American Privacy Rights Act: An Overview Of The Landmark Privacy Legislation Being Considered By Congress

Steptoe LLP


In more than 100 years of practice, Steptoe has earned an international reputation for vigorous representation of clients before governmental agencies, successful advocacy in litigation and arbitration, and creative and practical advice in structuring business transactions. Steptoe has more than 500 lawyers and professional staff across the US, Europe and Asia.

In April, Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) jointly released the text of the American Privacy Rights Act (APRA), draft legislation that would establish a federal data privacy standard. The bill builds on last session's American Data Privacy and Protection Act (ADPPA), which passed the House Energy and Commerce Committee in 2022. Adoption of APRA would be a watershed moment in the US privacy landscape. In particular, APRA would supplant the growing patchwork of comprehensive state privacy statutes with a single federal standard.

The draft legislation would apply to any entity that (1) alone or jointly with others, determines the purposes and means of collecting, processing, retaining, or transferring covered data and (2) is subject to the Federal Trade Commission Act, is a common carrier subject to Title II of the Communications Act, or is a non-profit. However, "small businesses" would be exempt: entities with $40 million or less in average annual revenue over the preceding three years that do not collect personal data of more than 200,000 individuals and do not sell personal data.

Preemption

Similar to ADPPA, APRA would preempt comprehensive state data privacy laws, with the exception of an enumerated list of existing state laws, including consumer protection laws of general applicability and laws addressing employee privacy, student privacy, and data breach notification. APRA would also broadly exempt "any data subject to," and in compliance with, the requirements of Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) (GLBA); however, APRA does not specify whether state laws implementing GLBA would likewise be preempted. As a result, for some entities APRA may create a new layer of compliance requirements: entities already subject to state-implemented GLBA privacy regimes could also become subject to oversight by the Federal Trade Commission.

Consumer Rights

Similar to the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and other state privacy laws, APRA would limit the type of data companies can collect and use, and would establish several privacy rights for consumers. APRA defines "covered data" as information that identifies, links, or is reasonably linkable to an individual or to a device that identifies one or more individuals, excluding deidentified data, employee data, and publicly available information. Under the bill, consumers would have rights to:

  • access,
  • correction,
  • deletion,
  • portability, and
  • opt out of targeted advertising and data transfers.

Moreover, the bill would prohibit the transfer of sensitive covered data to third parties without the consumer's affirmative express consent, and a covered entity would be required to provide a clear and conspicuous means to withdraw such affirmative consent.

Under CCPA/CPRA, businesses are required to provide a clear and conspicuous link on the business's internet homepage titled "Limit the Use of My Sensitive Personal Information" that enables a consumer, or a person authorized by the consumer, to limit the use or disclosure of the consumer's sensitive personal information to the uses necessary to perform the services or provide the goods reasonably expected by an average consumer. As currently drafted, APRA's opt-in requirement would create a more rigorous standard for businesses to meet than CCPA/CPRA's opt-out requirement.

Data Security and Protection of Covered Data

Under APRA, similar to CCPA/CPRA, covered entities must establish, implement, and maintain data security practices appropriate to the entity's size, the nature and scope of the entity's data practices, the volume, nature, and sensitivity of the data, and the state of the art in administrative, technical, and physical safeguards. The legislation lists specific practices that covered entities must follow. For example, covered entities must routinely identify and assess any reasonably foreseeable risk to each system the entity maintains and must take preventive and corrective action to mitigate any such risk.

Enforcement and Penalties

The draft legislation provides several enforcement mechanisms: enforcement by the FTC, enforcement by state attorneys general, and a private right of action. The FTC is directed to establish, within one year after APRA's enactment, a new bureau to carry out its authority under APRA. APRA also authorizes state attorneys general, chief consumer protection officers, and other state officers to bring enforcement actions in federal district court.

Notably, APRA allows individuals to bring a civil action against an entity that violates their rights. In such cases, individuals may recover actual damages, injunctive relief, declaratory relief, and reasonable attorney fees and costs. Individuals also retain the right to sue under Illinois's Biometric Information Privacy Act and Genetic Information Privacy Act and under the California Privacy Rights Act. The legislation gives entities a 30-day period to cure before a lawsuit seeking injunctive relief and a 30-day notice period before a lawsuit seeking actual damages. However, the 30-day cure and notice periods do not apply in actions involving a substantial privacy harm.

APRA's private right of action goes well beyond current privacy law in the United States: neither the GLBA nor nearly all of the state comprehensive privacy statutes permit private actions. Indeed, APRA's private right of action surpasses the private rights of action in CCPA and CPRA, each of which permits private actions only for breaches of data security requirements.

FTC Regulations

If APRA is enacted, the FTC would be required to issue guidance on several aspects of the legislation, including compliance with due diligence requirements, compliance with opt-out rights for consequential decisions, the scope of the preemption provisions, and the breadth of the data disclosures required in short-form privacy notices.

After years of gridlock in Congress over nationwide data privacy regulation, APRA is the first bicameral, bipartisan draft legislation to attract serious consideration among legislators. Accordingly, businesses should continue to rigorously assess the purposes, necessity, and potential impact of collecting, processing, sharing, and selling consumer data. Steptoe will continue to monitor congressional action on this draft legislation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
