On April 7, 2024, U.S. Sen. Maria Cantwell (D-WA) and U.S. Rep. Cathy McMorris Rodgers (R-WA) released a discussion draft of the latest federal privacy proposal, known as American Privacy Rights Act (“APRA” or the “Act”). The APRA builds upon the American Data Privacy and Protection Act (“ADPPA”), which was introduced as H.R. 8152 in the 117th Congress and advanced out of the House Energy and Commerce Committee but did not become law. As the latest iteration of a federal privacy proposal, the APRA signals that some members of Congress continue to seek to create a federal standard in the wake of—and in spite of—the ever-growing patchwork of state privacy laws. Some of the principal topics are summarized below:
- Covered Entities – APRA applies to entities that determine the purposes and means of collecting, processing, retaining, or transferring covered data. Covered entities are limited to businesses subject to the Federal Trade Commission Act, common carriers subject to title II of the Communications Act, and most nonprofits. However, if a non-profit’s primary mission is to prevent, investigate, or deter fraud, for example, it is exempt from the APRA. Public sector entities and government service providers are also generally exempt, as are small businesses—defined in part as those whose average annual gross revenues for the three preceding calendar years did not (1) exceed $40 million, (2) process more than 200,000 individuals’ covered data (for other than payment purposes), or (3) exchange covered data for something of value. Special obligations apply to covered entities who are large data holders (those with annual gross revenue of at least $250 million, and process either (1) covered data of five million individuals, or 15 million portable devices or 35 million connected devices that are linkable to an individual; or (2) sensitive data of 200,000 individuals, or 300,00 portable devices or 700,000 connected devices that are linkable to an individual), high-impact social media companies (those with annual gross revenue of at least $3 billion, having at least 300 million global monthly active users, and whose platforms constitute products or services primarily used for accessing or sharing user-generated content) or data brokers (those whose principal source of revenue is derived from processing or transferring covered data that they themselves did not collect directly from individuals). Entities that act as data brokers with respect to more than 5,000 individuals or devices must register with the FTC. Service providers acting on behalf of a covered entity have many of the same obligations as covered entities.
- Covered Data – The APRA defines “covered data” as information that identifies, or is linked or reasonably linkable, alone or in combination with other information to an individual or a device.[1] The APRA expressly excludes “de-identified data,” “employee information,” and “publicly available information” from its definition of covered data. It also excludes inferences made exclusively from multiple independent sources of publicly available information, provided that such inferences do not reveal information about an individual that meets the definition of sensitive covered data (see below) with respect to an individual; and are not combined with covered data. Finally, it does not pertain to information housed in certain facilities (such as libraries) that meet certain data protection requirements.
- Sensitive Covered Data – The APRA defines sensitive covered data by type, listing 18 specific categories of data—g., government-issued identifiers, precise geolocation information, health data, biometric information, genetic information, information about minors (anyone under the age of 17), cross-site tracking data, certain protected class data, and certain financial information. The definition also contains a provision that includes “any other covered data … that the [FTC] determines to be sensitive covered data through a rulemaking ….” Other categories cover information historically protected in the U.S. as common law privacy torts or by specific statutes, such as private communications, nude photos, video viewing related data, sexual behavior, and information intended for private use.
- Material Scope and Data Minimization – A key element of the APRA generally prohibits covered entities from collecting, processing, retaining, or transferring covered data beyond what is necessary, proportionate, and limited to provide or maintain a specific product or service or a “reasonably anticipated” communication. The APRA permits the collection, processing, retention and transfer of covered data for 15 “permitted purposes”—g., to comply with a legal obligation, to effectuate a product recall, to conduct market research—provided the covered entity can demonstrate that the collection, processing, retention, or transfer is necessary, proportionate, and limited to the statutorily permitted purpose.
- Consent – Affirmative express consent is not a general basis for processing covered data, but it is specifically required in the following circumstances:
- to transfer sensitive covered data to a third party;
- to collect, process, or retain biometric information or genetic information;
- to transfer biometric information or genetic information to a third party;
- to collect, process, retain, or transfer covered data for market research;
- to secure participation in bona fide loyalty programs;
- to retain covered data after it is required to be deleted or is no longer needed; and
- with respect to the data broker registry, as discussed below
- Individual Rights – APRA grants individuals the rights to access, correct, delete and export covered data. It also requires covered entities to provide individuals with a means to opt out of the transfer of the individual’s covered data and to opt out of targeted advertising (which is defined to largely exempt first-party advertising and contextual advertising). The APRA directs the FTC to promulgate regulations for a centralized consent and opt-out mechanism. Covered entities are prohibited from employing dark patterns to distract individuals or manipulate their consents or otherwise impair them from exercising their APRA rights. To the extent a covered entity uses a covered algorithm to make or facilitate a consequential decision, it must provide notice to any individual subject to use of the covered algorithm and an opportunity for the individual to opt out of such use. Moreover, any data broker that receives a “Do Not Collect” request from an individual must ensure that it no longer collects covered data related to that individual without the affirmative express consent of the individual and must comply with the request within 30 days.
- Accountability – The APRA requires covered entities to designate at least one privacy or data security officer who must implement a data privacy program and data security program and facilitate ongoing compliance with the Act. For large data holders, the APRA requires the designation of two officers: one serving as the privacy officer and one serving as a data security officer. It also requires annual certification to the FTC that the large data holder maintains internal controls reasonably designed to comply with this Act and internal reporting structures to ensure that certifying officers are involved in, and responsible for, decisions that impact compliance. The APRA sets out responsibilities with respect to service providers and third parties as well, including contracting requirements for service providers.
- Risk Assessment – Covered entities, as part of their data security practices, must routinely identify and assess any reasonably foreseeable internal or external risk to, and vulnerability in, each system maintained that collects, processes, retains, or transfers covered data. Large data holders must conduct a privacy impact assessment biennially that weighs the benefits of the entity’s covered data collection, processing, retention and transfer practices against the potential adverse consequences of such practices to individual privacy. Separately, a large data holder must conduct and report to the FTC a covered algorithm impact assessment to the extent it uses a covered algorithm in a manner that poses a consequential risk of harm to an individual or group of individuals. Moreover, prior to deploying a covered algorithm, a covered entity must evaluate the design, structure and inputs of the covered algorithm, including any training data used to develop the covered algorithm, to reduce the risk of the potential harms.
- Incentives – Covered entities that are not large data holders or data brokers may apply to the FTC for approval of compliance guidelines governing their collection, processing, retention and transfer of covered data. A covered entity with compliance guidelines approved by the FTC is entitled to a rebuttable presumption that it is in compliance with the relevant APRA provisions if the covered entity is in compliance with the guidelines. The APRA also requires the FTC to establish a pilot program to encourage private sector use of privacy-enhancing technologies (“PETs”). Any covered entity selected by the FTC to participate in the program shall (1) in enforcement actions by the FTC and the states for violation of APRA’s data security and protection provisions, be deemed to be in compliance with the provisions with respect to any covered data subject to the PET; and (2) in enforcement actions by individuals for violation of APRA’s data security and protection provisions, be entitled to a rebuttable presumption that the covered entity is in compliance with the provisions with respect to any covered data subject to the PET. The Act does not preclude large data holders or data brokers from seeking to participate in the pilot program.
- Enforcement – The APRA directs the FTC to establish a new bureau to assist the FTC in exercising its authority under the Act. Furthermore, a violation of the Act, or a regulation promulgated under the Act, shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under the Federal Trade Commission Act. The APRA authorizes State Attorneys General, chief consumer protection officers, and other authorized officers of the state, upon notifying the FTC, to bring civil actions in the name of the State, or as parens patriae on behalf of the residents of the State.
- Private Right of Action – The APRA permits an individual to bring a civil action in federal district court against an entity for violations of certain provisions, specifically those addressing:
- the data minimization provisions regarding sensitive covered data, biometric information, and genetic information (but other data minimization requirements are notably not in scope for the private right of action);
- transparency obligations relating to privacy policies and any material changes thereto;
- the rights to access, correct, delete, and export covered data;
- the rights to opt out of covered data transfers, targeted advertising, and the use of an opt-out mechanism;
- the use of dark patterns;
- prohibition on denial of service and waiver of rights;
- the establishment of data security practices, to the extent a data breach arises from a violation of those practices;
- the duty to exercise due diligence in selecting service providers or deciding to transfer covered data to third parties;
- the obligation of data brokers to honor “Do Not Collect” requests;
- civil rights obligations; and
- uses of covered algorithms to make or facilitate consequential decisions.
Preemption – The APRA preempts any laws, regulations, rules or requirements of a state or political subdivision that are “covered by” the provisions of the Act or any implementing rules, regulations or requirements. APRA also contains a long list of exceptions to the general preemption provision, including data breach notification laws and laws that address electronic surveillance, wiretapping and telephone monitoring. The APRA also contains provisions regarding federal law preservation and the application of other federal privacy requirements. In particular, the Act does not change any obligation that a person may have under the Children’s Online Privacy Protection Act. In addition, a covered entity that is required to comply with certain listed laws and regulations (e.g., the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act), and is in compliance with the data privacy requirements of such laws and regulations, shall be deemed to be in compliance with the related provisions of APRA, except with respect to data security and protection requirements, and exclusively with respect to any data subject to the requirements of such laws and regulations.
- California and Illinois Carve-Outs – In a civil action alleging unauthorized access of covered information, the court may award a prevailing plaintiff who is a resident of California the same relief as set forth in the California Consumer Privacy Act. In a civil action brought for a violation of the APRA where the conduct underlying the violation occurred primarily and substantially in Illinois, the court may award a prevailing plaintiff the same relief as set forth in Illinois’ Biometric Information Privacy Act or the Genetic Information Privacy Act.
The above summary is not meant to be exhaustive. Read a section-by-section summary of the discussion draft released in conjunction with Rep. McMorris Rodgers’ announcement of the draft bill.
[1] References to “data” throughout this article are presumed to be “covered data” if not otherwise indicated.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code