The American Privacy Rights Act of 2024 Explained: What Does the Proposed Legislation Say, and What Will it Do?
Perla Khattar / Apr 9, 2024
Rep. Cathy McMorris Rodgers (R-WA), Sen. Maria Cantwell (D-WA). Wikimedia
On April 7, 2024, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) unveiled a discussion draft of the American Privacy Rights Act of 2024 (APRA). This bipartisan and bicameral effort seeks to create a unified privacy standard across the United States, replacing an existing patchwork of state privacy laws.
The draft law emphasizes giving American consumers control over their personal information, including the ability to manage, correct, delete, and restrict the sale or transfer of their data. The draft also introduces measures to limit the amount of data companies can collect to what is necessary for their services, enhances protections for sensitive information, and allows people to opt out of targeted advertising and certain data processing activities. Additionally, the APRA includes provisions to enable individuals to take legal action against violations of their privacy rights.
The US government has tried to part ways with its patchwork approach to consumer privacy before. On June 21, 2022, the American Data Privacy and Protection Act (ADPPA) was introduced to the House and was, according to the International Association of Privacy Professionals, “the closest US Congress has ever been to passing comprehensive federal privacy legislation.” However, unlike the newly unveiled APRA, Senator Cantwell opposed the ADPPA and criticized the proposal’s approach to a private right of action, even after it passed the House committee in a 53–2 vote.
On Scope
The APRA applies to entities that determine the purposes and means of collecting, processing, retaining, or transferring covered data and are subject to the Federal Trade Commission (FTC) Act, are considered common carriers as defined by the Communications Act of 1934 (47 U.S.C. 201–231), or are certain nonprofits. Generally, small businesses (such as those that generate less than $40,000,000 in revenue annually, process the covered data of less than 200,000 consumers, and do not earn revenue from the transfer of covered data to third parties), governments, and entities working on behalf of governments are exempt from compliance.
The APRA follows Europe’s approach to covered data and defines it as information that identifies, is linked, or is reasonably linkable to an individual or device and excludes, for instance, deidentified data, employee data, and publicly available information. However, the draft diverges from Europe's General Data Protection Regulation (GDPR) by proposing a broader definition of sensitive information. Under the APRA, sensitive information includes data revealing an individual’s online activities over time and across websites or online services that do not share common branding, or overtime on any website or online service operated by a covered high-impact social media company. The novelty does not stop here, because the APRA introduces a new term of art: “high-impact social media company”—covered entities operating platforms that host user-generated content, generating $3,000,000,000 or more in global annual revenue, and servicing 300,000,000 or more global monthly active users.
On Data Minimization and Transparency
The APRA outlines regulations for covered entities and their service providers concerning data collection, processing, retention, and transfer. Like ADPPA, it emphasizes data minimization, requiring activities to be necessary and proportionate to delivering requested services or communications or for clearly defined permitted purposes. Specifically, the draft restricts the collection and transfer of biometric and genetic information to cases with explicit consent from the consumer. The transfer of sensitive data also requires explicit consent, unless it falls under a permitted purpose. The FTC is tasked with issuing guidance on adhering to data minimization principles.
The draft law mandates that covered entities and their service providers must make their privacy policies publicly accessible, detailing their data privacy and security measures. These policies must include information about the entity, the types of data collected, processed, or retained, the purposes of the processing, entities (including data brokers) to whom data is transferred, data retention duration, security practices, and the policy's effective date. Additionally, privacy policies should clearly explain how consumers can manage their data and opt-out rights, be available in multiple languages, and be accessible to individuals with disabilities. If there are significant changes to the policy, entities must notify consumers in advance and provide an option to opt out of data processing or transfer. Larger data holders face extra obligations to make available their policies from the previous decade.
On Consumer Rights
Under the proposed APRA, consumers have the right to access, correct, delete, and export their data, know to whom their data is transferred and why, and have their requests fulfilled within specified timeframes. Consumers also have the right to access services in any language in which the covered entity provides a product or service and in accessible formats. In addition, consumers have the right to opt out of the transfer of non-sensitive covered data and the use of their personal information for targeted advertising. Covered entities are prohibited from retaliating against or refusing service to consumers who choose to assert their rights under the APRA.
On Security Protocols
Covered entities and service providers are required to implement data security measures that correspond with their size, scope, extent of their data handling activities, the amount and sensitivity of the data involved, and the current standard of protective measures. They must also evaluate potential vulnerabilities and take reasonable steps to reduce any risks to consumer data that can be anticipated. Every covered entity subject to the APRA must appoint a privacy or data security officer, and large data holders are expected to appoint both a privacy and a data security officer on top of filing for annual certifications of internal controls with the FTC and conducting biennial privacy impact assessments.
On Service Providers, Third Parties, and Data Brokers
The APRA emphasizes that service providers adhere strictly to the directives of covered entities and cease operations if aware of any violations of the law. Additionally, it underscores the necessity for service providers to maintain rigorous data security and confidentiality, including allowing independent security assessments. Covered entities must carefully select service providers and ensure data transfers comply with strict due diligence requirements. Furthermore, third parties are restricted to processing data solely for purposes disclosed in privacy policies or explicitly consented to by consumers, particularly concerning sensitive data.
In addition, the APRA requires data brokers to operate a public website that identifies them as data brokers, incorporates tools for individuals to manage their data privacy rights including opt-outs, and provides a link to a data broker registry, which the FTC is tasked with creating. Also, data brokers are forbidden from using data for stalking, fraud, or misrepresenting their business practices. This registry will feature a "Do Not Collect" option for consumers, a great step from the “Do Not Track” web browser setting of 2009 that lacked enforceability.
On Enforcement
When Sen. Cantwell opposed ADPPA, she said that the proposed law was weak on enforcement. The APRA is enforceable by three entities: the FTC, state attorney generals, and consumers.
The FTC is directed to create a new bureau, akin to its Bureaus of Enforcement and Competition, to enforce the law. Violations are to be regarded as infringements against rules that prevent unfair or deceptive practices, as per the FTC Act. Furthermore, the law would create a Privacy and Security Victims Relief Fund to facilitate consumer compensation, and the FTC is required to report to Congress on its enforcement and administrative activities regarding the Act. While the FTC is entrusted with enforcement, the APRA effectively terminates the agency’s rulemaking on commercial surveillance and data security, a role that the FTC took on to fill the void created by the absence of a comprehensive federal privacy law.
Also, the APRA empowers state attorneys general, chief consumer protection officers, and other state officials to enforce its provisions in Federal district court. They can pursue various legal remedies including injunctions, civil penalties, damages, restitution, and compensation for consumers. Before taking legal action under this proposed law, state attorneys general are required to inform the FTC.
Most notably, consumers under the APRA will have the right to initiate private lawsuits against covered entities that infringe upon their privacy rights, an enforcement method championed by the Democrat supporters of the proposal. Lawsuits based on significant privacy harm or involving minors are exempt from mandatory arbitration. Plaintiffs can seek actual damages, injunctive relief, declaratory relief, and the reimbursement of reasonable legal fees and expenses. Any court-awarded compensation to a plaintiff can be reduced by any compensation they've already received for the same violation from the FTC or state actions. Additionally, for violations involving the unauthorized use of biometric and genetic information in Illinois, claimants can seek statutory damages as per Illinois’s BIPA. California residents can claim statutory damages for data breaches in line with California’s CCPA. The draft law allows covered entities to rectify violations when injunctive relief is sought and requires written notification for actions pursuing actual damages, barring those involving significant privacy harm.
On Preemption
APRA would preempt comprehensive state privacy laws—a provision backed by the Republican supporters of the law. Preemption was a major reason that key groups, including many Democrats, opposed ADPPA. Sen. Cantwell told the Spokesman-Review that while APRA would preempt state laws such as those in California, Illinois, and Washington, it adopts their strongest provisions. “We are preserving those standards that California and Illinois and Washington have,” she said. There are also exceptions to preemption enumerated in the draft, including for consumer protection laws, civil rights laws, and other statutes that have bearing on privacy. Federal laws, especially those concerning information security breaches, antitrust, and other specified privacy regulations like the GLBA, HIPAA, FERPA, and COPPA are not preempted by the APRA, with exceptions. Both Federal and state legal remedies for civil relief are maintained.
What’s next for the APRA?
The introduction of the APRA marks a significant step towards establishing a comprehensive federal privacy law in the United States, aiming to fill a long-standing void felt by consumers who remain one of the last global populations not covered by a national privacy law. The bipartisan and bicameral nature of the APRA sets a solid foundation for its advancement, though there are already detractors.
The structural and thematic similarities between the APRA and ADPPA suggest a strategic effort to build upon the legislative groundwork laid by the latter, incorporating broad preemption, privacy rights of action, and foundational privacy protections. Further analysis should consider how definitions and other provisions of the APRA differ from ADPPA, and the implications of such differences.
As the APRA moves forward, it will be crucial to monitor the legislative process, especially any amendments or negotiations that may arise to address stakeholder concerns during committee reviews and public hearings. Furthermore, the response from the business community, privacy advocates, and the general public will likely shape the discourse and influence the final contours of the law.
Ultimately, the APRA's success will hinge on its ability to harmonize the diverse interests of all stakeholders involved, ensuring robust privacy protections for consumers while fostering innovation and growth in the digital economy. The coming months will be pivotal in determining whether the APRA can achieve the delicate balance necessary to become the landmark in US privacy legislation.
RELATED READING:
