The American Privacy Rights Act: What You Need to Know

The American Privacy Rights Act (APRA) has recently taken a significant step forward in the U.S. legislative process. But wait! Don’t get your pAPRty hats out just yet; it’s just the beginning of a long journey.

What is the American Privacy Rights Act?

Cathy McMorris Rodgers, the Chair of the House Energy and Commerce Committee, and Maria Cantwell, the Chair of the Senate Commerce, Science, and Transportation Committee, both from Washington, crafted the American Privacy Rights Act. It proposes a broad range of new federal privacy regulations. These regulations would control how companies handle, store, secure, and distribute the personal information they gather from consumers, both directly and through other methods.

Key Provisions

  • Data Minimization and Purpose Limitation: Companies would be required to collect only the data necessary for specific, disclosed purposes and use it solely for those purposes.
  • Consumer Rights: Individuals would have the right to access, correct, delete, and transfer their personal data.
  • Privacy by Design: Organizations would need to incorporate privacy protections into their data processing activities from the outset.
  • Data Broker Regulations: Stricter rules would be placed on data brokers, including opt-out mechanisms and transparency requirements.
  • Enforcement and Penalties: The Federal Trade Commission (FTC) would be the primary enforcement agency, with the possibility of state attorneys general playing a role.

Recent Developments and Key Changes

The latest version of the APRA was released just 36 hours before the subcommittee’s markup session on May 23. This updated draft addresses concerns raised by various stakeholders while preserving the bill’s core principles. Here are some of the significant updates:

  1. Children’s Privacy

The Children and Teens’ Online Privacy Protection Act (COPPA 2.0) was merged into the bill under Title II. This inclusion extends protections to minors up to age 16 and bans targeted advertising to these individuals. However, there is criticism that the version included in APRA is not as robust as the standalone COPPA 2.0.

  2. Handling of Ads

The new draft clarifies concerns about advertising and what is permissible under the law. Definitions of contextual advertising, first-party advertising, and targeted advertising were either added or amended to balance the beneficial uses of ads with consumer privacy. For instance, the draft now allows “covered data collected over time and across websites” to be used in targeted advertising and specifically allows for measuring and reporting ads.

  3. Data Minimization

The new text adds a permissible purpose for public or peer-reviewed research projects to process and transfer covered data (and sensitive data with affirmative consent) if there is a public interest and the data handling conforms to applicable laws. This is a change from the previous draft, which permitted data transfer for scientific research only if the data had been de-identified.

  4. Small Businesses

The small business definition has been revised from a static dollar amount threshold to an adaptive one tied to the North American Industry Classification System Code 518210’s threshold for technology-related businesses. Additionally, small businesses can now transfer covered data for limited purposes such as billing and payment processing, and the requirement to delete or de-identify data within 90 days has been removed.

  5. Data Brokers

This section now includes a “delete my data” mechanism, requiring registered data brokers to delete all covered data they did not collect themselves when a consumer submits a request. This requirement aligns with the 2023 California Delete Act, which offers a similar mechanism.

  6. Consequential Decision Opt-Out

Individuals can opt out of having a business use a covered algorithm to make a consequential decision, opting instead for a human to make the decision. The original draft allowed individuals to opt out entirely. The revised approach considers technological impracticability and cost factors.

  7. Impact Assessments

The largest changes relate to impact assessments of covered algorithms. The new focus is on using “certified independent auditors” to conduct impact assessments resulting in reports to the entity, with an alternative option of submitting assessments to the National Telecommunications and Information Administration. The draft removes the original five delineated harms and replaces them with a new “consequential decision” definition.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Will APRA Apply to My Business?

APRA will not apply to all businesses. Like state privacy laws in the US, which have thresholds for applicability, the proposed federal privacy law also has criteria. It will apply to all businesses subject to Federal Trade Commission (FTC) oversight that meet the following conditions:

  • Have less than USD 40 million in annual revenue,
  • Process at least 200,000 individuals’ personal data, and
  • Do not sell any personal data.

What is Personal Data Under APRA?

Personal data is defined as any piece of information that could identify an individual. This includes obvious data categories such as name, Social Security Number, email address, or biometric data. It also includes data that could indirectly identify someone, such as purchase behavior or social media behavior.

The proposed law further defines a category of sensitive personal information. The definition is expansive, encompassing biometric and health data, private communications, intimate imagery, video viewing activities, national origin, religion or sex, credentials, and more.

Do We Need Consent for Data Collection?

Generally, consent is not required, but there are exceptions. Consent is required for the collection or transfer of biometric data and the transfer of any sensitive data. In all other cases, the law relies on the opt-out principle. Businesses can process data until the user opts out under the prescribed circumstances.

Do We Need a Privacy Policy Under APRA?

Under APRA, a privacy policy is required. It must contain essential elements required by other state consumer data privacy laws, such as the types of data processed, the reasons for processing, with whom it is shared, the data sold and to whom, consumer privacy rights, and more. APRA also requires data brokers to provide information about data transfers.

What Are the APRA Consumer Data Privacy Rights?

All consumers throughout the United States have the right to know, access, delete, and opt out, as well as the right to data portability. These rights already exist in some state laws but would be granted to all consumers nationwide under APRA. Businesses must designate methods for receiving and honoring these requests.

What is the Opt-Out Right Under APRA?

All U.S. consumers have the right to opt out of the sale of personal data or targeted advertising. The proposed comprehensive privacy legislation aims to promote the opt-out right on a federal level, ensuring its uniform application.

How Does APRA Regulate the Use of Algorithms That Process Personal Data?

If the processed data has any consequences for the consumer, such as employment or loan approval, the business must provide a notice with information about the use of the algorithm and the processing, including an opt-out mechanism. Large data holders using algorithms must conduct annual assessments of their algorithms.

APRA vs. American Data Privacy and Protection Act (ADPPA)

The proposed US privacy law on a federal level differs from the previous American Data Privacy and Protection Act (ADPPA) in scope and enforcement. If passed, APRA will be enforced by the FTC, whereas ADPPA’s enforcement remains unclear. APRA applies only to some businesses and protects consumers, while ADPPA has a broader scope, covering both for-profit and nonprofit organizations, and includes extensive protections for “sensitive covered data.”

APRA vs. General Data Protection Regulation (GDPR)

The APRA differs significantly from the GDPR, although they share many similarities. The major differences are:

  • The GDPR requires opt-in consent, whereas APRA requires only opt-out.
  • The GDPR applies to all businesses and protects data, while APRA applies only to some businesses and protects consumers.

Who Will Enforce the Comprehensive Federal Privacy Bill?

The Federal Trade Commission (FTC) is expected to enforce APRA. Future changes may alter the complex proposed enforcement mechanisms.

Preparing for APRA

Although the APRA has not yet been enacted, businesses should start familiarizing themselves with its provisions to ensure compliance once it becomes law. Key steps include:

  • Reviewing and updating privacy policies and data handling practices.
  • Implementing mechanisms to honor consumer data rights and opt-out requests.
  • Conducting data protection impact assessments, especially for algorithms and automated decision-making processes.
  • Establishing or enhancing data security measures to protect personal information.

The American Privacy Rights Act (APRA) represents a significant advancement in the legislative process toward establishing a comprehensive federal data privacy law in the United States.

While this progress is noteworthy, don’t get your pAPRty hats out just yet; it’s just the beginning of a long journey. For businesses, understanding the implications, compliance obligations, and consumer rights under APRA is crucial as we move closer to potentially the first-ever U.S. federal privacy law.
