What Is the American Privacy Rights Act, and Who Supports It?

(Andrey-Emelyanenko/Shutterstock)

The American Privacy Rights Act of 2024 (APRA), a proposed federal data privacy law that was introduced last month by Congresswomen from Washington State, is currently making its way through both halls of Congress. If approved and signed into law by President Biden–which is no guarantee–the APRA would represent a monumental shift in data privacy.

The APRA is a proposed new data privacy law introduced on April 7 by U.S. Senator Maria Cantwell (D-WA) and U.S. Representative Cathy McMorris Rodgers (R-WA). If enacted, the APRA would give implement a national data privacy standard, giving American citizens new federal rights regarding how data about them is collected, stored, and used. It would also eliminate the patchwork of state data privacy laws, which currently number at least a dozen (and counting).

According to a summary of the bill provided by Sen. Cantell’s office, the APRA would set regulations on how “covered entities” (mostly large businesses) can interact with “covered data,” or private data that’s linked to a person or a device.

What APRA Covers

The law requires covered entities to receive “affirmative express consent” from people before transferring any sensitive privacy data about them to a third party (with some exceptions for security and legal obligations). Biometric and genetic data has even stronger protections.

(La1n/Shutterstock)

People would gain the right to know what data companies have stored about them, and even to receive copies of that data. It would also require companies to, upon an individual’s request, disclose the names of any entities the company has transferred their data to. People would also have the right to have their private data permanently deleted by covered entities, and any errors in the data must also be corrected at the request of individuals within a set period of time.

There’s a “data minimization” aspect to the APRA that prohibits companies from collecting data that is not “necessary” or “proportionate” to the purpose for which the data is collected. The APRA would also introduce new transparency requirements for companies to publicly post their data privacy policies. If a company changes its privacy policy, it must give people the option to opt out. The law would also require companies to implement certain minimum data security standards.

The APRA ostensibly is about data, but AI is also covered a bit. Companies must evaluate their “covered algorithms” before deploying it and provide that evaluation to the FTC and the public. Companies must also adhere to people’s request to opt out of the use of any algorithm related to housing, employment, education, health care, insurance, credit, or access to places of public accommodation.

The APRA would be enforced by a new bureau operating under the Federal Trade Commission (FTC). State attorneys general would also be able to enforce the new law. It would also allow individuals to file private lawsuits against companies that violate the law.

There are several important exceptions in the APRA. For instance, small businesses, defined as having less than $40 million in annual revenue or collecting data on 200,000 or fewer individuals (as long as they’re not in the data-selling business themselves), are exempt from the APRA’s requirements. Governmental agencies and organizations working for them are also exempt, in addition to non-profit organizations whose main purpose is fraud-fighting, as well. The National Center for Missing and Exploited Children gets a carve-out, too.

Large companies (defined as having $250 million or more in revenues or having data on 5 million or more individuals) have additional requirements under the APRA regarding the retention period for their privacy policies, providing metrics on privacy-related requests, hiring of privacy and a security officers, conducting regular security audits and privacy assessments, and using AI.

Covered data under the APRA is defined as health information; biometric information; genetic information; financial account and payment data; precise geolocation information; log-in credentials; private communications; information revealing sexual behavior; calendar or address book data, phone logs, photos and recordings for private use; any medium showing a naked or private area of an individual; video programming viewing information; an individual’s race, ethnicity, national origin, religion, or sex; online activities over time and across third party websites, or over time on a high-impact social media site; information about a covered minor; and other data the FTC defines as sensitive covered data by rule.

The APRA would also establish a pilot program for using privacy-enhancing technology, and any company participating in that pilot would gain a “rebuttable presumption of compliance with the data security requirements.”

Reactions to APRA

“This landmark legislation gives Americans the right to control where their information goes and who can sell it,” Rodgers said in a press release. “It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent.”

Several prominent names in business and tech are throwing their support behind the APRA. Brad Smith, the vice chair and president at Microsoft, called the APRA “a good deal” that would give all consumers in the US “robust rights and protections.”

“This is a thoughtful draft and a positive step towards a comprehensive federal privacy legislation,” said Chris Mohr, president of the Software Information and Industry Association.

“These policies put Americans back in charge of their data and reduce incentives to abuse the American consumer and our kids,” said Kara Frederick, the director of the Tech Policy Center at The Heritage Foundation.

(one photo/Shutterstock)

Not everyone is convinced, however. In a New York Post opinion piece, Taylor Barkley, the director of public policy at the Abundance Institute, says the new law would hurt tech startups and strengthen the cloud bigs.

“An all-but-certain side effect of APRA is that it could make it dramatically harder for tech startups to get off the ground and for small businesses to compete–while providing yet another competitive advantage to already massive companies like Meta and Amazon,” Barkley wrote.

Another critic of the APRA is Omer Tene, a partner at a Boston law firm, who says the “data minimization” requirement is a mess and probably a violation of the U.S. Constitution.

“Conceptually, US privacy law–indeed *any* US law–is based on the premise that everything is permitted unless explicitly outlawed. It’s a free country. You are allowed to collect/process data (really, more broadly, to do *anything*) unless the law limits it,” Tene writes in a LinkedIn post. “APRA would shift our default from everything allowed to everything prohibited. You can process data only ‘to provide or maintain a specific product or service requested by the individual.’”

The National Retail Federation  also chimed in yesterday, saying the APRA would invite “drive-by” lawsuits that hurt small businesses, similar to what happened with the Americans with Disability Act (ADA). “…[T]rial lawyers will be incentivized to go after small businesses to collect quick settlements,” it wrote.

While the APRA appears to have momentum, it’s too soon to tell whether it has enough backing to get it across the finish line. Most people agree that the U.S. needs some type of national security law, but it’s unclear if this law, which the Washington Post called “a sprawling plan,” will be the one.

Related Items:

Will New Government Guidelines Spur Adoption of Privacy-Preserving Tech?

How to Help Your Data Teams Put Privacy First

MOAB Puts a Bow on Data Privacy Week