The American Privacy Rights Act – Is there a Chance?
Summary
In April of this year, a bipartisan group of lawmakers introduced the American Privacy Rights Act (APRA) to establish a comprehensive national framework for data privacy in the United States. APRA aims to unify data privacy standards across the country. It is intended to enhance consumer control over personal data, enforce data minimization, ensure transparency and consent, mandate robust data security measures, hold companies accountable for algorithmic decisions, protect children’s privacy, prohibit discriminatory data practices, and designate the Federal Trade Commission as the primary enforcement authority.
Despite bipartisan support, APRA may fail to pass if lawmakers cannot find an appropriate compromise on longstanding disagreements about preemption of state laws, and whether the law should give individuals the right to sue for a violation of the law, i.e. include a private right of action.
Specific Provisions of APRA
The bill mandates that most companies (including non-profits) limit the collection, processing, and transfer of personal data to what is reasonably necessary to provide a requested product or service or under other specified circumstances. It would generally prohibit the transfer of personal data without the individual’s affirmative express consent, and also grant data subject rights such as the right to access, correct, and delete one’s personal data. Companies must offer an opt-out mechanism for targeted advertising.
APRA primarily designates the Federal Trade Commission (FTC) to issue regulations to enforce these security requirements but also grants authority to state attorneys general and state consumer protection officers. Notably, starting two years after the bill takes effect, individuals may bring civil actions for violations, subject to certain notification requirements.
Preemption of State Laws
Under APRA, comprehensive state privacy laws, such as the California Consumer Privacy Act, would largely be preempted. This means that federal law would supersede state laws, creating a single set of rules for businesses to follow. Supporters argue that this would reduce the administrative burden and compliance costs associated with navigating varying state regulations, particularly for businesses operating in multiple states.
Not all state privacy laws would be preempted, however. Proponents of state-level privacy laws to supplement a federal standard have argued that state laws can often provide stronger protections than federal laws. As a result, the preemption provisions of the law have largely been watered down, and broad categories of laws such as consumer protection laws of general applicability, civil rights, and contract law are explicitly not preempted. Finding the appropriate preemption balance will be critical for garnering strong support.
Private Right of Action
The inclusion of a private right of action is another critical issue in the debate over the American Privacy Rights Act of 2024. This provision is a significant point of contention between privacy advocates and businesses.
Privacy advocates argue that a private right of action is essential for ensuring robust enforcement of privacy rights. Without the ability for individuals to directly sue companies for privacy violations and seek redress for data breaches, businesses may not take compliance seriously.
Conversely, many businesses and some lawmakers oppose the inclusion of a private right of action, fearing it would lead to a surge in litigation. They argue that this provision could open the floodgates to lawsuits, many of which might be frivolous or opportunistic, placing an undue burden on businesses, especially smaller companies that may lack the resources to defend against numerous lawsuits.
Children’s Privacy
Finally, the House has attempted to attach updates to the Children’s Online Privacy Protection Act (COPPA) with APRA, which could complicate passage.
COPPA, enacted in 1998, gives parents control over the information collected from their children online. It requires websites and online services aimed at children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. The law also mandates that these websites and services post clear privacy policies, maintain the confidentiality, security, and integrity of the information collected from children, and provide parents with access to their child’s data.
APRA specifically incorporates updates to COPPA, reinforcing and expanding many of its provisions. For example, APRA would extend COPPA’s requirements to a broader range of digital services and platforms, and reform knowledge requirements to put more liability on platforms when they should infer they are collecting information from a minor. These provisions could result in some additional support among privacy advocates, but they could also drive opposition from critics who worry the bill places undue burdens on businesses.
Conclusion
With stringent requirements for data collection, usage, and security, APRA would give individuals greater control over their personal information. However, passage is far from clear, and we can’t expect longstanding disagreements over the shape and scope of a federal privacy framework to gain any attention till 2025 given the presidential election.