Understanding the American Privacy Rights Act (APRA) Bill: Key Insights for Lawyers
Image created by DALL-E in response to the prompt "digital privacy law for the United States"
This week saw movement in regard to the American Privacy Rights Act (APRA)—quite possibly our best hope for a unified federal data privacy law—from the Energy and Commerce subcommittee (House) to the Committee on Commerce, Science, and Transportation (Senate) on May 23, 2024. As digital landscapes evolve, the need for comprehensive federal privacy legislation has never been more critical. The introduction of the American Privacy Rights Act (APRA), a bipartisan and bicameral bill, signifies a major stride toward robust national privacy standards. It also represents a significant shift towards a more regulated digital economy. For lawyers, understanding the nuances of APRA is crucial—not only to ensure compliance but also to safeguard the interests of our clients in a landscape that values privacy more than ever.
Background on APRA
APRA was proposed by Representative Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA). The bill aims to establish uniform data privacy rights across the United States, effectively creating the nation's first comprehensive federal data privacy law. As of its latest status, APRA is under active discussion in Congress, emphasizing its potential to replace the patchwork of state privacy laws with a unified federal standard.
Scope and Application
APRA, which borrows heavily from the language of the American Data Privacy and Protection Act (ADPPA),[1] casts a wide net, regulating entities under the FTC's jurisdiction. This includes common carriers and certain nonprofits, applying to both "covered data" and "sensitive covered data." Covered entities under the Bill include most individuals, commercial entities, and nonprofit companies that “determine the purposes and means of collecting, processing, and retaining or transferring covered data,” whether they determine these issues alone or with others.[2] Small businesses are exempt under this definition. Covered data is defined as information that “identifies or is linked or reasonably linkable” to an individual.[3] Sensitive covered data has additional protections. It is defined as items such as government-issued identifiers, genetic information, health information, financial information, precise geolocation information, and information about an individual under the age of 17. However, the FTC would have the authority to expand the categories of sensitive covered data.[4]
Consumer Rights and Entity Obligations
A cornerstone of APRA is the enhancement of consumer rights. Entities are required to adhere to principles of data minimization, ensuring data collection and processing are necessary and proportionate to the services provided. Legal advisors need to ensure that their clients' data practices align with these requirements, especially in obtaining explicit consent for sensitive data processing.
Interaction with COPPA
While the American Privacy Rights Act (APRA) sets broad privacy standards, it does not directly amend or integrate the Children’s Online Privacy Protection Act (COPPA)[5], which specifically protects children under 13 from privacy breaches online. Instead, APRA maintains that entities must remain compliant with COPPA when dealing with children's data, ensuring that no provisions within APRA exempt entities from the existing obligations of COPPA. In other words, APRA’s protections should bolster those in COPPA, and entities must comply with both. This alignment underscores the continued importance of COPPA's stringent requirements for parental consent and data handling for children's information in the digital age.
Enforcement and Penalties
There are multiple enforcement mechanisms under APRA:
Federal Trade Commission (FTC): the FTC would have authority to oversee and enforce APRA’s provisions. This includes issuing regulations, conducting investigations, and imposing penalties.
State Attorneys General: would be entitled to initiate civil actions, seek civil penalties, and recover damages and legal fees for residents affected by violations of APRA. They are required to notify the FTC before commencing actions, fostering a coordinated enforcement approach.
Private Right of Action: APRA would give individuals who have been injured the right to sue directly for certain privacy violations, particularly those involving substantial privacy harm. Remedies include injunctive relief and damages.
Privacy in the Age of Technology
APRA addresses modern challenges by requiring entities to conduct impact assessments for algorithms that might affect consumer rights significantly. As lawyers and legal professionals, we must be prepared to guide our clients through these assessments, ensuring that algorithms do not result in unintended discrimination or privacy breaches.[6]
Conclusion
Although this bill is not yet law, it provides an indication of what we can likely expect from the federal government in regard to a comprehensive framework of digital privacy laws. We will update this information as appropriate.
For further information, check out these sites:
The American Privacy Rights Act DRAFT
Id.
Id.
The Children's Online Privacy Protection Act (COPPA) was passed on October 21, 1998, and it took effect on April 21, 2000. This law was passed to protect children's privacy online, especially the collection of personal information from children under 13 years of age without parental consent. https://www.ftc.gov/business-guidance/privacy-security/childrens-privacy
If this law passes we will publish an article regarding how to accomplish this.