USA: Bill for American Privacy Rights Act unveiled

On April 7, 2024, U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell unveiled the American Privacy Rights Act 2024 (APRA). In particular, Rodgers and Cantwell stated: "this bipartisan, bicameral draft legislation is the best opportunity we've had in decades to establish a national data privacy and security standard that gives people the right to control their personal information."

Definitions and scope

The bill defines 'covered data' as information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals.

A 'covered entity' means:

  • an entity that, alone, or jointly with others, determines the purposes and means of collecting, processing, retaining, or transferring covered data and:
    • is subject to the Federal Trade Commission Act (FTC Act);
    • is a common carrier subject to Title II of the Communications Act; or
    • certain non-profit organizations; and
  • includes any entity that controls, is controlled by, is under common control with, or shares common branding with another covered entity.

A 'covered entity' does not include:

  • a Federal, State, Tribal, territorial, or local government entity;
  • an entity that collects, processes, retains, or transfers covered data on behalf of such a government entity;
  • a small business;
  • the National Center for Missing and Exploited Children; or
  • a non-profit organization whose primary mission is to prevent, investigate, or deter fraud.

Principles of processing

The bill highlights principles of personal data processing, including data minimization and transparency. Specifically, on data minimization, the bill details greater protections for sensitive, biometric, and genetic information, with affirmative express consent required for the transfer of sensitive information to third parties. Likewise, regarding transparency, the bill stipulates that covered entities must publish an easily readable and readily accessible privacy policy on their data collection, processing, retention, and transfer activities. Covered entities are also required to establish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of covered data, and to protect covered data against unauthorized access.

Consumer rights

In addition, the bill provides for consumer rights, including the rights of access, correction, deletion, and data portability. The bill also notes the right to opt out of covered data transfers and targeted advertising, alongside a centralized mechanism for consenting to, and opting out from, data transfers and targeted advertising. Entities that use a covered algorithm to make or facilitate a consequential decision must provide notice to individuals subject to the covered algorithm, and an opportunity for the individual to opt out of the use of the covered algorithm.

Obligations

Covered entities are required to designate privacy or data security officers, with different requirements applicable to large data holders. Large data holders are also specifically required to conduct a privacy impact assessment. Large data holders must also conduct an algorithm impact assessment two years after the enactment of the bill, the contents of which are detailed by the bill. Service providers specifically must adhere to the instructions of covered entities, pursuant to a contract concluded between them. Third parties must not process, retain, or transfer third-party data for a purpose other than that for which the covered entity or service provider made a disclosure.

Meanwhile, data brokers are subject to a series of requirements and prohibitions on advertising or marketing the access to or transfer of covered data, or misrepresenting their business practices. Notably, the bill details that the Federal Trade Commission (FTC) will establish a data broker registry under the bill.

Enforcement

The bill positions the FTC as responsible for enforcing its provisions, namely through a bureau established within the FTC, and provides that violations of the bill will be considered an unfair or deceptive act or practice pursuant to the FTC Act. However, the bill clarifies that a state Attorney General, the chief consumer protection officer of a state, or an officer or office of the state authorized to enforce privacy or data security laws may also bring a civil action. Notably, the bill provides that consumers may file private lawsuits against entities that violate their rights under the bill.

With regard to state privacy legislation, the bill expressly states that its purposes are to establish a uniform national data privacy and data security standard, and expressly pre-empts state laws.

However, the bill provides that it does not pre-empt state laws, rules, regulations, or requirements applicable to:

  • consumer protection laws of general applicability, such as laws regulating deceptive, unfair, or unconscionable practices;
  • civil rights laws;
  • provisions of laws that address the privacy rights or other protections of employees or employee information;
  • provisions of laws that address the privacy rights or other protections of students or student information; and
  • provisions of laws that address data breach notification requirements.

Entities that comply with federal privacy laws including the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA) are considered to be compliant with the provisions of the bill where the above legislation applies.

You can read the press release here, the bill here, and a summary of the bill here.

Update: May 24, 2024

On May 23, 2024, the House Energy and Commerce Committee published a blog post announcing that the discussion draft of the bill was forwarded, without amendment, to the full committee by a voice vote.

You can read the bill here and the blog post here.

Update: May 31, 2024

On May 31, 2024, the U.S. Congressional Research Service (CRS) published a summary of the APRA.

What is the legislative history of the APRA?

In particular, the CRS noted that the APRA was introduced on April 7, 2024, incorporating elements of the American Data Privacy and Protection Act (ADPPA). The CRS also noted that the House Energy and Commerce Committee's updates to the APRA include a new Title II amending the Children's Online Privacy Protection Act (COPPA). Other amendments include creating a centralized mechanism for individuals to request that data brokers delete their personal information, and prohibiting covered entities from targeting advertisements to children under the age of 17.

The CRS summary outlines how the amended APRA differs from the original draft introduced on April 7, 2024, how the APRA would amend COPPA, and how the language compares with previous bills that sought to amend COPPA. For example, the CRS summary notes that the APRA would amend COPPA to include a ban on transferring sensitive covered data, which includes information about a covered minor, without affirmative express consent, and a prohibition on targeted advertising to minors. The APRA would also amend COPPA to include data minimization requirements, though such requirements differ from previous legislative attempts to amend COPPA.

What are the future challenges to the APRA?

The CRS summary provides that although the APRA has garnered bipartisan support, issues remain surrounding the private right of action and whether the APRA should pre-empt state privacy laws. For instance, the CRS summary details that the California Privacy Protection Agency (CPPA) was critical of the APRA for pre-empting state privacy laws, arguing that the APRA should set a 'floor' for privacy rights rather than a 'ceiling.' The U.S. Chamber of Commerce has also criticized the APRA, for taking too narrow an approach to pre-emption. Finally, the CRS summary suggests that the expansive reach of the APRA's savings clauses may give rise to litigation seeking to clarify whether various state privacy laws qualify as one of the categories of statutes exempt from pre-emption.

You can read the CRS summary here.