Unraveling The American Data Privacy Patchwork: Will The American Privacy Rights Act Succeed?

Buchanan Ingersoll & Rooney PC

Contributor

With 450 attorneys and government relations professionals across 15 offices, Buchanan Ingersoll & Rooney provides progressive legal, business, regulatory and government relations advice to protect, defend and advance our clients’ businesses. We service a wide range of clients, with deep experience in the finance, energy, healthcare and life sciences industries.

What You Need to Know

  • The patchwork of data privacy laws in the U.S. has created significant legal challenges for companies doing business nationwide.
  • With Congress taking up the new American Privacy Rights Act, those challenges may soon abate.
  • Drawing on data privacy and protection concepts from international regulations and state comprehensive data privacy laws, the APRA creates a unique law that attempts to address contemporary privacy concerns while simultaneously anticipating future technologies.

There are currently 16 states that have enacted individual comprehensive data privacy laws to protect their residents. With approximately 40% of the U.S. population residing in those states, the patchwork of data privacy laws in the U.S. has created significant legal challenges for companies doing business nationwide. However, with Congress taking up the new American Privacy Rights Act (APRA), those challenges may soon abate.

Introduced by Rep. Cathy McMorris Rodgers (R-WA), who chairs the House Energy and Commerce Committee, and Sen. Maria Cantwell (D-WA), who chairs the Senate Commerce, Science and Transportation Committee, the APRA is unique in the current legislative environment in that it is both bi-partisan and bi-cameral. The two sponsors of the APRA hail from Washington State, which is one of the states that have been laboring for years to pass a comprehensive data privacy law in the absence of a federal regulation. With almost one-third of US states slated to have individual comprehensive data privacy laws in effect by 2026, states and federal regulators are continuously adding to the tapestry.

As the focus on protecting personal data continues to grow with the ever-widening adoption of artificial intelligence (AI) tools, exponential increases in the number and breadth of data breaches, and growing awareness of the risk posed by data brokers, the time appears right for a U.S. federal data privacy regulation to succeed in Congress. But is APRA that regulation?

Legislating Data Privacy

The APRA is not the first attempt by Congress to pass a federal data privacy law. In June 2022, Rep. Frank Pallone (D-NJ) introduced the American Data Privacy and Protection Act (ADPPA). The ADPPA met its untimely demise on the House floor. Unlike the APRA, the ADPPA was not bipartisan and lacked certain critical provisions that ultimately doomed its passage. APRA is built upon the foundational privacy principles of data-minimization and transparency, which provide greater rights to individuals while holding data collectors and processors more accountable.

"This landmark legislation gives Americans the right to control where their information goes and who can sell it," said Rep. McMorris Rodgers in unveiling the Act. "It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people's behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act."

The main objectives of the APRA are to: 1) establish foundational uniform national data privacy rights for Americans; 2) give Americans the ability to enforce their data privacy rights; 3) protect Americans' civil rights; 4) hold companies accountable and establish strong data security obligations; and 5) focus on the business of data — not main street business.

Key Provisions

Drawing on data privacy and protection concepts from international regulations and state comprehensive data privacy laws, the APRA creates a unique law that attempts to address contemporary privacy concerns while simultaneously anticipating future technologies.

Scope and Applicability

In its current form, APRA is applicable to any covered entity collecting data that identifies or is reasonably linkable, alone or in combination with other information, to an individual. The term "covered entity" is similar to a data collector or controller, as defined by state laws and the EU's General Data Protection Regulation (GDPR). However, the APRA more broadly defines the term, applying it to entities that determine the purpose and means of collecting, processing, retaining or transferring data and are subject to the Federal Trade Commission (FTC) Act — essentially reaching every industry. Unlike the ADPPA, "small businesses" — those entities with less than $40 million in annual revenue or that handle data of fewer than 200,000 individuals — are exempt from the ambit of APRA. Unlike many state data privacy laws, most non-profit organizations are subject to APRA. And while APRA does not apply to de-identified data or public records data, it does apply to employee data. Currently, California is the only state with a privacy law that extends to employees.

Adhering to the concept of data-minimization, covered entities and "service providers" may only collect data necessary and proportionate to provide the good or service, with a list of enumerated permitted purposes such as protecting data security and preventing fraud or harassment. Service providers are those entities that act on behalf of a covered entity. Unlike many current laws and regulations, APRA extends to service providers most of the same obligations levied upon covered entities. Service providers must now perform their own due diligence based on a covered entity's credible disclosures and representations that they adequately implement data-minimization. To this end, the Act grants the FTC rulemaking authority to define what is considered "reasonable" for data-minimization purposes.

APRA also introduces definitions for specific controllers requiring additional rules — namely Large Data Holders and High Impact Social Media companies. Large Data Holders are those entities with more than $250 million in annual revenue, or that handle the data of more than 5 million individuals or the sensitive data of more than 200,000 individuals. High Impact Social Media companies are those entities that provide an internet-accessible platform used to access or share user-generated content and that have $3 billion or more in global annual revenue — including through affiliates — or more than 300 million monthly active users.

Sensitive Data

APRA considerably expands most current definitions of sensitive data. In addition to customary elements of sensitive data such as medical data, children's data, and biometric data, APRA requires express consent from individuals prior to the transfer of the following types of data:

  • Financial account and payment data
  • Log-in credentials
  • Calendar or address book data
  • Phone logs
  • Photos and recordings for private use
  • Information revealing the sexual behavior of an individual in a manner inconsistent with the individual's reasonable expectation regarding disclosure of such information
  • Information revealing an individual's race, ethnicity, national origin, religion, or sex in a manner inconsistent with the individual's reasonable expectation regarding disclosure of such information
  • Any medium showing a naked or private area of an individual
  • Online activities over time and across third-party websites or over time on a high-impact social media site, and
  • Any other data the FTC deems to be sensitive.

Notably absent from the definition are union membership and sexual orientation, which are categories that have been deemed sensitive data in many state laws.

Private Right of Action

In the United States, California is the only state with a private right of action contained in its data privacy statutes, permitting consumers to bring a lawsuit directly against companies without going through a state agency or attorney general. Under APRA, consumers, state attorneys general, and the FTC are able to initiate lawsuits against covered entities and service providers that violate the law. Where the ADPPA required consumers to wait two years before they could bring a suit — and only after notifying the FTC and the respective state attorney general's office — the APRA eliminates the waiting period and permits individuals to file suit in federal district court for violations that remain uncured after 30 days. Violations can result in actual damages, injunctive relief, declaratory relief, and reasonable attorney fees and costs. APRA also permits statutory damages for violations of certain state laws, such as [State]'s Genetic Information Nondiscrimination Act, Illinois' Biometric Information Privacy Act, and the California Privacy Rights Act.

Consumer Rights

Almost all state comprehensive privacy laws now offer consumers certain rights to the data that is collected by the covered entity. Likewise, APRA offers consumers a host of rights, including the right to access data collected, to know the name of the third party or service provider to whom data was transferred, to correct inaccuracies, to delete, and to export their data. While companies are permitted to deny unreasonable consumer requests, large data holders must disclose the number of requests they receive.

Similar to states like Colorado, Texas, California, and Connecticut, APRA requires companies with consumer-facing websites to allow consumers to opt out of data collection using a centralized, universal, opt-out mechanism. Under APRA, the FTC is tasked with drafting further guidance on methods for implementing the opt-out provision.

Pre-emption

Pre-emption is one of the most hotly debated topics of the APRA — and one that may stand in the way of its passage. Under APRA, individual states cannot maintain their own privacy laws on topics that are already covered by APRA, offering instead a list of exceptions that will remain under the regulatory authority of the states. These exceptions to state pre-emption include, among others, civil rights laws, contract or tort laws, public safety laws, general consumer protection laws, provisions addressing employees or students, and data breach notification laws. Many states — including California, which is both the most populous and the state with the most mature data protection regulations — oppose this type of pre-emption. According to those states in opposition, rather than establishing a baseline for national data privacy regulations, APRA creates a ceiling with individual carve-outs for states. Opponents point to GDPR to contrast this point. GDPR is seen as a floor, creating a minimum standard that individual EU member states may strengthen through the establishment of stricter rules with heightened protections for consumers.

Probability of Success

The bi-cameral and bi-partisan nature of this discussion draft is a testament to the times that we live in. Industry leaders, civil society, academia, and even the White House have taken strong positions in favor of enhancing data privacy and protections. Further, significant advancements in AI and new legislation focused on regulating its uses and development point to the legislative intent to establish a consistent nationwide foundation for data collection, processing, and sharing. While the introduction of the APRA is timely, and it seems to have addressed many of the issues that plagued previous legislation, the question remains: will this be enough?

APRA faces numerous hurdles. One of the biggest issues does not necessarily have to do with the Act itself but with the current political climate. Being an election year, gaining sufficient support to pass contentious bills can be extremely difficult. The timing of passage might be problematic as well. At this point, APRA is only a discussion draft. A formal bill or companion bills still need to be introduced, followed by hearings and possible amendments in committee, which may have their own mark-ups. This process will certainly require close coordination between the Senate and the House to move this along as efficiently as possible. Further, APRA appears to be the last major bill introduced by Rep. McMorris Rodgers, who will be retiring at the end of this session. Whether she is able to whip sufficient support before the session closes, with many members on the campaign trail, remains a significant open question.

Apart from challenges of timing, many states — particularly those with comprehensive data privacy laws — have yet to voice an official opinion. Senator Ted Cruz (R-TX), ranking member of the Senate Committee on Commerce, Science and Transportation, favors the Texas comprehensive law over the APRA. "I cannot support any data privacy bill that empowers trial lawyers, strengthens Big Tech by imposing crushing new regulatory costs on upstart competitors or gives unprecedented power to the FTC to become referees of internet speech," Sen. Cruz stated.

Moreover, pre-emption remains a significant point of contention. "Americans shouldn't have to settle for a federal privacy law that limits states' ability to advance strong protections in response to emerging threats in policy — particularly when Californians' fundamental stakes are at stake. Congress should set a floor, not a ceiling," said Ashkan Soltani, Executive Director of the California Privacy Protection Agency.

Recent legislative hearings and discussions with stakeholders have made clear that, although most Members of Congress favor a federal data privacy regulation in general — and APRA in particular — there remain some significant questions that need to be addressed. These include whether the broad applicability of APRA could limit innovation and research, whether the broad definition of sensitive data would stifle commerce, and whether an opt-in system rather than an opt-out mechanism for targeted advertising would provide greater protections. Other concerns relate to the protections for minors and suggest an outright ban on targeted advertisement to children.

Finally, APRA will face significant pushback on its timeline for implementation. As written, the Act provides states, covered entities, service providers and all others 180 days to implement the provisions once enacted. This is optimistic, at best. Most states with comprehensive data protection laws allow companies a year or more to come into compliance. Those states with comprehensive data laws would need to quickly realign existing agencies and amend regulations to comply with APRA. Companies in states without comprehensive data laws would need to rapidly overhaul their data collection practices, and district courts would need to prepare for a potential full docket of suits under the new law.

APRA, in its current form, likely will not pass. There is tremendous momentum, and there is a good chance that a marked-up version, or new draft bill will pass. However, there are hurdles that likely will impede passage of the current APRA — not the least of which being states' rights advocates railing against pre-emption. It may be worthwhile for drafters to draw inspiration from the GDPR, and consider modifications to the Act to establish a regulatory floor, rather than a ceiling. While this course may not entirely weave the current patchwork into a single tapestry, it would provide a blanket of regulation for the more than two-thirds of states whose residents enjoy no comprehensive data privacy protections.

Originally Published by Law.com.
