The United States has long been without a comprehensive federal privacy law, leaving consumers vulnerable and lacking control over their personal information. However, a recent development suggests a significant step towards change. On April 7, 2024, the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science, and Transportation jointly unveiled a draft of the American Privacy Rights Act (APRA). This bipartisan legislation has the potential to be a watershed moment, establishing a comprehensive federal framework for data privacy and protection and empowering citizens to control their personal information.
The APRA marks a significant shift from the current patchwork of state-level data privacy laws. By creating a unified national standard, the Act aims to simplify compliance for businesses and provide clearer data protection rights for consumers. It grants individuals a range of data privacy rights and establishes strong enforcement mechanisms to hold violators accountable.
Scope and Definitions
- Covered Entities: The Act applies to businesses that determine how data is collected, used, and stored, and are subject to the Federal Trade Commission (FTC) Act. This includes common carriers and certain non-profit organizations. Notably, small businesses, government entities, and specific organizations like the NCMEC are exempted.
- Covered Data: The APRA defines covered data as any information that identifies or is linked to an individual or device. This excludes anonymized data, employee data, publicly available information, non-sensitive inferences drawn from public data (when not combined with covered data), and information held by libraries, archives, and museums.
Key Provisions of the APRA
- Consumer Control Over Data: The APRA empowers consumers with control over their personal information. This includes the right to access, correct, delete, and restrict the sale or transfer of their data. Also, consumers can opt out of targeted advertising and certain data processing activities.
- Data Minimization and Transparency: The APRA emphasizes data minimization, requiring companies to collect and process data only as necessary for their services. The draft law also mandates transparency by requiring companies to publish easily understandable, publicly accessible privacy policies that outline data collection practices, purposes of data use, third-party involvement, data retention periods, and security measures. Additionally, consumers have the right to be informed about their control options and opt-out rights.
- Biometric information, genetic data, and other sensitive data require explicit affirmative consent for collection or transfer, with exceptions for specific permitted purposes.
- Permitted purposes for data collection include data security, legal compliance, product recalls, market research, product improvement, fraud prevention, and incident response.
- The FTC will issue guidance to assist entities in complying with data minimization requirements.
- Stronger Protections for Sensitive Data: The APRA defines sensitive data more broadly than previous proposals. This includes data revealing an individual's online activities across websites or online services, as well as biometric and genetic information. Explicit consent is required for the collection and transfer of sensitive data.
- Focus on Data Security: The APRA outlines data security measures for companies handling consumer data. These measures must be proportionate to the amount and sensitivity of the data involved. Businesses are obligated to implement robust data security practices commensurate with the size and sensitivity of the data they handle. This includes vulnerability assessments, risk mitigation strategies, and the designation of data security officers.
- Prohibitions and Protections: The APRA prohibits the use of "dark patterns" - deceptive design practices aimed at manipulating users into waiving their rights or giving consent they did not intend to give. Moreover, entities cannot retaliate against individuals for exercising their rights under the Act, nor can they condition service provision on the waiver of these rights. The Act also safeguards the integrity of loyalty programs and market research by requiring affirmative express consent for participation.
- Stricter Regulations for Service Providers and Third Parties: The APRA holds service providers accountable for adhering to the instructions of the entities they serve. They must actively assist entities in complying with the Act and maintain robust data security practices. Also, entities are obligated to conduct due diligence when selecting service providers and transferring data to third parties.
- Data Brokers: The APRA establishes specific requirements for data brokers. They are required to maintain a publicly accessible website where individuals can exercise their control rights and opt out of data sales. The FTC will create a data broker registry and issue guidance for the design and operation of these websites.
- Enforcement by Multiple Entities: The APRA creates a multifaceted enforcement structure. The Federal Trade Commission (FTC) is tasked with creating a new bureau to enforce the law, while state attorneys general and individual consumers also have the right to take legal action for violations.
- Algorithmic Impact Assessments: Large data holders and entities that rely on algorithms for significant decisions like employment or credit approval must conduct impact assessments and evaluations to identify and mitigate potential biases. Consumers retain the right to opt out of such algorithmic decision-making processes.
- Civil Rights and Algorithms: The APRA prohibits discriminatory data practices based on protected characteristics like race, religion, or disability, with some exceptions. Large data holders and businesses that use algorithms for consequential decisions (decisions impacting housing, employment, education, healthcare, etc.) must conduct assessments and evaluations to identify potential bias and ensure fairness. Consumers will also have the right to opt out of such algorithmic decision-making.
The Road Ahead for APRA
While APRA has bipartisan support, it is still under development. Here's what to watch for:
- Congressional Approval: The House and Senate need to pass the bill before it becomes law.
- Revisions and Amendments: The bill might undergo further revisions before final approval.
- Enforcement Timeline: Even if passed, there might be a delay before enforcement begins.
Veda Dalvi
Hello, I'm Veda, the Legal Analyst with a knack for decoding the complex world of laws. A coffee aficionado and a lover of sunsets, oceans and the cosmos. Let's navigate the Legal Universe together!