Proposed American Privacy Rights Act seeks to establish a comprehensive national framework for data privacy

Proposed American Privacy Rights Act of 2024 seeks to establish national consumer data privacy rights, govern Artificial Intelligence and automated decision-making, impose additional obligations on high-impact social media companies and large data holders, supersede state privacy laws, and allow private right of action.

On April 7, US House of Representatives member Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA) released a draft of an unexpected bipartisan, bicameral federal privacy bill (the American Privacy Rights Act, or “APRA”), aimed at “put[ting] people in control of their own personal data” and “eliminat[ing] the patchwork of state laws by setting one national privacy standard.”¹ If adopted, the APRA would have broad preemptive effect over many provisions of state-level data privacy laws.²  While there is still a long road ahead, the draft was positively discussed in a legislative hearing on April 17, leaving many hopeful it will get passed.³

The APRA applies to businesses subject to the authority of the Federal Trade Commission (“FTC”), common carriers, and nonprofits (together, “Covered Entities”⁴), along with businesses that process covered data⁵ on behalf of or at the direction of Covered Entities (“Service Providers”⁶). The APRA would impose obligations on Covered Entities and Service Providers to minimize processing of covered data⁷ and apply reasonable data security measures.⁸ The APRA also seeks to impose heightened obligations on high-impact social media companies and large data holders.

Additionally, the APRA seeks to create uniform data privacy rights for all persons residing in the US.⁹ These rights include the rights to opt out of targeted advertising¹⁰ and to view, correct, export or delete their data.¹¹ In trend with Europe’s data protection laws (the General Data Protection Regulation (“GDPR”) and Digital Services Act (“DSA”)) and some state privacy laws (e.g., the California Consumer Privacy Act (“CCPA”)), the APRA also requires Covered Entities and Service Providers to provide increased transparency by mandating the inclusion of specific information on data processing, retention, transfers to third parties, security practices, and consumers’ rights in their public facing privacy policies.¹² The text of the APRA is not yet final.

The APRA Seeks to Impose Heightened Obligations on High-Impact Social Media Companies and Large Data Holders

Along with the obligations the APRA would impose on Covered Entities and Service Providers, the APRA would impose additional obligations on high-impact social media companies and large data holders.

The APRA defines a “high-impact social media company” as a Covered Entity that provides an internet-accessible platform where:

• the entity generates at least USD 3 billion in global annual revenue (which includes revenues of the entity’s affiliates);
• the entity has a platform with at least 300 million global monthly active users (for at least 3 of the preceding 12 months); and
• such platform is primarily used by individuals to access or share user-generated content.¹³

If a platform is designated a high-impact social media company, the data it collects from its users’ online activities will be treated as sensitive data even without cross-site tracking.¹⁴ As a result, the APRA’s prohibition on transfers of sensitive data to third parties without affirmative express consent may inhibit the ability of such platforms to use first party data on its users’ online activities for targeted advertising.¹⁵

The APRA also seeks to impose heightened transparency obligations on “large data holders,” defined as Covered Entities or Service Providers that had a gross revenue of at least USD 250 million in the most recent calendar year and collected, processed, retained or transferred:

• the covered data of over 5 million individuals; 15 million portable devices that identify, or are linked or reasonably linkable to one or more individuals; and 35 million connected devices that identify, or are linked or reasonably linkable to one or more individuals; or
• the sensitive data of over 200 thousand individuals; 300 thousand portable devices that identify, or are linked or reasonably linkable to one or more individuals; and 700 thousand connected devices that identify, or are linked or reasonably linkable to one or more individuals.¹⁶

The APRA would require large data holders, among other obligations, to:

• retain and publish on their websites copies of each version of their privacy policy for at least the previous 10 years;¹⁷
• make publicly available on their websites a log that describes the date and nature of each material change to their privacy policy during such 10-year period in a manner that is sufficient for a reasonable individual to understand the effect of each material change;¹⁸ and
• provide a short-form notice (500 words or less) of their covered data practices that is concise, clear, readily accessible, and includes an overview of individual rights.¹⁹

The APRA Seeks to Regulate Automated Decision-Making

The APRA’s enactment will have implications for Artificial Intelligence (“AI”). For example, the data minimization requirement under the APRA²⁰ could affect the development of AI by restricting the volume of data available to AI developers for model training.

The APRA also makes two specific references to AI. The first reference is in the context of preemption: the APRA specifies that it will not preempt state criminal laws on intimate images, including those generated by AI.²¹

The second reference is in the context of “covered algorithms,” which the APRA defines as computational processes (including those derived from AI techniques) that make a decision or facilitate human decision-making by using covered data, which includes “determining the provision of products or services or ranking, ordering, promoting, recommending, amplifying, or similarly determining the delivery or display of information to an individual.”²² Entities using covered algorithms would be subject to several obligations under the APRA, including (i) design evaluation to reduce the risk of the potential harms;²³ (ii) impact assessment;²⁴ and (iii) providing notice and an opportunity to opt out if a covered algorithm is used for “consequential decisions” (i.e., decisions relating to an individual’s access to or equal enjoyment of housing, employment, education enrollment or opportunity, healthcare, insurance, credit, or place of public accommodation).²⁵

New Private Right of Action for Statutory Violations

While the APRA would be enforced by the FTC and state attorneys general,²⁶ it would also give consumers a novel right to enforce the law by filing a civil suit against entities that violate their rights under the APRA.²⁷ In a civil suit, consumers could seek damages, injunctive or declaratory relief, and reasonable legal and litigation costs.²⁸ Specifically, individuals could bring a civil action for, among others, violations relating to data minimization, transparency, individual control over covered data, opt out rights, interference with consumer rights, retaliation for exercising their rights under the APRA, and data security practices.²⁹

The APRA would also place limitations on the enforceability of consumer arbitration agreements. Specifically, the APRA provides that arbitration agreements are not enforceable if an individual’s claims allege (i) a violation involving a minor (i.e., under 18); or (ii) substantial privacy harm.³⁰ Substantial privacy harm is considered (i) financial harm greater than $10,000; (ii) physical or mental harm that involves treatment of a physical injury; (iii) a highly offensive intrusion on a consumer’s privacy expectations; or (iv) discrimination on the basis of race, color, religion, national origin, sex or disability.³¹ If any of these allegations are present, consumers would not be forced to arbitrate their issues and could instead pursue the claims through litigation.³²

Before suing to recover actual damages (unless there is a substantial privacy harm alleged), consumers would need to provide an entity with written notice.³³ Entities would also be given a chance to cure any violations in actions requesting injunctive relief.³⁴ These provisions may allow businesses to mitigate their liability exposure by quickly acting to address consumer privacy complaints.

State Laws Will Be Preempted

The APRA states that its purposes are to “establish a uniform national data privacy and data security standard”³⁵ and “expressly preempt laws of a State or political subdivision.”³⁶ Under the APRA, subject to limited exceptions, no state could adopt, maintain or enforce any law, regulation, rule or requirement covered or promulgated by the APRA.

The APRA clarifies that certain state laws or provisions would be exempt from preemption, for example: (i) consumer protection laws of general applicability; (ii) civil rights laws; (iii) provisions that address (a) the privacy rights or other protections of employees or students, or (b) notification requirements in the event of a data breach; (iv) contract or tort law; (v) certain criminal and civil laws (e.g., on blackmail, cyberbullying, child abuse); (vi) public safety laws; and (vii) laws that protect the privacy of health information.³⁷

The APRA also provides specific carve outs that would allow a consumer to file suit under the APRA whilst also recovering statutory damages consistent with the Illinois Biometric Information Privacy Act and Genetic Information Privacy Act (if the action involves a violation of affirmative express consent provisions),³⁸ as well as section 1798.150 of the California Civil Code (i.e., the California Consumer Privacy Act) if the action relates to a data breach.³⁹

Key Takeaways

• Broad and preemptive – If passed, the APRA, for the first time, will provide Americans with sweeping federal privacy protections. The APRA will also supersede the state-by-state patchwork of privacy legislation that businesses have become accustomed to, ushering in a new comprehensive and consistent approach with heightened data security and privacy obligations.
• Imposes heightened obligations on high-impact social media companies and large data holders – The APRA requires high-impact social media companies to treat first party browsing data with heightened sensitivity not required of other covered entities. It also imposes stricter transparency obligations on large data holders.
• Regulates some aspects of AI – With the advancement of AI technology at the forefront of discussion at the executive and legislative levels, the APRA establishes statutory obligations for entities utilizing “covered algorithms” (i.e., automated decision-making). These new obligations require that such entities design and assess the impact of their models to minimize the risk of potential harms.
• Provides for a private right of action – The APRA has considerable teeth as the law will be enforceable by not only the FTC and state regulators, but also by everyday citizens who may file suit for perceived violations. The private right of action has proven to be a considerable sticking point in comprehensive data privacy legislation in the US to date. Nonetheless, if passed, businesses may face considerably increased liability exposure.

^{1 See the House Committee on Energy and Commerce’s press release regarding the APRA here: https://energycommerce.house.gov/posts/committee-chairs-rodgers-cantwell-unveil-historic-draft-comprehensive-data-privacy-legislation
2 APRA, Sec. 20(a).
3 Duball, J. (2024, April 17). US House Subcommittee Kicks Off Draft American Privacy Rights Act Consideration. International Association of Privacy Professionals. Available at: https://iapp.org/news/a/us-house-subcommittee-kicks-off-draft-american-privacy-rights-act-consideration/
4 APRA, Sec. 2(10).
5 “Covered data” includes information that identifies, is linked, or is reasonably linked to an individual, including sensitive data such as: government identifiers; health, biometric and genetic information; financial information and credentials; precise geolocation information; private communications; log-in credentials for accounts or devices; nude or lewd photographs or videos; information revealing an individual’s race, ethnicity, national origin, religion, sex, or sexual behavior “in a manner inconsistent with the individual’s reasonable expectation regarding disclosure of such information”; information revealing an individual’s online activities over time and across third party websites, or over time on a high-impact social media site; data about minors; and other data the FTC defines as sensitive. Notably, the scope of “sensitive data” under the APRA is broader than that of Europe’s General Data Protection Regulation. See APRA, Sec. 2(9).
6 APRA, Sec. 2(35).
7 APRA, Sec. 3.
8 APRA, Sec. 9.
9 APRA, Sec. 20(a)(1)(A).
10 APRA, Sec. 6(a)(2).
11 APRA, Sec. 5(a).
12 APRA, Sec. 4. Specifically, the APRA requires that a privacy policy include, at minimum: contact information for the provider and any affiliates to which it may transfer data; the categories of data processed by the provider and the purpose(s) of processing for each such category; information on any transfers to third parties (including data brokers) and the purpose(s) of such transfers; details on data retention practices; a “prominent description” of how an individual can exercise the rights granted to them in sections 5 and 6 of the APRA; a general description of the provider’s data security practices; the effective date of the privacy policy; and whether any covered data is transferred to, processed in, retained in, or otherwise accessible to a foreign adversary. A privacy policy must also be made available in an accessible language and in a manner that is reasonably accessible to and usable by individuals with disabilities.
13 APRA, Sec. 2(11).
14 APRA, Sec. 2(34)(A)(xv).
15 Under the APRA, users must provide “affirmative express consent” (i.e., they must opt-in) to allow transfers of sensitive data to third parties. APRA, Sec. 3(b)(1)).
16 APRA, Sec. 2(25). The APRA excludes from the definition of “large data holders” the entities that collect, process, retain or transfer to a service provider (i) personal mailing or email addresses; (ii) personal telephone numbers; (iii) log-in information of an individual; (iv) if a covered entity is a seller of goods or services, credit, debit, or mobile payment information strictly necessary to initiate, render, bill for, finalize, complete, or otherwise facilitate payments for goods or services.
17 APRA, Sec. 4(f)(1)(A).
18 APRA, Sec. 4(f)(1)(B).
19 APRA, Sec. 4(f)(2).
20 APRA, Sec. 3.
21 APRA, Sec. 20(1)(3)(H)(iv).
22 APRA, Sec. 2(8).
23 Potential harms specifically mentioned in the APRA include discrimination, restrictions on the use of housing, education, employment, healthcare, insurance, or credit opportunities, harm relating to access to and use of a public accommodation, harm to “covered minors” (i.e., individuals under 17), and disparate impact based on political party registration. See APRA, Sec. 13(c)(2).
24 APRA, Sec. 13(c)(2).
25 APRA, Sec. 14.
26 APRA, Sec. 17, Sec. 18.
27 APRA, Sec. 19.
28 APRA, Sec. 19(a)(2).
29 APRA, Sec. 19(a)(1).
30 APRA, Sec. 19(d).
31 APRA, Sec. 2(38).
32 APRA, Sec. 19(d).
33 APRA, Sec. 19(c).
34 APRA, Sec. 19(b).
35 APRA, Sec. 20(a)(1)(A).
36 APRA, Sec. 20(a)(1)(B).
37 APRA, Sec. 20(a)(3).
38 APRA, Sec. 19(a)(2)(B).
39 APRA, Sec. 19(a)(2)(C).}

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2024 White & Case LLP}