A new federal law on the horizon? A deep dive into the American Privacy Rights Act (APRA)

In April 2024, US legislators released a discussion draft of the American Privacy Rights Act (APRA). Building upon last year's American Data Privacy and Protection Act (ADPPA), which failed to pass, the APRA aims to become the first federal data privacy legislation in the United States. 


Breaking down the APRA

The APRA applies to “covered entities”: organizations with the purpose and means of collecting, processing, retaining, or transferring covered data, and that are subject to the FTC Act. 

However, entities that have less than $40 million in annual revenue, process the personal data of up to 200,000 individuals, and do not sell any personal data are exempt from the Act, an exemption that generally includes most small businesses. The APRA also does not apply to certain non-profits, public sector entities, and government service providers. 

Some of the key parts of the proposed law include:

  • Consumer rights: the ability to access, correct, delete, and export personal data. There are also provisions for opting out of data collection and targeted advertising.

  • Data security requirements: covered entities and service providers must implement reasonable security practices.

  • National registry of data brokers: to monitor their data management.

  • Designation of privacy officers: within all organizations.

  • Heightened protections for sensitive data: covering 18 categories, including biometrics, precise geolocation, private communications, and online activity.

  • Obligations for high-impact social media companies: data collected from users' online activities by social media companies that have annual revenue of at least $3 billion and whose platforms are primarily used for accessing or sharing user-generated content will be treated as sensitive data.

  • Enforcement mechanisms: a private right of action for individuals, FTC enforcement, and roles for state attorneys general.

  • Preemption: federal law will take precedence over conflicting state laws, with limited exceptions.

  • Exemptions for de-identified data: de-identified data is excluded from the definition of personal data under the APRA.


What are the concerns with the APRA?

While promising, the APRA has sparked debates around its potential implementation and effectiveness. 

One major issue is the right of action. There are worries that consumers may be forced into private arbitration, which could prevent class action lawsuits and limit the enforceability of consumer rights. 

Advocacy groups are also concerned about potential loopholes with data brokers that could undermine the privacy protections intended by the APRA. If government contractors are exempt, it could lead to broad interpretations that allow data brokers to sell sensitive information to the government without stringent oversight. For instance, Clearview AI previously claimed exemption from Illinois’ biometric law using a similar contractor exception.

As the sensitivity of data is often context-specific, the lack of nuance within the Act’s definition could impact its level of protection. While the APRA lists 18 categories of sensitive data, it does not include other sensitive categories such as immigration status, union membership, and employment history. 

The exceptions for biometric information and loyalty programs also raise red flags. The current definition of biometric information may not cover data used for sentiment, demographic, and emotion analysis. 

Also, loyalty programs - which can sell data with opt-in consent - create a disparity where privacy becomes a commodity, which may disproportionately affect lower-income consumers.

The pre-emption factor also raises tensions between federal and state regulations: if a state law conflicts with the APRA, the federal law will take precedence. Although the current form of pre-emption appears relatively limited, its full implications remain unclear. It could prevent stronger future regulations from being enacted and undermine existing robust state privacy laws - a concern recently highlighted by the California Privacy Protection Agency. 


Impact on data privacy in the US and global harmonization

While there are still several challenges the Act will need to address, a federal privacy Act could still have a wide-scale positive impact, enhancing consumer trust and providing legal clarity for businesses across the nation. A unified legal framework simplifies the US legal landscape and gives equal protection for consumers across states. 

The law could also help the US align with other global privacy standards, particularly the GDPR. Following data privacy battles around EU-US data transfers and the invalidation of Privacy Shield, a robust US federal privacy law could reassure European regulators about data protection in the US, and ease operations for multinational organizations. By aligning privacy standards, especially around data minimization and consumer rights, the law could both reduce barriers for European companies and push US companies to enhance privacy measures.


While the APRA introduces significant provisions for data security, consumer rights, and enforcement, there are still many unknowns and potential weaknesses that need to be addressed. Despite these uncertainties, businesses and security professionals must prepare for its potential impact and align with emerging federal privacy standards. Proactive preparation will help ensure compliance and safeguard consumer trust in a rapidly evolving privacy landscape.

