Congressional privacy leaders propose the American Privacy Rights Act, the latest federal comprehensive privacy legislation

On April 7, 2024, Senate Commerce Committee Chair Maria Cantwell, and House Energy and Commerce Committee Chair Cathy McMorris Rodgers, unveiled the American Privacy Rights Act of 2024 (APRA), a comprehensive privacy bill that, if enacted, would set significant data privacy and security standards across the US. Importantly, the APRA would largely preempt similar comprehensive privacy laws enacted by individual states in the last few years. The APRA would also provide individuals with a limited private right of action to seek monetary and other relief for certain violations by covered entities. If this bill were to become law, it would become effective 180 days after enactment.

Prospects for passage

While the APRA is bipartisan and bicameral, with the support of both Senator Cantwell and Representative McMorris Rodgers, there are several obstacles facing passage in the current Congress. In June 2022, Senator Cantwell did not bring an earlier iteration of the APRA, the American Data Privacy and Protection Act (ADPPA), for consideration in committee. The earlier ADPPA was supported by the former Commerce Committee Ranking Member, Senator Roger F. Wicker, but it remains to be seen whether Senator Ted Cruz, the current Ranking Member on Commerce, will support the APRA. Senator Cruz’s initial statement suggested that he has significant concerns that the APRA may have “the same flaws as” the ADPPA, provide the Federal Trade Commission (FTC) with too much power, empower trial lawyers, and strengthen Big Tech.[1]

Similarly, Representative McMorris Rodgers does not have the full blessing of her Democratic counterpart in the House, Representative Frank Pallone.[2] Even if the two chairs can convince their bipartisan counterparts to join their efforts, or get the bill through their respective committees without the support of their ranking members, they still need their respective party leaders to bring it to the floor for full consideration in both chambers.

While Majority Leader Chuck Schumer has signaled in the past that he will consider a bipartisan, bicameral effort, he did not make any initial statements on the APRA, and his session days to bring this to the floor are few, as there are limited days in session between now and the August recess. Following the August recess, we may see little legislative work before the presidential election. After the election, members will likely be focused on the National Defense Authorization Act and appropriations bills; both items have been used as vehicles to carry other legislation. Although APRA will likely have an uphill battle to fit into that mix, retirements and the lame-duck session have sometimes yielded bipartisan compromises.

Scope

The APRA would regulate the collection, processing, retention, and transfer of “covered data” by certain entities. Covered data is defined as “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals” residing in the US.

The APRA includes heightened protections for “sensitive covered data,” which is defined broadly and includes, among other information: government identifiers; certain personal information revealing the race, ethnicity, national origin, religion, or sex of an individual in a manner inconsistent with an individual’s reasonable expectations; account/device log-in credentials; financial account or payment card information; precise geolocation information; an individual’s private communications; media and calendar and address book information; information regarding an individual under the age of 17; health information; “biometric information”; and “genetic information.”

The APRA would apply to “covered entities” defined as “any entity that, alone or jointly with others, determines the purposes and means of collecting, processing, retaining, or transferring covered data.” Covered entities include entities subject to FTC jurisdiction under the FTC Act, “common carriers” as defined by the Communications Act of 1934, and nonprofits. The APRA also imposes obligations on “service providers” that perform functions on behalf of covered entities and “third parties” that receive covered data from any entity, except those that are service providers with respect to that covered data.

Exemptions

The bill does not offer any entity-level exemptions for covered entities subject to certain existing federal laws and regulations. Rather, it exempts from most obligations data which is processed in compliance with, among others, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act of 1996. Notably, there is no exemption for compliance with the parental consent requirements of the Children’s Online Privacy Protection Act of 1998.

The APRA also exempts “small businesses,” which are defined as entities that, (i) had annual average gross revenue for the previous three calendar years of less than $40 million, (ii) subject to certain exceptions, collected, processed, retained, or transferred covered data of less than, on average, 200,000 individuals per year, and (iii) did not transfer covered data to a third party in exchange for revenue or anything of value.

In addition, certain nonprofits whose primary purpose is to deter fraud are also excluded from the definition of “covered entity.”

Alongside these exemptions, the APRA also excludes certain types of data from its definition of covered data, including “de-identified data,” “employee information” (including applicant information), and “publicly available information.”

Compliance obligations

Covered entities (and service providers, where noted) have extensive obligations under the APRA, including the following:

• Data minimization: Covered entities (and service providers acting on their behalf) must adhere to data minimization principles, including limiting data processing activities to those that are necessary and proportionate to provide a product or service, to communicate with an individual as reasonably expected, or for other purposes permitted by the APRA.


• Consent: Covered entities (and service providers acting on their behalf) must obtain affirmative express consent (and permit individuals to withdraw consent) for certain processing activities, including the processing of biometric or genetic information (use of either of these data types is subject to additional obligations) and the transfer of sensitive covered data to a third party.


• Privacy policy: Each covered entity and service provider must publicly provide a privacy policy that covers their data activities and complies with specific content requirements.


• Privacy rights: Covered entities must honor individuals’ requests to access, export, correct, and delete their covered data, subject to certain exceptions. In addition, the APRA includes prohibitions on a covered entity’s use of “dark patterns” in implementing various obligations under the APRA, such as the obligation to provide notices and implement processes used to honor individual rights requests. Separately, a covered entity may not retaliate against an individual for exercising the individual’s rights under the APRA and may not process covered data in a discriminatory manner.


• Opt-out rights: Covered entities must provide individuals the means to exercise rights to opt out of covered data transfers and of targeted advertising, including through opt-out mechanisms authorized by subsequent regulations promulgated by the FTC.


• Service providers and third parties: A covered entity must exercise reasonable due diligence in selecting a service provider and in deciding to transfer covered data to a third party. In addition, a covered entity must enter into a contract with a service provider that imposes specified obligations on the service provider.


• Data security: Each covered entity and service provider must have reasonable data security practices, in line with guidelines provided under the APRA and any further guidance issued by the FTC. In support of this requirement, the APRA mandates that the FTC establish a pilot program to encourage the use of Privacy-Enhancing Technologies.


• Officer designations: Covered entities and service providers must designate at least one qualified employee to serve as either a privacy officer or a data security officer who is responsible for implementing and maintaining an APRA-compliant data privacy and security program.


• AI-related obligations: Covered entities would be required to submit algorithmic impact assessments and algorithm design evaluations to federal authorities and the public.

Additional obligations for data brokers and large data holders

The APRA imposes heightened obligations on entities, including covered entities and service providers, characterized as “large data holders,” which must meet monetary and other thresholds to be characterized as such. The obligations include more rigorous transparency requirements, requirements to conduct impact assessments, and certification requirements.

In addition, the APRA creates requirements for “data brokers,” which are covered entities whose “principal source of revenue” comes from processing or transferring covered data that the broker did not directly collect. Data brokers are specifically prohibited from marketing their business as facilitating certain illegal or anti-consumer activities, including misrepresenting data broker business practices. Data brokers are also required to provide specific notices identifying themselves as data brokers, to register with the FTC (which is required under the APRA to publish a public data broker registry) if they meet certain thresholds, and to comply with “do not collect” requests. Under the APRA, the FTC is charged with creating a data broker registry mechanism that allows individuals to submit “do not collect” requests to data brokers (subject to certain exceptions).

Enforcement

Under the bill, the FTC has the power to enforce the APRA. States may also enforce the APRA against covered entities and service providers, including seeking injunctions, civil penalties, damages, and attorneys’ fees, following notice to the FTC.

In addition, the APRA provides individuals with a limited private right of action, through which an individual is allowed to receive actual damages, injunctive relief, declaratory relief, and reasonable attorneys’ fees. Entities are entitled to notice and/or a right to cure for certain actions unless the alleged offenses involve substantial privacy harm. Such individual actions must be brought in federal court and are therefore subject, among other things, to federal standing requirements.

Preemption

The APRA specifically states that, if enacted, it would preempt state comprehensive privacy laws. However, the bill also states that it would not preempt several other types of state laws that may otherwise be relevant, including data breach reporting laws, consumer protection laws, and employee privacy laws. Notably, by not preempting state consumer protection laws (or otherwise amending the FTC Act), the APRA would allow claims of unfair and deceptive trade practices, which has been a primary enforcement vehicle.

In addition, while the APRA would preempt comprehensive state privacy laws, the bill would explicitly allow for relief under Illinois’ Biometric Information Privacy Act, Illinois’ Genetic Information Privacy Act, and for data breach violations under the California Consumer Privacy Act.

Conclusion

In the face of the increasing number of individual state privacy laws, many in Congress are seeking common ground to enact federal legislation. Although the APRA is not likely to pass in the current Congress, the bipartisan effort suggests that negotiations on such fraught topics as preemption and private right of action have made progress since last year’s ADPPA and may find their way into future comprehensive federal legislation.

For more information, please reach out to the authors or your usual DLA Piper contact.


^{[1] See, e.g., Jedidiah Bracy, “Stakeholders react to draft American Privacy Rights Act,” The Privacy Advisor, April 9, 2024 (available at: https://iapp.org/news/a/stakeholders-react-to-draft-american-privacy-rights-act/ (linking to Cruz’s statement on X, available at: https://twitter.com/omaseddiq/status/1777378822100263270)).
[2] Pallone seems to want additional protections for children. https://democrats-energycommerce.house.gov/media/press-releases/pallone-release-american-privacy-rights-act-discussion-draft}