American Privacy Rights Act Draft Update July 2024

By Carolyn Wimbly Martin and Ella Sands

The American Privacy Rights Act (“APRA”) is the most recent effort by Congress to create a comprehensive consumer privacy law. Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA) released a discussion draft of the bill in April 2024, and the U.S. House Committee on Energy and Commerce Subcommittee on Data, Innovation and Commerce unanimously approved an updated draft of the bill on May 23, 2024. On June 25, 2024, members formally introduced a fourth draft of APRA in the House of Representatives as H.R. 8818. Although sponsors have not formally introduced the bill in the Senate, Senator Cantwell stressed the need for federal privacy legislation at the Senate Committee on Commerce, Science and Transportation hearing on July 11, 2024. In the same hearing, however, Senator Ted Cruz (R-TX) expressed reservations about APRA as currently drafted. The U.S. does have several federal privacy laws, but they are sectoral and regulate only certain industries. APRA would regulate data privacy practices across industries.

APRA has gained more traction in Congress than earlier attempts to pass a federal privacy law because of mounting pressure to establish a uniform privacy framework and to bridge the gap in federal regulation. Since 2018, 20 states have passed their own comprehensive consumer privacy laws, many of which are already in effect. Although most state privacy laws follow a basic framework, their nuances have created a patchwork of privacy legislation for business compliance. If Congress adopts APRA, the law will standardize individual privacy rights and obligations for businesses and nonprofits. The current draft contains several provisions that deviate from state privacy laws with significant implications for businesses and nonprofits.

APRA Definitions

APRA would regulate how “covered entities” collect, process, retain and transfer “covered data” and “sensitive covered data.” The bill defines covered data as data that is linked or reasonably linkable to an individual. Sensitive covered data is covered data that falls within 18 enumerated categories of information that receive heightened protection, including health data, biometric data, genetic data, precise geolocation data and information about children under 17. Finally, APRA defines “covered entities” as businesses or nonprofit organizations that determine the purposes and means of collecting, processing, retaining or transferring covered data. Small businesses are exempted; the bill defines small businesses as entities whose gross annual revenues have not exceeded $40,000,000 over the preceding three years, that do not annually handle the covered data of more than 200,000 individuals for purposes other than processing payments and that do not generate revenue from transferring covered data to third parties. It is important to note that APRA’s applicability to nonprofits whose gross receipts exceed $40,000,000 over three years would be a significant departure from the scope of the majority of state privacy laws. So far, only a handful of states, among them Oregon, Colorado and Maryland, have extended their comprehensive privacy laws to nonprofits.

Covered Entities and Their Obligations Under APRA

There are five compliance requirements for covered entities if APRA becomes law: (1) data minimization, (2) privacy by design, (3) transparency, (4) reasonable data security and (5) appointment of a privacy and data security officer. Each obligation is described in detail below.

1. Data Minimization

Under APRA’s data minimization requirement, covered entities would be obligated to limit the collection, processing, retention and transfer of covered data to instances where it is reasonably necessary and proportionate to providing the products or services that consumers request. The bill also specifies 17 permitted purposes for which covered entities may collect, process, retain or transfer data if they can demonstrate that their use of that data is necessary, proportionate and limited to one of the listed purposes. If a covered entity seeks to transfer an individual’s sensitive covered data, it must obtain their affirmative express consent. Affirmative express consent is also required when covered entities seek to collect, process, retain or transfer biometric or genetic information. APRA would require the Federal Trade Commission (“FTC”), within 180 days of its enactment, to issue guidance regarding what is necessary, proportionate and limited to comply with the law’s data minimization requirements.

2. Privacy by Design

APRA’s privacy by design provision would require covered entities to adopt reasonable policies, practices and procedures. The policies must lay out how the entity will identify, assess and mitigate privacy risks to minors, individuals with disabilities and people over the age of 65. The policies must also address how the entity will mitigate privacy risks in the design, development and implementation of its products or services. Moreover, reasonable policies and practices under the privacy by design provision must include internal training to ensure compliance and mitigate privacy risks. APRA states that in crafting privacy by design policies, covered entities should consider such factors as the nature and scope of the activities they are engaged in, the sensitivity of the data they are using, the volume of data, the number of individuals the data relates to and the cost of implementation relative to the privacy risks. If APRA becomes law, the FTC would issue further guidance within a year of the law’s enactment addressing reasonable policies, practices and procedures.

3. Transparency

APRA’s transparency provision would require covered entities to adopt clear and publicly available privacy policies that describe their data collection, processing, retention and transfer. Covered entities would be required to provide contact information that consumers could use to make privacy inquiries. Privacy policies would also need to disclose the categories of covered data that covered entities collect, process and use, and the purposes for collecting that data. If an entity plans to transfer covered data to third parties, it must include that information in its privacy policy along with the name of each data broker it will share data with and the purposes for sharing the data. Privacy policies should also include information as to how long an entity will retain each category of covered data that it collects. If a covered entity has knowledge that it has collected data from covered minors, its privacy policy must have a description of how the entity treats covered data of minors differently than data from other individuals. Finally, APRA would require entities to describe in their privacy policies how consumers can exercise their data privacy rights and include a description of their data security practices.

4. Reasonable Data Security

APRA would also require covered entities to establish and maintain reasonable data security practices. What practices are “reasonable” should be determined based on an entity’s size and complexity, the nature and scope of data handling and how much data it handles. At a minimum, covered entities would be required to assess vulnerabilities in systems that collect, process and store data, take preventive and corrective action to mitigate privacy risks, evaluate preventive actions in light of the development of new technology, delete data that is no longer necessary, develop a data retention schedule, train employees on safeguarding covered data and adopt procedures for responding to data security breaches.

5. Privacy and Data Security Officers

Finally, APRA would require covered entities to appoint designated privacy and data security officers to implement data privacy programs which safeguard covered data and facilitate compliance with APRA.

Data Privacy Rights for Consumers

If enacted, APRA would grant consumers the right to data portability and rights to access, correct and delete their covered data. Consumers would also have the right to opt-out of the transfer of their data to third parties and the transfer of their data for the purpose of targeted advertising. The bill includes a provision that would require the FTC, within two years of the law’s enactment, to develop a single interface where consumers can exercise their opt-out rights. Through this interface, consumers would indicate whether they want to opt-out of certain kinds of processing for all applicable entities, rather than communicating their preferences to each individual entity.

Most existing comprehensive state privacy laws include the rights that APRA would grant to consumers. However, the set of rights that APRA provides is underinclusive compared to some state laws. For example, several comprehensive state privacy laws give consumers the right to opt-in to sensitive data processing and opt-out of automated decision-making, rights the current version of APRA does not include. Although the second APRA draft included a provision that would have allowed consumers to opt-out of having consequential decisions made by algorithms, drafters removed the provision in the third draft. States that offer consumers more robust data privacy rights have voiced concerns about what APRA would mean for their residents, who would lose rights under APRA’s preemption provision (discussed below). In May, the California Attorney General led a coalition of 15 attorneys general in urging Congress to change the preemption provision in the APRA draft. The current APRA draft would preempt comprehensive state privacy laws, but the states that oppose the provision seek to have it replaced with a preemption clause that would set a regulatory floor instead of a ceiling.

COPPA 2.0 and Children’s Privacy Protections

The current version of APRA includes provisions to update the Children’s Online Privacy Protection Act of 1998 (“COPPA”) to strengthen children’s privacy. Title II of APRA, called COPPA 2.0, would update how COPPA applies in the educational context and require the FTC to evaluate whether it is feasible to create a verifiable consent mechanism for operators providing a joint service to children. Other updates to COPPA include more specific definitions of personal information and the explicit extension of applicability to mobile applications directed towards children. Most significantly, COPPA 2.0 would update the law’s general applicability standard. COPPA currently applies to operators of websites and online services directed to children and to operators with actual knowledge that they are collecting personal information from children under 13; a general-audience service that avoids actual knowledge generally falls outside the law. COPPA 2.0 would change the actual knowledge standard to “actual knowledge or knowledge fairly implied on the basis of objective circumstances.” Ultimately, this change in language could expand COPPA’s applicability to entities that have been able to skirt the actual knowledge standard by not explicitly directing their services towards children. If adopted, the FTC would issue guidance on the new standard. Notably, the draft language of COPPA 2.0 does not raise the current age of protection from 13. However, if the language of the most recent draft of APRA is enacted, minors would have more privacy protections under APRA’s general provisions because the definition of sensitive covered data includes the data of children under 17. Additionally, APRA’s prohibition on targeted advertising to children under 17 and its restrictions on the transfer of the covered data of minors would further expand children’s privacy protections.

Prohibited Conduct under APRA

Businesses and nonprofits should be particularly aware of certain prohibitions in the draft bill. First, the bill would prohibit covered entities from using “dark patterns” to divert consumer attention from legally required notices, impair their ability to exercise their data privacy rights or obtain consent where it is required, such as for the transfer of sensitive covered data. Second, covered entities would not be permitted to deny services to or retaliate against customers through pricing if they choose to exercise their rights under APRA. Notably, the first and second drafts of the legislation included a prohibition on the collection, processing, retention or transfer of data in ways that unlawfully discriminate on the basis of race, color, religion, national origin, sex or disability, but the most recent version of the bill does not contain such a provision.

Enforcement and the Private Right of Action

The APRA draft provides for enforcement against covered entities that do not comply with the law at three levels: by the FTC, by states, and by individuals.

1. Enforcement by the FTC

If enacted, APRA would empower the FTC to enforce the provisions of the law and treat violations as unfair or deceptive trade practices under the FTC Act. The draft bill would also direct the FTC, within 180 days of the law’s enactment, to establish a new bureau to conduct enforcement of APRA. Additionally, the FTC would establish a relief fund for victims of privacy and security violations to provide consumers redress where appropriate. Covered entities would have the opportunity to apply to the FTC for approval of their compliance guidelines. If the FTC approves an entity’s guidelines, then that entity would be entitled to publicly self-certify compliance with APRA and would have a rebuttable presumption of compliance with the act.

2. Enforcement by State Attorneys General

At the state level, attorneys general and other state officers would have the power under APRA to enforce the law in federal court. APRA would permit states to seek injunctive relief, penalties, damages, restitution and other appropriate relief.

3. Enforcement by Individuals

The current version of APRA would also give consumers a private right of action against covered entities that violate their data privacy rights. Through this private right of action, individuals could recover damages, injunctive relief, declaratory relief and reasonable fees from violators. However, before bringing an action for injunctive relief, individuals must provide entities with notice identifying the provision they allege has been violated, and the entities have 60 days to cure the alleged violation and notify the individual of any actions taken. APRA would also entitle covered entities to settle with individuals who send them written notice of an alleged violation.

Preemption of State Privacy Laws

APRA contains a provision that would preempt state privacy laws and would prohibit states from adopting, maintaining and enforcing privacy law provisions covered by APRA. In addition, the bill would preempt state laws that provide protections for children or teens and conflict with APRA. However, APRA would not preempt state level consumer protection laws, civil rights laws, provisions protecting employee or student privacy, data breach notification laws and several other laws and provisions that are either sector-specific or that do not conflict with APRA. APRA would also preserve federal privacy laws that are in place, such as the Gramm-Leach-Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act (“HIPAA”), the Fair Credit Reporting Act (“FCRA”), and the Family Educational Rights and Privacy Act (“FERPA”) among others.

Conclusion

If APRA becomes law, it will drastically change consumer privacy regulation in the U.S. and eliminate the patchwork of comprehensive state privacy laws. Under APRA, covered entities would only need to familiarize themselves with a single consumer privacy law, rather than assessing their compliance state by state. APRA would also expand the applicability of consumer privacy laws to nonprofits, which states have typically exempted from their laws. Another unique feature of APRA, its private right of action, would expose covered entities to liability for data privacy violations. So far, no state has enacted a comprehensive privacy law that gives consumers a comparable right to sue entities that violate their data privacy rights; California’s CCPA includes a private right of action, but it is limited to certain data breaches rather than privacy violations generally.

As Congress continues to weigh APRA, we will monitor the bill’s progress and the changes lawmakers make to its language, as well as other developments in consumer privacy laws, state and federal. Casting additional uncertainty over both the language of APRA and the work of the FTC in establishing privacy guidelines is the U.S. Supreme Court’s June 2024 landmark administrative law decision in Loper Bright Enterprises v. Raimondo, 603 U.S. ___ (2024). Loper Bright overruled the 40-year-old doctrine of judicial deference to agency interpretations established in Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984), on the grounds that it conflicts with the Administrative Procedure Act. Because APRA delegates much of its detail to FTC rulemaking and guidance, courts reviewing those rules would no longer defer to the agency’s reading of the statute.

We are available to assist in drafting website privacy policies consistent with the evolving requirements.

This Insight accurately reflects the provisions of the draft APRA bill as of June 25, 2024, and will be updated when and if the bill becomes law.