Breaking Down the American Privacy Rights Act Discussion Draft

This analysis is based on breaking news and was updated on April 8. To connect with the author, please e-mail [email protected].

On April 7, House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.) and Senate Commerce Committee Chair Maria Cantwell (D-Wash.) released a discussion draft of a new proposal, the American Privacy Rights Act of 2024 (APRA) to achieve a comprehensive federal data privacy and security law.

This development is significant for two main reasons. First, the need for a comprehensive data privacy and security law is more important now than ever. The number of states passing their own privacy laws continues to increase, creating a patchwork of state privacy laws, each with their own compliance, red tape, and associated costs. Foreign adversaries continue to collect and exploit data against Americans, while most of us still lack even basic privacy protections despite rising data risks. Second, while the American Data Privacy and Protection Act (ADPPA) from the 117th Congress had strong support and passed House committee, Sen. Cantwell voiced her opposition to the legislation numerous times. It is noteworthy that both leaders have identified areas for agreement and introduced a new, comprehensive data privacy proposal.

The discussion draft of the APRA is largely based on the ADPPA, but it makes a number of significant changes. First, where the discussion draft and the ADPPA are similar: Both provide consumer privacy rights, rely on data minimization, have preemption, include a private right of action, allow for both federal and state enforcement, advance security measures, and provide for rulemaking by the Federal Trade Commission (FTC). However, there are also dozens of changes worth paying attention to:

• Preemption: This remains one of the most important features of a federal privacy proposal given the increasing number of state laws and the challenges with compliance, especially for small and medium-sized businesses. The APRA provides for preemption with an additional “purpose” section that states the bill is to “establish a uniform national data privacy and data security standard in the United States” and alters several of the provisions to help address concerns that the ADPPA might not have sufficiently preempted state-level laws.

• Algorithm Impact Assessments: The APRA requires impact assessments for covered algorithms when they pose a “consequential risk,” with five delineated categories for when they must be conducted. These include when they pertain to:
  • covered minors;
  • housing, education, employment, health care, insurance, or credit opportunities;
  • public accommodations based on protected characteristics;
  • disparate impacts based on race, color, religion, and sex; and
  • disparate impact based on political party registration.

On the other hand, the ADPPA provided for impact assessments of covered algorithms that “pose a consequential risk of harm,” but there were concerns with how broad the assessments could become without a definition, questioning whether it would limit innovation. The APRA also provides for a consequential decision opt-out mechanism, which pertains to a narrower class than those applying to impact assessments. In addition, design evaluations are a feature of both.

• Executive Responsibility: This is a modified section in the APRA where covered entities would be required to designate a qualified employee to serve as a privacy or data security officer, but it does not need to be a new hire or a standalone position. However, large data holders as defined in the bill (gross revenue over $250 million and surpassing thresholds for certain data on individuals or devices) would be required to have both roles and adhere to additional specific responsibilities.

• Predispute Arbitration Agreements: Both the APRA and the ADPPA contain provisions for agreements to arbitrate a dispute that did not arise at the time of making the agreement. Under the APRA, these would not be valid for minors or for claims resulting in “substantial privacy harms,” a new term in the proposed legislation that applies to other sections as well. It refers to an alleged financial harm of $10,000 or more, or a physical or mental harm that involves health-related treatment, physical injury, discrimination based on protected classes, and “highly offensive intrusion into the privacy expectations of a reasonable individual under the circumstances.” This section in the APRA is much broader than the ADPPA, but follows Sen. Cantwell’s long-standing support for the ability of individuals to go to court to rectify harms, if they desire. Under the same section (“enforcement by individuals”), there is also a change to require notice when an individual wishes to bring an action for actual damages in court.

• Data Brokers: Formerly called “third-party collecting entities” under the ADPPA, the new compromise in the APRA simply calls them data brokers. While the thresholds for being counted as one remain the same and the registry continues, there are new requirements like prohibited practices. Some abuses by data brokers have demonstrated negative aspects of the industry, but at the same time, not all data brokers are the same and some support legitimate needs.

• FTC Involvement: The FTC continues to have authority to provide guidance, rulemaking, and enforcement. A new aspect in the APRA requires the FTC to submit a plan to Congress on an annual basis around their policy priorities and project rulemaking proceedings, among other aspects, to ensure more oversight of the agency. The FTC is also required to end its far-reaching 2022 rulemaking on commercial surveillance and data privacy.

Other notable details in the APRA worth including: 

1. A carveout for nonprofits engaging in preventing fraud.
2. A revised small business definition to remove a percentage of revenue nexus to data exchanges.
3. Limiting state enforcement to only one agency in the event a state has multiple interested agencies.
4. New criteria for large data holders around portable connected devices.
5. Revised and additional categories of sensitive data.
6. Revised data minimization standards and the categories of permitted purposes for collection to 15 total, including a broader carveout for criminal activity.
7. Revised standards around minors.
8. A new privacy-enhancing technology pilot program that offers an incentive for participation.

This initial analysis is based upon a discussion draft. Congresswoman Rodgers and Sen. Cantwell should be applauded for their continued dedication to finding a solution to data privacy and security. R Street has long supported a federal comprehensive data privacy and security law and will monitor additional legislative activity as input from other legislators, civil society groups, industry, academics, and many others is taken into account as the American Privacy Rights Act moves forward.