What the ADPPA Could Mean for Mid-Market Businesses and Startups

With the likely passage of the American Data Privacy and Protection Act (ADPPA), mid-market businesses and software-as-a-service (SaaS) startups need to consider how it will impact them. While many of these companies may already comply with GDPR, CCPA and other privacy regulations, the ADPPA will focus on more than just data governance – it will also create legislation around artificial intelligence (AI) algorithms and how businesses can use them.

Who Will the ADPPA Affect, and What Are the Implications?

If it passes, any company that uses AI algorithms will be affected by the ADPPA. There are exceptions for businesses with revenue of less than $41m, that do not hold more than 100,000 records and that make less than 50% of their revenue through the sale of personal information. Only companies that meet all three of these criteria within the previous three years will be exempt, and that number is likely to be very small.

Big companies like Google and Amazon have the resources to build and test safe algorithms in-house. However, mid-market and startup businesses are less likely to have these resources. Because they aren’t typically building the algorithms themselves, they may not understand the process involved in developing them or how they were trained.

However, even companies that use third-party algorithms rather than build their own will still be subject to the law. Therefore, businesses that work with third-party development partners should ensure they receive detailed reports on the algorithms, which they can then offer to the Federal Trade Commission (FTC) for review.

What Are the Key Points of the ADPPA, and How Do You Comply?

The ADPPA will establish a framework to protect consumer data privacy and create an Office of Data Privacy within the FTC. It protects against the discriminatory use of data, requiring companies to disclose the type of data they collect and how they use it. To this end, the FTC will need complete insight into how the algorithm works, what it’s expected to do, how effective it is, and how it’s trained.

It will be important for businesses to demonstrate that their algorithms are effective (i.e., they do what they are supposed to do), that the costs of less data privacy don’t outweigh the benefits, and that the algorithms are safe, non-intrusive and non-discriminatory. For example, a key focus of the 2021 Facebook hearings was the impact of the social media giant’s advertising algorithm on children. The company was under scrutiny for algorithms that served ads featuring weight loss products to teens who viewed pages about eating disorders, and for other instances of inappropriate ads related to sensitive topics. If the ADPPA passes, the FTC would likely consider these kinds of algorithms unsafe, requiring further development to protect users.

The ADPPA will push smart companies to evaluate algorithms at the design phase so that biases can be identified before the algorithm is built. All companies will require an external auditor to assess their AI algorithms. Then, a third-party evaluator will also need to write a comprehensive report for the FTC to show that the company’s algorithm is working correctly, doesn’t collect unneeded data, is unbiased and is not discriminatory.

Approaching ADPPA Compliance with Limited In-House Resources

Many mid-sized organizations have difficulty understanding how rapidly evolving data privacy legislation might apply to them. The good news is they don’t have to handle regulations like ADPPA compliance on their own. In fact, the law requires the algorithm assessment and reporting to be done by an outside party. Businesses that are already working with a partner on building and using AI algorithms can also have them help create the report for the FTC. These partners know how the algorithm was developed and trained, meaning they’ll be better able to provide a comprehensive review and ensure the algorithm is safe and effective for the FTC. 

Companies need to prepare for the future of consumer data privacy regulations, regardless of whether ADPPA passes this year. If it doesn’t pass this year, there’s a good chance a similar bill will pass soon. In fact, venture capital investment is already going into solutions to help third parties assess these algorithms in expectation of future legislation. By implementing data protection best practices today, businesses have a real opportunity to show consumers that they care about their safety by providing clear data on the makeup of their algorithms. A third-party audit could prevent production from coming to a halt by keeping organizations informed about AI algorithm bias and similar issues while also improving customer trust in the business. 
