What’s in the Proposed American Privacy Rights Act?

Robinson+Cole Data Privacy + Security Insider

Congress is once again entertaining federal privacy legislation. The American Privacy Rights Act (APRA) was introduced by Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce Chair Cathy McMorris Rodgers (R-WA).

Unlike current laws, the APRA would apply to both commercial enterprises and nonprofit organizations, as well as common carriers regulated by the Federal Communications Commission (FCC). The law would have a broad scope but provide a conditional exemption for small businesses with less than $40 million in revenue and data on fewer than 200,000 consumers. However, this exemption would not apply if the small business transfers data to third parties for value. The APRA would also require data minimization, i.e., it would prohibit covered entities from collecting more personal information than is strictly necessary for the stated purpose.

The APRA defines sensitive data broadly as data related to government identifiers, health, biometrics, genetics, financial accounts and payments, precise geolocation, log-in credentials, private communications, revealed sexual behavior, calendar or address book data, phone logs, photos and recordings for private use, intimate imagery, video viewing activity, race, ethnicity, national origin, religion or sex, online activities over time and across third-party websites, information about a minor under the age of 17, and other data the FCC defines as sensitive covered data by regulation. Sensitive data would require affirmative express consent before transfer to third parties. Those meeting the definition of “covered entities” would need to give clear disclosures and easy opt-out options.

Notably, by treating information about a minor under the age of 17 as sensitive, the APRA departs from the current federal standard set by the Children’s Online Privacy Protection Act (COPPA), which places the cutoff at 13.

The APRA would require algorithmic bias impact assessments for “covered algorithms” that make consequential decisions. It would also prohibit discriminatory use of data. “Large data holders” and “covered high-impact social media companies” would face additional obligations around reporting, algorithm audits, and designated privacy/security officers.

While privacy professionals across the country will collectively groan at a law other than HIPAA using the term “covered entity,” the simplicity of a single standard rather than the current patchwork of state laws may just be worth the headache of two federal privacy laws using the same term with different definitions. However, it remains to be seen whether the APRA will make it to the Congress floor. We’ve reported in the past about attempts at a federal standard that ended up stalling in committee.

You can read the full APRA draft here.


© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
