The American Privacy Rights Act – Consolidating the US Privacy Patchwork


Author: Paula Swales | Data Protection Advisor

Date: 22 April 2024

US lawmakers unveiled a bipartisan US federal data protection law proposal on April 7, 2024, in what would be the most wide-reaching privacy law since the EU’s General Data Protection Regulation (GDPR). The American Privacy Rights Act of 2024 (APRA), circulated by US Senator Maria Cantwell and US Representative Cathy McMorris, has been introduced to protect the privacy and security of all US residents and to address the patchwork of emerging state privacy laws.

This article outlines the key points of APRA, how it differs from its predecessors, reactions to the draft Act to date and next steps for affected organisations.

Key Points

  • Covered entities: APRA would apply to a significant proportion of the US private sector: it would apply to entities that determine the purposes and means of data processing and that are also subject to the Federal Trade Commission (FTC) Act. It also places obligations on service providers, akin to the role of ‘Processor’ under the GDPR. Small businesses, governments, and entities that work on behalf of the government would not be subject to APRA.
  • Covered data: APRA largely follows the GDPR’s approach to defining personal data as information that can be used to identify an individual. APRA differs from GDPR in that it excludes employee data, publicly available information, and inferences made from multiple sources of publicly available data. It also proposes a broader definition of sensitive data than GDPR, including, for example, government-issued identifiers, financial account numbers, and explicit photos.
  • National Data Privacy Rights: The draft Act provides all US residents with rights to access, correct, export, or delete their data held by covered entities. It also establishes the right to opt out of certain processing, particularly around transfers and advertising. Organisations would also be required to provide transparency information that describes their data processing.
  • Data Minimisation: The draft Act places significant emphasis on data minimisation, requiring organisations to limit data collection to what is necessary in line with purposes defined in the Act. Furthermore, sensitive personal data may only be shared with the explicit consent of the individual, unless the sharing falls under a specific purpose permitted by the Act.
  • Data Security: Covered entities and service providers would be required to implement reasonable data security practices, taking into account the organisation’s size, the nature and scope of its data processing activities, the sensitivity and volume of the data processed, and the state of the art of available safeguards. The Act requires that organisations implement specified security practices, such as retention schedules, vulnerability assessments, and staff training.
  • Executive Responsibility: APRA would require that covered entities appoint at least one privacy and security officer, responsible for implementing and facilitating a privacy program that complies with the Act. There is no obligation for the individual to be independent, which differs from the role of the Data Protection Officer under the GDPR.
  • Enforcement: The FTC would be responsible for enforcing the Act and would be required to create a bureau, similar in size to its bureaus for consumer protection and competition. State consumer protection officials, including State Attorneys General, could also issue sanctions for violations of the Act, provided they notify the FTC in advance. Individuals could also bring civil actions against entities for certain violations.

Response to the draft Act

This Act is in the very early stages and will likely be modified during its progression through the House and Senate Committees. There have been mixed reactions to the Act thus far. Following the failure of the American Data Privacy and Protection Act (ADPPA), the future of the APRA may depend on whether it addresses the weaknesses of the ADPPA.

Pre-emption

One primary obstacle that has prevented the passing of previous federal privacy laws is the question of whether privacy should be regulated at federal or state level. If passed, APRA would invalidate contradictory state laws, potentially nullifying the California Consumer Privacy Act (CCPA). The California Privacy Protection Agency pushed back against the ADPPA in 2022 because of its pre-emption requirements, which are largely mirrored in the APRA, and has already voiced concerns about their retention in the APRA. It remains to be seen whether these requirements will remain in the final Act.

Children’s Data

The ADPPA contained provisions related to children’s privacy that are not included in APRA. For example, the ADPPA would have established a Youth Privacy and Marketing Division at the FTC dedicated to regulating children’s privacy. Though APRA directly references children’s data, including it in the categorisation of sensitive data, it does not go as far as the ADPPA.

The US Children’s Online Privacy Protection Act (COPPA) is not pre-empted by APRA, leaving a pathway for additional protection for children through an update to that Act. Nevertheless, this has been identified as one area that could be strengthened under the APRA, exemplified by Congressman Frank Pallone’s statement that “you cannot meaningfully address comprehensive privacy reform without including heightened protections for our nation’s young people.”

Next Steps

The APRA remains in the draft stage, and we expect to see a formal Act being put forward in the coming months in either the House or Senate. It should be noted that both the House and Senate Committees will be moving quickly to progress this Act. The Senate Commerce Committee has announced it will hold a legislative hearing in the coming weeks, while the House Energy and Commerce Committee announced that it would hold a legislative hearing on APRA on April 17th. Despite this, in light of the mixed reactions to the Act and the pending elections later in the year, it remains to be seen whether it will pass into law.

If it does get passed, the Act will likely differ substantially from what has been prepared to date. In the meantime, states continue to regulate in its absence, with the passing of the Kentucky Consumer Data Protection Act on April 4th and the Maryland Online Data Privacy Act of 2024 on April 6th. In light of this, organisations operating in the US should take this opportunity to review their approach to privacy and to develop a comprehensive privacy program.

Trilateral Research has longstanding experience of delivering data protection and cyber risk advisory services in ever-changing regulatory landscapes, offering Outsourced DPO services and compliance management solutions with an adaptable approach. If you would like to find out more, please get in touch.
