Client Alert 17 Apr. 2024

The American Privacy Rights Act of 2024


On April 7th, the House Committee on Energy and Commerce Chair Cathy McMorris Rodgers and Senate Committee on Commerce, Science, and Transportation Chair Maria Cantwell unveiled the text of the American Privacy Rights Act (“APRA”), the latest push for federal privacy law. This is a major step forward for data privacy regulation in the United States, which is one of the last remaining developed countries with no comprehensive, overarching data privacy law. Other countries’ data privacy laws, including the EU’s renowned General Data Protection Regulation (GDPR), implemented in 2018, have similarly been drafted to protect data amidst evolving technology. Although the bill is in the early stages of the legislative process, the strong bicameral and bipartisan support signals the best opportunity in decades to “establish a national data privacy and security standard that gives people the right to control their personal information.”

The objectives of APRA include data minimization, transparency, and empowering individual citizens with control over their own data

The bill sets a new federal standard for data security, requiring covered entities to be more vigilant and transparent about how they use consumer data.

  • The first clear objective of the bill is to provide standards for data minimization, which would require covered entities to collect and use data only for necessary and limited purposes and prohibit the transfer of sensitive covered data to third parties without a consumer’s express consent.
  • The second objective requires each covered entity to make publicly available a clear, conspicuous, and easy-to-read privacy policy that details the entity’s data collection, processing, retention, and transfer activities.
  • The third objective requires covered entities to provide consumers who have submitted a request with: access to their covered data, the option to delete their covered data that was collected or retained by the covered entity, and the name of any third party or service provider to which the data was transferred, along with the purpose of the transfer.

In an effort to establish a uniform national data privacy and security standard in the United States, APRA is intended to supersede all state data privacy laws. The bill states that no State may adopt or continue in effect any law that is covered by the provisions of APRA, but provides certain exceptions to this preemption, stating that APRA “shall not be construed to supplant” state laws regarding consumer protection, civil rights, contract or tort statutes, or criminal data privacy laws.

Currently, 15 U.S. states have their own comprehensive data privacy laws, with California, Delaware, and Oregon having the strongest. However, in recent years, state-level momentum for data privacy bills has sharply increased, in part due to the lack of cohesion at the federal level.

APRA will apply to “covered entities”

APRA outlines the “covered entities” that will be subject to the regulation. The bill defines a covered entity as any entity that determines the purposes and means of collecting, processing, retaining, or transferring covered data AND

  • is subject to the Federal Trade Commission Act;
  • is a common carrier subject to title II of the Communications Act of 1934; or
  • is a non-profit.

A covered entity also includes any entity that controls, is controlled by, or is under common control with another covered entity.

The draft lists entities that will not be covered by the legislation, including: government entities, entities that are collecting covered data on behalf of the government, small businesses, and other listed organizations.

APRA protects data that can be used to identify individuals

The draft defines “covered data” as information that can identify or be used to identify an individual.

This purposefully encompasses a vast amount of data, and the draft makes explicit exclusions to covered data:

  • “de-identified” data, i.e. data from which all personally identifiable information has been removed to protect individual privacy;
  • employee information;
  • publicly available information;
  • inferences made exclusively from multiple independent sources of publicly available information; and
  • information in the collection of a library, archive, or museum.

These exclusions carve out data that already adequately protects a person’s individual identity and data that is already public knowledge.

Both the FTC and individual states will be enforcing APRA

The bill provides for enforcement of APRA by both the Federal Trade Commission (FTC) and by individual states. For FTC enforcement, the bill creates a new bureau within the FTC specifically to assist in enforcing the measures of the bill.

The bill treats a violation of its provisions as an unfair or deceptive act under the Federal Trade Commission Act, potentially resulting in civil penalties. As for state enforcement, the bill empowers state attorneys general or other state agents to bring civil actions in federal court if the state “has reason to believe that an interest of the residents of that State has been or is adversely affected” by an entity that violates APRA.

Individuals may also file private lawsuits for damages or injunctive relief against an entity that violates certain provisions of APRA.

Implications and Considerations for Businesses

The enforcement mechanisms in APRA, allowing enforcement of its provisions by the FTC, states, and private individuals, will likely lead to several new compliance standards and potential litigation for companies collecting or retaining covered data. For global companies that are accustomed to foreign states’ data privacy laws, such as the GDPR, and are already following good data privacy practices, compliance with APRA should not require major changes. However, because the U.S. is famously more litigious, companies should be mindful of APRA’s requirements and monitor how APRA litigation develops.

The rise of artificial intelligence has resulted in increased attention towards data and data privacy in the U.S. Recent government initiatives to protect Americans’ personal data signal that, as these technologies continue to develop, companies doing business in the U.S. should continue to monitor the evolving legal landscape.












