Comprehensive American Privacy Rights Act Introduced in Congress
A bipartisan proposal, the American Privacy Rights Act (APRA), was introduced late Sunday by Senate Commerce Committee Chair Maria Cantwell (D-Wash.) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.). The draft would give consumers substantially more control over how their personal data is collected and used.
If passed, the APRA would set a national standard for the collection, use, and transfer of personal data online. Under the bill, consumers would gain the right to opt out of certain data practices, such as targeted advertising, as well as the ability to access, delete, and port their data between digital services. The APRA would be enforced by the Federal Trade Commission (FTC) and state attorneys general, and would give consumers a private right of action.
The APRA would preempt state privacy laws, a provision several states have contested, including California, which already has a robust privacy law framework. Notably, the bill would preserve state laws specific to health or financial data.
Key Provisions of the APRA Discussion Draft
- Scope. The APRA would apply to a vast range of “Covered Entities”: any entity that determines the purpose and means of collecting, processing, retaining, or transferring personal data and is subject to the FTC Act, as well as common carriers and certain nonprofits.
The APRA would not apply to small businesses (annual revenue under $40 million and data on fewer than 200,000 individuals) or to certain other entities. Small businesses that act as data brokers, however, would not be exempt.
- Data Minimization. The APRA imposes a strict data minimization principle, limiting permitted processing to what is reasonably necessary to provide or maintain a product or service requested by an individual, to provide a communication reasonably anticipated in the context of the relationship, or to serve a permitted purpose.
Permitted purposes would include protecting data security; complying with legal obligations; effectuating a product recall or fulfilling a warranty; conducting market research (which requires the individual’s affirmative express consent to participate); de-identifying data for use in product improvement and research; preventing fraud and harassment; responding to ongoing or imminent security incidents or public safety incidents; and processing previously collected nonsensitive covered data for advertising.
Biometric and genetic information are subject to strict retention limits. Transfers of sensitive data to a third party without the individual’s affirmative express consent are prohibited unless expressly allowed by a stated permitted purpose.
The FTC is expected to issue guidance on the practical application of the data minimization principle.
- Transparency. The APRA would require Covered Entities and service providers to publish privacy policies that describe, among other things, how consumers can exercise their opt-out rights. The policy must be available in multiple languages and accessible to people with disabilities.
Large Data Holders (annual revenue over $250 million and data on more than 5 million individuals, or sensitive data on more than 200,000 individuals) face additional requirements: they must retain and publish their privacy policies from the past 10 years and must also provide a short-form notice of their policies (up to 500 words).
- Consumer Rights Over Data. Consumers would have the right to access their data (including the identity of the third parties to which it has been transferred) and to correct and delete it.
- Opt-Out and Centralized Opt-Out Mechanism. Consumers would have the right to opt out of the transfer of their data, targeted advertising, and consequential algorithmic decision-making. The FTC would issue regulations setting the technical requirements for a centralized opt-out mechanism.
- Data Brokers. Data brokers would need to maintain a public website that identifies the entity as a data broker, includes a tool for individuals to exercise their individual controls and opt-out rights, and links to the FTC’s data broker registry website. The website must be reasonably accessible to individuals with disabilities.
The FTC would be directed to establish a data broker registry, and data brokers that process the data of 5,000 or more individuals would have to register each calendar year. The registry must include a “do not collect” mechanism for consumers. The FTC would also issue guidance on the required content of a data broker’s website.
- Algorithmic Decision-Making (Including AI). The APRA would prohibit the use of covered data to discriminate on the basis of protected characteristics. Large Data Holders that use decision-making algorithms in a manner that poses a consequential risk of harm must conduct an impact assessment, provide it to the FTC, and make it publicly available.
Moreover, developers of decision-making algorithms would need to evaluate the algorithm before deploying it, provide the evaluation to the FTC, and make it publicly available.
- Executive Responsibility. All Covered Entities would need to designate at least one employee to serve as a privacy or data security officer. Large Data Holders would need to designate both a privacy officer and a data security officer, file annual certifications with the FTC attesting to internal controls and internal reporting structures designed to comply with the APRA, and conduct privacy impact assessments every two years.
If passed, the APRA would take effect 180 days after enactment, although some organizations may seek a later effective date. The draft also provides a six-month enforcement grace period after the law’s effective date.
Though lauded as historic legislation, its fate remains uncertain given the impending November elections and the limited legislative window. The discussion draft will be refined through input from other lawmakers and stakeholders. Even so, the proposal marks a milestone in the long effort to establish comprehensive federal online privacy protections, offering a framework that attempts to balance consumer rights with business interests while addressing longstanding regulatory gaps.
Maryland Set to Pass its Comprehensive Privacy Act
Even as comprehensive federal legislation unexpectedly gains momentum, states continue to pass their own privacy laws. The Maryland Online Data Privacy Act of 2024 (MODPA) is set to become one of the latest additions to the state privacy law patchwork; the enrolled act awaits the Governor’s signature.
The MODPA has been called one of the toughest comprehensive state privacy laws and is novel in several ways. Unlike its predecessors in other states, the Maryland bill pairs broad data minimization standards with low coverage thresholds: it applies to businesses that control or process the personal data of more than 35,000 consumers, or that control or process the personal data of more than 10,000 consumers and derive more than 20% of their gross revenue from selling personal data. The bill also bans targeted advertising to, and the sale of personal data of, consumers under 18, and bans the sale of sensitive data outright.
If signed, the MODPA would take effect on October 1, 2025.
California Privacy Protection Agency Issues Enforcement Advisory
On April 1, 2024, the California Privacy Protection Agency (CPPA) released its first enforcement advisory, urging businesses to adhere to the principle of data minimization when handling consumer requests. The advisory stemmed from the CPPA’s observation that some businesses were requesting excessive and unnecessary personal information from consumers in response to requests made under the California Consumer Privacy Act (CCPA).
Data minimization is a fundamental tenet of the CCPA, requiring covered businesses to limit the collection, use, retention, and sharing of personal information to what is reasonably necessary and proportionate to the purposes for which it was collected or processed. The regulations accompanying the CCPA elaborate on this requirement, stating that the assessment of necessity and proportionality should consider factors such as:
- The minimum personal information required to fulfill the disclosed processing purpose.
- Potential adverse effects on consumers resulting from the business’s data processing activities.
- Additional safeguards implemented by the business to mitigate potential adverse impacts on consumers.
For instance, when handling requests to opt out of the sale or sharing of personal information, businesses must not demand excessive personal information and should collect only what is necessary to process the opt-out request.
Other types of requests, such as requests to access or delete personal information, do require the business to verify the consumer’s identity. The identity verification regulations, however, provide that businesses should, whenever feasible, use personal information they already hold to verify the consumer and should avoid collecting highly sensitive data such as Social Security numbers or biometric information. If additional information is needed for verification, it may be used only for verification, security, or fraud prevention, and it must be deleted as soon as practicable after the request is fulfilled.
The CPPA’s enforcement advisory provides practical examples to help businesses determine what information is needed to fulfill opt-out and deletion requests. These examples underscore the importance of integrating data minimization into every part of a business’s privacy compliance program, including its procedures for responding to consumer requests.
NEED HELP WITH PRIVACY LAW COMPLIANCE?
The CommLaw Group Can Help!
If your company has questions about its data privacy obligations under state and federal laws or would like to reassess its data collection and processing practices in compliance with state regulation, please contact us:
Linda McReynolds – Tel: 703-714-1318 / E-mail: lgm@commlawgroup.com
Diana James – Tel: 703-663-6757 / E-mail: daj@commlawgroup.com