American Privacy Rights Act: A Primer for Business

Apr 12, 2024 by Dr. Divya Sridhar, Vice President, Global Privacy Division and Privacy Initiatives Operations, BBB National Programs

Was it the recent series of natural phenomena – from a 4.8 magnitude earthquake to the solar eclipse – that prompted Congress to move on a bipartisan, bicameral federal privacy bill?

We can’t say with certainty that these recent phenomena led to the resurgence of interest in such a bill, but we can outline for you what we believe to be, at first glance, the most compelling elements of the American Privacy Rights Act of 2024 (APRA).

APRA, introduced on April 7 by House Energy & Commerce Committee Chair Cathy McMorris Rodgers and Senate Commerce Committee Chair Maria Cantwell, would create a U.S. baseline for requirements that a business would need to fulfill when processing consumer data. And though the contents of a federal privacy bill have been debated for decades, this new proposal comes at an interesting time.

  • The bill surfaced during a presidential election year, butting up against other potentially controversial, competing priorities. While the most recent draft of a federal privacy bill (American Data Privacy and Protection Act, or H.R. 8152) surfaced two years ago, APRA is a bicameral, bipartisan effort that invokes the “two corners” – both House and Senate subcommittees for data privacy and tech policy issues. 
  • This bill complements the Federal Trade Commission’s (FTC) recent vigilance regarding businesses’ actions toward processing sensitive consumer data and seems to subject businesses to heightened scrutiny that would fulfill the FTC’s consumer protection and data privacy, security, and retention objectives.

The bill requires that companies:

  • Provide consumers with rights over their data (including deletion, edits, portability)
  • Allow consumers to opt-out of data processing and use, including targeted ads
  • Ensure consumer data is restricted to specific uses that are expected by the reasonable consumer (data minimization and purpose limitation)
  • Conduct privacy impact assessments in circumstances involving large data holders and covered algorithms
  • Ensure that additional protections are present regarding sensitive covered data
  • Mitigate any discrimination associated with the provision or denial of services when processing covered data

When it comes to enforcement, the bill includes a private right of action allowing individuals, in addition to the FTC and state attorneys general, to sue. It also has a preemption provision that would dislodge the current patchwork of 15+ state consumer privacy laws.

It is important to note that the bill may remain contentious and heavily debated in many other areas as well, such as publicly available information, the role of the states, and future rulemaking, among others.

General Application 

In general, the threshold and scope of APRA’s coverage differ from current practice and exclude a number of smaller business types. Notably, however, the FTC could choose to enforce against nonprofits and common carriers (which may be problematic given that the bill doesn’t specify how large or small a nonprofit would need to be to be subject to the bill).

In addition, small businesses (defined in the bill as making less than $40 million over three years or processing the data of fewer than 200,000 individuals annually) are exempt. This diverges from how state consumer privacy laws define small businesses. For example, California’s consumer privacy law brings into scope entities that make $25 million in annual revenue or process the data of more than 100,000 individuals, and it excludes nonprofits.

Privacy Impact Assessments

APRA requires businesses to study and assess the risks of processing sensitive data and higher-risk applications of the data. “Large data holders,” “high-impact social media companies,” and “data brokers” are expected to fulfill additional requirements, including completing a “privacy impact assessment,” based on the volume and scope of the data they process.

Large data holders who use a “covered algorithm” in a manner that poses a consequential risk of harm to an individual or a group would be required to produce an impact assessment. All covered entities who knowingly develop a covered algorithm would be required to evaluate the design, structure, and inputs of such algorithms prior to deployment in interstate commerce.

At present, state consumer privacy laws vary in their approach to impact assessments. While some states (e.g., CO and CA) make impact assessments a requirement of specific higher-risk use cases or entities, other states (e.g., VA) allow for impact assessments to be voluntary.

Children and Teen Data

APRA leaves the Children’s Online Privacy Protection Act (COPPA) intact. The bill adds blanket protections on information “about” (including from) an individual who is defined as a “covered minor” ages 13 to 17 and would therefore preempt existing state teen privacy laws. 

However, the new data minimization expectations around processing activities focused on covered minors may lead to important changes for online services that have mixed and teen audiences. There are also new algorithmic impact assessments required for online services that process data of covered minors.

Heightened Data Security Expectations

APRA-covered entities subject to a previous sectoral federal privacy law (e.g., GLBA, HIPAA, FCRA, FERPA) may comply with the requirements of the sectoral law in place of the APRA requirements. However, section 9 concerning data security and protections of covered data appears to apply to all APRA-covered entities, regardless of their current sectoral obligations. 

At present, most state consumer privacy laws have entity-level exemptions for compliance with the federal sectoral laws and also include heightened data security requirements.

Strengthening Independent Accountability

Section 15 of the bill requires the FTC to approve compliance guidelines and allows companies to self-certify compliance with the guidelines so long as they identify an independent third-party accountability organization in the marketplace to help ensure they meet the guidelines. Some state consumer privacy laws already include similar language (e.g., the Tennessee Information Protection Act’s provisions on independent accountability and processing requirements in alignment with the Cross Border Privacy Rules program). 

These provisions are also similar to the Children’s Online Privacy Protection Act (COPPA) provisions recognizing non-governmental safe harbor programs as a means to strengthen compliance. Under COPPA, the FTC recognizes safe harbor programs that ensure program participants comply with COPPA and with the FTC’s COPPA Rule. (BBB National Programs was the first entity the FTC approved as a COPPA safe harbor.) 

Independent accountability will also play an important role in verifying practices focused on businesses conducting internal privacy impact assessments and the algorithmic impact assessment provisions.

Emerging Privacy Tech Pilot 

The bill creates a new pilot program for testing privacy-enhancing technology, which will likely ramp up the need for new technology, statistical models, and artificial intelligence to support the responsible sharing of consumer data. The opportunity for a pilot program could help many industries struggling with third-party data processing and use of highly regulated sensitive data to better cope with the realities of new regulations and laws in the consumer privacy space. 

Impact, Alignment, and the Role of Self-Regulation 

Industry self-regulation is an important anchor for the grounding principles of the bill – establishing trust and guidance, when and where there remains confusion in the marketplace. At a time when the federal bill could breed uncertainty for industry on how and when to act (especially as it concerns the overlaps across federal vs. state consumer privacy requirements), self-regulation and co-regulation are key to making accountability a commitment for the marketplace. 

As mentioned, Section 15 of the bill provides for FTC-approved compliance guidelines and includes a role for an independent organization to assess the covered entity's privacy practices. While fairly bare-bones, Section 15 further underscores the need for independent accountability.

And because the bill does not apply to small and medium-sized businesses (under $40 million in revenue and/or under a certain volume of data processing), independent self-regulatory bodies can be important levers for SMEs that want to leverage the best practices set forth in the federal data privacy law but have limited support in doing so. 

By leaning on independent accountability agents such as BBB National Programs, businesses, nonprofits, and other entities subject to the scope of the federal bill and/or existing consumer privacy laws and regulations can find a needed, well-regarded, and longstanding source of advice and best practices. 
