The Proposed American Privacy Rights Act: 5 Things to Know
Introduction
This article discusses the five (5) things you should know about the proposed American Privacy Rights Act of 2024 (APRA). The APRA would establish nationwide uniform consumer data privacy rights, partially regulate Artificial Intelligence (AI), and create new rules for high-impact social media companies and large data holders. Furthermore, this proposed federal law would preempt the growing patchwork of state privacy laws and provide for a private right of legal action.
Privacy: Something We Can All Agree On?
In April the United States (US) witnessed a rare act of bipartisanship in an election year: Representative Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA) published a draft of a bicameral federal privacy bill; namely, the American Privacy Rights Act, or APRA. They stated the bill seeks to “put people in control of their own personal data” and “eliminate the patchwork of state laws by setting one national privacy standard.” If passed, the APRA would broadly preempt many state data protection laws.
1. Who and What is Covered?
Who is Covered?
The APRA applies to “Covered Entities”, which are businesses already subject to the authority of the Federal Trade Commission (FTC), as well as common carriers and not-for-profit organizations. To analogize to European Union (EU) law, a Covered Entity resembles the “Controller” concept under the General Data Protection Regulation (GDPR).
Additionally, the APRA applies to “Service Providers”, which are organizations that process covered data on behalf of or at the direction of Covered Entities. Service Providers resemble “Processors” under the GDPR.
The APRA would impose obligations on Covered Entities and Service Providers to minimize the amount of processing of covered data (Sec. 3) and apply “reasonable” data security measures (Sec. 9). The APRA also seeks to impose heightened obligations on high-impact social media companies and large data holders.
What is Covered?
The APRA defines “Covered Data” similarly to personally identifiable information (PII) as in other government laws; specifically, Covered Data “means information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals.”
Certain information is expressly excluded from the definition of Covered Data, including de-identified data, employee data, publicly available information, inferences made exclusively from multiple independent sources of publicly available information, and information in the collection of a library, archive, or museum under express conditions. (Sec. 2(9)).
Individual Privacy Rights
The APRA also seeks to create a common baseline for data privacy rights for all natural persons residing in the US, regardless of their status as US citizens. These “Individuals” shall enjoy the right to opt out of targeted advertising and to view, correct, export or delete their data, which are rights already guaranteed in the EU and other countries. Following the GDPR and the EU Digital Service Act, the APRA also obligates Covered Entities and Service Providers to provide better transparency by requiring public-facing privacy disclosure about practices including data processing, retention, transfers to third parties, security practices, and consumers’ rights (Sec. 4).
Although these rules would provide far greater privacy protection to people in the US, the APRA remains in draft form and is unlikely to become law during a presidential election year.
2. What Are the Potential Business Obligations?
In addition to the obligations for Covered Entities and Service Providers, the APRA would impose additional requirements on “high-impact social media companies” and “large data holders”.
High-Impact Social Media Companies
The APRA defines a “covered high-impact social media company” as a Covered Entity that provides an internet-accessible platform where:
The entity generates at least $3 billion in global annual revenue (including revenues of any affiliates);
The entity has a platform with at least 300 million global monthly active users (for at least 3 of the preceding 12 months); and
The platform is primarily used by individuals to access or share user-generated content. (Sec. 2(11)).
For a platform designated as a covered high-impact social media company, the data it collects on users would be treated as “sensitive data”, even when the data are not tracked across websites (Sec. 2(34)(A)(xv)). Consequently, affirmative express consent would be required before any business could transfer such sensitive data to third parties. This would significantly change current practices for targeted advertising in the US.
Large Data Holders
The APRA also would impose greater transparency obligations on “large data holders”. Large data holders are Covered Entities or Service Providers with a gross revenue of at least $250 million in the most recent calendar year that collect, process, retain, or transfer the covered data of:
Over 5 million individuals;
15 million portable connected devices that identify or are linked or reasonably linkable to one (1) or more individuals; and
35 million connected devices that identify or are linked or reasonably linkable to one (1) or more individuals;
Or the sensitive data of:
Over 200,000 individuals;
300,000 portable devices that identify, or are linked or reasonably linkable to one or more individuals; and
700,000 connected devices that identify, or are linked or reasonably linkable to one or more individuals.
Among other obligations, the APRA would require large data holders to do the following:
Retain and publish on their websites copies of each version of their privacy policy for at least the previous 10 years;
Publish on their websites a log that describes the date and nature of each material change to their privacy policy during such 10-year period in a manner that is sufficient for a reasonable individual to understand the effect of each material change; and
Provide a short-form notice (500 words or less) of their covered data practices that is concise, clear, readily accessible, and includes an overview of individual rights. (Sec. 4(f)).
Data Security
The data security language under Section 9 of the APRA reflects the trend of copying concepts and language from the EU GDPR. Specifically, all Covered Entities and Service Providers, regardless of size, must “establish, implement, and maintain reasonable data security practices to protect … the confidentiality, integrity, and accessibility of covered data” and to protect “covered data against unauthorized access.” (Sec. 9(a)(1), emphasis added).
Moreover, entities may shape appropriate data security practices based on the following considerations:
The size and complexity of the covered entity or service provider;
The nature and scope of the covered entity’s or the service provider’s collecting, processing, retaining, or transferring of covered data, taking into account such covered entity’s or service provider’s changing business operations with respect to covered data;
The volume, nature, and sensitivity of the covered data at issue; and
The state-of-the-art (and limitations thereof) in administrative, technical, and physical safeguards for protecting such covered data. (Sec. 9(a)(2)).
Specific Data Security Requirements
Organizations would be legally obligated to provide the following minimum security controls:
Vulnerability assessments;
Preventative and corrective action (including audits);
Information and retention policies and practices;
Data retention schedules;
Training; and
Incident response plans.
In sum, if enacted, the APRA would create a host of new obligations on all US organizations that collect, process, and dispose of “covered data”.
Prohibition on “Dark Patterns”
Dark Patterns are defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.” (Sec. 2(14)). In short, if you consider the manipulative way user cookie notices are currently presented in the US, it would become illegal to present users with an unnecessarily complicated consent process. For example, no more time-consuming and irritating process of unchecking every “legitimate interest” toggle, and no more distracting and more appealingly colored “Accept All” buttons next to an almost invisible “Reject All” button.
3. Partial Regulation of Artificial Intelligence
If enacted in its current form, the APRA would have implications for Artificial Intelligence (“AI”). For example, the data minimization requirement under the APRA could affect the development of AI by restricting the volume of data available to AI developers for model training (see Sec. 3, Data Minimization).
Preemption
The APRA makes two explicit references to AI, with the first addressing federal preemption. The APRA provides that it will not preempt state criminal laws on intimate images, including those generated by AI (Sec. 20(1)(3)(H)(iv)).
Covered Algorithms
The second reference discusses “covered algorithms,” which “means a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision making by using covered data, which includes determining the provision of products or services or ranking, ordering, promoting, recommending, amplifying, or similarly determining the delivery or display of information to an individual.” (Sec. 2(8))
Entities that use covered algorithms would be subject to, among other obligations, the following:
Design evaluation to reduce the risk of the potential harms;
Impact assessments; and
Providing notice and an opportunity to opt out if a covered algorithm is used for “consequential decisions” (i.e., decisions relating to an individual’s access to or equal enjoyment of housing, employment, education enrollment or opportunity, healthcare, insurance, credit, or place of public accommodation). (Sec. 14)
This language appears to follow the lead of the EU AI Act, which came into effect in 2024, and demonstrates again the influence of the EU as a first mover that shapes global privacy and data protection law.
4. New Enforcement Mechanisms
New Private Right of Action
Although the APRA would be enforced by the FTC and state attorneys general, the law would also give Individuals a novel right of enforcement via a civil suit against offending entities. Unsurprisingly, the US Chamber of Commerce opposes this provision.
In a civil lawsuit, Individuals could seek damages, injunctive or declaratory relief, and reasonable legal and litigation costs (Sec. 19(a)(2)). Specifically, individuals could bring a civil action for, among other things, violations relating to data minimization, transparency, individual control over covered data, opt-out rights, interference with consumer rights, retaliation for exercising their rights under the APRA, and data security practices (Sec. 19(a)(1)).
Limits on Arbitration
The APRA would limit the enforceability of consumer arbitration agreements. Under the APRA, arbitration agreements would not be enforceable if a claim alleges:
A violation involving a minor (i.e., under 18); or
Substantial privacy harm.
Substantial privacy harm includes the following:
Financial harm greater than $10,000;
Physical or mental harm that involves treatment of a physical injury;
A highly offensive intrusion on a consumer’s privacy expectations; or
Discrimination on the basis of race, color, religion, national origin, sex or disability.
If these types of complaints are alleged, Individuals would not be forced to arbitrate their issues and could instead pursue the claims through normal litigation.
Notice Requirement
Before exercising a private right of action to recover damages, except in the case of substantial privacy harm, Individuals would be required to provide an organization with written notice. Organizations would also enjoy an opportunity to cure the alleged privacy violation in actions that request injunctive relief. These provisions permit businesses to mitigate their liability exposure by quickly responding to consumer complaints and improving privacy practices.
State Preemption
The APRA states that its purposes are to “establish a uniform national data privacy and data security standard” and to “expressly preempt laws of a State or political subdivision.” Subject to a few exceptions, no US state could adopt, maintain or enforce any law, regulation, rule or requirement covered or promulgated by the APRA. The US Chamber of Commerce expressed a favorable opinion of standardizing privacy law across the country, but it pointed out several flaws in the language of the bill that open the door to preemption challenges.
Under the APRA, a number of state laws, or portions thereof, would be exempt from preemption. These include the following:
Consumer protection laws of general applicability;
Civil rights laws;
Provisions that address (1) the privacy rights or other protections of employees or students, or (2) notification requirements in the event of a data breach;
Contract or tort law;
Certain criminal and civil laws (e.g., on blackmail, cyberbullying, child abuse);
Public safety laws; and
Laws that protect the privacy of health information. (Sec. 20(a)(3)).
The APRA also provides certain carve-outs that would enable the continuation of consumer lawsuits under the Illinois Biometric Information Privacy Act and Genetic Information Privacy Act, and under Section 1798.150 of the California Consumer Privacy Act if the action relates to a data breach. (Sec. 19(a)(2)(B) and (C)).
5. Key Takeaways
Broad Application
For the first time, the APRA would provide people in the US with broad federal privacy protections. The APRA would supersede the current state-by-state patchwork of privacy legislation, which is constantly growing and adding complexity for businesses. Thus, Americans have an opportunity to enjoy a comprehensive and consistent approach to data privacy, with greater data security and privacy obligations for entities that collect their personal information.
New Obligations on High-Impact Social Media Companies and Large Data Holders
The APRA would obligate high-impact social media companies to treat first-party browsing data with greater sensitivity, which is not required for smaller Covered Entities. The law would also provide more stringent transparency obligations on large data holders.
Some AI Regulation
AI is at the forefront of everyone’s mind. The APRA would establish legal requirements for entities that use “covered algorithms” (i.e., automated decision-making systems). These entities would be required to design and assess the impact of their AI systems and learning models to minimize the risk of harm to all users.
Private Right of Action
Privacy laws have been historically criticized for their lack of teeth. By including a private right of action in the US, the APRA would be enforced not only by the FTC and state regulators, but also by everyday people who could bring suit to remedy perceived violations. To date, the private right of action has been a contentious issue in the US. But people are speaking, and Congress seems to be listening. If passed, businesses may face a significant increase in potential liability exposure. All the more reason to develop a sound data privacy and governance, risk, and compliance program.
Conclusion
If your organization does not yet have a person advising you on privacy and data protection matters, and if your data privacy or data governance, risk, and compliance (GRC) programs have room to grow and mature, then 1 Global Data Protection Advisors (1GDPA) can help. Reach out for a free consultation at any time.
Sources
Committee Chairs Rodgers, Cantwell Unveil Historic Draft Comprehensive Data Privacy Legislation, 7 April 2024, energycommerce.house.gov
American Privacy Rights Act of 2024, Discussion Draft
U.S. Chamber Letter on the “American Privacy Rights Act”, US Chamber of Commerce