Why APRA is a Step in the Right Direction, and What Can Be Done to Make It Even Better

In a recent LinkedIn post, privacy professional Omer Tene opines that the recently-introduced American Privacy Rights Act of 2024 (APRA) has a “fatal flaw.” The problem, says Tene, is that the APRA requires companies to have a legal basis for collecting and using personal information. In his view, the need for a legal basis is what is wrong with Europe’s General Data Protection Regulation (GDPR) and is inconsistent with the approach of a free country where business conduct is presumed to be legal and the government typically proceeds by telling companies what is prohibited rather than what is permitted.

It is worth engaging the ongoing privacy debate in the US at this philosophical level. Tene is to be commended for surfacing a deep-seated concern of many privacy professionals and companies about efforts to reign in data abuses. But the real issue with APRA is slightly different than he describes, and could be addressed with a regulatory addition to the proposed law.

Both GDPR and the proposed APRA embrace a legal basis privacy regime. This means in general that companies are not permitted to collect and use personal information unless they have a good reason. Under the GDPR, that “good reason” is their legal basis for “data processing,” which is the European term of art for collecting and using personal information. “Processing shall be lawful,” says Article 6 of GDPR, “only if and to the extent that at least one of the following applies,” and what follows is a list of legal bases for data processing.

The key bases are fulfillment of a contract, consent, and legitimate interest. Under fulfillment of a contract, processing is lawful only if it is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” Under consent, processing is lawful only if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Under legitimate interest, processing is lawful only if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party…”

Importantly, GDPR’s legitimate interest standard creates a balancing test where data processing in pursuit of a company’s legitimate interests still would not be lawful when these interests are “overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.”

APRA is also a legal basis regime, but it proceeds differently. Section 3 of APRA says that companies may not “collect, process, retain, or transfer [personal] data, beyond what is necessary, proportionate, and limited to provide or maintain…” And what follows is a list of permissible purposes that include providing a service, preventing fraud, complying with legal requests, engaging in first-party advertising, providing network or physical security, and responding to public safety incidents.

Contrary to Tene’s suggestion, banning data collection and use except for permissible purposes is not un-American. It is not even foreign to US privacy law. It is embodied in perhaps the oldest privacy law in the US, the Fair Credit Reporting Act from 1970. This law names specific data practices and labels them as lawful. It allows consumer reporting agencies to collect and process personal information only for one of several listed permissible purposes, including credit, insurance, and employment screening.

The American Data Privacy and Protection Act (ADPPA), a previous attempt at comprehensive privacy legislation that passed the House Energy and Commerce Committee in 2021 with an impressive bipartisan vote of 52-3, also takes a list approach. It says companies “may not collect, process, or transfer” personal information unless “reasonably necessary and proportionate” to provide a requested service or fulfill one of a list of “permissible purposes.”

Shifting the burden from permitted-unless-forbidden to forbidden-unless-permitted has important symbolic and practical importance, and for this reason the APRA is a step forward. The symbolic role is a signal that privacy is a fundamental right. The zone of privacy that covers personal data means that exploiting that data for a business purpose is, in general, a privacy violation. It can be made legitimate, but some demonstration must be given for why what in general is a privacy violation is, in a particular case, an exception.

The practical effect is that if a particular use does not have a legal justification, companies can be told to stop that data practice and adopt a different way of doing business. This is what happened in the EU when the European Court of Justice ruled that Meta could not justify its data practices under contractual necessity or legitimate interest. Meta proposed changing its business practices to allow a paid service without targeted ads in an attempt to satisfy the demands of consent as a legal basis for data processing. EU data protection authorities have determined that this “pay or consent” model will, "in most cases," not comply with the requirements for obtaining valid consent.

But there is an important difference between the legal basis approach in GDPR and the permissible purposes approach in APRA. APRA lists approved purposes. GDPR allows companies to collect and use data to satisfy a legitimate interest, where this interest overrides the privacy interests at stake. As Joseph Jerome says in a perceptive analysis of APRA for Tech Policy Press, “A list of purposes is not the same as a balancing test.”

What Tene and many companies and privacy professionals appear to be really worried about is the lack of flexibility in the permissible purposes approach. It is one thing to say, as FCRA does, that companies may not construct and maintain consumer reporting databases unless it is for one of a series of defined and approved purposes. It is another to expand this approach to the entire economy and purport to have created an exhaustive list of valuable purposes for any company engaged in any line of business into the indefinite future. One need not be a fan of the tech industry’s endless invocation of innovation as a talisman to ward off the evil spirit of regulation to recognize that new beneficial uses of data will appear that are not on any list constructed today.

What’s the way forward? Two paths present themselves. One is to write into the statute a forward-looking standard like legitimate interest and allow the collection and use of personal data when a company can show the interest overrides privacy concerns. That’s the way the European system is set up. But under it, few companies have availed themselves of this legal basis. And it is unclear how to review a company’s assertion that a particular data use would pass a balancing test.

A second way forward is to authorize the Federal Trade Commission (FTC), through notice and rulemaking, to add new purposes to the list of permissible purposes in the statute. APRA gestures in this direction with its mandate that the FTC “shall issue guidance regarding what is reasonably necessary and proportionate to comply with” the statute’s restriction to permissible purposes. But issuing guidance, as Jerome also notes, is not the same as rulemaking. And even if guidance is upgraded to rulemaking, the FTC would still be limited to interpreting what the current list of permissible purposes means. This would be an improvement, but it would not be sufficient to future-proof the statute.

The APRA should be amended to allow FTC rulemaking both to provide binding guidance to companies about what data practices are allowed under the statutory list of permissible purposes, and also to expand the list as business models and technical capacities evolve over time. There should be no need to return to Congress every time companies develop a new and valuable use of data that can bring value to consumers and the public without threatening privacy rights. The agency, on its own motion or in response to a petition, can determine whether a new data use is acceptable. This would mean that companies could not simply engage in a new data practice without getting approval from the FTC. But such a required process is one way of enforcing the policy decision that privacy is a fundamental right.

Congress has a long history of making major policy decisions and then delegating more specific questions to expert regulatory agencies. Many are concerned about this delegation of authority to agencies, and the Supreme Court might ultimately rein it in. This might speak against its political feasibility, but for now it is still a legitimate tool in the Congressional legislative toolbox. This practical use of the power of agency rulemaking under Congressional supervision might resolve some of the concerns from privacy professionals and companies about the lack of flexibility in the proposed APRA.