Many attempts have been made to introduce country-wide privacy legislation in the USA, and all of them have failed so far. Hopes for a federal US privacy law are up again with the introduction of the American Privacy Rights Act (APRA), a new privacy bill that aims to protect the privacy of individuals in the US at the federal level and could preempt state-level privacy laws such as the California CPRA.
The draft bill was received positively during its subcommittee hearing and was advanced by the House Subcommittee on Data, Innovation, and Commerce on May 23rd, leading many to believe that there is a good chance the new bill will become law.
If passed, the draft bill would cover more organizations and impose new obligations, such as giving individuals the right to opt out of targeted advertising and requiring organizations to have a privacy policy.
Curious about whether the draft bill would apply to you and how you can comply? Read on to find out.
Note on APRA's status: At the time of writing, the bill has only been approved by a subcommittee. It still needs to pass the full committee and both houses of Congress, and then be signed by the President, before it becomes law. This article will be updated as the situation evolves.
What is the American Privacy Rights Act (APRA) 2024?
On April 7th, 2024, Maria Cantwell, Chair of the U.S. Senate Committee on Commerce, Science and Transportation, and Cathy McMorris Rodgers, Chair of the House Committee on Energy and Commerce, released the draft American Privacy Rights Act, a bipartisan effort to strengthen privacy protection for all Americans' data.
The new Bill aims to give all Americans more control over their data by introducing new rights, such as the right to opt out of targeted advertising and access personal data.
Furthermore, the bill imposes strict obligations on organizations, such as implementing appropriate data security measures and prohibiting the use of personal data to discriminate against individuals.
Another aim of the new bill is to harmonize privacy protections and apply them consistently across the United States. Today, many states have their own privacy laws, such as California's CPRA or Florida's Digital Bill of Rights, and these laws often differ in key areas (scope thresholds, consumer rights, enforcement).
Our comparative guidance on US state privacy laws covers these differences in more detail.
We should note that the draft bill is subject to revisions, and the final Act, if approved, may differ from the version discussed here.
As of writing this article, the last revision to the draft Act was made on 23rd May 2024. It introduced changes such as amendments to COPPA (the Children's Online Privacy Protection Act of 1998) and new obligations such as establishing a centralized mechanism through which consumers can request that data brokers erase their data.
Key definitions under the APRA
Like state-level privacy laws, APRA defines what data is covered by the Act, what entities should comply with it, and what entities and/or personal data are excluded from its scope.
Covered Data is defined in Section 2(9) of the draft Act as information that identifies, is linked to, or is reasonably linkable to an individual or to a device. This definition is broadly similar to the EU GDPR's definition of personal data, and the Act only applies to such data.
Data excluded from the scope of APRA includes de-identified data, employee information, and publicly available information.
Covered Entities are defined in Section 2(10) of the Act as organizations that decide for what purposes covered data is collected and processed and by what means it is collected and processed.
For example, if your website has a 'Contact Us' form and you decide what data this form captures, you are deciding the purposes and means of processing and will likely be considered a "Covered Entity" under the APRA, unless one of the exemptions discussed below applies to you.
Furthermore, the Draft Act also defines other terms such as “publicly available information,” “large data holder,” “small business,” and “sensitive covered data,” which includes data types such as health information, government identifiers, payment data, information revealing sexual behavior, and precise geolocation information.
Does the American Privacy Rights Act (APRA) apply to you?
As noted above, a "covered entity" is broadly defined under the Act as an entity that "determines the purpose and means of collecting, processing, retaining, or transferring covered data." The entity must also be subject to the Federal Trade Commission Act for the APRA to apply to it.
However, if you are a small business, you can rely on the small business exemption and fall outside the American Privacy Rights Act. APRA will not apply to you if you meet all three of the following criteria:
- Your average annual gross revenue over the three preceding calendar years was $40 million or less;
- You did not collect or process the covered data of more than 200,000 individuals per year;
- You did not transfer covered data to a third party in exchange for revenue or anything of value.
If you miss any one of these criteria, the exemption does not apply and APRA will most likely apply to you.
APRA breakdown: exemptions, obligations, enforcement
What are the exemptions from the scope of the APRA?
Certain types of data and organizations are exempt from the scope of the APRA.
Section 2(10)(iii) of the draft Act excludes entities such as government agencies, small businesses, and certain non-profit organizations from the Act's scope. Section 2(9) likewise excludes employment information, de-identified data, and publicly available information from the definition of covered data.
What are the main obligations of Covered Entities under the APRA?
The Draft Act imposes various obligations on covered entities:
- Implementing an opt-out mechanism for targeted advertising: Section 6(2) of the Act requires organizations to provide consumers with a mechanism to opt out of targeted advertising. The mechanism must be clear and conspicuous, and the organization must pass a consumer's opt-out request on to its service providers so that they stop targeting as well.
- Obtaining express consent before transferring sensitive data to third parties: Section 3(b) of the Act requires covered entities to obtain express consent before transferring sensitive covered data to third parties. For instance, if you collect payment and card data and intend to transfer it to a third party that will use it for its own purposes, you will likely need express consent first.
- Displaying a compliant privacy policy: The Act requires covered entities to provide consumers with a privacy policy that includes information such as the covered entity's identity and contact information, what data it collects, for what purposes, and how long it retains it. Importantly, the privacy policy must be provided in a clear, conspicuous, non-misleading, easy-to-read, and readily accessible manner.
- Appointing a privacy officer: Under Section 10, a covered entity must designate an employee to act as a privacy or data security officer.
- Implementing appropriate organizational and security measures: Section 9 of the draft Act requires covered entities to establish and maintain reasonable data security practices that protect the confidentiality, integrity, and availability of covered data.
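The opt-out obligation is the one most engineering teams will have to build rather than write. Two properties matter: the consumer's choice must be enforced before any targeted-advertising decision is made (fail closed, even while downstream notifications are still in flight), and every service provider, including one onboarded after the opt-out was received, must be told about it. The following is an added illustration of that logic, not code from Didomi's CMP or from the draft Act; the class and function names, the provider identifiers, and the sample request are assumptions constructed for the example.

```python
"""Record, enforce, and propagate targeted-advertising opt-outs.

Added example; not Didomi's code and not prescribed by the APRA draft.
All identifiers (OptOutRegistry, provider names, consumer ids) are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class OptOutRecord:
    consumer_id: str
    received_at: datetime
    # Service providers that have already been sent this opt-out.
    notified: Set[str] = field(default_factory=set)


class OptOutRegistry:
    """Source of truth for opt-outs plus an outbox of provider notifications."""

    def __init__(self, service_providers: Iterable[str]):
        self.service_providers: Set[str] = set(service_providers)
        self._records: Dict[str, OptOutRecord] = {}
        # Messages to deliver to service providers (e.g. over their API or SFTP).
        self.outbox: List[dict] = []

    def record_opt_out(self, consumer_id: str,
                       received_at: Optional[datetime] = None) -> OptOutRecord:
        """Store the request (idempotently) and queue provider notifications."""
        rec = self._records.get(consumer_id)
        if rec is None:
            rec = OptOutRecord(consumer_id, received_at or datetime.now(timezone.utc))
            self._records[consumer_id] = rec
        self._queue_pending_notifications(rec)
        return rec

    def add_service_provider(self, name: str) -> int:
        """Onboard a provider; it must receive every opt-out already on file.

        Returns the number of notifications queued for the new provider."""
        self.service_providers.add(name)
        before = len(self.outbox)
        for rec in self._records.values():
            self._queue_pending_notifications(rec)
        return len(self.outbox) - before

    def _queue_pending_notifications(self, rec: OptOutRecord) -> None:
        # Only providers that have not yet been told; sorted for determinism.
        for provider in sorted(self.service_providers - rec.notified):
            self.outbox.append({
                "provider": provider,
                "consumer_id": rec.consumer_id,
                "action": "opt_out_targeted_advertising",
                "received_at": rec.received_at.isoformat(),
            })
            rec.notified.add(provider)

    def has_opted_out(self, consumer_id: str) -> bool:
        return consumer_id in self._records

    def choose_ad_strategy(self, consumer_id: str) -> str:
        """Fail closed: an opted-out consumer only ever sees contextual ads,
        regardless of whether provider notifications have been delivered."""
        return "contextual" if self.has_opted_out(consumer_id) else "targeted"


def demo() -> dict:
    """Walk through a constructed opt-out request end to end."""
    registry = OptOutRegistry(["adtech-a", "adtech-b"])

    # Constructed sample request, as a CMP or preference centre might submit it.
    request = {"consumer_id": "c-123", "choice": "opt_out_targeted_ads"}
    if request["choice"] == "opt_out_targeted_ads":
        registry.record_opt_out(request["consumer_id"])

    # A provider onboarded later still has to be told about c-123.
    late_notifications = registry.add_service_provider("adtech-c")

    # Repeating the request must not produce duplicate notifications.
    registry.record_opt_out("c-123")

    return {
        "c-123": registry.choose_ad_strategy("c-123"),
        "c-999": registry.choose_ad_strategy("c-999"),
        "queued": len(registry.outbox),
        "late_notifications": late_notifications,
        "providers_notified": sorted(registry._records["c-123"].notified),
    }


if __name__ == "__main__":
    print(demo())
```

The outbox is kept separate from the preference store on purpose: delivery to a provider can fail and be retried, while the consumer-facing decision (`choose_ad_strategy`) depends only on the locally stored record and is therefore correct from the moment the request is received.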
Who can enforce the American Privacy Rights Act (APRA)?
Under Sections 17 and 18 of the draft Act, the Federal Trade Commission (FTC) and state attorneys general (AGs) can take enforcement action against covered entities that violate the Act.
- Section 17 states that any violations of the APRA shall be treated as an unfair or deceptive practice as defined under the FTC Act, and the FTC shall take enforcement action against such violations.
- Section 18 states that the AGs can bring actions to seek injunctive relief, damages, and penalties against covered entities that violate the Act.
Can individuals take action against businesses violating the APRA? Section 19 of the Act gives individuals a private right of action against entities that violate the draft Act's provisions. Under this Section, individuals may file a lawsuit to recover damages or to seek injunctive and/or declaratory relief against entities that do not comply with APRA.
Although the private right of action was not discussed during the subcommittee stage, it will likely be a point of contention during the full committee stage. Republican leadership currently opposes it and will likely try to remove it from the scope of the APRA.
Businesses should closely monitor the legislative process's next stages to determine whether a private right of action remains included in the law.
Does APRA preempt state-level privacy laws?
Section 20 of the Act emphasizes the Act's overarching aim of establishing a uniform data privacy law and states that the draft Act preempts state privacy laws (subject to the exceptions discussed below). Because this draft version would effectively replace existing state-level privacy laws with the APRA, it has received backlash from states that have their own privacy laws.
For example, the California Attorney General (AG) and 15 other state AGs wrote a letter to Congressional leadership asking them to remove this preemption clause from the APRA. This section will likely be a contentious issue during the full committee debate and may be subject to change.
Under the current version, there are exceptions to this preemption. For instance, state privacy laws that address the protection of student information, contract law, and tort law are not affected.
How Didomi can help you comply with the APRA
State attorneys general, the FTC and, for now, consumers will all be able to take legal action if you fail to comply with the draft Act.
With three separate actors able to bring your non-compliance to light, it is important that you understand and comply with the APRA requirements if it becomes law.
One key obligation is to implement an opt-out mechanism so your customers can exercise their data subject rights, such as opting out of targeted advertising and data transfer. Additionally, you must obtain consent before sharing sensitive data and display a privacy policy to inform consumers.
Our Consent Management Platform (CMP) helps you set up an opt-out mechanism for your customers. Once APRA is signed into law, it will come into effect 180 days later, so it is worth getting ready now.
APRA: Frequently Asked Questions (FAQ)
When will the APRA come into force?
If the APRA becomes law, it will come into effect 180 days after it is enacted.
Can individuals bring a private right of action against organizations?
Under the current draft, yes. Individuals can file a lawsuit if an entity fails to comply with the draft American Privacy Rights Act's requirements, such as providing the right to opt out of targeted advertising or to access and/or delete their personal data. Individuals may seek actual damages and may also apply for injunctive relief.
However, some Republican leaders oppose the Act's private right of action, so it remains to be seen whether this provision survives in the final version of APRA.
What is the right to opt out of covered algorithms?
If an entity uses a covered algorithm to make a consequential decision, for instance one affecting an individual's access to housing, employment, healthcare, or education, the entity must give the individual the right to opt out of the use of that algorithm.
Are service providers subject to the draft APRA Bill?
According to Section 2(10)(b) of the Act, service providers acting in that capacity are excluded from the definition of "covered entity." The draft still addresses them indirectly: as noted above, a covered entity must forward consumers' opt-out requests to its service providers.
What is sensitive data under the American Privacy Rights Act (APRA)?
Section 2(34) of the Act lists the categories of sensitive covered data, including, but not limited to, government-issued identifiers, health information, biometric information, payment data, information revealing sexual behavior, and precise geolocation information.
What is the deadline to comply with consumers' requests, such as the right to access data?
Under the current draft, organizations must respond to a consumer's request to exercise their rights within 30 days of receiving the request.