing of Social Security numbers, precise geolocation, biometric and genetic data, passwords, browsing history, and physical activity tracking.  These do not affect the average radio station, but just know that it’s included.  If you do accept someone’s Social Security number because they won a large prize, the security of that private information in your possession is now more important than ever.

ADPPA says that anyone would have the right to correct and download (if online) their user data. Organizations would have up to 90 days to process these requests, depending on their organization size. Individuals would also have the right to take legal action against organizations in violation of the Act for four years after its execution after first giving their state Attorney General and Federal Trade Commission 60 days’ notice to respond.

“Small data holders” like most of us are defined as organizations with adjusted gross revenue below $41 million over the past three calendar years, that process data for fewer than 100,000 individuals annually, and whose business does not primarily rely on transferring data. We could delete records rather than processing corrective requests and would be exempt from many requirements apart from the user’s right to delete data no longer in use.

So, once a contest has ended and the winner has been announced, remove all entries from your website and any other place they are stored.  Ensure they are not backed up and kept anywhere.  This is very important because if your station website ever became a victim of a data breach, you would be required to notify everyone who may have had their information taken.

Sure, we would never collect Social Security numbers or other vital personal information online, but simply getting a person’s name, e-mail address and date of birth is enough information for some nefarious entities to do some harm.

As the first federal user data privacy legislation, ADPPA would largely supersede state laws like the California Consumer Privacy Act and the Virginia Consumer Data Protection Act.  Other states are slowly coming online with their own privacy act, but I’m sure many will default back to this federal act.  The ADPPA includes a much broader definition of sensitive data than state-level laws.

In what situation would you not have to worry about any of this?  If you never take anyone’s personal information including contest submissions, newsletter signups, listener club membership, text to win entries, information gathered when downloading a mobile app, selling station swag online and receiving e-mail addresses, etc.  Basically, if you are collecting any listener information, you should be aware of the American Data Privacy and Protection Act as well as the other state privacy and protection acts.  And if you are doing any kind of business overseas, then be aware of the General Data Protection Regulation (GDPR) in the European Union.

With new privacy laws being put in place, you can expect some people out there to test the system so they can have a legal case against you.  Please reach out to your legal counsel for specific things to include on your station website so that you’re covered ahead of what’s to come.

Jim Sherwood serves as the chief creative, brand strategist, lead developer, meticulous project manager, and station collaborator for all Skyrocket Radio sites and projects. Jim is a 30+ year radio veteran with a resume spanning several small, medium, and large markets including roles as Digital Content Manager, Program Director, Production Manager, and Morning Show Host.