The updated text of the American Privacy Rights Act (APRA) discussion draft was released on Tuesday evening, just 36 hours before a pivotal markup in the Innovation, Data, and Commerce Subcommittee of the House Energy and Commerce Committee on May 23. The markup will signal where members stand on the bill and could result in further changes. The original APRA text released by House Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash.) and Senate Commerce Committee Chair Maria Cantwell (D-Wash.) received mixed support from external parties but general support from members of Congress in the subcommittee hearing. The discussion draft was structurally based on the 117th Congress’s American Data Privacy and Protection Act (ADPPA) with several departures.

The latest version seeks to address concerns raised by various stakeholders while preserving the bill’s core principles, along with the delicate compromise reached between Rodgers and Cantwell. While there are many changes, several are worth following before Thursday.

1. Children’s Privacy. The Children and Teens’ Online Privacy Protection Act (COPPA 2.0) was merged into the bill under Title II. In recent years, there has been a continued push for children’s privacy legislation. Adding COPPA 2.0 into the bill could be a strategy to broaden support, especially in the Senate, where the bill was first introduced by Sens. Bill Cassidy (R-La.) and Ed Markey (D-Mass.), and in the House, where Rep. Frank Pallone (D-N.J.) voiced support for more children’s privacy provisions. R Street has advocated that the logical approach to protecting Americans’ privacy is for Congress to pass a comprehensive data privacy and security law, which would protect all Americans, including children. However, R Street has had concerns with aspects of children-specific legislation, such as the Kids Online Safety Act (KOSA). Notably, KOSA is also slated for consideration at the same markup.

2. Handling of Ads. A major concern with the original draft was advertising, specifically uncertainty about what was and was not permitted, which the new language seeks to clarify. At a high level, advertising definitions are revised in the draft to aim for a better balance between beneficial uses of ads and consumer privacy, although this is one section we should continue to analyze closely. For example, the permitted purpose allowing covered data (except sensitive data) to be used for targeted advertising now allows “covered data collected over time and across websites” to also be used in targeted advertising. It also allows specifically for measuring and reporting ads. The definitions of contextual advertising, first-party advertising, and targeted advertising were either added or amended.

3. Data Minimization. The new text adds a permissible purpose for public or peer-reviewed research projects to process and transfer covered data (and sensitive data with affirmative consent) if there is a public interest and the data handling conforms to applicable laws. In the discussion draft, transferring data for scientific research was permitted only if the covered data had been de-identified. The updated version also changes the applicability to service providers to convey that they are not covered by the section.

4. Small Businesses. The small business definition was revised from a static dollar amount threshold to be more adaptive by attaching it to North American Industry Classification System Code 518210’s threshold for technology-related businesses. The definition also relaxed the exclusion that would not allow small businesses to transfer covered data to a third party in exchange for revenue or anything of value. Small businesses can now transfer covered data for limited purposes, such as billing and payment processing, and the draft removes a prior requirement for data held to be deleted or de-identified within 90 days.

5. Data Brokers. This section now includes a “delete my data” mechanism, which would result in registered data brokers deleting all covered data that they did not collect themselves when a consumer submits a request. This requirement was included in the ADPPA but was omitted from the APRA’s discussion draft, which had only a “do not collect” request. Similarly, in 2023, California passed the “California Delete Act,” which offers a comparable mechanism.

6. Consequential Decision Opt Out. Individuals can opt out of a business using a covered algorithm to make a consequential decision and instead have it made by a human; originally, individuals could opt out entirely. The provision takes technological impracticability and cost factors into account when a business does not comply with a user’s opt-out request.

7. Impact Assessments. Some of the largest changes are related to impact assessments of covered algorithms. Some would still prefer to see these provisions remain out entirely and considered in light of any action on artificial intelligence, given the additional requirements it would place on industry. The new focus is on the use of “certified independent auditors” to conduct an impact assessment that results in a report to the entity, with an alternative being the entity submitting its own assessments to the National Telecommunications and Information Administration. Originally, reports went to the Federal Trade Commission. Notably, the five delineated harms in the original draft for conducting assessments (including two that considered “disparate impact”) are removed and replaced with a new “consequential decision” definition. Similar changes are seen with algorithm design evaluations.

The subcommittee markup is progress toward passing a long-needed comprehensive federal data privacy and security law. However, there will still be a long path forward from full committee consideration to full House and Senate consideration. That process will likely result in additional changes to the text, and R Street is looking forward to continuing to work with the sponsors. Undoubtedly, there will be praise and continued concerns around the text. However, if a federal privacy law ever has the hope of passing, it will require compromise and movement by all to optimally balance the needs of consumers, innovation and industry, and security.
