Intro to the American Privacy Rights Act
Just days after the data privacy world descended on Washington D.C. for IAPP’s Global Privacy Summit 2024, Congress shocked everyone by releasing a draft of a new prospective federal data privacy law, the American Privacy Rights Act (APRA). While the introduction of a federal privacy law is nothing new, the timing of the APRA emerging in an election year without much prior buzz within Washington has given the draft a palpable energy that has many feeling this time will end differently.
However, the privacy community should not get wrapped up in the aura of breaking news, as it won’t be time to celebrate until a law officially passes. The American Data Privacy and Protection Act (ADPPA) went through a similar cycle just two years ago, in 2022. Nothing is guaranteed, and despite optimism the chances the APRA becomes the privacy law we have all been waiting for remain low.
In fact, one of the APRA’s main sponsors, Cathy McMorris Rodgers (R-WA), also sponsored the failed ADPPA. For the APRA, McMorris Rodgers has reached across the aisle in her home state of Washington to secure support from Senator Maria Cantwell (D), who has been vocal about the need for privacy and AI laws in the face of surging innovation.
Despite the ADPPA’s failure to even advance to the House floor for a vote, privacy experts are noting that the APRA shares many similarities with the previous bill. Here is a quick rundown of the highs and lows of the initial draft.
American Privacy Rights Act: The Positives
For one, the APRA will preempt the existing patchwork of state-level laws, which has become messier and messier with the rapid pace at which states are passing regulation. While some, like Kentucky, have favored a safe, formulaic approach seen in early privacy adopters like Virginia, other states like New Jersey and Maryland have opted to do their own thing entirely, a valiant but complicating effort for businesses trying to stay compliant within the U.S.
Beyond simplifying the privacy landscape, a welcome development for businesses and lawyers alike, the APRA would demand:
- Strict data minimization requirements, including 15 permitted data collection purposes
- Opt-in consent for sensitive data transfers, as well as for the collection of biometric data
- Privacy policies that list third-party categories and data broker transfers
- Opt-out rights where targeted advertising is involved
- Naming of a data privacy/security officer
- A 30-day timeline for handling data subject requests (DSRs)
- Short-form privacy notices of no more than 500 words
- A clear set of data rights for citizens/residents
- A private right of action
- Applicability to nonprofits
There is a lot to like here, including finally taking pages out of the EU’s GDPR playbook in limiting data subject request handling to 30 days instead of the typical 45 days most states provide, as well as requiring the appointment of a Data Protection Officer-esque position to help oversee compliance. Why those things have largely been absent from state laws remains a mystery, but they are easily rectified.
Opt-ins for sensitive data collection and transfers remain similar to the standard most states have implicitly agreed on, although the individual right to see the third parties their data was shared with is something that only recent state laws like Delaware’s and Oregon’s have included.
Lastly, the private right of action within the bill is massive, as only California’s CCPA provides individuals the right to bring lawsuits against companies noncompliant with data privacy regulations. The fact that the right is in the draft at all shows lawmakers are trying to enact meaningful legislation, and not just cater to lobbyists who have helped water down a litany of state bills.
American Privacy Rights Act: The Questionable
Preemption is a double-edged sword. While preempting weak privacy laws like Utah’s or Tennessee’s is a benefit, preempting strong regulation like in California will be detrimental. California Congressional representatives were instrumental in killing the ADPPA, as they raised concerns over the bill diluting the privacy rights of Californians.
That issue remains present in the APRA, especially given that the law’s scope does not cover employee information, a key tenet and differentiating feature of the CCPA. While this element may not ultimately end up preempted, it still creates a barrier to the bill’s passage.
Some additional elements of the APRA worth critiquing include:
- Lack of a singular privacy focus
- 30-day cure period (TBD whether permanent or not)
- Definition of children set as those “under 17 years old” (children’s data remains less covered here as a revised version of COPPA has heavy bipartisan support and should get done)
- DPIAs and algorithm assessments only for “large data holders”
- Looser applicability thresholds
Whether determined by revenue or population thresholds, most state privacy laws adhering to one or the other set the amounts at $25 million in annual revenue or processing the data of 100,000 consumers within a state, respectively. The APRA raises both of those thresholds to $40 million annually or processing/collecting/transferring the data of 200,000+ residents.
The definition of a large data holder means an organization making at least $250 million in annual revenue or handling the data of 5 million+ people.
With small businesses exempt and higher revenue thresholds, the bill in some ways reads as another attempt to control Big Tech (even more evident by the inclusion of language surrounding “high impact social media companies”). Even with data rights established on a somewhat progressive scale, the most stringent requirements would only apply to a select number of organizations nationwide.
American Privacy Rights Act: The Rest
As noted above, the APRA has numerous privacy-adjacent sections within, ranging from data breach notice rules to regulations around algorithmic bias. The presence of these topics, especially given the exemptions for several state data breach laws, complicates the bill and increases the chances it runs up against legislative backlash.
California lawmakers have already expressed concerns over issues like preemption, and some Republican lawmakers don’t seem set on this draft being close to passable either (a private right of action was a nonstarter for state laws coming out of Red states, so that may present major challenges here as well).
This is obviously an urgent matter, given the APRA would take effect just 180 days after enactment, but even for an issue with bipartisan support, the path ahead is rocky and far from a guarantee.
Likewise, the bill includes sections that were likely put there to satisfy various stakeholders, but lack a practical path to enforceability. In the same vein as California’s proposed Delete Act establishing a universal method for issuing data subject requests, the APRA seeks to establish a data broker registry as well as something similar to a universal acknowledgment of opt-out mechanisms.
Those statutes have proved challenging to enact outside of California, as there are no other states that have successfully implemented them yet and a national data broker registry would require immense resources to maintain, well outside the scope of the FTC and state AGs.
Regardless of various issues with the draft, clear and additional requirements for service providers and third parties are a welcome sight, and campaigning for a broad adoption of privacy programs across industries is well overdue in 2024.
Approaching the American Privacy Rights Act
With hearings on the APRA and COPPA 2.0 already set for the House of Representatives, the momentum for privacy is here, and that alone is cause for celebration.
Given its short enactment timeline and a pressing need to push legislation to the floor for votes before the 2024 Election Cycle picks up in ferocity, we’ll likely know the fate of the American Privacy Rights Act within the next two months, meaning the law could be effective by 2025 if it does pass.
What are the chances that actually happens? Right now, given the initial released draft will be altered by both Democrats and Republicans (as it should be, given its failed ADPPA skeleton) and will require multiple waves of bipartisan support, the APRA is probably looking at less than a 50-50 shot of passing.
And yet, its sudden announcement gives us a window into the psyche of American privacy and what could become law one day, making it invaluable to examine. For a more complete section-by-section breakdown, check out privacy expert Luiza Jarovsky’s guide here.
If you’ve gone through the bill and are wondering how your privacy program needs to adapt, the first step for any company should be putting together a continuous and comprehensive data map to see where your data lies and what obligations you may have under regulations.
Not convinced a continuous and comprehensive data map can be done quickly and affordably? Then you haven’t heard about MineOS. Check out our unique data mapping solution and real stories of how customers are leveraging our platform to strengthen their privacy programs here and here.