APRA: New Draft US Federal Privacy Bill Proposed

On April 7, 2024, Washington Senator Maria Cantwell and Washington Representative Cathy McMorris Rodgers jointly proposed a new federal privacy bill that aims to return control of personal data to American consumers.

The bill, known as the American Privacy Rights Act (APRA), proposes comprehensive data privacy protections at a national level, eliminating the inconsistent state laws currently in place. The bipartisan legislation aims to establish clear, enforceable privacy rights for Americans, granting them control over their personal data. 

In the official press release, Chair Cantwell stated that

A federal data privacy law must do two things: it must make privacy a consumer right, and it must give consumers the ability to enforce that right. Working in partnership with Representative McMorris Rodgers, our bill does just that. This bipartisan agreement is the protections Americans deserve in the Information Age.

The APRA restricts companies from excessive data collection and usage, provides individuals with rights to access, correct, delete, and export their data, and allows them to opt out of targeted advertising. Moreover, it introduces stringent protections for sensitive data, requiring explicit consent for third-party transfers, and incorporates provisions to prevent discrimination based on personal information. 

Importantly, the bill empowers Americans to enforce their privacy rights, including suing for damages and opting out of mandatory arbitration in substantial privacy harm cases. It mandates strong data security standards to prevent data breaches and holds companies accountable for protecting consumer data, with exemptions for small businesses not engaged in data selling. 

Chairs Cantwell and Rodgers made the following joint statement: 

This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information [...]. This landmark legislation represents the sum of years of good faith efforts in both the House and Senate. It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress. Americans deserve the right to control their data and we’re hopeful that our colleagues in the House and Senate will join us in getting this legislation signed into law.

Who Does the APRA Apply To?

• Covered Entities: Any entity that determines the purposes and means of collecting, processing, retaining, or transferring covered data. This includes entities subject to the Federal Trade Commission Act, common carriers under the Communications Act of 1934, and non-profit organizations not organized for profit. Small businesses, Federal, State, Tribal, territorial, or local government entities, and certain non-profits focused on preventing or investigating fraud are excluded.
• Service Providers: Entities that collect, process, retain, or transfer covered data for the purpose of performing services or functions on behalf of a covered entity.
• Large Data Holders: Covered entities or service providers with significant annual revenue and large volumes of collected, processed, retained, or transferred data.
• Data Brokers: Covered entities whose principal revenue is derived from processing or transferring covered data not collected directly from individuals.

 What Obligations Does the APRA Establish?

• Data Minimization: Collection, processing, retention, or transfer of data should not exceed what is necessary for the provided or maintained product/service, or for permitted purposes.
• Transparency: Covered entities must have publicly available privacy policies detailing their data practices, including data collection, processing, retention, and security practices.
• Consumer Controls: Covered entities must enable consumers to access, correct, delete, and export their data. Consumers also have the right to opt out of targeted advertising and the transfer of their data.
• Data Security and Protection: Covered entities must establish appropriate data security practices according to the entity’s size, the nature and scope of the data practices, and the state-of-the-art of safeguards.
• Sensitive Data: Requiring affirmative express consent to transfer sensitive data.
• Biometric and Genetic Information: Prohibiting the collection, processing, or retention without affirmative express consent, unless necessary for permitted purposes.

What Are the Penalties for Noncompliance under the APRA?

The APRA does not list explicit details about penalties for noncompliance. However, it mentions that the Federal Trade Commission (FTC), State attorneys general, and consumers can enforce against violations. Typically, enforcement could involve fines, injunctions, or other legal actions.

Who Enforces the APRA?

• Federal Trade Commission (FTC): Primary enforcement authority, with the power to treat violations as unfair or deceptive practices under the FTC Act.
• State Attorneys General: Authorized to enforce the Act, seeking injunctive relief, civil penalties, damages, restitution, or other consumer compensation.
• Individuals: Consumers have the right to file private lawsuits against entities that violate their rights under the Act.