APRA Faces Opposition Due to Privacy Concerns
After being proposed on April 7, 2024, the APRA (American Privacy Rights Act) is now facing opposition due to privacy concerns. The criticisms mainly revolve around how it could potentially lower the standards set by existing state laws like the California Consumer Privacy Act (CCPA) or around children’s privacy. Opponents of this new bipartisan law argue that APRA might weaken enforcement mechanisms, reduce the scope of data categories protected under privacy laws, and prevent states from innovating and adapting their own regulations to address emerging privacy issues effectively. In a previous post, we discussed the main points of the APRA in the form of a short summary.
On April 16, 2024, the California Privacy Protection Agency (CPPA) issued a letter to the Chairs of the House Energy & Commerce Committee and the Innovation, Data, and Commerce Subcommittee,which outlined several reasons against adopting the American Privacy Rights Act (APRA), compared to the existing California Consumer Privacy Act (CCPA). In the official announcement on the CCPA’S official website, Executive Director Ashkan Soltani stated that
this is a time when we need to be forward-thinking about the challenges posed by the evolution of technology, and support states’ ability to adopt new laws to address emerging privacy threats. The CPPA supports a federal law that sets the floor for these protections, but as drafted, APRA seeks to set the ceiling. This could freeze protections in place for decades.
Here are the main points of the letter sent by the CPPA:
- Weakening Existing Protections:
- APRA seeks to weaken protections related to data brokers compared to the California Delete Act. While the Delete Act allows consumers to request deletion of their data in a single step, APRA only provides a "Do Not Collect" request that still permits data brokers to retain and potentially sell consumer information.
- It also caps penalties for data brokers' noncompliance at about $10,000 per year, which could undermine overall enforcement compared to the stronger provisions in California's Delete Act .
- In short, "APRA would lock the country into a standard that hinders California’s rulemaking innovation" and could strip "the California Privacy Protection Agency of its existing powers, which includes the ability to audit and bring actions against non-compliant businesses". Furthermore, “the California Delete Act, adopted last year, gives consumers the right to request that their personal information held by all registered data brokers be deleted, in a single step. If the consumer requests such deletion, businesses are also prevented from selling or sharing new personal information. And if a deletion request cannot be verified, the data broker must honor the request as an opt out of sale or sharing. Instead, APRA provides for a global data broker “Do Not Collect” request, which would still allow data brokers to retain and sell consumers’ information—which is a significant security risk.”
- Exclusion of Sensitive Categories:
- APRA lacks critical protections for categories like sexual orientation, union membership, and immigration status, leaving significant gaps. For instance, it exempts inferences made from publicly available information, unless they directly reveal or are combined with other sensitive covered data.
- Overriding State Authority:
- APRA could strip the California Privacy Protection Agency of its existing powers, such as the ability to audit and bring actions against non-compliant businesses. This undermines a model that has been effective at addressing privacy concerns at the state level.
- Stifling Innovation in Privacy Regulation:
- By creating a national standard, APRA may prevent states from adopting regulations that address emerging technologies. The approach could make the compliance landscape more complex for consumers, particularly vulnerable groups, by requiring them to navigate numerous different compliance procedures set by different businesses because "a federal privacy law with sweeping preemption language could freeze protections for the next thirty years" and "shift the burden of compliance to consumers, specifically seniors, parents of young children, and other underserved groups who do not have the resources to navigate hundreds, if not thousands, of different processes."
On April 17, 2024, Energy and Commerce Committee Ranking Member, Frank Pallone, Jr., delivered an opening remark at a legislative hearing in which he outlined reasons why the American Privacy Rights Act (APRA) should not be adopted without further enhancements. The reasons are summarized below:
- Children's Privacy: Although the APRA recognizes the sensitivity of children's information, it lacks specific protections that were included in the previous American Data Privacy and Protection Act (ADPPA). For instance, Frank Pallone suggested that APRA should explicitly prohibit targeted advertising to children and incorporate privacy by design practices for children's data.
- Data Minimization: Although Mr. Pallone supported the move towards data minimization in APRA, which limits the collection and use of personal data to what is necessary, he mentioned that this principle needs to be strengthened to ensure that unnecessary data collection – especially by applications that do not need such data to function – is avoided.
- Consumer Control over Data: APRA should enable consumers to have more control over their data, such as the ability to access, correct, delete, or port their data. It should also allow consumers to opt out of targeted advertising and restrict data brokers from collecting their personal information without explicit consent.
- Robust Enforcement and Regulatory Improvements: There's a need for creating a Youth Privacy Division at the FTC, as proposed, to enhance enforcement and oversight, specifically focused on protecting children’s privacy online
- Algorithmic Accountability: Frank Pallone pointed out that privacy laws should evolve to include provisions on algorithmic accountability and discrimination, given the advancements in AI technologies since the ADPPA was originally introduced. He suggested that current legislation may not sufficiently address the potential misuse of AI in decision-making processes that could impact civil rights.
Key Takeaway
- The criticism of both parties mentioned above highlight significant apprehensions about the potential dilution of privacy protections if APRA were to be adopted.
- There are still some areas where the APRA could be improved to provide more comprehensive protections, particularly for vulnerable groups such as children, and to adapt to the technological landscape that continues to evolve.
- The APRA has the potential to lower the privacy standards set by the CCPA, reducing the ability of states to innovate and adapt to new privacy challenges, and to weaken the enforcement mechanisms that are crucial for protecting consumer privacy.