The American Privacy Rights Act of 2024 (APRA)
Introduction
The American Privacy Rights Act of 2024 (APRA) is a proposal for a comprehensive federal data privacy and security law. It was released as a discussion draft on April 7, 2024 by the chairs of the House Energy and Commerce Committee, Cathy McMorris Rodgers (R-Wash.), and the Senate Commerce Committee, Maria Cantwell (D-Wash.). The draft would give individuals greater control over their personal information while imposing strict requirements on how organizations collect, process, retain, and transfer it. It mandates transparency, accountability, and data security measures to safeguard sensitive data, so that businesses must treat privacy as a core part of their operations.
Scope
The bill does not contain a standalone scope provision; its reach follows from its definitions of which entities and which data are covered.
Entities Covered:
The scope of the proposed APRA is broad. A "covered entity" would be any entity that
(1) is subject to the FTC Act (including common carriers and certain subsets of nonprofits); and
(2) collects, processes, keeps, transfers, or otherwise uses personal data.
Types of Data Covered:
The bill covers personal data, defined as information that identifies, or is linked or reasonably linkable to, an individual or a device associated with an individual.
Exception
Excluded Entities:
Small businesses that fall below the bill's revenue and data-volume thresholds, and nonprofits whose primary mission is preventing, investigating, or deterring fraud, are exempt from the APRA's requirements.
Excluded Data:
The bill excludes specific categories of data from its scope, including de-identified data, employee data, and publicly available information, along with a few other narrow categories of non-identifiable data.
Key Definitions
Covered Data
"Covered data" under APRA is identifiable information, excluding de-identified data, employee records, publicly available information, certain inferences drawn solely from publicly available information, and information held in library, archive, or museum collections. These exclusions define the boundary of what the bill's obligations apply to.
Sensitive, biometric, and genetic data
APRA requires affirmative express consent before sensitive, biometric, or genetic data may be transferred to a third party, unless a statutory exception applies. Covered entities may not collect or retain biometric or genetic data without consent, except in specific enumerated cases. Such data may be retained only as long as needed for the purpose the individual consented to, and no longer than three years after the individual's last interaction with the entity. Withdrawing consent must be as clear and accessible as giving it.
Service provider
The term “service provider” means an entity that collects, processes, keeps, or transfers covered data for the purpose of performing one or more services or functions on behalf of, and at the direction of, a covered entity.
Obligation of Covered Entities
Affirmative Express Consent
Under APRA, affirmative express consent is a clear, affirmative act by the individual in response to a specific request from a covered entity or its service provider. The request must clearly disclose the practice for which consent is sought, the categories of data involved, and the individual's rights regarding that consent. Crucially, consent cannot be inferred from inaction or from continued use of a product or service.
Data Minimization and Security
APRA places a strong emphasis on data minimization: collection, processing, retention, and transfer of covered data must be limited to what is necessary and proportionate for the product or service requested or for a purpose the bill permits. Stricter rules govern sensitive data such as biometric and genetic information, with affirmative express consent required for any transfer. Covered entities and service providers must also establish and maintain data security practices that protect covered data from unauthorized access and from breaches.
Transparency and Control
APRA requires covered entities and service providers to publish clear, accessible privacy policies describing their data practices, covering collection, processing, retention, and transfers. The policy must be available in each language in which the entity does business and must state the entity's identity and contact details, the categories of data collected, the purposes of processing, any transfers to third parties, retention periods, the individual's rights and how to exercise them, the entity's data security practices, the policy's effective date, and any transfers to or ties with foreign adversaries.
Dark Patterns
APRA prohibits covered entities from using dark patterns, meaning interface designs that obscure required notices, impair the exercise of individual rights, or manipulate individuals into giving consent. Any agreement obtained through such tactics does not count as valid consent under the bill.
Consumer Rights
The bill gives consumers the following rights with respect to their covered data, together with procedural requirements on response time, request frequency, and cost:
- Right to access
- Right to correction
- Right to deletion
- Right to data portability
- Right to opt out
Assessments (Privacy & Algorithmic)
Under the APRA, large data holders must conduct Privacy Impact Assessments (PIAs) every two years to evaluate risks to individual privacy, and must additionally assess covered algorithms that pose a consequential risk of harm. An algorithm assessment must describe the algorithm's design, purpose, and data inputs, and the steps taken to mitigate potential harm. The FTC is to issue compliance guidance within two years of enactment.
Enforcement
The FTC enforces APRA and must establish a dedicated bureau within a year of enactment. State attorneys general and individual consumers may also bring actions. Small businesses may face new scrutiny, although some see a single federal standard as relief from juggling multiple state laws. Before seeking injunctive relief, a plaintiff must give the defendant 30 days' notice, except where the claim involves substantial privacy harm; taken together, these provisions could generate a large volume of litigation.
How does it differ from other privacy laws?
The American Privacy Rights Act of 2024 (APRA) differs from existing US data protection regimes in several ways:
- It incorporates features of the California Consumer Privacy Act (CCPA), such as a private right of action that lets individuals sue over data breaches.
- It treats consent as a fundamental protection and extends its coverage to a wide range of personal data across digital platforms.
- Its definition of covered data is similar to that of the European General Data Protection Regulation (GDPR), but it introduces its own criteria for sensitive information, particularly concerning online activity.
- It introduces the concept of "high-impact social media companies," defined by revenue and user thresholds, to address emerging privacy challenges on large platforms.
Conclusion
The American Privacy Rights Act of 2024 (APRA) would be a significant milestone in US data privacy legislation, establishing robust consumer rights and strict standards for transparency and security. As a privacy compliance software provider, we recognize the importance of safeguarding individual data and of guiding businesses toward responsible innovation. APRA would give businesses a clear framework for upholding data privacy and security principles, fostering trust in the digital landscape. Together, let's continue working toward a safer online environment in which privacy rights are respected and protected for all.