Will the U.S. finally join most developed nations and pass a comprehensive federal privacy law? Some believe this may be the year that the U.S. does just that.
Calls for passage of a comprehensive U.S. federal privacy law have come not just from privacy activists – many in industry want it as well. The challenges of complying with the current labyrinth of state privacy laws have caused significant frustration among many businesses, leading to complicated compliance programs, unpredictability, and friction in developing a “one size fits all” approach to privacy in the U.S. Further, organizations have had to struggle with awkward consumer relations where privacy rights often depend upon an individual’s state of residence. While a federal comprehensive privacy law will certainly bring more businesses into the fold and require additional compliance measures for most covered businesses, the flipside is that a federal privacy law could pave the way for businesses to streamline and standardize their U.S. approach to privacy.
On April 7, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash.), and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-Wash.), unveiled a discussion draft of the American Privacy Rights Act (APRA), a proposed comprehensive federal privacy law that would provide all Americans with broad privacy rights, preempt the maze of comprehensive state privacy laws, implement transparency requirements and restrictions on covered businesses’ processing of personal data, and establish robust and clear enforcement mechanisms. The APRA is a renewed effort following failure of the American Data Privacy and Protection Act to gain traction roughly two years ago.
In a press release accompanying the unveiling of the APRA draft, Chairs Rodgers and Cantwell noted, “This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information.”
“A federal data privacy law must do two things: it must make privacy a consumer right, and it must give consumers the ability to enforce that right,” said Chair Cantwell. “This landmark legislation gives Americans the right to control where their information goes and who can sell it. It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act,” said Chair Rodgers.
A High-Level Look at the American Privacy Rights Act
Applicability
In contrast to most current state privacy laws, the APRA would apply to both commercial businesses as well as nonprofit organizations. However, “small businesses,” meaning those businesses with average annual revenue of $40 million or less during the preceding three (3) years that do not collect personal data of more than 200,000 individuals and do not sell personal data, would be exempt from the APRA. The APRA would also not apply to government entities.
Consumer Privacy Rights
The APRA would create a broad set of consumer rights with respect to their personal data (referred to as “covered data” in the APRA), including the right to access, correct, delete, and export their data, as well as opt out of targeted advertising and data transfers, and would provide individuals with the right to opt out of the use of algorithms for consequential decisions.
Business Obligations
Covered businesses would be required to designate one or more employees to serve as a privacy or data security officer, meet transparency (such as posting detailed privacy policies), data security, and data minimization requirements under the APRA, and would be prohibited from collecting or transferring “sensitive covered data” (such as biometric or genetic information) to third parties unless the business first obtained the consumer’s affirmative express consent. The APRA would also prohibit covered businesses from using consumers’ personal data to discriminate against consumers.
Data brokers would be specifically regulated by the APRA, and would be required to maintain a public website that identifies the entity as a data broker and includes tools for consumers to exercise their consumer controls and opt-out rights. The FTC would also be directed to create a data broker registry (with registration requirements for certain data brokers), which would include mechanisms for consumers to opt out of collection of their personal data.
Enforcement
FTC: The APRA provides for enforcement by the Federal Trade Commission (FTC), which would be directed to establish a new bureau in order to carry out its enforcement authority under the APRA.
State Attorneys General: State attorneys general, chief consumer protection officers, and other similar state officers would have authority under the APRA to enforce the APRA.
Private Right of Action: Notably, the APRA would allow individual consumers to file private lawsuits directly against covered businesses that violate their rights under the APRA, allowing recovery for actual damages, injunctive relief, declaratory relief, and reasonable attorney fees and costs. In addition, consumers would be permitted to recover statutory damages consistent with Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act for an action involving a violation of the affirmative express consent provisions for biometric and genetic information where the conduct occurred substantially and primarily in Illinois, and California residents would be permitted to recover statutory damages consistent with the California Consumer Privacy Act for certain data breaches.
Preemption
Comprehensive state privacy laws, such as the California Consumer Privacy Act, would be preempted by the APRA. However, other state laws are exempt from the APRA’s preemption provisions, such as laws related to consumer protection, civil rights, employee privacy, student privacy, data breach notification, banking and financial records, electronic surveillance and wiretapping, unsolicited email and phone, health care, health information, medical information, and various other laws.
Additionally, a number of federal laws, such as the Children’s Online Privacy Protection Act (COPPA), would remain in effect, and entities subject to and in compliance with the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) would be deemed in compliance with the APRA.
Automated Decision Making and AI
The APRA would regulate, and require specific impact assessments relating to, the use of certain algorithms for decisions relating to (A) facilitating, advertising for, or determining access to, or restriction on the use of, housing, education, employment, healthcare, insurance, or credit opportunities; (B) determining access to, or restrictions on the use of, any place of public accommodation; (C) disparate impact on the basis of protected class characteristics or membership; or (D) disparate impact on the basis of political party registration status. Additionally, businesses would be required to provide notice of, and permit individuals to opt out of, the use of certain algorithms for such consequential decisions.
What’s Next?
While many additional steps remain before the APRA becomes law, its bipartisan support certainly elevates its chances of passage.
Areas of contention will undoubtedly revolve around several key topics, including the private right of action and the preemption of comprehensive state privacy laws. A private right of action would more than likely bring a barrage of private lawsuits against companies, which industry lobbyists are sure to rally against. State regulators will predictably be opposed to the APRA preemption provisions. Ashkan Soltani, Executive Director of the California Privacy Protection Agency (which enforces the California Consumer Privacy Act), has already released statements expressing disappointment with the APRA’s proposed approach to preemption.
The first hearing has already been held by the House Energy & Commerce Committee’s Subcommittee on Innovation, Data and Commerce. Although some Members expressed concerns about the draft legislation, there was less focus on stifling innovation and more discussion about the actual harms caused by unregulated data collection and about federal privacy legislation being long overdue.