This analysis is based on breaking news and was updated on April 8.

On April 7, House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.) and Senate Commerce Committee Chair Maria Cantwell (D-Wash.) released a discussion draft of a new proposal, the American Privacy Rights Act of 2024 (APRA), to achieve a comprehensive federal data privacy and security law.

This development is significant for two main reasons. First, the need for a comprehensive data privacy and security law is more important now than ever. The number of states passing their own privacy laws continues to increase, creating a patchwork of state privacy laws, each with its own compliance, red tape, and associated costs. Foreign adversaries continue to collect and exploit data against Americans, while most of us still lack even basic privacy protections despite rising data risks. Second, while the American Data Privacy and Protection Act (ADPPA) from the 117th Congress had strong support and passed House committee, Sen. Cantwell voiced her opposition to the legislation numerous times. It is noteworthy that both leaders have identified areas for agreement and introduced a new, comprehensive data privacy proposal.

The discussion draft of the APRA is largely based on the ADPPA, but it makes a number of significant changes. First, the similarities: both the discussion draft and the ADPPA provide consumer privacy rights, rely on data minimization, have preemption, include a private right of action, allow for both federal and state enforcement, advance security measures, and provide for rulemaking by the Federal Trade Commission (FTC). However, there are also dozens of changes worth paying attention to:

On the other hand, the ADPPA provided for impact assessments of covered algorithms that “pose a consequential risk of harm,” but there were concerns about how broad the assessments could become without a definition, raising the question of whether it would limit innovation. The APRA also provides for a consequential decision opt-out mechanism, which pertains to a narrower class than those applying to impact assessments. In addition, design evaluations are a feature of both.

Other notable details in the APRA worth including: 

  1. A carveout for nonprofits engaging in preventing fraud.
  2. A revised small business definition to remove a percentage of revenue nexus to data exchanges.
  3. Limiting state enforcement to only one agency in the event a state has multiple interested agencies.
  4. New criteria for large data holders around portable connected devices.
  5. Revised and additional categories of sensitive data.
  6. Revised data minimization standards and categories of permitted purposes for collection, now 15 total, including a broader carveout for criminal activity.
  7. Revised standards around minors.
  8. A new privacy-enhancing technology pilot program that offers an incentive for participation.

This initial analysis is based upon a discussion draft. Congresswoman Rodgers and Sen. Cantwell should be applauded for their continued dedication to finding a solution to data privacy and security. R Street has long supported a federal comprehensive data privacy and security law and will monitor additional legislative activity as input from other legislators, civil society groups, industry, academics, and many others is taken into account as the American Privacy Rights Act moves forward.
