
USA: American Privacy Rights Act - what you need to know

On April 7, 2024, U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell unveiled the American Privacy Rights Act 2024 (the Bill) which would establish national consumer data privacy rights and set standards for data security. The Bill has bipartisan and bicameral support and is the first comprehensive US federal privacy bill to be unveiled since the American Data Privacy and Protection Act (ADPPA). In this article, OneTrust DataGuidance Research breaks down the main provisions of the Bill, with expert comments provided by Starr Drum, Shareholder at Polsinelli PC, and Michelle Schaap, Partner at CSG Law.


Definitions and scope

The Bill does not explicitly define its scope of applicability but instead identifies the entities and data that will be covered through its definitions. To this end, the Bill defines 'covered data' as information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals. Notably, the Bill details different types of data that will not be classified as covered data, including de-identified data, employee information, and publicly available information.

In relation to entities that will be subject to the Bill, the Bill defines 'covered entity' as:

  • an entity that, alone, or jointly with others, determines the purposes and means of collecting, processing, retaining, or transferring covered data; and
    • is subject to the Federal Trade Commission Act (the FTC Act);
    • is a common carrier subject to Title II of the Communications Act; or
    • certain non-profit organizations; and
  • includes any entity that controls, is controlled by, is under common control with, or shares common branding with another covered entity.

Importantly, 'covered entity' does not include:

  • a Federal, State, Tribal, territorial, or local government entity;
  • entities that are collecting, processing, retaining, or transferring covered data on behalf of the above entities where they are acting as a service provider to the government entity;
  • a small business;
  • the National Center for Missing and Exploited Children; or
  • a non-profit organization whose primary mission is to prevent, investigate, or deter fraud.

Of equal note is the definition of 'large data holder,' which refers to a covered entity or service provider that, in the most recent calendar year, had an annual gross revenue of not less than $250 million and collected, processed, retained, or transferred:

  • the covered data of more than: (i) five million individuals; (ii) 15 million portable connected devices that identify or are linked or reasonably linkable to one or more individuals; and (iii) 35 million connected devices that identify or are linked or reasonably linkable to one or more individuals; or
  • the sensitive covered data of more than: (i) 200,000 individuals; (ii) 300,000 portable connected devices that identify or are linked or reasonably linkable to one or more individuals; and (iii) 700,000 connected devices that identify or are linked or reasonably linkable to one or more individuals.

However, the Bill highlights that a covered entity or service provider will not be considered a large data holder solely on account of collecting, processing, retaining, or transferring to a service provider the following:

  • personal mailing or email addresses;
  • personal telephone numbers;
  • log-in information of an individual or device to allow the individual or device to log in to an account administered by the covered entity; or
  • in the case of a covered entity that is a seller of goods or services (other than an entity that facilitates payment), credit, debit, or mobile payment information that is strictly necessary to initiate, render, bill for, finalize, complete, or otherwise facilitate payments for goods or services.

Small businesses, on the other hand, are entities:

  • whose average annual gross revenues for the three preceding calendar years did not exceed $40 million;
  • that, on average, did not annually collect, process, retain, or transfer the covered data of more than 200,000 individuals for any purpose other than certain specified purposes; and
  • that did not transfer covered data to a third party in exchange for revenue or anything of value.

In line with the above, a service provider constitutes an entity that collects, processes, retains, or transfers covered data for the purpose of performing one or more services or functions on behalf of, and at the direction of, a covered entity.

The Bill more generally provides several definitions, including 'biometric information,' 'data broker,' 'dark patterns,' 'covered minors,' 'de-identified data,' 'employee' as well as 'employee information,' 'genetic information,' 'precise geo-location information,' and 'publicly available information.' Among the notable definitions is 'sensitive data,' which includes specific forms of covered data such as:

  • government identifiers;
  • health information;
  • biometric information;
  • genetic information;
  • financial account and payment data;
  • precise geolocation information;
  • log-in credentials;
  • private communications;
  • information revealing sexual behavior;
  • calendar or address book data, phone logs, photos, and recordings for private use;
  • an individual's race, ethnicity, national origin, religion, or sex, in a manner inconsistent with a reasonable expectation of disclosure;
  • online activities over time and across third-party websites, or over time on a high-impact social media site; and
  • information about a covered minor.

Considering the scope of the Bill as compared to the ADPPA, Starr clarified that "Aside from the differences in preemption scope and the timing on the availability of pursuing private rights of action (six months after passage of the bill versus a two-year delay under the ADPPA), the bill interestingly carves out nonprofits that are engaged in the prevention, investigation, or deterrence of fraud, an exemption that did not appear in the ADPPA."

Along a similar line, Michelle noted that "the other notable difference proposed by this law [in comparison to] most (not all) states' privacy laws is that not-for-profits are not exempt (with limited exception). This is similar to the prior proposed federal law (ADPPA)."

Data minimization

The Bill prohibits covered entities and/or service providers from engaging in the collection, processing, retention, or transfer of covered data:

  • beyond what is necessary, proportionate, and limited to provide or maintain a specific product or service requested by the individual or a communication reasonably anticipated within the context of the relationship; or
  • for a purpose other than a 'permitted purpose.'

Similar to the ADPPA, the Bill provides a list of 15 permitted purposes for collecting, processing, retaining, or transferring covered data by a covered entity or service provider, provided that the covered entity or service provider can demonstrate that the collection, processing, retention, or transferring is necessary, proportionate, and limited to such purpose. The permitted purposes include:

  • protecting data security;
  • complying with legal obligations;
  • effectuating a product recall or fulfilling a warranty;
  • conducting market research (which requires affirmative express consent for consumer participation);
  • de-identifying data for use in product improvement and research;
  • preventing fraud and harassment;
  • responding to ongoing or imminent security incidents or public safety incidents; and
  • processing previously collected non-sensitive covered data for advertising.

The Bill emphasizes that the Federal Trade Commission (FTC) will provide guidance on determining what is reasonably necessary and proportionate to comply with the data minimization section outlined in the Bill.

Sensitive, biometric, and genetic data

Importantly, the Bill details greater protections for sensitive, biometric, and genetic information, requiring affirmative express consent for the transfer of sensitive information to third parties where not expressly provided for under the permitted purposes. Equally, the Bill stipulates that covered entities or service providers must not collect, process, or retain such data without affirmative express consent, unless specific exceptions apply. In relation to the retention of biometric or genetic information, the Bill requires that such data not be retained beyond the purpose for which affirmative express consent was provided, or beyond three years after the individual's last interaction with the covered entity or service provider, whichever occurs first, unless exemptions apply.

With regard to express consent, the Bill stipulates that a covered entity must provide an individual with a means to withdraw affirmative express consent which is clear and conspicuous, and as easy for a reasonable individual to use as the mechanism by which the individual provided affirmative express consent.

Transparency

The Bill requires covered entities and service providers to make a privacy policy publicly available. The privacy policy must be clear, conspicuous, not misleading, easy to read, and readily accessible. Importantly, the privacy policy must provide a detailed and accurate representation of the covered entity's or service provider's data collection, processing, retention, and transfer activities. In relation to language requirements, the Bill stipulates that the privacy policy must be made available to the public in each language in which the covered entity or service provider provides a product or service that is subject to the privacy policy, or carries out activities related to such product or service. More generally, the Bill outlines requirements for use by individuals with disabilities and for material changes to the privacy policy.

With regard to specific content, privacy policies are required to, at a minimum, include:

  • the identity and the contact information of:
    • the covered entity or service provider to which the privacy policy applies; and
    • any affiliate within the same corporate structure to which data may have been transferred that is not under common branding, or has different contact information than the covered entity or service provider;
  • the categories of covered data collected, processed, or retained;
  • the processing purposes for each such category of covered data;
  • whether the covered entity or service provider transfers covered data and, if so:
    • each category of service provider or third party to which the covered data was transferred;
    • the name of each data broker to which covered data was transferred; and
    • the purposes for which such data is transferred;
  • the length of time each category of covered data will be retained, and if it is not possible to identify, the criteria used to determine the length of time;
  • a prominent description of how an individual can exercise the rights described in the Bill;
  • a general description of the data security practices;
  • the effective date of the privacy policy; and
  • whether any covered data is transferred to, processed in, retained in, or otherwise accessible to a foreign adversary.

Large data holders

The Bill establishes specific transparency requirements for large data holders as defined above. Such data holders must retain and publish on their website a copy of each previous version of their privacy policy for not less than 10 years, and make a log publicly available on their website, in a clear, conspicuous, and readily accessible manner. This log should describe the date and nature of each material change during such a 10-year period in a manner that is sufficient for a reasonable individual to understand the effect of each material change.

In addition to the privacy policy requirements above, large data holders must provide a short form notice of their covered data practices in a manner that:

  • is concise, clear, conspicuous, and not misleading;
  • is readily accessible to the individual, based on the way an individual interacts with the large data holder and its products or services and what is reasonably anticipated within the context of the relationship between the individual and the large data holder;
  • includes an overview of individual rights and disclosures to reasonably draw attention to data practices that may be unexpected or that involve sensitive covered data; and
  • is not more than 500 words in length.

In addition, the Bill outlines that information on large data holder metrics must be provided in the privacy policy or on a publicly accessible website of the large data holder that is accessible from a hyperlink included in the privacy policy. For each calendar year for which an entity is considered a large data holder, the metrics reporting must include:

  • the number of verified access requests;
  • the number of verified deletion requests;
  • the number of requests to opt out of covered data transfers; and
  • the number of requests to opt out of targeted advertising.

For each category of requests described above, the large data holder must provide the number of requests complied with in whole or in part and the average number of days within which they responded to the requests.

Dark patterns

Covered entities are prohibited from using dark patterns to:

  • divert an individual's attention from any notice required under the Bill;
  • impair an individual's ability to exercise any right under the Bill; and
  • obtain, infer, or facilitate an individual's consent for any action that requires consent.

In addition, the Bill establishes rules around the exercise of a right through the use of any false, fictitious, fraudulent, or materially misleading statement or representation. Any agreement by an individual that is obtained, inferred, or facilitated through dark patterns will not be considered consent for any purpose.

Data security

Another key element of the Bill is the establishment of data security practices. The Bill requires that a covered entity and service provider establish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of covered data, and to protect it against unauthorized access.

When determining appropriate data security measures, the Bill notes that practices must be appropriate to:

  • the size and complexity of the covered entity or service provider;
  • the nature and scope of the covered entity's or the service provider's collecting, processing, retaining, or transferring of covered data, taking into account such covered entity's or service provider's changing business operations with respect to covered data;
  • the volume, nature, and sensitivity of the covered data at issue; and
  • the state-of-the-art (and limitations thereof) in administrative, technical, and physical safeguards for protecting such covered data.

Specifically, the data security practices must include, for each respective entity's own system, at a minimum, the following practices:

  • vulnerability assessments;
  • preventative and corrective actions;
  • information retention and disposal;
  • retention schedule;
  • employee training; and
  • incident response.

Privacy and data security officers

The Bill requires covered entities or service providers to designate one or more qualified employees to serve as privacy or data security officers. These privacy or data security officers are required to, at a minimum, implement data privacy and data security programs to safeguard the privacy and security of covered data in compliance with the requirements of the Bill and facilitate the covered entity or service provider's ongoing compliance with the Bill.

Large data holders

Notably, large data holders are required to designate one qualified employee to serve as a privacy officer and one qualified employee to serve as a data security officer. In addition, starting in the first year after the date of enactment of the Bill, the CEO of a large data holder (or the highest-ranking officer if there is no CEO), together with each privacy officer and data security officer, must annually certify to the FTC that they maintain:

  • internal controls reasonably designed to comply with the Bill; and
  • internal reporting structures that ensure that such certifying officers are involved in, and responsible for, decisions that impact their compliance with the Bill.

In addition, the Bill stipulates that large data holders must adopt internal reporting structures. Namely, at least one of the officers, either directly or through a supervised designee, must:

  • establish processes to periodically review and update the privacy and security policies, practices, and procedures, as necessary;
  • conduct biennial and comprehensive audits to ensure the policies, practices, and procedures comply with the Bill and, upon request, make them available to the FTC;
  • develop a program to educate and train employees about the requirements of the Bill;
  • maintain updated, accurate, clear, and understandable records of material privacy and data security practices; and
  • serve as the point of contact between the large data holder and enforcement authorities.

Assessments (privacy and algorithmic)

Privacy Impact Assessments

The Bill requires large data holders to conduct a Privacy Impact Assessment (PIA) that weighs the benefits of the entity's covered data collection, processing, retention, and transfer practices against the potential adverse consequences of such practices to individual privacy. The Bill clarifies that PIAs should be conducted no later than one year after the date of enactment of the Bill or one year after the date when the entity becomes a large data holder, whichever is earlier, and biennially thereafter.

A PIA must be:

  • reasonable and appropriate in scope given:
    • the nature and volume of the covered data collected, processed, retained, or transferred by the large data holder; and
    • the potential risks posed to the privacy of individuals by the collection, processing, retention, and transfer of covered data by the large data holder;
  • documented in written form and maintained by the large data holder, unless rendered out of date by a subsequent assessment conducted under the Bill; and
  • approved by the privacy officer of the large data holder.

The Bill also includes additional factors to include in assessing the privacy risks.

Covered algorithmic impact assessments

Large data holders that use a covered algorithm in a manner that poses a consequential risk of harm, as identified under the Bill, to an individual or group of individuals, and that use such covered algorithm, solely or in part, to collect, process, or transfer covered data, must conduct an impact assessment of such algorithm. Notwithstanding any other provision of law, large data holders must conduct such an assessment no later than two years after the date of enactment of the Bill, and annually thereafter.

The impact assessment must provide:

  • a detailed description of the design process and methodologies of the algorithm;
  • a statement of the purpose and proposed uses of the algorithm;
  • a detailed description of the data used by the algorithm;
  • a description of the outputs produced by the algorithm;
  • an assessment of the necessity and proportionality of the algorithm in relation to its stated purpose; and
  • a detailed description of steps taken or that will be taken to mitigate potential harm from the algorithm to an individual or group of individuals.

Furthermore, the Bill also requires, notwithstanding any other provision of law and not later than two years after the date of enactment of the Bill, that a covered entity or service provider that knowingly develops a covered algorithm must, prior to deploying the covered algorithm in interstate commerce, evaluate the design, structure, and inputs of the covered algorithm, to reduce the risk of the potential harms identified under the Bill.

The Bill lists other considerations including:

  • focus;
  • availability; and
  • limitation on enforcement.

The Bill provides that the FTC must, not later than two years after the date of its enactment, in consultation with the Secretary of Commerce, publish guidance regarding compliance with this section of the Bill.

Consumer rights

The Bill provides consumers with the rights to access, correction, deletion, and data portability of covered data, along with procedural requirements for time, frequency, and cost.

Regarding the right to access, individuals have the right to access:

  • the covered data of an individual collected, processed, or retained by the covered entity or any service provider of the covered entity;
  • the name of any third party or service provider to whom the covered entity has transferred the covered data;
  • categories of sources from which the covered data was collected; and
  • a description of the purpose for which the covered entity transferred the covered data of the individual to a third party or service provider.

The covered data must be accessible in a format that may be naturally read by a human or an accurate representation of the covered data of the individual where it is no longer in the possession of the covered entity or a service provider.

The right to correct and delete applies to covered data of the individual that is collected, processed, or retained by the covered entity, and to covered data that has been transferred, with third parties or service providers needing to be notified of the correction or deletion request. Equally, the right to data portability requires, to the extent technically feasible, the export of covered data in a format that can be naturally read by a human and in a portable, structured, interoperable, and machine-readable format. The Bill does, however, provide an exception to the right to data portability where derived data would result in the release of trade secrets or other proprietary or confidential data.

Right to opt-out

The Bill introduces a right to opt-out of transfers of non-sensitive covered data and targeted advertising. The covered entity must:

  • provide an individual with a clear and conspicuous means to opt out;
  • allow an individual to make an opt-out designation through a centralized consent and opt-out mechanism as described in the Bill; and
  • abide by any such opt-out designation made by an individual and communicate the same to all relevant service providers.

In line with the centralized consent and opt-out mechanism, the Bill confirms that no later than two years after the date of its enactment, the FTC, in consultation with the Secretary of Commerce, will promulgate regulations to establish requirements and technical specifications of the centralized mechanism for individuals to exercise the opt-out rights that:

  • ensures the opt-out preference signal:
    • is user-friendly, clearly described, and easy to use;
    • does not require the provision of additional information beyond what is reasonably necessary to indicate such preference;
    • clearly represents an individual's preference and is free of defaults constraining or presupposing preferences;
    • is provided in any language that products or services are offered in;
    • is reasonably accessible to and usable by individuals with disabilities; and
    • does not conflict with other commonly used privacy settings or tools;
  • provides a mechanism for the individual to selectively opt out, without affecting the individual's preferences with respect to other entities or disabling the opt-out preference signal globally;
  • states that the individual should see up to two choices corresponding to the right to opt out of advertising and data transfers; and
  • ensures that the opt-out preference signal applies neutrally.

Consequential decision

Entities that use a covered algorithm to make or facilitate a consequential decision must provide notice to individuals subject to the use of the covered algorithm and provide the opportunity to opt-out from the use of the covered algorithm. The notice should:

  • be clear and conspicuous;
  • provide meaningful information about how the covered algorithm makes or facilitates a consequential decision, including the range of potential outcomes;
  • be provided in each language the entity provides a product or service subject to the covered algorithm or carries out activities related to such product or service; and
  • be reasonably accessible to and usable by disabled individuals.

The Bill defines a 'consequential decision' as a determination or an offer, including through advertisement, that uses covered data and relates to access to or equal enjoyment of housing, employment, education enrollment or opportunity, healthcare, insurance, or credit opportunities, or access to, or restrictions on the use of, any place of public accommodation.

Retaliation

The Bill clarifies that covered entities may not retaliate against individuals for exercising any rights under the Bill. This includes denying or charging different prices and/or rates of products or services. However, covered entities are permitted to offer bona fide loyalty programs, a financial incentive to participate in market research, or decline a product or service where the collection and processing of covered data is strictly necessary for the function of the product or service. Covered entities must obtain the consumer's affirmative express consent for participation in a bona fide loyalty program and for the transfer of any covered data collected pursuant to such a loyalty program.

Procedural requirements

Notably, the Bill stipulates that the first three requests made during any 12-month period should be free of charge, allowing a reasonable fee for requests beyond the initial three. Interestingly, the Bill provides different response timeframes for covered entities and large data holders. Large data holders are required to respond to verified requests within 15 days of receipt, while covered entities have 30 days to respond to such requests. The Bill also provides for one extension, considering the complexity and number of the requests, of the same length as the allotted time period, i.e., 15 days for large data holders and 30 days for covered entities. The covered entity or large data holder must nevertheless inform the individual of the extension within the initial response period, together with the reason for the extension.

Covered entities must also verify whether the request is being made by the subject of the covered data or by an individual authorized to make the request on their behalf. Where the covered entity cannot make the required verification, it may request additional information to verify the identity of the individual, but must not process, retain, or transfer such additional information for any other purpose.

In relation to language requirements, covered entities must facilitate the ability to make requests in any language in which the covered entity provides a product or service, and must have mechanisms for making requests that are readily accessible and usable by individuals with disabilities.

Exceptions

The Bill also outlines exceptions in which a covered entity would not be required to comply with a consumer request as outlined above, including if the covered entity:

  • cannot verify the individual making the request is the individual whose covered data is the subject of the requests or an individual authorized to make the request;
  • determines the exercise of the right would require access to another individual's sensitive covered data;
  • determines the exercise of the right would require the correction or deletion of covered data subject to a warrant, lawfully executed subpoena, or litigation hold notice in connection with such warrant or subpoena;
  • would violate its professional ethical obligations;
  • reasonably believes that the request is made in furtherance of criminal activity, except with respect to health information; or
  • reasonably believes that complying with the request would threaten data security.

Building on the above, covered entities may also decline, with adequate explanation, a consumer request, where compliance would, among other things:

  • be demonstrably impossible due to technology or cost;
  • delete covered data reasonably necessary for the performance of a contract;
  • require the release of trade secrets or other privileged, proprietary, or confidential business information; or
  • prevent a covered entity from being able to maintain a confidential record of opt-out requests.

In the event a covered entity makes a permissive exception, they must partially comply with the remainder of the request if partial compliance is possible and not unduly burdensome.

Vendor management

Covered entities that transfer covered data to service providers or third parties will not be considered in violation of the Bill where: (i) the covered entity transferred the covered data to the service provider or third party in compliance with the requirements of the Bill; and (ii) at the time of transferring the covered data, it did not have actual knowledge or reason to believe that the service provider or third party intended to violate the Bill.

Service providers

The Bill outlines specific requirements for vendor management. In particular, service providers must: (i) adhere to the instructions of a covered entity; (ii) assist covered entities in fulfilling their obligations with regard to consumer rights; (iii) make available to the covered entity information necessary to demonstrate compliance with the requirements of the Bill; (iv) develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security and confidentiality of covered data processed; and (v) delete or return, as directed, all covered data as soon as practicable after the end of the provision of services, unless otherwise required by law. The Bill also generally permits service providers to engage another service provider after exercising reasonable due diligence in selecting such other service provider, providing the covered entity with written notice of the engagement, and pursuant to a written contract that requires such additional service provider to satisfy the requirements of the Bill with respect to covered data.

The relationship between a covered entity and a service provider must be governed by a contract covering the collection, processing, retention, or transfer performed by the service provider on the covered entity's behalf, including:

  • instructions for collecting, processing, retaining, or transferring data;
  • the nature and purpose of the collection, processing, retention, or transfer;
  • the type of data subject to collection, processing, retention, or transfer;
  • the duration of the processing or retention; and
  • the rights and obligations of both parties.

In addition, the Bill outlines prohibitions which must also be listed within the contract. Importantly, the Bill confirms that the contract does not relieve the service provider of any of the requirements under the Bill.

Third parties

Third parties are not permitted to process, retain, or transfer third-party data for any purpose other than: in the case of sensitive covered data, the purpose for which the individual gave affirmative express consent; or, in the case of non-sensitive covered data, the purpose disclosed by the covered entity or service provider.

Data brokers

Data brokers are subject to a series of requirements including:

  • establishing and maintaining a publicly accessible website; and
  • having a clear, conspicuous, not misleading, and readily accessible notice, which is reasonably accessible to and usable by individuals with disabilities, stating:
    • that the entity is a data broker;
    • individuals' consumer rights under the Bill; and
    • a link to the data broker website to be established by the FTC.

The Bill also sets out prohibited practices for data brokers and requires data broker registration with the FTC no later than January 31 of each calendar year, where an entity acted as a data broker with respect to more than 5,000 individuals or devices that identify or are linked or reasonably linkable to an individual.

The FTC will establish and maintain, on a publicly available website, a searchable registry of registered data brokers. The registry will:

  • allow members of the public to search for and identify data brokers;
  • include the information for each data broker; and
  • include a mechanism by which an individual may submit a request to registered data brokers as a 'Do Not Collect' directive. To this end, any registered data broker must ensure that it no longer collects covered data related to such individual without the affirmative express consent of such individual, except insofar as the data broker is acting as a service provider.

Importantly, the Bill provides that data brokers that violate the section on data brokers will be liable for civil penalties under Section 5 of the FTC Act.

Enforcement

The Bill positions the FTC as responsible for enforcing its provisions, namely through the establishment of a bureau within the FTC to assist the FTC in exercising its authority under the Bill and related authorities. The bureau is expected to be established, staffed, and fully operational no later than one year after the date of enactment of the Bill. The Bill confirms that violations will be considered an unfair or deceptive act or practice pursuant to the FTC Act. However, the Bill clarifies that a State Attorney General, the chief consumer protection officer of a state, or an officer or office of the state authorized to enforce privacy or data security laws may also bring a civil action in specified circumstances.

Starr further clarified that "State enforcement officers can bring actions on behalf of their state and its residents, but where a state has multiple enforcement offices, only one can pursue enforcement against the same defendant for the same violation."

Michelle also pointed out that "the question is whether states' representatives, when considering the bill, will consider its individual constituents' concerns (who one would expect to be in support, generally, of privacy rights) or will be swayed by business community leaders who may express concerns regarding certain provisions of the bill in particular."

Notably, the Bill provides that consumers may file private lawsuits against entities that violate their rights under the Bill. The Bill also clarifies how the private right of action applies in relation to biometric and genetic information and relief provided under the Biometric Information Privacy Act (BIPA), as well as the Genetic Information Privacy Act in Illinois, and also explores data security relief pursuant to §1789.150 of the California Civil Code.

With regard to the private right of action, Michelle explains "for individuals, the proposed law creates a private cause of action – which is not included in most states' privacy laws adopted to date. For this reason alone, this draft may garner strong support from individuals (and the plaintiffs' bar, too). For businesses, however, this may create a huge exposure, beyond current litigation, to individual and class actions. Even with a 30-day right to cure, companies may face far greater exposure under this law than they currently do even in states that have adopted privacy laws already.

Further, for 'small' businesses, many of which are not subject to several states' privacy laws, more of those companies may be subject to this law. While the $40 million annual gross revenue threshold here is higher than the California threshold for the CCPA and CPRA at $25 million, the number of consumers' data collected is arguably lower than many current states' laws. For example, the privacy laws adopted by Colorado and New Jersey apply to businesses that collect and/or control the processing of covered data of 100,000 or more consumers in the subject states. The threshold for the bill, while adding a revenue component absent from the states' laws, applies to businesses controlling the information of 200,000 US consumers (not for just one particular state). As such, while a small business might not meet the Colorado threshold if it were controlling the data of only 25,000 residents, it may well fall under the federal law if it were controlling the data of 10,000 residents across 30 states.

Still, some businesses (especially those already subject to and in compliance with their state's(s') privacy laws), may see a single, over-arching federal privacy law as a welcome relief to avoid the expense of tracking new states' laws (which could otherwise mean at least 30 additional individual states' privacy laws based on current numbers absent a federal law) and having separate website policies and processes for residents of different states."

Importantly, subject to the presence of substantial privacy harm, an action for injunctive relief may be brought by an individual only if, prior to initiating such action, the individual provides to the entity 30 days' written notice identifying the specific provisions the individual alleges have been or are being violated. In the event a cure is possible, if, within the 30 days, the entity cures the noticed violation and provides the individual with an express written statement that the violation has been cured and that no such further violation shall occur, an action for injunctive relief shall not be permitted.

On the point of substantial privacy harm, Starr highlighted that "the scope of what constitutes a 'substantial privacy harm' is broadly defined and eliminates the notice requirement and cure opportunity. This combined with the availability of attorney's fees and costs for prevailing plaintiffs could create a flood of private actions with varying levels of merit."

State law pre-emption

With regard to state privacy legislation, the Bill expressly states that its purpose is to establish a uniform national data privacy and data security standard, and it expressly pre-empts state laws.

In relation to state pre-emption, Michelle commented "the bi-partisan bill would again seek to supersede states' privacy laws (which was one of the reasons the prior federal privacy legislation, ADPPA, failed). As readers may recall, California refused to support the prior legislation if it would supersede states' privacy laws, such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act. Whether various states (including Colorado, Virginia, Connecticut, Utah, Tennessee and New Jersey, to name a few) that have since adopted (and in several states, already effective) will support this federal bill is yet to be seen."

Also on the point of pre-emption, Starr highlighted that "the pre-emption in large part of the ever-growing patchwork of state privacy laws should help businesses focus their compliance efforts and reduce the increasingly unruly length of state-specific privacy notices. On the less positive side for businesses, the Act allows individuals to unilaterally revoke their otherwise binding arbitration agreements in certain contexts and does not pre-empt some of the more onerous state statutory penalties such as those under the CCPA, BIPA, and state wiretapping statutes."

Nevertheless, the Bill provides that it does not pre-empt state laws, rules, regulations, or requirements applicable to, among others:

  • consumer protection laws of general applicability, such as laws regulating deceptive, unfair, or unconscionable practices;
  • civil rights laws;
  • provisions of laws that address the privacy rights or other protections of employees or employee information;
  • provisions of laws that address the privacy rights or other protections of students or student information; and
  • provisions of laws that address data breach notification requirements.

On the above, Michelle elucidated that "to attempt to appease the tug of war between the states' privacy laws and this proposed federal legislation, this new bill would in part pre-empt state laws, while still allowing states to adopt (more restrictive) rules regarding sensitive data, such as health and/or financial data. Specifically, the law does not preempt states' general consumer protection laws which protect against deceptive, unfair or unconscionable trade practices, civil rights laws, nor does it pre-empt laws which protect employees or employee information (which would seem to leave intact the aspects of the CCPA and CPRA mandates as they relate to employee data), student information and data breach notification requirements.

The draft legislation states that 'no State… may adopt, maintain, enforce or continue in effect any law, … covered by the provisions of this Act…' However, the devil will be in the details, as Section 20 further states that the Act would not pre-empt states' laws addressing banking or financial records, social security numbers (SSN), credit cards, etc. Given that the Act does speak to the need for specific opt-in consent before a covered entity can process sensitive information, including SSNs or financial accounts plus access credentials, then it would seem similar state laws would be preempted. Confirmation and clarity will be important. States will still have a role in enforcement (sharing this role with the FTC), which should help to garner states' support."

Furthermore, entities that comply with federal privacy laws, including the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), and the Family Educational Rights and Privacy Act, are considered to be compliant with the provisions of the Bill where that legislation applies. The Bill also states that it does not relieve or change any obligation under the Children's Online Privacy Protection Act (COPPA).

Next steps

If adopted, the Bill will take effect 180 days after the date of enactment unless otherwise specified in the Bill. Starr concluded that "There has already been commentary from both sides of the aisle, industry interests, and state regulators about potential concerns and desired changes to the draft. Getting a bill of this magnitude passed in an election year will likely be an uphill battle."

Harry Chambers Senior Privacy Analyst
Bahar Toto Privacy Analyst

With comments provided by:

Starr Drum Shareholder
Polsinelli PC, Alabama

Michelle Schaap Partner
CSG Law, New Jersey