On April 7, 2024, Rep. Cathy McMorris Rodgers (R-WA), the chair of the US House Committee on Energy and Commerce, and Sen. Maria Cantwell (D-WA), the chair of the US Senate Committee on Commerce, Science, and Transportation, unveiled a discussion draft of the American Privacy Rights Act of 2024 (APRA).

ARPA would establish a national consumer privacy and security standard. It would also have the effect of rendering moot the nearly 20 state consumer privacy laws that have been enacted to date. But APRA has a long, long way to go before it becomes law.

IN DEPTH

SCOPE AND APPLICABILITY

If passed, APRA will apply to companies that determine the purpose and means of processing covered data and that are (i) subject to Federal Trade Commission (FTC) oversight, (ii) common carriers under the Communications Act of 1934 or (iii) a nonprofit organization. However, APRA would not apply to the following:

• “Small businesses”;
• Certain activities of fraud-related nonprofit entities;
• The National Center for Missing & Exploited Children;
• Government entities; or
• Nongovernment entities processing covered data on behalf of government entities in that capacity as covered entities.

A “small business” is an entity whose average annual gross revenue for the prior three years did not exceed $40 million, did not process the covered data of more than 200,000 individuals (with limited exceptions) and did not transfer covered data to a third party in exchange for anything of value.

The inclusion of nonprofits within the scope of APRA is a bit of a surprise given that most state consumer privacy laws exempt nonprofits from their scope.

REGULATED DATA

APRA would regulate “covered data,” which is information that identifies or is reasonably linkable to an individual or a device that identifies or is reasonably linkable to at least one individual. Covered data does not include deidentified data; employee information collected by the employer or their service providers; publicly available information; information available in a library, archive or museum (under certain circumstances); and inferences made exclusively from publicly available information.

SENSITIVE COVERED DATA

Sensitive covered data is a subtype of covered data, and it includes:

• Government-issued identifiers;
• Past or present mental or physical health information;
• Genetic information;
• Financial account numbers;
• Biometric information;
• Precise geolocation information;
• Private communications, including voicemails, emails, texts and direct messages;
• Information relating to an individual under the age of 17; and
• Information revealing an individual’s online activities over time, including across websites, online services not sharing common branding or online services operated by a “covered high-impact social media company.”

Companies would only be permitted to transfer sensitive covered data to third parties if they obtained affirmative express consent or if the transfer was for certain permitted purposes. Biometric and genetic information would be subject to additional restrictions and can only be processed for certain, expressly identified purposes. APRA would also restrict the collection and use of biometric and genetic information, making the continued use of the data by companies rather onerous, including, e.g., strict consent requirements and retention limits.

CONSUMER RIGHTS

APRA would require covered entities to provide consumers with rights that should look familiar, except the right to opt out of “transfers” as described below:

• The right to access that consumer’s covered data in a readable format, or to receive a description of that data if the covered entity no longer has the data;
• The right to correct inaccuracies in covered data;
• The right to delete covered data;
• The right to export covered data. This right would not require a company to export derived data when it would reveal a trade secret or other confidential information; and
• The right to opt out from the transfer of covered data and from targeted advertising. Where a consumer opts out from a “transfer,” the company cannot disclose, release, share, disseminate, make available, sell, rent or license the covered data by any means for any commercial purpose, including compensation. This concept of allowing individuals to opt out of all “transfers” is much broader than what is provided for under existing state laws and seems difficult, if not impossible, to manage from an operational standpoint.

REQUIRED DISCLOSURES

Companies would be required to publish a privacy policy containing:

• Identity and contact information of the company;
• Identities of any affiliates within the same corporate family to which covered data may be transferred, where that affiliate is not under common branding with the covered entity or has different contact information than the covered entity;
• A description of the categories of covered data and purposes of the processing;
• Information about covered data transfers, including categories of service providers and third parties to whom data is transferred, and an express identification of data brokers to whom covered data is transferred;
• The covered entity’s data retention practices related to covered data;
• A general description of the data security practices of the entity;
• A description of how the individual can exercise their data subject rights;
• The effective date of the privacy policy; and
• A statement as to whether the covered entity transfers, processes or retains covered data in or otherwise makes covered data accessible to a foreign adversary (as identified by the US secretary of commerce).

DATA MINIMIZATION

Under APRA’s data minimization requirement, companies would not be allowed to process covered data beyond what is necessary, proportionate and limited to provide or maintain a specific product or service requested by the individual or to reasonably communicate with the individual. In particular, covered data could only be processed for certain permitted purposes, including to:

• Protect data security;
• Respond to an ongoing or imminent security incident;
• Prevent or respond to fraud;
• Comply with legal obligations;
• Prepare or defend legal claims;
• Transfer to law enforcement pursuant to a lawful warrant or subpoena;
• Conduct market research;
• Develop or enhance the company’s products or services, or conduct internal research to improve a product or service by using deidentified data;
• Transfer assets as part of a merger, acquisition or bankruptcy; or
• Provide first party or contextual advertising or, where the consumer has not opted out, targeted advertising.

APRA also would prohibit the use of “dark patterns” to divert a consumer’s attention from a required notice, impair a consumer’s ability to access their rights or facilitate an individual’s consent where required under APRA.

Under APRA, companies would be required to conduct written evaluations of algorithms using covered data prior to deploying the algorithms. The evaluation must be shared with the FTC and address the design, structure and inputs of the algorithm to reduce potential harm. The concept of “potential harm” is not limited to any specific types of harm and includes harms related to:

• Minors under 17 years of age;
• Advertising or determining access (or restrictions) related to housing, education, employment, healthcare, insurance or credit opportunities;
• Determining access (or restrictions) to places or public accommodations, particularly in relation to protected characteristics;
• Disparate impact on the basis of race, color, religion, national origin, sex or disability status; or
• Disparate impact based on political party registration status.

LARGE DATA HOLDERS

APRA includes additional requirements for “large data holders.” With some exceptions for conduit-type service providers (e.g., mail and payment services), large data holders are companies with an annual gross revenue of at least $250 million in the most recent calendar year that also collected, processed, retained or transferred covered data of at least five million individuals, 15 million portable connected devices reasonably linkable to at least one individual, and 35 million connected devices reasonably linkable to at least one individual; or collected, processed, retained or transferred the sensitive covered data of at least 200,000 individuals, 300,000 portable connected devices reasonably linkable to at least one individual, and 700,000 connected devices reasonably linkable to at least one individual.

Large data holders would be required to publish on their website a copy of each previous version of their privacy policy, along with a log of the material changes going back 10 years. Large data holders would also be required to provide a short-form privacy notice that includes an overview of individual rights and disclosures to reasonably draw attention to data practices that may be unexpected or that involve sensitive covered data. This short-form notice would have to be fewer than 500 words long.

Large data holders would also be required to conduct an annual impact assessment for any covered algorithm that poses a consequential risk of a potential harm described above. This assessment would include the following:

• A detailed description of the algorithm;
• A statement of the purpose and use of the algorithm;
• A detailed description of the data used by the algorithm;
• A description of the algorithm’s outputs;
• An assessment of the necessity and proportionality of the covered algorithm for its stated purpose; and
• A detailed description of the steps taken to mitigate the potential harms evaluated by covered entities.

DATA BROKERS

APRA also includes specific requirements for “data brokers.” Data brokers are covered entities that either:

1. Earn at least 50 percent of their revenue from processing or transferring covered data that was not collected directly by the company from the relevant individual; or
2. Earn any revenue from processing or transferring covered data of more than five million individuals that was not collected directly by the company from the relevant individual.

Data brokers would be required to maintain a publicly accessible website with a notice that the entity is a data broker and that individuals may exercise their data subject rights, with instructions for doing so. Data brokers would not be allowed to advertise or market access to covered data if the access is for a variety of purposes, including stalking, harassing, committing fraud, identity theft or unfair or deceptive acts or practices.

Data brokers would also be required to register with the FTC each year if they acted as a data broker with respect to at least 5,000 individuals or devices reasonably linkable to an individual in the previous year.

ENFORCEMENT

APRA would primarily be enforced by the FTC or state privacy regulators (attorneys general or otherwise) but does include a limited private right of action. The FTC would be required to establish a new bureau for the purpose of enforcing APRA.

Individuals could bring claims seeking actual damages, injunctive relief, declaratory relief, and reasonable attorney’s fees and litigation costs in certain, limited instances, including allegations that a company:

• Transferred sensitive covered data without affirmative express consent;
• Processed biometric or genetic information improperly;
• Provided inadequate privacy policy disclosures or failed to meet notification requirements;
• Failed to provide, recognize or operationalize data subject rights requests;
• Failed to provide opt-out rights or engaged in dark patterns;
• Retaliated through discriminatory pricing, quality or service levels;
• Failed to maintain reasonable security;
• Failed to exercise reasonable due diligence in selecting a service provider or transferring covered data to a third party;
• Failed to honor Do Not Collect requests as a data broker;
• Discriminated against individuals on the basis of race, color, religion, national origin, sex or disability; or
• Failed to provide, recognize or operationalize a consumer’s decision to opt out of the use of a covered algorithm.

Before filing suit, an individual would need to provide 30 days’ written notice to the company, identifying specific, alleged violations of APRA and give the company an opportunity to cure that violation.

EFFECTIVE DATE

APRA would be effective 180 days after its enactment. That is not a lot of time for companies to implement the sea change of requirements that APRA would usher in. However, as discussed below, the prospects of APRA becoming law are relatively low.

PREEMPTION

If passed, APRA would expressly preempt most state privacy laws, transforming the patchwork system of state privacy laws into a single set of federal requirements. While preemption would simplify corporate compliance burdens, APRA is more operationally complex in many ways than the existing patchwork of state laws.

There are carveouts in APRA’s preemption provision for various specific laws, rules, regulations and requirements. Notably, employment-related health or medical privacy requirements are not preempted, which likely means that the California Consumer Privacy Act provisions as applied to employees and much of Washington’s My Health My Data Act would survive. In addition, APRA would not change the privacy requirements of other federal laws, including most notably requirements under the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act.

SO, YOU’RE SAYING THERE’S A CHANCE?

While APRA does have bicameral and bipartisan support, it is lacking key support – on both sides of the aisle – from legislators who previously supported other federal privacy proposals and who need to support APRA for it to have a real chance to pass.

Complicating matters further is the fact that it is a presidential election year. Historically, unless one party controls the legislature, very little impact legislation is passed in that setting, and there is nothing to signal that APRA will be an exception. For example, the inclusion of a private right of action in APRA will likely be a nonstarter for many in the House, while the state preemption provisions will jeopardize support of legislators from states that have enacted state consumer privacy laws, especially the support of California’s legislators.

[View source.]