Bipartisan Group of Lawmakers Unveils Federal Privacy Bill
Over the weekend, a bipartisan and bicameral group in Congress unveiled a privacy proposal—The American Privacy Rights Act of 2024 (APRA)—along with a brief summary. The APRA builds on existing privacy frameworks at the state level with requirements covering transparency and consumer rights. But the APRA makes significant changes, such as adding an expansive private right of action, prescriptive security obligations, data broker registration (and opt-out rights), and onerous obligations on larger companies.
Any bill, let alone one as consequential as a privacy bill, faces an uphill battle during a presidential election year. But, unlike 2022’s failed American Data Privacy and Protection Act, the APRA has two significant factors working in its favor. First, it is backed by key congressional leaders: Sen. Maria Cantwell (D-Washington) and Rep. Cathy McMorris Rodgers (R-Washington), chairs of the committees that would take up the bill. Second, state efforts have shown that privacy is increasingly a nonpartisan issue with deep blue Oregon, dark red Kentucky, and many states in between unanimously (or nearly so) passing comprehensive privacy laws.
Key Points
The bill covers a lot of ground (and 140 pages), but the key takeaways are that the APRA contains:
- Strong data minimization requirements that restrict collection and use
- Prescriptive data security requirements
- Increased obligations for larger companies (including executive certifications, impact assessments, and algorithm reviews)
- Broad preemption that nullifies state biometric and comprehensive privacy laws, except the APRA leaves intact those portions of privacy laws governing employee data (e.g., the Illinois Biometric Information Privacy Act and California Consumer Privacy Act) and healthcare privacy (e.g., Washington’s My Health My Data Act)
- Robust private right of action, paired with state and federal enforcement, and a limited right to cure
- Significant limits on data brokers via registration requirement and opt-out right
- Limited time to prepare because the law takes effect 180 days after enactment
- Extensive rulemaking by the Federal Trade Commission (FTC)
Scope and Effective Date
The APRA regulates covered entities’ processing of covered data and will become effective 180 days after the bill is enacted into law.
A covered entity is an entity that controls the processing of covered data and is either a common carrier or subject to the FTC Act. This includes nonprofits (other than those who are engaged in preventing fraud) but not small businesses, which the APRA defines as any business that (1) has average revenues less than $40 million in the three preceding calendar years, (2) processes covered data on fewer than 200,000 people, and (3) does not sell covered data.
The bill also introduces two subsets of covered entities who are subject to additional obligations: large data holders and data brokers. A “large data holder” is an entity with more than $250 million in revenue that processes significant amounts of covered data. A “data broker” is a covered entity that (1) earns more than 50% of its revenue from processing covered data it did not collect directly from the individual or (2) processes covered data on more than five million people with whom it does not have a direct relationship.
The APRA’s term for “personal information” is “covered data.” Covered data means information that identifies, is linked to, or is reasonably linkable to an individual or a device tied to a person. [The addition of a tie to a device is novel.] But covered data does not include de-identified data, employee/applicant information (like every other state except California), and publicly available information (or, in limited cases, inferences drawn from such data).
General Obligations and Restrictions
The APRA imposes obligations that apply to all covered entities and often service providers. Several sections stand out because they depart from existing frameworks. They include provisions that:
- Strengthen data minimization. The APRA introduces stricter restrictions on processing. Companies can only process covered data reasonably necessary to provide the requested product/service or send expected communications. But there are exceptions for situations such as data security, legal compliance, and targeted advertising.
- Expand restrictions for sensitive data. In comparison to state laws, the APRA defines sensitive data more broadly by including details such as private communications, contents of mobile devices (like calendar or address book entries, phone or text logs, and audio/visual media), intimate photos, and activities across unaffiliated websites (e.g., cookie data). Such information is subject to the bill’s stringent data minimization requirements—rather than the state law approach of opt in or opt out. The APRA also restricts transfers (a disclosure for value or a commercial purpose—i.e., sale) of sensitive covered data: a covered entity must obtain the individual’s consent prior to the transfer, unless an exception applies (e.g., data security). This consent requirement, when applied to cookie data, seems in tension with the right to opt out of targeted advertising.
- Add prescriptive security requirements. Companies must implement reasonable safeguards to protect covered data and defend against unauthorized access. This includes, unlike state laws, adopting specific practices such as assessing reasonably foreseeable risks, implementing corrective actions to mitigate those risks, creating a retention schedule, and maintaining an incident response plan.
- Establish privacy and security officials. A covered entity must designate a privacy officer or security officer responsible for implementing privacy and security programs as well as facilitating compliance with the APRA.
- Limit data brokers. The FTC will establish a data broker registry through which individuals can direct brokers to not collect their information. Data brokers with covered data on at least 5,000 people (or devices that identify or could be linked to an individual) must register with the FTC. All data brokers must establish a website and display there (and on any mobile applications) a notice that (1) links to the FTC’s registry, (2) acknowledges they are a data broker, and (3) explains the individual's rights (access, correction, deletion, portability, and opt outs).
- Introduce civil rights protections. Companies cannot process covered data in a manner that results in making goods/services unavailable based on protected categories (race, color, religion, national origin, sex, or disability), except to (1) test for discrimination, (2) diversify a customer pool, or (3) advertise economic opportunities to underrepresented populations.
- Provide safe harbor. Companies who are not data brokers or large data holders can request the FTC approve “compliance guidelines” describing how the company will comply with all (or some) of the APRA and which independent organization will assess the company’s compliance. A company that complies with approved guidelines is entitled to a rebuttable presumption of compliance with the applicable portions of the APRA.
Other provisions expand or build upon existing frameworks. These include requirements to:
- Publish a privacy policy. The policy requirements are more robust than state law. For example, the privacy policy must include the purpose for processing each category, the names of any data broker recipients, and whether any covered data is accessible to a “foreign adversary.”
- Offer users control. Individuals have access, correction, deletion, and portability rights (on a condensed timeline compared to state laws). The access right is broader than under state laws: a company must, in addition to the standard fare, provide the names of third parties and service providers who receive covered data.
- Provide opt-out option. Individuals have the right to opt out of targeted ads and transfers (basically, a sale) of covered data. But remember the transfer of sensitive covered data requires consent. There is no requirement yet for universal opt-out signals—but it is a topic for rulemaking. Additionally, when a company uses algorithms to make or facilitate “consequential decisions” (e.g., offers/determinations regarding housing, employment, education, or insurance), the company must share meaningful details about the process—including the range of outcomes—and provide an opportunity to opt out.
- Limit service providers (aka “Processors”). Service providers are subject to similar restrictions and contractual requirements as state laws. But, in a unique twist, service providers must also have a privacy policy.
- Restrict third parties. There are limits on how a third party can use covered data. A third party is a company that (1) receives covered data from another entity, (2) is not a service provider with respect to such information, and (3) does not receive the data from a company with whom it shares branding and common ownership/control. A third party can only process sensitive covered data for the purposes consented to by the individual. Similarly, the third party can only process other covered data for the purposes described in the covered entity’s privacy policy.
- Obtain affirmative consent. Like state laws, consent requires the individual take affirmative action (i.e., no implied consent). But the APRA adds additional obligations by requiring the company to make specific disclosures. These disclosures include what rights apply, what covered data will be processed, and whether the activity is necessary to fulfill a request or another purpose. A company cannot rely on dark patterns to obtain consent.
- Inform consumers of material policy changes. The APRA relaxes the FTC’s requirements regarding retroactively applying material changes to a privacy policy. Companies no longer are required to get consent before applying changes retroactively. It is sufficient to provide notice of the change and an opportunity to opt out of having the change apply to previously collected data.
Large Data Holder Obligations
The APRA imposes extra obligations on large data holders, including requirements to:
- Conduct privacy impact assessments. The requirements for privacy impact assessments are both broader and narrower than state laws. While only large data holders are required to conduct privacy impact assessments, they must do so every two years and address all processing (while state laws focus on high-risk activities).
- Expand privacy policies. Large data holders must post a short-form notice (under 500 words), publish their privacy policies from the last 10 years, and share the date and nature of material changes during that period.
- Conduct algorithm testing. A large data holder using an algorithm to make decisions or facilitate human decisions (i.e., not fully automated) must (1) conduct an annual impact assessment if the algorithm poses a consequential risk of harm to individuals (e.g., impacting minors, impacting access to housing or insurance, or creating disparate impact based on protected categories) and (2) evaluate every algorithm’s design, structure, and data to reduce the risk of such harms. The company must share those results with the FTC (and, upon request, with Congress).
- Involve executives. Large data holders need one person as a privacy officer and another person as a security officer. Additionally, such companies must (1) submit an annual certification from their CEO, privacy officer, and security officer regarding controls and internal compliance and (2) establish an internal compliance program, e.g., audits, training, and record keeping.
Preemption
The APRA wipes the slate (mostly) clean by preempting state laws that cover the matters addressed by the bill, including comprehensive privacy laws and biometric/genetic privacy laws. There are three significant exceptions: (1) privacy laws (or portions thereof) governing employee data; (2) data breach notification laws; and (3) laws governing health information, which seemingly saves Washington’s My Health My Data Act.
Enforcement
State and federal officials can enforce the APRA, but so can individuals through a private right of action that significantly curtails preexisting arbitration requirements.
The FTC enforces the APRA as a violation of the FTC Act’s prohibition on unfair/deceptive practices and is granted a new power: the ability to seek civil penalties for privacy violations. Additionally, certain state officials—state attorneys general, chief consumer protection officers, or other officials empowered to enforce privacy/security laws—can bring claims, but only in federal court. Those officials must notify the FTC (generally before filing their lawsuit) and cannot assert violations that the FTC is already pursuing in court.
There is an extremely broad private right of action covering most of the APRA’s obligations. Individuals can sue when a company:
- retaliates against individuals for exercising their rights;
- processes covered data in a manner that makes unavailable the equal enjoyment of goods/services on the basis of protected categories; or
- fails to:
  - obtain consent to transfer sensitive data to a third party;
  - get consent to process biometric or genetic information;
  - provide a privacy policy, provide notice of retroactive changes to the policy, or offer/honor an opt out of such retroactive changes;
  - honor individual rights;
  - offer or honor the opportunity to opt out of transfers, targeted ads, or consequential decisions made using an algorithm;
  - maintain adequate security, where such failure is the basis for a data breach claim;
  - conduct due diligence in selecting a service provider or electing to transfer covered data to a third party; or
  - honor a do-not-collect request if the company is a data broker.
Plaintiffs can seek actual damages, injunctive relief, declaratory relief, and attorneys’ fees. Advance notice is required for injunctive and damages claims unless a plaintiff alleges $10,000 or more in damages (the APRA does not specify whether this is individual or collective damages) or certain mental or physical harms. Where advance notice is required, a plaintiff cannot file an injunctive claim if the company cures the violation within 30 days of that notice. But the ability to merely plead sufficient damages (and $10,000 is no high bar) could practically eliminate the advance notice requirement—and with it nullify the right to cure.
The APRA severely limits the applicability of arbitration provisions. It preempts arbitration requirements for allegations involving (1) minors, (2) damages of at least $10,000, or (3) certain mental/physical harms. Such a low damages trigger will make it easy for plaintiffs to avoid otherwise applicable arbitration provisions. Additionally, the APRA requires that federal courts determine whether arbitration provisions apply when the claim does not involve minors, meet the damages threshold, or involve covered mental/physical harms—even if the arbitration agreement delegates that power to an arbitrator.
FTC Rulemaking
Although the bill would terminate the FTC’s 2022 privacy rulemaking, the FTC would be empowered (and sometimes required) to issue rules on a large swath of the APRA and “guidance” on other portions. Some of the rulemaking topics include adding categories of sensitive data, establishing new exceptions to fulfilling individuals’ requests, creating a central mechanism for opt-out requests (e.g., Global Privacy Control), developing “process-based” rules for security, and creating processes for large data holders to submit algorithm assessments (as well as excluding from review low-risk uses).
The FTC is invited (or required) to share guidance on data minimization, short-form notices, validating individuals’ requests, service providers and third parties, civil rights, algorithm reviews, opt outs from consequential decisions using algorithms, and the interplay between other federal privacy/security laws and the APRA.
Next Steps
There is a long road ahead with not much time. The current proposal is a “discussion draft.” Congressional staffers noted that conversations with other lawmakers are ongoing, and it is likely that the supporters will work on building a coalition through stakeholder meetings before formally introducing the legislation later this month. But Rep. McMorris Rodgers is not waiting for a formal bill to start the legislative process; she already set a subcommittee hearing on APRA (and nine other privacy proposals) for Wednesday, April 17. This is likely just one of many committee hearings before APRA is considered for a floor vote.
For a piece of legislation this complex and far-reaching, time is short. Congress likely needs to pass APRA before nationwide elections on November 5, 2024. Significant legislation is unlikely to gain traction after the election but before the new Congress is sworn in on January 3, 2025 (a period of time commonly known as the “lame-duck session”).