On April 7, Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) released the text of the American Privacy Rights Act (APRA), a bipartisan and bicameral draft piece of legislation to establish a federal data privacy standard. This announcement marks the latest push in the long-stalled effort to pass a federal data privacy law. With a growing number of states enacting their own data privacy laws, and consumers increasingly concerned about their personal data privacy protections, Chair Cantwell and Chair Rodgers argue that this bill balances the concerns raised through various legislative hearings while providing consumers with comprehensive data privacy protections.

However, the bill is currently facing pushback from Senate Commerce Ranking Member Ted Cruz (R-TX). In an initial statement, Ranking Member Cruz said he “cannot support any data privacy bill that empowers trial lawyers, strengthens Big Tech by imposing crushing new regulatory costs on upstart competitors or gives unprecedented power to the FTC to become referees of internet speech and DEI compliance.”

House Financial Services Chair Patrick McHenry (R-NC) also told reporters, “the Financial Services Committee is going to insist on our jurisdiction being respected …There’s an opportunity for us to link our efforts to update financial data privacy, where we actually currently have a data privacy law that needs to be updated—link that with this package.” Chair McHenry has indicated that crypto legislation and his financial services industry-focused privacy legislation, the Data Privacy Act of 2023, are among his top priorities. He is currently considering a variety of vehicles to move these bills by the end of the year.

The bill expands on the American Data Privacy Protection Act (ADPPA), which passed the House Energy and Commerce Committee in 2022. The package ultimately stalled due to concerns from California Democrats and Chair Cantwell regarding its preemption of existing state data privacy laws. Similar to ADPPA, APRA would preempt state data privacy laws, a concession Chair Cantwell made because she believes APRA adopts the strongest provisions of those laws. The new bill would also limit the type of data companies can collect and use, and it would allow for individuals to sue over privacy breaches. Individuals could immediately sue companies for alleged violations, as opposed to the two-year delay for a private right of action contemplated under the ADPPA.

Below is a summary of the relevant sections in the current discussion draft of the bill. Further revisions are expected, and committee-prepared section-by-section is available here.

APRA Summary

DEFINITIONS

The bill provides numerous definitions, including descriptions of entities that must comply with its provisions and those that are exempt:

• Small Businesses: Non-covered entities that have $40 million or less in annual revenue and collect, process, retain or transfer the covered data of 200,000 or fewer individuals. To be classified as a small business, an entity must not earn revenue from the transfer of covered data to third parties.

• Covered Entities: Entities that determine “the purpose and means of collecting, processing, retaining, or transferring covered data.” Covered entities must also be subject to the Federal Trade Commission Act. Small businesses, governments, entities working on behalf of governments and other narrowly defined organizations are exempt.

• Large Data Holders: Covered entities that earn $250 million or more in annual revenue. Large data holders also collect, process, retain or transfer the covered data of more than 5 million individuals or the sensitive data of more than 200,000 individuals.

APRA also includes definitions for the types of personal data, designating between covered data and sensitive covered data:

• Covered Data: Includes information that identifies or is linked to an individual or device. Covered data excludes: (1) de-identified data, (2) employee data, (3) publicly available information, and (4) inferences made from multiple sources of publicly available information that do not meet the definition of sensitive covered data and are not combined with covered data, and information in a library, archive or museum collection subject to specific limitations.

• Sensitive Covered Data: A subset of covered data that includes government identifiers, health information, biometric information, genetic information, financial account and payment data, precise geolocation information, log-in credentials, private communications and other types of private information.

CONSUMER CONTROLS AND PRIVATE RIGHT OF ACTION

Under APRA, consumers can access their covered data that is collected, processed or retained by a covered entity after submitting a verifiable request. Covered entities must also provide the name of a third party or service provider to whom their data was transferred and the reasons for the transfer. Consumers can request covered entities to correct inaccurate covered data, delete covered data or export covered data. The bill details that covered entities can deny an individual’s request if it would: (1) be demonstrably impossible; (2) require deleting data necessary to perform a contract; (3) require the release of trade secrets; or (4) prevent the maintenance of a confidential record of opt-out rights.

The bill also grants consumers opt-out rights for the transfer of non-sensitive covered data and for the use of personal information for targeted advertising. APRA directs the Federal Trade Commission (FTC) to issue regulations on the requirements for a “centralized mechanism” for individuals to exercise opt-out rights. Consumers are allowed to bring lawsuits against covered entities six months after the date of enactment, and the bill prohibits mandatory arbitration agreements in the case of a substantial privacy harm or by a violation involving a minor.

RESTRICTIONS AND TRANSPARENCY

The bill prevents covered entities from collecting, processing, retaining or transferring data beyond what is “necessary, proportionate, or limited” for the entity to provide or maintain a product or service. Covered entities are prohibited from transferring covered sensitive data to a third party without an individual’s express consent or, if allowed by a stated permitted purpose, including protecting data security and complying with legal obligations, among others.

Covered entities must also issue publicly available privacy policies with information on their data privacy and security practices. The bill outlines numerous requirements for privacy policies on what data is collected, the purpose for collecting it and general data security practices. Privacy policies must also describe how consumers can opt out of data collection. Covered entities must provide advanced notice of material changes to their policies. Large data holders must retain and publish privacy policies from the past decade and provide a short-term notice of their covered data practices, in addition to other increased compliance.

The bill includes a section on data brokers, requiring the FTC to establish a data broker registry, with data brokers affecting the data of 5,000 or more individuals required to register each calendar year. The FTC’s registry must also include a “do not collect” mechanism for consumers. The bill also requires data brokers to maintain a public website that allows individuals to exercise their opt-out rights, including a link to the FTC’s data broker registry.

PREEMPTION AND COMPLIANCE WITH EXISTING LAWS

APRA would preempt most comprehensive state data privacy laws, including the landmark California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The bill provides a narrow list of state law preemption carveouts, including laws on data breach notification, health data and provisions of laws that address banking and financial records, among others.

Potential Concerns Specific to the Financial Services Industry

The talking points for the legislation state that financial services entities covered by the Gramm-Leach-Bliley Act and in compliance with the law, will be deemed to be in compliance with the data security provisions in the bill. However, the legislation could arguably prompt additional reporting requirements. Furthermore, as written it is not unambiguous that financial service providers are exempt from all aspects of the potential law. There are several exceptions related to the collection, processing, retention, transfer or security of covered data that could add onerous or duplicative requirements.

Next Steps

As mentioned, the proposal is already facing opposition, raising questions about its prospects. Notably, neither Senate Commerce Committee Ranking Member Cruz nor House Energy and Commerce Committee Ranking Member Frank Pallone (D-NJ) are co-sponsors of the bill. Ranking Member Pallone was quick to announce his qualified support for the measure, calling it a “very strong discussion draft” that should be strengthened with provisions related to children’s privacy. Without a four-corner agreement from the leaders on the committees of jurisdiction, it will be difficult for either committee to quickly process the bill.

With the November elections quickly approaching, Congress is also running out of time, and the political will, to pass significant legislation overhauling data privacy rules. Chair Rodgers’ upcoming retirement could also play a role in whether the bill advances and the potential for the balance of power in Washington to shift after the election. However, Chair Cantwell views the closing window of opportunity as a strength for the proponents, telling reporters, “a deadline is a good thing.”

Both committees are expected to move quickly. The House Energy and Commerce Committee has announced it will hold a legislative hearing on APRA and several other data privacy proposals on April 17, and the Senate Commerce Committee will hold a legislative hearing in the coming weeks. Full committee markups could happen within the next month.

One area that may influence the bill’s fate is how members handle the current lack of provisions regarding children’s data privacy. Two children’s data privacy measures in the Senate—the Children and Teens’ Online Privacy Protection Act (COPPA 2.0), led by Sens. Ed Markey (D-MA) and Bill Cassidy (R-LA), and the Kids Online Safety Act (KOSA), championed by Sens. Richard Blumenthal (D-CT) and Marsha Blackburn (R-TN)—have already advanced through the Senate Commerce Committee and could see action on the Senate floor. A bipartisan group of lawmakers including Reps. Gus Bilirakis (R-FL) and Kathy Castor (D-FL) recently introduced companion legislation to KOSA in the House, and Reps. Castor and Tim Walberg (R-MI) introduced companion legislation to COPPA 2.0. The House Energy and Commerce Committee will consider both bills at the upcoming legislative hearing.

Additionally, Chair McHenry’s comments could reinvigorate jurisdictional questions and tensions among committees in the House. In a statement responding to McHenry’s comments, Chair Rodgers said, “I look forward to working with Chair McHenry and welcome his feedback as we move this legislation through our regular order process.”