The Doom of the American Privacy Rights Act
Since the U.S. Congress introduced the American Privacy Rights Act (APRA) in April, the data privacy landscape has already shifted. Three more states have seen privacy laws finalized–Maryland, Minnesota, Rhode Island–and Vermont’s House-back bill became a historical casualty when Governor Phil Scott vetoed the law over its inclusion of a private right of action.
Of note, Maryland and Minnesota’s laws are both stronger than APRA in various places, an awkward reality given the first reaction to the bill was an argument over preemption.
Those arguments have persisted and heightened after various consumer protections were removed from the most recent draft of APRA, meaning the law is likely to end up in the graveyard. More on that below, but first let’s dive into why preemption is such a big deal.
The Importance of Preemption
Preemption means that a federal law is able to supersede state and local laws, basically rendering previous state laws on that topic meaningless. For data privacy, this is important because states like California have advanced the issue quite far over the past half-decade, and a federal law threatens that consumer progress.
Tom Kemp, a well-respected voice and author within the field and one of the stewards of the CPRA amendment to California’s CCPA regulation, blasted the initial version of the law, asking “Why do 40 million Californians need to lose their robust rights that are expanding every year through constant iteration so the entire nation can be given lesser rights that would let data brokers — one of the biggest privacy issues we face — run amok?”
(And to note, Kemp also succinctly runs down how APRA would kill California’s DELETE Act, the next step in making it easier than ever for individuals to exercise their data rights, in favor of a broader and less protective mechanism.)
This disparity is the crux of why the previous federal data privacy bill, the American Data Privacy & Protection Act (ADPPA), died before even advancing out of committee. Two years later, Congress is trying again due to the added pressure of over a dozen new state laws and rising consumer concerns over how AI uses data.
Now that we’re going through the process again with the APRA, there has been attempted political compromise in possibly making it a “loose preemption,” which would give state laws more room to stand on their own feet opposite APRA. Of course, Republicans are strongly against this, which immediately puts the bill into a lose-lose situation.
Draft Revisions Remove Key Elements of APRA
And yet somehow, that is not even the biggest problem facing APRA, as political compromises have turned the bill into a pinata that neither side is happy with far beyond the matter of preemption.
The bill hit the public in April as a “draft discussion,” meaning many of the details were up for debate. However, it had a good core, including strong data minimization requirements, algorithmic discrimination requirements, broad civil rights and opt-out rights sections, a federalized set of data rights for consumers, and most surprisingly, a private right of action.
That version of the bill, despite not having universal support, did have many proponents, although not folks like Ted Cruz (R-Texas). After the bill moved out of subcommittee and into the US House Committee on Energy and Commerce, revisions aimed at garnering more Republican support.
In late June, a new iteration of the bill was released to the public. Notably, the private right of action (the ability enabling individuals to sue organizations over noncompliance) was watered down, and the “civil rights and algorithms” and “consequential decision opt-out” sections had been removed.
Civil rights organizations and data privacy experts expressed dismay over these changes, noting huge loopholes for how companies collect data and the sweeping decrease in consumer protections present in the revised bill.
Evan Greer, director of the digital rights nonprofit Fight for the Future, said in an interview, "This was the one comprehensive privacy bill that had a real chance of passing and now Congress has effectively gutted it as part of a backroom deal to appease right wing extremists."
Why is it so bad that those sections disappeared? Without them, algorithms can operate unchecked, a major problem as AI uses more data and can create deeper insights from that data than ever.
Without access to opt-outs for consequential decision-making, an individual’s fate for things like job searches, housing, and loan applications lie at the mercy of AI, no longer protected from the bias (and in many cases, the whim) implicit in these systems. That doesn’t benefit anyone, and it particularly harms minority groups.
Why the Bill Feels Doomed
The backlash snowballed and rattled the Republican-heavy committee, as a public mark-up of the bill on June 27th was canceled just six minutes before scheduled to begin.
In the two weeks since, APRA has actually advanced as an official House bill, HR 8818. And yet, a sense of hopelessness looms on the APRA’s chances of passing or making any actual impact on data privacy in America.
Part of this divide exists because each side of the aisle views a federal data privacy law differently. “Pro-business” Republicans do not want to stymy innovation at all, which tends to favor weaker overall regulations. Tellingly, the US Chamber of Commerce, publicly espoused in April a fear that "a federal floor … [might] encourage states to pass more restrictive privacy laws."
That explains why a strong preemption is in APRA, as Republicans aim to set “a ceiling” that untangles the state patchwork and sets some digital rights for consumers, without doing (supposed) damage to the business community (an echo that has weakened many state privacy bills as lobbyists convince state representatives that businesses will suffer immensely beyond a certain level of compliance requirements).
Democrats and representatives from states with progressive data privacy laws, like California, Maryland, and Minnesota, have long aimed for a federal bill to instead set “a floor” that states are free to expand upon as they see fit.
Even as the U.S. desperately needs data privacy legislation, as it is currently the only G20 member without a comprehensive federal law on the books, this unmoving philosophical difference is the death knell for APRA.
With the House set to go on a month-long recess after August 1 and the November elections coming after another month-long recess in October, we are realistically down to a few weeks to work this stalemate out before 2025.
Thanks to public comments made by Ted Cruz last week, the Senate is similarly split on the APRA’s viability, another roadblock in the bill’s journey.
If by some miracle it does manage to pass both houses, the compromises have already defanged it to the point that the law is barely worth having for the public.
How it Affects Businesses
APRA or no APRA, the 20 current state-level data privacy laws make compliance challenging for any business. Not sure how to put your privacy program’s best foot forward? We have the tools to help.