Unveiling the American Privacy Rights Act of 2024

Introduction

Representative Cathy McMorris Rodgers (R-Wash.), Chair of the U.S. House Committee on Energy and Commerce, alongside Senator Maria Cantwell (D-Wash.), Chair of the Senate Committee on Commerce, Science, and Transportation, unveiled a groundbreaking legislative proposal on April 7. This initiative aims to establish the United States inaugural comprehensive data privacy law at the federal level, reigniting an effort that had lain dormant in Congress for nearly two years.

Dubbed the American Privacy Rights Act of 2024 (APRA), this legislation seeks to set a new standard for data privacy and security regulation nationwide. Central to APRA is the recognition of individual data control rights for consumers and the imposition of corresponding obligations on a broad spectrum of corporations. These obligations include granting consumers the right to opt out of targeted advertising and certain algorithms, alongside imposing additional requirements on major players in the data landscape such as data brokers and “large data holders.”

APRA draws inspiration primarily from its predecessor, the American Data Privacy and Protection Act (ADPPA), which advanced further in Congress than any prior comprehensive privacy bill. 

Similar to ADPPA, APRA introduces a private right of action to empower individuals, while also seeking to replace the current patchwork of state privacy laws with a cohesive federal framework through preemption provisions. 

However, APRA distinguishes itself through several key enhancements and modifications. Notably, APRA introduces a stricter data minimization mandate applicable to both covered entities and service providers, marking a significant departure from existing practices. Moreover, in addition to granting consumers the right to opt out of targeted advertising and data transfers, APRA extends this privilege to encompass covered algorithms and AI-driven decisions. Addressing concerns raised by Senator Cantwell in prior discussions, APRA prohibits covered entities from mandating arbitration for “significant privacy harms.” 

Unlike its predecessor, APRA does not propose heightened protections for minors, potentially due to existing federal safeguards provided by the Children’s Online Privacy Protection Rule. Furthermore, the legislation would terminate the current FTC rulemaking pertaining to commercial surveillance and data security.

Impact on Businesses 

Previously, the prospect of Congress passing a comprehensive federal privacy bill, especially in an election year, seemed bleak. However, the recent introduction of APRA has injected a new sense of possibility into the conversation, albeit against some opposition. One positive aspect of APRA is its bipartisan support, signaling a potential step towards a national standard for data privacy that both companies and consumers have been awaiting. 

While there is consensus in Congress regarding the need for preemption, it’s important to note that APRA’s preemption provisions are somewhat limited. 

For instance, they may not preempt certain health laws such as Washington’s My Health My Data Act or the Biometric Information Privacy Act, which pose significant risks for companies due to their private right of action provisions.

Businesses should recognize that APRA imposes more extensive compliance obligations compared to most state privacy laws and includes robust enforcement mechanisms through both private right of action and FTC enforcement. 

Despite this, many companies may view a uniform national standard that supersedes state laws as a worthwhile trade-off, especially considering the proliferation of state privacy laws and their evolving nature. 

For instance, Maryland’s recently passed law introduces data minimization requirements that exceed those of other states, while New Jersey’s law includes a rulemaking provision that adds to companies’ regulatory burden. In light of these ongoing developments at the state level, businesses must carefully assess whether advocating for a single federal standard is in their best interest. The active landscape of state-level privacy legislation underscores the importance of strategic decision-making in navigating the complexities of data privacy regulation.

Key Changes 

The draft bill introduces several key provisions that are poised to significantly impact businesses across various sectors. Here’s a breakdown of the major implications:

• Private Right of Action: APRA establishes a private right of action, akin to its predecessor ADPPA, enabling individuals to seek recourse for violations of certain provisions. Notably, this right applies to data subject rights provisions, although not uniformly across all aspects of the law. Unlike ADPPA, APRA does not include a delay for the private right of action to take effect. However, it does not entail statutory damages but allows for the recovery of reasonable attorneys’ fees and litigation costs. Moreover, it offers businesses the opportunity to rectify actions that prompt injunctions.
• Preemption Provision: The bill includes preemption provisions akin to ADPPA, aiming to streamline business compliance. However, it softens this aspect by implementing a small carveout for remedies, acknowledging the concerns of states like California regarding the restriction of their ability to establish data protections beyond the federal standard.
• Strict Data Minimization Standard: APRA imposes a stringent data minimization standard on covered entities and service providers, mandating that personal data collection, processing, retention, and transfer adhere to the principle of necessity, proportionality, and limitation. This standard surpasses current requirements under state privacy laws, outlining 15 permitted purposes for data activities.
• Enforcement Mechanisms: In addition to the private right of action, the FTC and state attorneys general are empowered to enforce APRA’s provisions. The bill directs the FTC to promulgate rules, develop guidelines, establish a data broker registry, and create a new enforcement bureau. 
• Regulation of Data Broker and Ad Tech Industry: APRA imposes limitations on secondary uses of data and mandates direct obligations for data brokers. It grants consumers the right to opt out of data transfer and targeted advertising and requires the implementation of a universal opt-out preference mechanism.
• Focus on Large Data Holders: Large data holders, defined as entities with over $250 million in annual revenue and handling data from more than 5 million individuals, face additional obligations. These include appointing privacy and data security officers, certifying compliance practices to the FTC, and conducting periodic impact assessments.
• Quick Implementation: APRA is slated to take effect 180 days after enactment, providing a short window for covered companies to achieve compliance. The FTC is tasked with issuing guidance on various aspects within two years of enactment.

These provisions collectively underscore the significant regulatory changes and compliance burdens that businesses will need to navigate under APRA, emphasizing the importance of proactive adaptation to the evolving privacy landscape.

Key provisions 

1. Definitions:

• Covered Data: APRA defines “covered data” broadly, encompassing information identifying or reasonably linkable to individuals, with exclusions for certain categories such as employee information
• Covered Entity: The definition includes most non-profits, with exceptions for small businesses meeting specific criteria. However, businesses selling data, such as data brokers, are always within scope.
• Large Data Holder: This term, carried over from ADPPA, pertains to entities with substantial revenue and data collection volumes, subjecting them to additional requirements
• Sensitive Covered Data: The bill’s definition is expansive, encompassing various categories including consumer health data and information revealing online activities.