AMERICAN PRIVACY RIGHTS ACT OF 2024: DECODING THE DRAFT LEGISLATION

INTRODUCTION:

On 7 April 2024, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell, D-Wash. unveiled a discussion draft of the American Privacy Rights Act (APRA). This bipartisan and bicameral draft law aims to set up a national standard for data privacy. The announcement signals a renewed effort to pass a federal data privacy law, which has been delayed for a long time.

The draft legislation is aimed at addressing the evolving challenges and concerns relating to data privacy in the digital era and persistent threat of misuse of personal data, thus providing greater control to consumers over their personal data. In this blog, we will unveil the key provisions of the draft legislation to understand its effectiveness in addressing the privacy issue of the consumers.  

APRA SUMMARY:

Section 1 of the bill contains the short title. It says that this Act may be cited as the ‘American Privacy Rights Act of 2024.’  

DEFINITIONS:

Section 2 contains numerous definitions, including definitions of the entities to which this bill will apply and those which are exempted. Some important terms that are defined under the bill are:

• Affirmative express consent: Section- 2(1) of the draft legislation states that the term ‘affirmative express consent’ means an individual’s clear and specific authorization for an act or practice, given in response to a request from a covered entity. The request must be provided to individual in a clear disclosure, include descriptions of the requested actions, and be written in easy-to-understand language. Also, entity must state about the specific categories of covered data that the covered entity shall collect, process, retain, or transfer to fulfill the request.

Furthermore, the individual must be informed of their rights related to consent, and the request must be accessible to individuals with disabilities and available in all relevant

languages. Importantly, consent cannot be inferred from inaction or continued use of a service or product.

• Collect; Collection: Section 2(3) of the draft bill says that the terms ‘‘collect and ‘‘collection’’ mean buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring covered data by any means.  

• Covered data: Section 2(9) of the draft bill states that ‘covered data’ refers to information that directly identifies or is connected to an individual or device. However, it does not include: (1) data that has been de-identified, (2) employee data, (3) publicly available information, (4) inferences drawn from multiple publicly available sources that don’t qualify as sensitive covered data and are not mixed with covered data, as well as information contained within library, archive, or museum collections, with certain restrictions.

• Covered entities: Covered entities are those entities that define the purpose and means of collecting, processing, retaining, or transferring covered data. Furthermore, Covered entities are also required to adhere to the regulations outlined in the Federal Trade Commission Act. However, exemptions apply to small businesses, governmental bodies, entities acting on behalf of governments, and other specifically defined organizations. This is similar to ‘controller’ under the General Data Protection Regulation (GDPR).

• Covered minor: This refers to an individual under the age of 17.

• Dark pattern: The term ‘‘dark patterns’’ means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.

• Sensitive covered data: Section 2(34) of the draft legislation defines ‘sensitive covered data’ as such data that includes government identifiers, health information, biometric information, genetic information, financial account and payment data, precise geolocation information, log-in credentials, private communications and other types of private information.

DATA MINIMIZATION AND TRANSPARENCY:

Section 3 provides that covered entities and service providers operating on their behalf would be prohibited from collecting, processing, retaining, or transferring data beyond what is necessary, proportionate, or limited to provide or maintain a product or service requested by an individual, or to provide a communication reasonably anticipated in the context of the relationship. Furthermore, it says that the covered entities would be able to use non-sensitive, covered data for targeted advertising only if individuals have not opted out.

Section 4 of the bill mandates that businesses would need to update their privacy policies to provide a variety of information, including categories of third parties and the names of any data brokers that receive covered data. Furthermore, businesses would need to notify users of any material changes before they occur and provide a means for consumers to opt out of the processing or transfer of such previously collected covered data pursuant to such material change.

THE RIGHTS OF THE INDIVIDUAL UNDER APRA:

Under Section 5 of the draft bill, individuals have extensive control over their covered data. Upon receiving a verified request from an individual, a covered entity must grant access, correction, deletion, and portability rights. This includes providing data in a readable format, disclosing recipients and purposes of transfer, allowing corrections and deletions, and facilitating data export. The first three requests are free, with specific time frames for completion. Verification of identity is required, with possible extensions and requests for additional information. However, exceptions exist to individual rights, including cases where verification isn’t possible or access to sensitive data of others is needed. Permissive exceptions may apply when compliance is impractical. The Commission can establish additional exceptions to protect rights and ease burdens on covered entities.

Furthermore, under Section 6, individuals have opt-out rights regarding their covered data. They can opt out of data transfers and targeted advertising. Additionally, it says that within two years, the Commission will establish regulations for a centralized opt-out mechanism, ensuring user-friendly interfaces and language accessibility.

DATA SECURITY MANDATES FOR COVERED ENTITIES:

Section 9 mandates that covered entities and service providers must establish reasonable data security practices to protect covered data. These practices should consider factors like entity size, data volume, and technological advancements. Specific requirements include vulnerability assessments, preventive/corrective actions, data disposal, retention schedules,

employee training, and incident response procedures. The Commission can issue technology-neutral regulations to enforce these standards.

EXECUTIVE RESPONSIBILITY:

Section 10 provides that covered entities must appoint at least one officer responsible for privacy or data security. Large data holders must designate separate officers for privacy and data security. Furthermore, these entities, along with the CEOs of large data holders, must annually certify to the FTC that they maintain internal controls and reporting structures in accordance with the APRA.

OBLIGATIONS OF SERVICE PROVIDERS AND THIRD PARTIES:

Section 11 outlines obligations for service providers and third parties regarding covered data. Service providers are required to strictly adhere to the instructions provided by covered entities regarding the collection, processing, retention, or transfer of service provider data. They must refrain from handling covered data if they are aware of any violation of the Act by the covered entity. Additionally, service providers are obligated to assist covered entities in responding to consumer rights requests and must provide necessary compliance information upon request.  

Furthermore, it says that contracts between covered entities and service providers must clearly outline data processing procedures, including instructions, purpose, data type, duration, and the rights and obligations of both parties. Importantly, these contracts cannot absolve either party of their obligations under the Act and must explicitly prohibit certain data processing practices. Third parties, on the other hand, are limited to processing, retaining, or transferring third-party data only for purposes specified by the covered entity. The bill mandates that due diligence is required when selecting service providers or transferring data to third parties.  

CIVIL RIGHTS AND ALGORITHMS:  

Section 13 of the draft bill addresses civil rights protections and mandates that algorithms of data processing should not be in a way that is discriminatory in nature. It prohibits discrimination in data processing based on certain characteristics such as race, colour, sex, religion or disability. However, exceptions include self-testing for discrimination prevention and marketing to underrepresented groups. It further provides that large data holders using algorithms posing harm risks must conduct impact assessments if there is a significant risk of harm to specific categories, such as minors, or concerning particular consequences, such as significant life events.

ENFORCEMENT OF THE APRA:

The APRA empowers the FTC, state attorneys general, and designated state officers to enforce it. It grants individuals the right to pursue legal action for damages, injunctive relief, and attorney fees. Court-ordered payments by entities would be offset by amounts received from similar actions by the FTC or state regulators.

The APRA includes a preemption provision to establish a uniform privacy and security standard nationwide, easing interstate business obligations. Exceptions to this provision include state-level consumer protection laws, civil rights laws, and laws related to employee privacy rights or protections. Additionally, exceptions are made for federal laws such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), among others, which include privacy and security regulations.

WHAT TO EXPECT NEXT?

The APRA faces hurdles ahead, but Representatives Rodgers and Senator Cantwell see it as a crucial step for national data privacy and security. If approved, it would take effect 180 days post-enactment, with the FTC evaluating its impact after four years. Meanwhile, as states pass privacy laws, covered businesses must stay alert.  

CONCLUSION:

The American Privacy Rights Act of 2024 (APRA) represents a significant stride towards establishing a comprehensive framework for data privacy and security at the national level. Despite facing challenges, the bipartisan effort led by Representatives Rodgers and Senator Cantwell underscores its importance. If enacted, the APRA could usher in a new era of consumer data protection, providing clarity and consistency in an increasingly digital world.