On April 8, 2024, U.S. Representative Rodgers (R-WA) and Senator Cantwell (D-WA) released the draft American Privacy Rights Act (“APRA”). The original draft bill was updated shortly before going through a subcommittee markup on May 23, 2024. It was then approved for full committee consideration. The bill represents a sweeping attempt at comprehensive federal data privacy legislation that would significantly expand existing regimes.
APRA will apply to “covered entities”, being entities that are subject to the Federal Trade Commission Act or common carriers subject to Title II of the Communications Act. It will also apply to some non-profit organizations. However, it will not apply to service providers or small businesses when certain requirements are met. There are also exceptions for government entities as well as individuals acting at their own direction and in a non-commercial context.
Privacy Rules
The bill includes rights and obligations that privacy practitioners will recognize from existing state and international privacy rights regimes, such as controller/processor arrangements (“covered entities” and “service providers” in the APRA parlance), transparency obligations, and consumer rights. The proposed Children’s Online Privacy Protection Act (COPPA 2.0) has also been added to the updated bill.
Expanded Rights and Obligations
Though it uses familiar concepts, the APRA is significantly more expansive than existing privacy regulations. Here are just a few examples:
- Detailed Consent Requirements: The law would impose detailed disclosure requirements for obtaining consent. Consent will entail an affirmative act by an individual which clearly communicates the individual’s authorization. Consent requests will need to be presented in clear, conspicuous, and standalone disclosures. These requests will have to detail each act or practice requiring consent, clearly distinguishing between necessary actions and those for other purposes, while specifying the categories of data involved. The language used will need to be easy to understand, with a prominent heading for clarity. Individuals’ rights related to consent will have to be explained, and the request will have to be accessible to people with disabilities and available in all languages in which the entity provides services. Additionally, the option to refuse consent will need to be as prominent and require no more than one additional step as the option to consent.
- Expanded Sensitive Data Scope: APRA seeks to broaden the scope of sensitive data. It will include new areas such as online activities, youth data of individuals under 17 years, video viewing data, and a wide variety of information related to private communications such as such as voicemails, emails, texts, direct messages, or information identifying the parties to such communications, information contained in telephone bills, and metadata relating to voice communications, such as numbers dialed, location of the callers, and the like.
- Broader Targeted Advertising Definition: A broader definition of targeted advertising is contemplated. It will involve showing an online ad to an individual or a group of individuals identified by unique identifiers. The ad will be selected based on covered data collected or inferred from online activities of an individual in certain circumstances to predict their preferences or interests.
- Enhanced Consumer Opt-Out Rights: APRA will create a consumer right to opt out of “transfers”, which will be broader than existing “sale” opt-outs. “Transfer” will encompass disclosure, release, sharing, disseminating, making available, selling, renting, or licensing covered data, orally, in writing, electronically, or by any other means for consideration of any kind or for a commercial purpose.
- Faster Consumer Rights Processing: APRA will require more rapid processing of consumer rights requests than existing state laws. Large data holders and data brokers will need to respond within 30 calendar days, while other covered entities will be required to do so within 45 calendar days.
The bill would also create security obligations and require covered entities to designate privacy / data security officers.
Certain types of companies – specifically, “large data holders,” “high-impact social media companies,” and “data brokers” – would face heightened obligations. As just one example, CEOs of “large data holders” (companies grossing more than $250 million annually and meeting certain processing thresholds) would need to certify to the Federal Trade Commission (FTC) on an annual basis that they have internal controls and reporting structures designed to comply with the APRA.
Authority and Enforcement
Two additional aspects of the draft bill drawing significant attention are federal preemption and enforcement:
- Preemption: As part of the goal of creating a national uniform standard, the APRA would expressly preempt and displace any state law provisions covered by the APRA. Many stakeholders applaud a single federal law, given the increasing complexities with managing the state-law regulatory patchwork. Some, however, such as the California Privacy Protection Agency in a news release and letter, argue that federal law should set a floor, not a ceiling. In other words, federal law should set minimum standards, but states should be allowed to set stricter or different requirements.
- Enforcement: The APRA would allow enforcement by the FTC, State Attorneys General, and private litigants for significant portions of the law. Of note, the APRA would require the FTC to create a new bureau dedicated to enforcing the APRA. And while the threat of private class-action litigation could be significant to businesses, it bears mentioning that monetary recovery would be limited to actual damages.
Given its expansive provisions and definitions, if the APRA moves forwards, businesses will need to revisit and adjust their U.S. privacy compliance efforts. Keep an eye on VeraSafe’s blog and LinkedIn feed for updates regarding APRA’s progress.
Related topics: US Privacy Laws, Privacy News
You may also like:
Data Privacy Framework: Frequently Asked Questions
CIPA vs. Chatbots: Can Websites Be Sued for Eavesdropping?
Business Impacts of the Nevada Health Privacy Law
