Unveiling the American Privacy Rights Act of 2024

Introduction

Representative Cathy McMorris Rodgers (R-Wash.), Chair of the U.S. House Committee on Energy and Commerce, and Senator Maria Cantwell (D-Wash.), Chair of the Senate Committee on Commerce, Science, and Transportation, unveiled a draft bill on April 7, 2024. The proposal aims to establish the first comprehensive federal data privacy law in the United States, reviving an effort that had lain dormant in Congress for nearly two years.


Dubbed the American Privacy Rights Act of 2024 (APRA), the bill seeks to set a single nationwide standard for data privacy and security regulation. Central to APRA are individual data control rights for consumers and corresponding obligations on a broad range of companies. These include the right to opt out of targeted advertising and of certain covered algorithms, together with additional requirements on major players in the data landscape such as data brokers and "large data holders."


APRA draws primarily on its predecessor, the American Data Privacy and Protection Act (ADPPA), which advanced further in Congress than any prior comprehensive privacy bill.

Like ADPPA, APRA introduces a private right of action for individuals and seeks to replace the current patchwork of state privacy laws with a single federal framework through preemption provisions.


APRA nonetheless differs from ADPPA in several respects. It introduces a stricter data minimization mandate that applies to both covered entities and service providers, a significant departure from current practice. Beyond the right to opt out of targeted advertising and data transfers, it extends opt-out rights to covered algorithms, including AI-driven decisions. Addressing concerns Senator Cantwell raised in earlier negotiations, APRA prohibits covered entities from requiring arbitration of claims involving "substantial privacy harm."


Unlike its predecessor, APRA does not propose heightened protections for minors, possibly because the Children's Online Privacy Protection Act (COPPA) and the FTC's COPPA Rule already apply. The bill would also terminate the FTC's pending rulemaking on commercial surveillance and data security.


Impact on Businesses

Until recently, the prospect of Congress passing a comprehensive federal privacy bill, particularly in an election year, seemed bleak. The introduction of APRA has revived that possibility, though not without opposition. One point in APRA's favor is its bipartisan sponsorship, a signal of a potential path toward the national data privacy standard that both companies and consumers have been waiting for.

While there is consensus in Congress on the need for preemption, APRA's preemption provisions are narrower than the word suggests. For instance, they may not preempt certain state laws such as Washington's My Health My Data Act or Illinois's Biometric Information Privacy Act, both of which carry private rights of action and therefore pose significant litigation risk for companies.


Businesses should recognize that APRA imposes more extensive compliance obligations than most state privacy laws and backs them with robust enforcement through both a private right of action and FTC enforcement.


Even so, many companies may view a uniform national standard that supersedes state laws as a worthwhile trade-off, given the proliferation of state privacy laws and their continuing evolution. Maryland's recently passed law, for instance, introduces data minimization requirements that exceed those of other states, while New Jersey's law includes a rulemaking provision that adds to companies' regulatory burden. Against this backdrop of ongoing state activity, businesses must weigh carefully whether advocating for a single federal standard serves their interests.


Key Changes

The draft bill introduces several provisions that would significantly affect businesses across sectors. The major implications are as follows:


  • Private Right of Action: Like ADPPA, APRA establishes a private right of action, enabling individuals to sue for violations of certain provisions, notably the data subject rights provisions, though not for every part of the law. Unlike ADPPA, APRA does not delay the date on which the private right of action takes effect. It provides no statutory damages but allows recovery of reasonable attorneys' fees and litigation costs, and it gives businesses a 30-day opportunity to cure before a suit for injunctive relief.
  • Preemption Provision: The bill's preemption provisions mirror ADPPA's, with the aim of simplifying compliance, but it softens them with a small carve-out for remedies, responding to concerns from states like California about losing the ability to set protections beyond the federal standard.
  • Strict Data Minimization Standard: APRA imposes a stringent data minimization standard on covered entities and service providers: collection, processing, retention, and transfer of covered data must be necessary, proportionate, and limited to what is needed to provide a product or service the individual requested, or to one of 15 enumerated permitted purposes. This goes beyond the requirements of current state privacy laws.
  • Enforcement Mechanisms: In addition to the private right of action, the FTC and state attorneys general are empowered to enforce APRA. The bill directs the FTC to promulgate rules, issue guidance, establish a data broker registry, and create a new enforcement bureau.
  • Regulation of Data Brokers and the Ad Tech Industry: APRA limits secondary uses of data and imposes direct obligations on data brokers. It gives consumers the right to opt out of data transfers and targeted advertising and requires a universal opt-out preference mechanism.
  • Focus on Large Data Holders: Large data holders, defined as entities with annual revenue above $250 million that handle the covered data of more than 5 million individuals, face additional obligations: appointing privacy and data security officers, certifying their compliance practices to the FTC, and conducting periodic impact assessments.
  • Quick Implementation: APRA would take effect 180 days after enactment, leaving covered companies a short window to achieve compliance, while the FTC is to issue guidance on various aspects within two years of enactment.

Taken together, these provisions mark a significant change in the regulatory and compliance burden businesses would face under APRA, and they underscore the value of preparing early rather than waiting for the final text.


Key provisions

  1. Definitions:
  • Covered Data: APRA defines "covered data" broadly as information that identifies or is reasonably linkable to an individual, with exclusions for certain categories such as employee information.
  • Covered Entity: The definition includes most non-profits, with exceptions for small businesses meeting specific criteria. Businesses that sell data, such as data brokers, are always in scope.
  • Large Data Holder: This term, carried over from ADPPA, covers entities with substantial revenue and data volumes and subjects them to additional requirements.
  • Sensitive Covered Data: The definition is expansive, covering categories including consumer health data and information revealing online activities.
  • Substantial Privacy Harm: APRA introduces this term to delineate the harms that warrant legal action, including financial, physical, or mental harm, intrusion upon privacy, and discrimination based on protected characteristics.
  2. Exemptions: The bill exempts certain entities, such as state and municipal government bodies, and provides data-level exemptions for information already governed by federal laws such as GLBA, HIPAA, FCRA, and FERPA.
  3. Privacy Notices: Covered entities must publish privacy policies detailing their data collection and sharing practices and their opt-out mechanisms. Large data holders must additionally provide concise short-form notices.
  4. Consumer Controls and Opt-Out Data Rights: Consumers are granted rights to access, correct, delete, and export their data, along with clear opt-out options for data transfers and targeted advertising.
  5. Data Security: Covered entities and service providers must implement reasonable data security practices commensurate with the nature and sensitivity of the data involved.
  6. Requirements for Large Data Holders: Large data holders must appoint privacy and data security officers, certify compliance to the FTC, and conduct periodic privacy impact assessments.
  7. Data Broker Regulation: Data brokers must maintain transparent opt-out mechanisms and register with the FTC.
  8. Civil Rights and Algorithms: Discriminatory data processing based on protected characteristics is prohibited. Large data holders must assess the impact of their algorithms, and consumers may opt out of the use of covered algorithms for certain decisions.
  9. Privacy-Enhancing Pilot Program: The FTC would run a pilot program to promote the adoption of privacy-enhancing technology, with participating entities presumed compliant with the data security requirements.
  10. FTC Rulemaking Authority: The FTC is tasked with promulgating rules and issuing guidance on various aspects of the bill, including the universal opt-out mechanism, data security practices, and data control rights.
  11. Private Right of Action and Enforcement Levers: Individuals have a private right of action for violations, and the FTC and state attorneys general are empowered to enforce the Act. The FTC would establish a new enforcement bureau.
  12. Limited Compromise on Preemption: State laws would be preempted, subject to limited carve-outs for certain remedies that preserve individual rights under specific state laws.
  13. Cure Period: Individuals must give an entity a 30-day opportunity to cure before suing for injunctive relief.
  14. Effective Date: The Act would take effect 180 days after enactment.

Looking Ahead

The unveiling of the draft bill has sparked considerable early discussion on both sides of Capitol Hill ahead of its formal introduction.

Although dates for formal introduction in either chamber have yet to be set, the bill is expected to follow the standard legislative process: introduction and markup in committee, followed by floor votes in the House and Senate.

In the interim, the bill's sponsors, Cantwell and Rodgers, are actively promoting the draft. Notably, on April 17, Rodgers and House Energy and Commerce Committee Ranking Member Frank Pallone, Jr. (D-N.J.) convened a hearing of the Innovation, Data, and Commerce Subcommittee titled "Legislative Solutions to Protect Kids Online and Ensure Americans' Data Privacy Rights."

The hearing addressed several privacy and online safety bills, with APRA as the centerpiece. Five of the six witnesses emphasized the significance of APRA's data minimization provisions, but views diverged on preemption and on data broker regulation, showing that while there is broad support for a federal privacy bill, disagreements persist over the specifics.


Author

Kosha Doshi

Legal Intern, Data Privacy and Digital Law, at EU Digital Partners

Kosha is a co-author of “Facial Recognition at CrossRoads: Policy Perspectives on Disruption and Innovation” at Closing the Gap 2023 | Emerging and Disruptive Technologies: Regional Perspectives Conference in the Hague, Netherlands.