Earlier this week, the House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) released a discussion draft of the American Privacy Rights Act of 2024 (APRA). The bill is in the early stages of the legislative process and will face the same challenges that have waylaid previous federal privacy bills. However, this bicameral, bipartisan legislation marks a significant milestone towards the potential passage of a comprehensive federal privacy law.
The discussion draft borrows familiar components from many current and forthcoming state privacy laws and extends them nationwide. It also addresses issues like a private right of action, artificial intelligence (AI) governance, and the scope of the Federal Trade Commission's (FTC) authority. Here’s what you should know:
Breadth of coverage
The APRA generally covers any company that is subject to the broad reach of the FTC Act. The APRA also would cover common carriers as defined by the Communications Act of 1934, and most nonprofits.
Small businesses are exempt from the APRA, unless the business generates revenue from sharing covered data with third parties. So too are government agencies, entities working on behalf of governments, and fraud-fighting nonprofits. Larger businesses collecting high volumes of data—deemed “large data holders”—are subject to heightened restrictions.
The definition of data regulated by the APRA—deemed “covered data”—is substantially similar to definitions in current privacy laws in California, Europe and beyond. “Covered data” is defined as “any information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device.” In addition to excluding de-identified data and publicly available information, the APRA excludes employee data, thereby aligning itself with the majority of state consumer privacy laws, except California’s.
As with current state consumer privacy laws, the APRA sets apart certain types of data as sensitive, and affords such data additional protections and obligations. Sensitive covered data includes a range of personal information similar to those in state consumer privacy laws, such as government identification numbers, health information, and sensitive demographic information like race and ethnicity. However, the APRA definition goes further in several respects. Most notably, its definition of sensitive covered data includes any information about children under age 17, and information captured by cookies or other tracking technologies that reveals an individual’s online activities over time and across third-party websites or major social media sites.
Entities would be considered to be in compliance with the APRA if they already followed other federal privacy laws like the Gramm-Leach-Bliley Act, Health Information Portability and Accountability Act, Fair Credit Reporting Act and Family Educational Rights Privacy Act, but only with respect to the data subject to the requirements of those laws. Entities in compliance with other specific federal data security requirements would also be deemed in compliance with the APRA’s data security obligations. It remains to be seen how exactly the draft's distinction between the regulated status of the entity and its data will be interpreted.
Familiar obligations
The APRA would impose requirements concerning data minimization, transparency, privacy rights and security that are currently offered across several states.
- Data minimization: Covered entities could collect and use covered data only as necessary and proportionate to (i) provide or maintain a requested product or service, (ii) send a reasonably anticipated communication, or (iii) for one of 15 other expressly permitted purposes. The FTC would be tasked with issuing guidance concerning data minimization compliance.
- Transparency: Covered entities would be required to publicly disclose their data collection and usage practices through detailed long- and short-form privacy policies, with similar content requirements as state consumer privacy laws.
- Data subject privacy rights: The APRA would provide familiar consumer privacy rights of access, correction, deletion, data portability and non-discrimination. Consumers would also have the right to opt out of targeted advertising, data transfers and algorithm-based decisions related to housing, employment, education, health care, insurance, credit or access to public accommodations. Expanding on several state laws, the APRA would allow consumers to selectively opt out of data collection, retention or transfers through a browser-based or centralized mechanism. The FTC would be tasked with issuing guidance concerning such mechanisms.
- Affirmative express consent: Covered entities would need to obtain affirmative express consent before collecting biometric and genetic information, and before transferring sensitive data (unless allowed by a permitted purpose).
- Data governance and reporting: Covered entities would be required to designate one or more employees to serve as a privacy or data security officer. Large data holders would have to designate both a privacy and a data security officer, and would be required to file annual certifications with the FTC and conduct biennial privacy impact assessments.
- Data security: Covered entities would also be required to establish data security practices appropriate to the entity’s size, the nature and scope of its data practices, the volume and sensitivity of the data, and the state of the art in safeguards.
A focus on AI governance
One of the APRA’s noteworthy features is its focus on AI. Covered entities would be required to ensure their data collection, processing or transfer practices do not discriminate based on race, color, national origin, sex or disability. The APRA would also require entities to evaluate an algorithm’s design before deploying it in interstate commerce. Large data holders would need to conduct annual impact assessments of potentially harmful algorithms.
The debate over preemption
A pivotal aspect of the APRA is its preemption of state laws. State attorneys general could enforce the APRA, but it would replace the current patchwork of state regulations and create a uniform national data privacy standard. The preemption clause has stirred debate both now and in the past. The APRA’s predecessor, the American Data Privacy and Protection Act, failed when major components of California’s Congressional delegation rebelled and then-Speaker Nancy Pelosi refused to bring the bill to the floor. The APRA has already received criticism from the Executive Director of the California Privacy Protection Agency. Further, several state attorneys general have called for the APRA to allow states flexibility to enact more expansive privacy requirements in the future.
Enforcement, including a private right of action
The APRA would establish a Bureau of Privacy within the FTC to enforce its provisions. Violations would be considered unfair or deceptive acts under the FTC Act. The FTC would provide consumer redress via a Privacy and Security Victims Relief Fund. In addition, state attorneys general would be permitted to seek injunctive relief, monetary damages, and attorneys’ fees or other litigation costs after informing the FTC.
The APRA also includes a private right of action in which individuals could seek injunctive relief, declaratory relief, monetary damages, and attorneys’ fees or other litigation costs. Lawsuits based on “significant privacy harm” or those involving minors would be exempt from mandatory arbitration provisions. Notably, any court-awarded compensation to an individual plaintiff could be offset by recovery for the same violation by the FTC or state enforcers.
The APRA preserves certain state statutory remedies, including those for Illinois residents under the Biometric Information Privacy Act and Genetic Information Privacy Act, and for California residents consistent with the CCPA’s private right of action for data breaches. The APRA provides covered entities an opportunity to “cure” potential violations in some actions seeking injunctive relief or actual damages.
What’s next?
Though in its infancy, the APRA discussion draft represents a significant step towards a national data privacy framework in the United States. Whether it can succeed will depend upon bipartisan coordination in a presidential election year and careful navigation of controversial issues such as preemption and the presence of a private right of action. As the APRA progresses through the legislative process, Manatt will closely monitor its developments and offer guidance in an evolving regulatory landscape. Meanwhile, businesses should also remain vigilant about their compliance obligations under the growing number of state laws focused on general data privacy, health data, children’s data and uses of AI.