The American Privacy Rights Act (APRA): What to Expect?


The U.S. is taking another swing at a federal data privacy law with the American Privacy Rights Act, or APRA. While there’s no guarantee that the APRA will become the law of the land, it’s still worthwhile to study in order to see what requirements organizations may be subject to as well as what potential future data privacy laws may resemble. Here, we’ll cover the law’s basic requirements as well as its likelihood of passage.

What Is the American Privacy Rights Act (APRA)?

On April 7th, Congress unveiled a bipartisan, bicameral comprehensive data privacy rights bill—the APRA.

Specifically, the APRA was put forth by House Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science, and Transportation Chair Maria Cantwell (D-WA). In essence, the law:

  • Would serve as a federal comprehensive data privacy law, preempting most state laws (more on that later).

  • Would create privacy rights and protections for ALL Americans—not just those living in key states, participating in certain industries, or belonging to certain groups.

  • Would establish robust enforcement mechanisms to hold violators accountable, including enforcement via the Federal Trade Commission (FTC), state attorneys general, and—notably—a private right of action for individuals.

Who Does the APRA Apply To?

Covered entities under the APRA include any entity that collects, processes, retains, or transfers personal data (or has it done on its behalf) and that is subject to the FTC Act. So, the APRA would be quite broad; however, it does have some major exemptions.

APRA Exemptions

Unlike most state data privacy laws, the APRA does not apply to small businesses, which it defines as those businesses:

  • With $40M or less in annual revenue;
  • That collect, process, retain, or transfer the covered data of 200,000 or fewer individuals; and
  • That do not earn revenue from transferring covered data to third parties (i.e., data brokers).

In addition to small businesses, governments, entities working on behalf of governments, the National Center for Missing and Exploited Children (NCMEC), and fraud-fighting non-profits are excluded.

If you’re compliant with certain federal laws like the Gramm-Leach-Bliley Act and HIPAA, then congratulations; the APRA already considers you to be compliant.

Furthermore, the APRA only covers data that can be reasonably linked to an individual or device. That excludes de-identified data, employee data, publicly available information, and so on.

Primary APRA Requirements

Organizations will recognize that the APRA tracks the basic requirements of most data privacy laws, but there are some notable departures. We’ll cover the major features below.

Data Subject Rights

For the most part, the APRA provides a set of data subject rights that maps to other U.S. privacy laws, including:

  • The right to know what data has been collected.
  • The right to access that data.
  • The right to correct data.
  • The right to delete data.
  • The right to receive that data in a portable format.
  • The right to opt out of targeted advertising and profiling.

New “Large Data Holder” Category

Arguably the most interesting aspect of the APRA is its distinct category for “Large Data Holders.” Large Data Holders are defined as those organizations that:

  • Have $250 million or more in annual revenue;
  • Collect, process, retain, or transfer the covered data of more than 5 million individuals (or 15 million portable devices or 35 million connected devices that are linkable to an individual); or
  • Collect, process, retain, or transfer the sensitive data of more than 200,000 individuals (or 300,000 portable devices or 700,000 connected devices).

Large Data Holders are subject to stricter requirements under the APRA, including:

  • Publishing the last 10 years of their privacy policies and offering a short form of their policies.
  • Providing a report to the FTC on their processing of subject rights requests.
  • Retaining a data privacy officer and a data security officer on staff.
  • Filing an annual report to the FTC regarding their internal controls.
  • Conducting privacy impact assessments at least once every two years.
  • Conducting privacy impact assessments on their algorithms and providing both the public and the FTC with those assessments.

Sensitive Data

Like most data privacy regulations, the APRA includes a separate category for sensitive data. Unlike most regulations, its definition is fairly broad. It includes:

  • Government identifiers;
  • Health information;
  • Biometric information;
  • Genetic information;
  • Financial account and payment data;
  • Precise geolocation information;
  • Log-in credentials;
  • Private communications;
  • Information revealing sexual behavior;
  • Calendar or address book data, phone logs, photos, and recordings for private use;
  • Any medium showing a naked or private area of an individual;
  • Video programming viewing information;
  • An individual’s race, ethnicity, national origin, religion, or sex, in a manner inconsistent with a reasonable expectation of disclosure;
  • Online activities over time and across third-party websites, or over time on a high-impact social media site;
  • Information about a covered minor; and
  • Other data the FTC defines as sensitive covered data by rule.

If you’re familiar with other state privacy laws, you’ll notice a few standout items. Notably, third-party tracking is explicitly called out, as well as “private communications,” which could conceivably cover any number of messages. As for the reference to “video programming viewing information,” that may be a reference to the VPPA, a decades-old law that protects video viewing habits and which has been used recently by the plaintiffs’ bar to sue any number of businesses that feature video content on their website.

Sensitive data is, as is usually the case, limited to certain use cases under the APRA. Furthermore, consumers must affirmatively opt into its collection and use. Non-sensitive covered data can be collected and processed so long as consumers are given notice and the ability to withdraw consent.

Required Data Privacy/Security Officer

In contrast to many U.S. data privacy laws, the APRA takes a leaf from the GDPR’s book and requires businesses to establish a data privacy and/or security officer role. This role isn’t exactly comparable to the GDPR’s data protection officer role, at least not in the draft’s current form—it doesn’t specify what these officers’ duties would be.

All covered entities are required to have a data privacy officer OR a security officer, but entities that qualify as Large Data Holders must have both.

Data Broker Registration

In a fairly novel requirement for data privacy regulations, the APRA would regulate data brokers specifically.

The APRA empowers the FTC to create a data broker registry, which requires annual registration for data brokers that “affect” the data of more than 5,000 individuals. On this site, consumers can withdraw their consent for data brokers’ data collection.

Under the APRA, data brokers will need to maintain a website that identifies themselves as data brokers, provides a tool for subject rights and opt-out requests, and links to the FTC’s data broker registry.

Multi-Pronged Enforcement With a Private Right of Action

There are a few different mechanisms by which the APRA could be enforced:

  • Via the FTC, which will treat violations as unfair or deceptive trade practices.
  • Via state attorneys general, who may seek injunctive relief; civil penalties, damages, restitution, or other consumer compensation; attorneys’ fees and other litigation costs; and other relief, as appropriate.
  • Via private citizens, who may sue organizations that violate their rights under the act.

Of these three, the last route of enforcement is by far the least common. There’s a good chance that this private right of action will become a focus during committee discussions.

Will the APRA Become Law?

It’s difficult to say, but we can say with certainty that the APRA has a long legislative journey ahead of it.

Some may be familiar with the American Data Privacy and Protection Act, or ADPPA—it was similar to the APRA in several ways and had made it much farther along the legislative process. Ultimately, it failed to pass and remains inactive as of this writing.

For the unfamiliar, the U.S. legislative process flows like so:

  1. A member of the House or Senate sponsors a bill.
  2. The bill is then studied in an appropriate committee (e.g., the House Energy and Commerce Committee or the Senate Commerce, Science, and Transportation Committee).
  3. The bill is then brought to the House or Senate floor for a vote.
  4. If it passes, then the bill moves to the opposite body—that could be the Senate or the House, depending upon which body introduced the bill.
  5. It’s studied and voted on again in the opposite body.
  6. A committee of House and Senate members meets to work on any differences between the House and Senate versions of the bill.
  7. The bill returns to the House and Senate for final approval.
  8. The President signs the bill into law or vetoes it.

The ADPPA had made it all the way to step three but was never brought up for a vote—and that was considered a big deal for a comprehensive data privacy law.

In contrast, the APRA has only gotten to step one as of this writing. So, while it’s appropriate to be excited about its potential, it’s important to be realistic about its chances and what fate it’ll face in committee.

Crucially, the APRA suffers from the same fatal flaw that stalled the ADPPA: preemption. The whole point of a federal comprehensive data privacy law is that it replaces (i.e., preempts) the mishmash of state privacy laws. But it also replaces laws that offer arguably stronger consumer protections, such as the CCPA/CPRA.

Californian privacy stakeholders have already voiced concern that the bill strips protections away from Californians. California Privacy Protection Agency (CPPA) Executive Director Ashkan Soltani said in a statement:

Americans shouldn’t have to settle for a federal privacy law that limits states’ ability to advance strong protections in response to rapid changes in technology and emerging threats in policy – particularly when Californians’ fundamental rights are at stake. Congress should set a floor, not a ceiling.

California swings a lot of weight in Congress, so this could be a significant challenge for the bill.

Whether the APRA becomes the law of the land as-is, undergoes significant changes, is replaced by a future bill, or never passes at all, organizations will need to find efficiencies in their compliance efforts. Data privacy platforms like Osano enable you to automate, streamline, and manage your privacy program without extraneous time and effort.

Written by:

Osano