Overview

Two key members of Congress unveiled the latest iteration of a proposed nationwide comprehensive privacy and data protection bill this past week. House Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science, and Transportation Chair Maria Cantwell (D-WA) introduced the American Privacy Rights Act (APRA) that would establish national consumer data privacy rights, set standards for data security, and largely eliminate the existing patchwork of state comprehensive data privacy laws that have come into effect during the past decade. It would also empower the Federal Trade Commission (FTC) and state attorneys general (State AGs) to enforce the law, as well as include a private right of action for individuals to sue entities for violations of APRA, something that is currently only partially available through the California Consumer Privacy Act.

Congress has tried several times during the past decade to introduce and pass comprehensive privacy legislation, especially as more than a dozen states have now enacted their own privacy laws. It remains to be seen whether this bill, which is still a discussion draft, will become law this year, particularly given November’s presidential election and other legislative priorities. The House Energy and Commerce Committee has scheduled a hearing to discuss the current draft on Wednesday April 17.

The APRA’s provisions largely align with the structure and content of other major US and global privacy laws, including the European Union General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Current provisions that are largely familiar to these other frameworks include:

• Covered Entities: The APRA defines Covered Entities as “any entity that determines the purpose and means of collecting, processing, retaining, or transferring covered data and is subject to the FTC Act, including common carriers and certain nonprofits. Small businesses, governments, entities working on behalf of governments, the National Center for Missing and Exploited Children (NCMEC), and, except for data security obligations, fraud-fighting non-profits are excluded.”
• Covered Data: The APRA defines Covered Data as “information that identifies or is linked or reasonably linkable to an individual or device. It does not include de-identified data, employee data, publicly available information, inferences made from multiple sources of publicly available information that do not meet the definition of sensitive covered data and are not combined with covered data, and information in a library, archive, or museum collection subject to specific limitations.”
• Data Minimization: Covered Entities must not collect or process Covered Data beyond what is necessary, proportionate, or limited.^[1]
• Transparency: Covered Entities must provide notice of all privacy practices to customers and employees.^[2]
• Data Subject Access Rights: Covered Entities must establish processes to honor customer requests to access, delete, or export Covered Data, barring exceptions for legal and regulatory reasons.^[3]
• Interference with Consumer Rights: Covered Entities are not permitted to use dark patterns to divert individuals’ attention from notice and consent choices that they are allowed to exercise under the law.^[4]
• Service Providers and Third Parties: Covered Entities are required to ask service providers to adhere to instructions in fulfilling APRA obligations. Service providers must cease data practices where they have “actual knowledge” that a Covered Entity has violated the APRA and they must allow independent assessors to assess their security practices.^[5]
• Data Brokers: The APRA requires that data brokers identify themselves as such on their websites and provide tools for individuals to exercise their opt-out rights related to data broker processing of Covered Data. Data brokers must also on their websites provide a link to a new data broker registry website maintained by the FTC. ^[6]
• Prohibition on Denial of Service and Waiver of Rights: The APRA prohibits Covered Entities from retaliating against individuals for exercising their rights under it, including by denying or charging different rates for goods or services.^[7]

The APRA includes other provisions that are generally not common to current global privacy laws, particularly in the United States.

• Data Security and Protection of Covered Data: The APRA would require Covered Entities and service providers to establish data security practices appropriate to the entity’s size, as well as scope, volume and sensitivity of the Covered Data processed. The APRA goes into more specific detail than what we have generally seen in other state laws including calling for Covered Entities at a minimum to 1) conduct vulnerability assessments; 2) conduct regular security risk assessments; 3) draft data retention schedules; 4) require security training, and 5) implement incident response procedures. ^[8]
• Executive Responsibility: The APRA would require Covered Entities to designate one or more employees to serve as privacy or data security officers. Covered entities designated as “Large Data Holders^[9]” would be required to designate both types of officers as well as conduct privacy impact assessments every other year.^[10]
• Opt-out Rights for Consequential Decisions: The APRA requires Covered Entities using covered algorithms for consequential decisions^[11] to provide notice of such use and an opportunity for consumers to opt-out.

Such notice must be:

• Clear, conspicuous, and not misleading and must provide meaningful information on how the covered algorithm makes or facilitates a consequential decision, including the range of potential outcomes;
• Provided in each language where the entity provides a product or service subject to the use of such covered algorithm or carries out activities related to such product or service; and
• Reasonably accessible to and usable by individuals with disabilities.

The APRA requires impact assessments for these algorithms when they pose a “consequential risk,” further defined by the following categories:

• Covered minors;
• Housing, education, employment, health care, insurance, or credit opportunities;
• Public accommodations based on protected characteristics;
• Disparate impacts based on race, color, religion, and sex; and
• Disparate impact based on political party registration.^[12]

Enforcement/Governance

The APRA directs the FTC to establish a new bureau, comparable to its existing Bureaus of Enforcement and Competition, which will be responsible for enforcing the law. APRA violations will be treated as “unfair or deceptive acts” under Section 5 of the FTC Act.

However, the law will require the FTC to terminate its rulemaking on “Commercial Surveillance and Data Security,” first introduced in 2022. The APRA also authorizes State AGs to enforce the law based on violations in their respective jurisdictions. State AGs must notify the FTC prior to initiating an action under APRA and APRA directs the Government Accountability Office to study the practice of hiring external counsel by State AGs.

As explained above, the APRA also provides for a private right of action, enabling enforcement by individuals via lawsuits for violations of the APRA.

Additionally, the APRA would apply to common carriers as defined by Title II of the Communications Act. The FTC would replace the Federal Communications Commission as the primary regulator to these entities in regards to data privacy and security issues.

Next Steps

Paul Hastings will be watching the debate of this law very closely as there is the potential for changes during the markup and amendment process that happens in both legislative bodies’ committees and on their floors. If it is passed and signed by President Biden, we will provide further detailed analysis on what our clients should be doing to prepare for its enforcement.

Organizations that have already had to take steps to mature their privacy programs in the past several years due to the GDPR, CCPA, and state laws will need to make enhancements to their programs, particularly around governance and addressing the provisions around algorithm processing of Covered Data. However, they will be able to build on existing efforts and not have to revamp their current practices. Those organizations that have yet to have the need to comply with major privacy laws will need to think about the personal data they collect and process, assess any current privacy practices, and start to think long-term about building a privacy program that can comply with the APRA and reduce their privacy risk footprint. It should also be noted that data, which is already covered by existing Federal privacy laws such as the Gramm Leach Bliley Act, the Health Insurance Portability and Accountability Act, and the Children’s Online Privacy Protection Act, would be exempt from the APRA.

^[1] APRA Section 3(a)(1)

^[2] APRA Section 4

^[3] APRA Section 5

^[4] APRA Section 6

^[5] APRA Section 11

^[6] APRA Section 12

^[7] APRA Section 8

^[8] APRA Section 9

^[9] Large Data Holder is defined as a “covered entity or service provider that in the most recent calendar year (1) had an annual gross revenue of $250,000,000 and (2) collected, processed, retained or transferred either the (a) covered data of more than 5,000,000 individuals, 15,000,000 portable connected devices, and 35,000,000 connected devices or (b) the sensitive covered data of more than 200,000 individuals, 300,000 portable connected devices, and 700,000 connected devices.”

^[10] APRA Section 10

^[11] The APRA defines “consequential decision” as a determination or offer, including through advertisement, that uses covered data and relates to an individual’s or a class of individuals’ access to or equal enjoyment of housing, employment, education enrollment or opportunity, healthcare, insurance, or credit opportunities, or access to, or restriction on the use of any place of public accommodation.

^[12] APRA Section 13(c)