On April 7, 2024, Representative Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA) announced that Congress will once again consider a comprehensive federal data privacy bill that, if passed, would dramatically alter the privacy landscape across the United States.
The draft proposal, titled the American Privacy Rights Act of 2024 (APRA), includes concepts and language from its predecessor, the American Data Privacy and Protection Act (ADPPA). However, the APRA has incorporated important changes intended to win support that the ADPPA lacked, including a new approach to a private right of action for individuals. Like the ADPPA, the APRA draws on the California Consumer Privacy Act (CCPA) and other state comprehensive privacy laws, which it would largely preempt. The Federal Trade Commission (FTC), which would share enforcement authority with the states, would be directed to enact a variety of rules to effectuate the law, and create a new bureau to enforce it.
The announcement of the proposal was accompanied by the release of a discussion draft, and key aspects are summarized below.
Key Provisions
Covered Entities:
- The APRA applies to businesses that “determine the purposes and means of processing covered data.” This includes businesses already subject to the authority of the FTC, as well as common carriers and nonprofits.
- Service providers that collect, process, retain, or transfer covered data “on behalf of, and at the direction of, a covered entity” would also be subject to many, but not all, of the requirements. Covered entities would need to exercise reasonable due diligence when selecting a service provider.
- Small businesses would be exempt from the APRA’s requirements if they have less than $40 million in annual revenue, process covered data of less than 200,000 individuals (with exceptions), and do not earn revenue from the transfer of covered data to third parties.
- The APRA has additional requirements for covered entities that are large data holders that meet certain thresholds (e.g., those with over $250,000,000 annual revenue that process data of more than five million individuals), data brokers, or covered high-impact social media companies, described below.
Covered Data:
- Covered data includes information that “identifies or is linked or reasonably linkable” to an individual or device, either alone or in combination with other information.
- De-identified data, employee information, publicly available information, certain library information, and certain inferences derived from publicly available information are excluded from the definition.
- “Sensitive covered data” would receive heightened protections, as discussed further below. This definition is broad, and includes, among other categories of data, information about minors (defined as individuals under age 17), health information, biometric information, financial and payment information, and precise geolocation information. Notably, sensitive covered data also includes online activities over time and across third-party websites; calendar information, address book information, phone or text logs, photos, audio recordings, or videos intended for private use; and race, ethnicity, national origin, religion, or sex in a manner inconsistent with the individual’s reasonable expectations regarding disclosure of such information.
Data Minimization:
- Covered entities and service providers operating on their behalf would be prohibited from collecting, processing, retaining, or transferring data beyond what is necessary, proportionate, or limited to provide or maintain a product or service requested by an individual, or to provide a communication reasonably anticipated in the context of the relationship. (ADPPA would have permitted these activities for what was “reasonably necessary”; APRA removes the word “reasonably.”) Processing of personal data would also be permissible if included in a list of 15 permitted purposes (e.g., protecting data security, defending claims). Some notable observations:
  - Covered entities would not be able to use sensitive data for advertising, even first-party or contextual advertising.
  - Covered entities would be able to use non-sensitive covered data for targeted advertising only if individuals have not opted out.
  - Businesses would need to obtain affirmative express consent for both the collection and the transfer of biometric or genetic information; for other categories of sensitive data, affirmative express consent would be required only for the transfer of that data.
Transparency:
- Businesses would need to update their privacy policies to provide a variety of information, including categories of third parties and the names of any data brokers that receive covered data.
- Businesses would need to notify users of any material changes before they occur and provide a means for consumers to opt out.
- Large data holders would also need to publish their privacy policies from the past 10 years.
Data Security:
- Covered entities and their service providers would need to establish data security practices that are appropriate to their size, the nature and scope of their data practices, the volume and sensitivity of the data they process, and the state of the art of safeguards. They would be required to assess vulnerabilities and mitigate reasonably foreseeable risks to consumer data, adhere to a retention schedule, train employees with access to covered data, and implement incident response procedures. The FTC would have the authority to issue a rule in this area.
Consumer Rights:
- Consumers would be given the right to access, correct, delete, and port their data.
- As compared with the ADPPA and existing state comprehensive privacy laws, the APRA would provide for much shorter time periods for complying with consumer requests. Large data holders or data brokers would have 15 calendar days, and other covered entities, 30 calendar days, to comply with the consumer’s request.
- Users would also have the right to opt out of covered data transfers and targeted advertising. The FTC would be directed to create specifications for a centralized opt-out mechanism, like the Global Privacy Control, which covered entities would be required to honor.
Dark Patterns:
- The APRA would prohibit the use of dark patterns that interfere with a consumer’s ability to receive notice of a business’s privacy practices, restrict their consent, or effectuate their consumer rights.
Executive Responsibility:
- Covered entities would be required to designate at least one privacy or data security officer.
- Large data holders would need to designate separate privacy and data security officers. Additionally, those officers, along with the CEOs of large data holders, would be required to annually certify to the FTC that the entity maintains internal controls and reporting structures in compliance with the APRA.
Covered High-Impact Social Media Companies:
- Covered entities that provide a platform that a) generates $3 billion or more in global annual revenue (including the revenue generated by any affiliate), b) has 300 million or more global monthly active users for at least three of the preceding 12 months, and c) is primarily used by individuals to access or share user-generated content would be deemed Covered High-Impact Social Media Companies.
- Such entities would be prohibited from offering a “bona fide loyalty program” which is permissible for other covered entities.
- Information collected from high-impact social media companies over time must be treated as sensitive covered data.
- Because targeted advertising is prohibited on the basis of sensitive covered data, high-impact social media companies would largely be prohibited from conducting targeted advertising.
Data Brokers:
- Data brokers—covered entities whose principal source of revenue is derived from processing or transferring covered data that the covered entity did not collect directly from the individuals linked or linkable to such covered data—would be required to publish special notices to consumers and register with the FTC.
- Data brokers would also need to honor “Do Not Collect” requests managed via a centralized opt-out mechanism established by the FTC.
Algorithms:
- Covered entities would not be permitted to process covered data in a way that discriminates based on certain protected characteristics, with some exceptions (e.g., testing to prevent discrimination).
- Large data holders would need to conduct annual algorithm impact assessments when there is a “consequential risk of harm” to certain groups (e.g., minors) or related to certain outcomes (e.g., major life events).
- Entities using algorithms that make or facilitate consequential decisions (to be defined in future FTC rulemaking) would need to provide consumers with notice and the opportunity to opt out. This requirement is a notable new addition; it was not in the ADPPA.
- Many of the requirements relating to algorithms do not appear to be limited to “covered entities” and are likely to directly impact companies in the artificial intelligence space, including, for example, small businesses.
Enforcement:
- The APRA would be enforceable by the FTC, state attorneys general, chief consumer protection officers of states, or other authorized officers of a state.
- The APRA provides for a private right of action for various provisions, including requirements related to sensitive data opt-ins, consumer rights, and “consequential decision” algorithm opt-outs.
- Individuals would be permitted to bring an action to recover actual damages, injunctive relief, declaratory relief, and reasonable attorney fees and costs. Any amount that a court orders an entity to pay would be offset by any amount the person received from an action brought against the entity for the same violation by the FTC or a state regulator.
- The bill would preserve certain statutory damages available under the Illinois Biometric Information Privacy Act (BIPA), Illinois’s Genetic Information Privacy Act, and the security breach section of the CCPA.
- Entities would be provided an opportunity to cure in actions requesting injunctive relief, and written notice in actions seeking actual damages, except for actions alleging a “substantial privacy harm” (financial harm of at least $10,000, or certain physical or mental harms to an individual).
- Moreover, the bill would not allow mandatory arbitration to resolve disputes involving substantial privacy harms or privacy of minors under 18.
Preemption:
- The APRA would preempt state privacy laws “covered by” this legislation, notably including the increasing number of comprehensive state privacy laws. However, the draft explicitly states that preemption would not apply to certain sectoral state privacy laws, such as data breach notification laws, state student privacy laws, and laws that protect the privacy of health information (including the Washington My Health My Data Act).
- BIPA would likely be preempted as its subject matter and the requirements it imposes are largely covered by APRA, though, as noted above, the bill would preserve certain statutory damages available under BIPA.
- The APRA does not cover employee data, so presumably CCPA provisions with respect to employee data would not be preempted.
- The APRA would not preempt sectoral federal privacy laws, such as the Children’s Online Privacy Protection Act (COPPA) and the Gramm-Leach-Bliley Act.
Next Steps
The House Innovation, Data, and Commerce Subcommittee will host a hearing on Wednesday, April 17, regarding the APRA and other data privacy legislative proposals.
One Piece in Shifting Landscape
The APRA is the latest in a series of legislative proposals that could markedly shift privacy and data security obligations for entities that collect and process personal information.
At the federal level, Congress is also considering bills related to minors’ online privacy and safety (e.g., H.R. 7891, H.R. 7890), algorithmic accountability (e.g., H.R. 5628), and data brokers (e.g., H.R. 4311). Notably, the APRA removed the ADPPA’s requirement for parental consent to transfer minors’ data, which suggests that the APRA could be paired with one or more of the federal bills on the topic.
In 2022, the FTC initiated a “Commercial Surveillance and Data Security” rulemaking. The APRA, if passed, would terminate that rulemaking. The FTC has also proposed amendments to its COPPA Rule.
At the state level, legislatures continue to propose and pass comprehensive privacy legislation, such as the Maryland Online Data Privacy Act of 2024. As discussed, those laws would be preempted if the APRA becomes law. States are also passing laws addressing focused issues, such as the My Health My Data Act in Washington and the social media laws in Utah and Florida.
And internationally, the European Union’s Artificial Intelligence Act is in the final stages before officially becoming law.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. We will continue to monitor legislative developments to assist clients with their policy stances and compliance efforts. For more information, please contact Maneesha Mithal, Christopher Olsen, Brett Weinstein, Rebecca Weitzel Garcia, or any member of the firm’s privacy and cybersecurity practice.