Bipartisan Federal Privacy Bill Introduced
Last week, a bipartisan coalition in Congress introduced the American Privacy Rights Act (“APRA”), a draft federal privacy bill. The APRA represents the latest effort to create a federal consumer data privacy law after its predecessor, the American Data Privacy and Protection Act (“ADPPA”), stalled out. The bill would, if passed, provide a federal privacy law framework, pre-empting the various state privacy laws that have proliferated in the absence of a federal statute.
For businesses that were already complying with state data privacy laws, the APRA would represent a potential streamlining of privacy compliance obligations. The APRA’s pre-emption provisions would render the sixteen (16) competing state-level privacy laws obsolete. For businesses that were not already taking the necessary steps to comply with those state laws, however, the APRA would establish entirely new compliance requirements. Given the complexity of the compliance requirements, and their broad applicability, it is essential that businesses retain attorneys who have experience in privacy law matters.
Please note that the APRA is likely to undergo further amendment as it proceeds through the legislative process. This blog details the requirements set forth in the most current version of the APRA available at the time of posting.
What Compliance Requirements Does the APRA Contain?
Many of the APRA consumer data privacy requirements mirror those already contained in existing state laws. However, there are some key differences. It should be noted that, if the current iteration of the bill passes, it would specifically preempt all existing state data privacy laws. Among other things, the APRA would require businesses to draft a privacy policy that discloses the following (which is not intended as an exhaustive list):
· The categories of information collected;
· The length of time each category of data is kept and the criteria used to determine when to delete that data;
· The names of any third parties to whom data is shared/sold;
· The categories of data transferred to third parties;
· The purpose of any such transfers to third parties; and
· A description of how consumers may exercise their privacy rights.
In connection with the foregoing, the APRA would require businesses to provide consumers with the following privacy rights (which is not an exhaustive list):
· The right to access data collected or processed, to know the name of any third party or service provider to which the data was transferred and the purpose of the transfer;
· The right to correct inaccurate or incomplete data;
· The right to delete consumer data; and
· The right to opt out from the sale/sharing of data.
In addition to the foregoing, the APRA establishes additional, stricter obligations for entities referred to as “Large Data Holders.” Large Data Holders are defined as entities that: (a) earn $250,000,000 or more in annual revenue; and (b) collect, process, retain, or transfer: (i) data of more than 5,000,000 individuals (or 15,000,000 portable devices or 35,000,000 connected devices that are linkable to individuals); or (ii) sensitive data of more than 200,000 individuals (or 300,000 portable devices or 700,000 connected devices).
Why Do Federal Privacy Law Requirements Matter to Your Business?
Congress’ goal in introducing the APRA is to create a single set of uniform rules for businesses to follow. If the APRA passes, it would replace the patchwork of state requirements that is in place today. These changes will not be onerous for those businesses that are already compliant with existing state laws. However, the APRA would still require those businesses to adjust their existing practices to some extent. Further, for many businesses that were exempt from state data privacy laws, the APRA would require the implementation of a new assortment of compliance policies and procedures.
It is important to note that the APRA diverges from some state data privacy laws in that it establishes a private right of action for citizens in cases of a data breach. This could result in increased exposure to liability for businesses that fail to comply with the requirements of the APRA. As such, it is advisable to obtain guidance from attorneys experienced with privacy law compliance. Please note, the above offers only a brief overview of some of the legal issues involved in connection with APRA compliance.