Following the introduction of the EU's General Data Protection Regulation (GDPR) in 2018, the lack of a comparable federal regulation in the United States has led many states to enact their own consumer data privacy protection acts, and many more are set to adopt such laws in the near future. The difficulties associated with complying with this growing patchwork of state laws have caused many to believe that a single federal standard is needed.
The United States has considered and failed to adopt a unifying privacy standard in the past, but Cathy McMorris Rodgers (R – WA) and Maria Cantwell (D – WA) have once again put that option on the table, introducing the American Privacy Rights Act of 2024 (APRA). The APRA, as introduced, is broad, incorporating many of the concepts seen in a variety of consumer data privacy protection measures across different states, but it would also impose new obligations on businesses that are collecting, processing, and transferring data. Many feel it will be an uphill battle to pass the APRA given the timing and the other issues currently facing Congress, but for those tracking privacy legislation, there are some provisions of the APRA you will want to follow.
To Whom Would the APRA Apply?
As drafted, the APRA imposes obligations on "Covered Entities" (not to be confused with HIPAA's "Covered Entities") and "Service Providers," with those roles defined based on the organization's role in handling data. "Covered Entity" is defined in much the same way that the GDPR defines Data Controllers and includes those that decide whether to collect data, as well as how the data will be collected, stored, manipulated, transferred, or destroyed. To be a Covered Entity, the organization must also be subject to the FTC Act, be a common carrier, or be a nonprofit. Service Providers are those entities that process data in accordance with the instructions of a Covered Entity. Parent companies, subsidiaries, or affiliates of a Covered Entity or Service Provider would also be subject to the APRA.
The APRA contains certain exemptions for Small Businesses, which are defined as those businesses whose average annual gross revenue for the three preceding calendar years did not exceed $40,000,000, that did not annually collect, process, retain, or transfer covered data of more than 200,000 individuals, and that did not transfer covered data to a third party for revenue or anything else of value. While the revenue threshold appears to be generous toward small businesses, the prohibition on transferring data for anything of value in order to preserve the exemption could prove problematic.
While Small Businesses are exempt, certain specialized entities face heightened obligations under the APRA, including data brokers who exceed stated revenue thresholds and large data holders who exceed revenue thresholds and exceed thresholds of the number of individuals for whom they process data.
What Data Would The APRA Protect?
The APRA is set to apply to any information that identifies, is linked to, or is reasonably linkable to an individual or a device tied to an individual (“Covered Data”). Covered Data specifically excludes de-identified data, publicly available information, and certain other categories of data, such as employee data and inferences drawn from publicly available sources that do not reveal sensitive covered data. In contrast, the current draft does not expressly exclude personal data collected in a business-to-business setting.
The APRA also defines "Sensitive Covered Data" as a subset of Covered Data. Sensitive Covered Data includes the types of data you would expect, such as government-issued identifiers, health data, financial account and payment information, precise geolocation data, log-in credentials, data from or about minors, and biometric identifiers. However, it is also proposed to include calendar or address book information, phone or text logs, photos, videos, or audio recordings intended for private use, video programming viewing information, online activities over time and across websites, and certain other categories of information that current state laws do not associate with heightened standards. This broader category of Sensitive Covered Data will require more restrictive processing across Covered Entities and Service Providers.
What Rights Would The APRA Give Consumers?
The consumer rights under the APRA are consistent with those regularly appearing in the state laws, including the right to know, the right to access, the right to correct, the right to delete, the right to portability, the right to opt out of data transfers, and the right to opt out of targeted advertising. These rights are also subject to some of the typical exceptions, such as the inability to verify the request, threats to security, violation of laws, or inability to comply due to technology or cost. Businesses that are already compliant with consumer privacy rights under the various state laws probably will not see a significant change in their compliance efforts on this front.
How Would The APRA Be Enforced?
The proposed APRA allows three different groups to bring enforcement actions: (i) a new privacy bureau of the FTC that would be established for such enforcement purposes, (ii) authorized state officials, including the state attorneys general, and (iii) individuals who are harmed by an organization's failure to comply with the Act. The right for individuals to bring actions for violations of the APRA is one of the more concerning aspects for many organizations. The private right of action allows for typical types of recovery, such as actual damages and injunctive relief, among others, but it only permits statutory damages in limited circumstances, such as those consistent with the Illinois Biometric Privacy Act and the California Consumer Privacy Act (“CCPA”). Despite the checks and balances for such actions that are included in the current draft of the APRA, this private right of action makes it easy to envision new risks of legal exposure for companies that otherwise are well-intentioned in their security efforts.
Would APRA Preempt State Laws?
As drafted, the APRA would preempt state data privacy laws, subject to several exceptions. Notably, aspects of the CCPA are preserved, along with the Illinois Biometric Information Privacy Act and Genetic Information Privacy Act. Further, the APRA does not preempt data breach notification statutes or elements of statutes with certain subject matter, such as laws related to student, health, or employee privacy matters and laws addressing electronic surveillance, wire-tapping, and telephone monitoring. These subject matter exceptions to preemption, combined with the data breach notification laws existing in all 50 U.S. states and territories, mean the APRA will still fall short of providing a single nationwide standard for privacy matters.
What Other Obligations Would APRA Impose?
The APRA has several operational requirements that would apply to Covered Entities and Service Providers, many of which are consistent with requirements under various state laws right now. However, there are a few novel obligations. The APRA imposes specific data minimization requirements prohibiting the collection, processing, or transfer of data except as necessary for the purpose for which it was collected. The APRA also prohibits Covered Entities and Service Providers from using dark patterns to direct users away from a privacy policy, to make it harder for the individual to exercise the rights granted by the APRA, or to infer consent. Dark patterns are user interfaces designed to undermine the user's autonomy, decision-making, or other choices.
While most state laws currently require businesses to employ reasonable security measures given the circumstances, the APRA imposes several specific security requirements, such as conducting vulnerability assessments, implementing preventative and corrective measures, adopting appropriate data retention and deletion schedules and procedures, conducting employee training, and implementing appropriate incident response plans. Each Covered Entity must also maintain a written agreement with each Service Provider it engages to process data.
The APRA has also borrowed certain concepts from GDPR, specifying certain permissible reasons for processing data and requiring businesses to designate at least one qualified employee to serve as a privacy or data security officer.
Conclusion
If adopted, the current draft of the APRA would standardize many things regarding data privacy across the U.S., but as currently drafted, it also falls short of being a true single standard. While there remains much debate about whether this comprehensive privacy act will be adopted, it seems reasonable to assume that one is coming eventually. Because of that likelihood, as well as the growing number of comprehensive data privacy protection acts across the states, most businesses would be well served to begin working toward compliance with the typical requirements seen in these laws so that they are well positioned when such an act is adopted for application across the United States.