Congress is once again entertaining federal privacy legislation. The American Privacy Rights Act (APRA) was introduced by Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce Chair Cathy McMorris Rodgers (R-WA).
Unlike current laws, the APRA would apply to both commercial enterprises and nonprofit organizations, as well as common carriers regulated by the Federal Communications Commission (FCC). The law would have a broad scope but provide a conditional exemption for small businesses with less than $40 million in revenue and data on fewer than 200,000 consumers. However, this exemption would not apply if the small business transfers data to third parties for value. The APRA would require data minimization, i.e., prohibiting covered entities from collecting more personal information than is strictly necessary for the stated purpose.
The APRA defines sensitive data broadly as data related to government identifiers, health, biometrics, genetics, financial accounts and payments, precise geolocation, log-in credentials, private communications, revealed sexual behavior, calendar or address book data, phone logs, photos and recordings for private use, intimate imagery, video viewing activity, race, ethnicity, national origin, religion or sex, online activities over time and across third-party websites, information about a minor under the age of 17, and other data the FCC defines as sensitive covered data by regulation. Sensitive data would require affirmative express consent before transfer to third parties. Those meeting the definition of “covered entities would need to give clear disclosures and easy opt-out options.
Notably, the APRA is a departure from the current federal standard set by the Children’s Online Privacy Protection Act (COPPA), which places the cutoff at 13.
The APRA would require algorithmic bias impact assessments for “covered algorithms” that make consequential decisions. It would also prohibit discriminatory use of data. “Large data holders” and “covered high-impact social media companies” would face additional obligations around reporting, algorithm audits, and designated privacy/security officers.
While privacy professionals across the country will collectively groan at a law other than HIPAA using the term “covered entity,” the simplicity of a single standard rather than the current patchwork of state laws may just be worth the headache of two federal privacy laws using the same term with different definitions. However, it remains to be seen whether the APRA will make it to the Congress floor. We’ve reported in the past about attempts at a federal standard that ended up stalling in committee.
You can read the full APRA draft here.
[View source.]