The American Privacy Rights Act of 2024 (APRA)



What is the American Privacy Rights Act of 2024 (APRA)?

The American Privacy Rights Act of 2024 (APRA) is a proposed federal data privacy law that makes privacy a consumer right, and gives consumers the ability to enforce that right. The bipartisan proposal was introduced in April 2024 by Senator Maria Cantwell (D-WA), and Representative Cathy McMorris Rodgers (R-WA).

APRA sets clear, national data privacy rights and protections for Americans, eliminates the existing patchwork of state comprehensive data privacy laws, and establishes robust enforcement mechanisms to hold violators accountable, including a private right of action for individuals.

There are opportunities for experts with Sarbanes-Oxley knowledge and experience.

According to Section 10. Executive Responsibility:

(B) ANNUAL CERTIFICATION.—

(i) IN GENERAL.— Beginning 1 year after the date of enactment of this Act, the chief executive officer of a large data holder (or, if the large data holder does not have a chief executive officer, the highest ranking officer of the large data holder) and each privacy officer and data security officer of such large data holder designated under subparagraph (A) shall annually certify to the Commission, in a manner specified by the Commission, that the large data holder maintains:

(I) internal controls reasonably designed to comply with this Act; and

(II) internal reporting structures (as described in subparagraph (C)) to ensure that such certifying officers are involved in, and responsible for, decisions that impact compliance by the large data holder with this Act.

(ii) REQUIREMENTS. A certification submitted under clause (i) shall be based on a review of the effectiveness of a large data holder’s internal controls and reporting structures that is conducted by the certifying officers not more than 90 days before the submission of the certification.


The EU's General Data Protection Regulation (GDPR) and the American Privacy Rights Act of 2024 (APRA)

The EU's General Data Protection Regulation (GDPR) represents a significant milestone in the harmonization of data protection laws across the European Union (EU). Before its implementation, the landscape of data protection in Europe was marked by a patchwork of national laws, each with its own specific requirements and standards. This fragmented regulatory environment posed several challenges for both businesses and individuals.

Following the introduction of the GDPR, the lack of a comparable US federal regulation has led many states to enact (or to plan to enact) their own data privacy protection laws. The challenges associated with complying with this patchwork of state laws have led to the need for a single US federal standard.


In both legal acts there are significant extraterritorial implications:

The GDPR applies to all organizations processing personal data of individuals residing in the EU, regardless of where the organization is based. It applies to organizations outside the EU if they offer goods or services to, or monitor the behavior of, EU residents.

The APRA also has extraterritorial implications if a non-U.S. entity processes personal data of U.S. residents, similar to the GDPR.


Both regulations emphasize similar core principles such as:

1. Data Minimization: Collect only the data necessary for a specific purpose.

2. Purpose Limitation: Use data only for the purposes explicitly stated at the time of collection.

3. Transparency: Inform individuals about data collection practices and purposes.

4. Security: Implement appropriate security measures to protect personal data.


Both GDPR and APRA provide individuals with rights over their personal data, including:

1. Right to Access: Individuals can request access to their personal data held by organizations.

2. Right to Rectification: Individuals can correct inaccurate or incomplete data.

3. Right to Erasure (Right to be Forgotten): Individuals can request the deletion of their personal data under certain conditions.

4. Right to Data Portability: Individuals can obtain and reuse their personal data across different services.

Data protection equivalence in the EU refers to the recognition that a non-EU country provides an adequate level of data protection comparable to that offered within the European Union. When a country is deemed to have "adequate" data protection standards, personal data can flow freely between the EU and that country without additional safeguards.

In the EU, the European Commission is responsible for assessing and deciding whether a non-EU country, a territory, or a specific sector within a country ensures an adequate level of data protection. The European Commission will assess whether APRA provides protections that are "essentially equivalent" to those in GDPR. This includes not only the rights provided but also how they are enforced and the remedies available to individuals.


Understanding the American Privacy Rights Act of 2024 (APRA).

We must start with some important definitions:

Covered entity is any entity that determines the purpose and means of collecting, processing, retaining, or transferring covered data and is subject to the FTC Act, including common carriers and certain nonprofits. Small businesses, governments, entities working on behalf of governments, the National Center for Missing and Exploited Children (NCMEC), and, except for data security obligations, fraud-fighting non-profits are excluded.

Covered data is information that identifies or is linked or reasonably linkable to an individual or device. It does not include de-identified data, employee data, publicly available information, inferences made from multiple sources of publicly available information that do not meet the definition of sensitive covered data and are not combined with covered data, and information in a library, archive, or museum collection subject to specific limitations.

Publicly available information is information that has lawfully been made available to the general public. It does not include derived data that reveals sensitive covered data, biometric or genetic information, covered data combined with publicly available information, or obscene or nonconsensual intimate images.

Sensitive covered data is a subset of covered data that includes government identifiers; health information; biometric information; genetic information; financial account and payment data; precise geolocation information; log-in credentials; private communications; information revealing sexual behavior; calendar or address book data, phone logs, photos and recordings for private use; any medium showing a naked or private area of an individual; video programming viewing information; an individual’s race, ethnicity, national origin, religion, or sex, in a manner inconsistent with a reasonable expectation of disclosure; online activities over time and across third party websites, or over time on a high-impact social media site; information about a covered minor; and other data the FTC defines as sensitive covered data by rule.

Large data holders are covered entities that have $250,000,000 or more in annual revenue; collect, process, retain, or transfer the covered data of more than 5,000,000 individuals (or 15,000,000 portable devices or 35,000,000 connected devices that are linkable to an individual) or the sensitive data of more than 200,000 individuals (or 300,000 portable devices or 700,000 connected devices).

Small businesses are businesses that have $40,000,000 or less in annual revenue; collect, process, retain, or transfer the covered data of 200,000 or fewer individuals (not including credit card swipe and other transient data); and do not earn revenue from the transfer of covered data to third parties. Small businesses are exempt from the requirements of the Act.

Targeted advertising is displaying an online advertisement based on known or predicted preferences or interests associated with an individual or device identified by a unique identifier. It does not include advertisements in response to an individual’s specific request for information; first-party advertising; contextual advertising; or processing data for measurement.


Understanding Data Minimization in the proposed American Privacy Rights Act of 2024 (APRA).

1. Covered entities and service providers operating on their behalf shall not collect, process, retain, or transfer data beyond what is necessary, proportionate, or limited to provide or maintain a product or service requested by an individual, or provide a communication reasonably anticipated in the context of the relationship, or a permitted purpose.

2. A covered entity cannot collect or transfer to a third party biometric or genetic information without the individual’s affirmative express consent, unless expressly allowed by a stated permitted purpose. There are strict retention limitations on biometric and genetic information.

3. A covered entity cannot transfer sensitive data to a third party without the individual’s affirmative express consent, unless expressly allowed by a stated permitted purpose.

4. Permitted purposes include protecting data security; complying with legal obligations; effectuating a product recall or fulfilling a warranty; conducting market research (which requires affirmative express consent for consumer participation); de-identifying data for use in product improvement and research; preventing fraud and harassment; responding to ongoing or imminent security incidents or public safety incidents; processing previously collected nonsensitive covered data for advertising.

5. Permitted purposes are narrower for the collection and transfer of biometric and genetic information.

6. The FTC shall issue guidance regarding what is reasonably necessary and proportionate to comply with data minimization under this Act.

7. Nothing in the Act shall be construed to diminish First Amendment freedoms.


Understanding Transparency in the proposed American Privacy Rights Act of 2024 (APRA).

1. Covered entities and service providers must have publicly available privacy policies detailing their data privacy and security practices.

2. The privacy policies must identify the entity; disclose the categories of data collected, processed, or retained; the purposes for the data processing; the categories of service providers and third parties to which data is transferred; the name of any data brokers to which data is transferred; the length of time data is retained; data security practices; and the effective date of the privacy policy.

3. Privacy policies must prominently describe how consumers can exercise their individual controls and opt-out rights. The policy must be accessible in multiple languages and to people with disabilities.

4. When a covered entity makes a material change to its policy, it must provide advanced notice and means to opt out of the processing or transfer of previously collected data.

5. Large data holders are subject to additional requirements pursuant to retaining and publishing their privacy policies from the past 10 years and also provide a short-form notice of their policies.


Understanding Consumer Controls Over Covered Data in the proposed American Privacy Rights Act of 2024 (APRA).

1. After submitting a verifiable request, consumers have the right to access their covered data that is collected, processed, or retained by a covered entity and to know the name of any third party or service provider to which the data was transferred and the purpose of the transfer.

2. Upon a verified request, a covered entity must correct inaccurate or incomplete covered data with respect to an individual.

3. Upon a verified request, a covered entity must delete the covered data of an individual.

4. Upon a verified request, a covered entity must export covered data pertaining to an individual to the extent technically feasible.

5. Covered entities must comply with individual control rights within specified timeframes, and large data holders must report metrics related to the requests they process.

6. Covered entities must ensure that rights are accessible to individuals living with disabilities and available in any language in which the entity provides a product or service.

7. The FTC is directed to issue guidance for this section.

8. Covered entities shall deny an individual’s request if it would require access to data about another individual; interfere with lawful legal process; violate another law; and other exceptions.

9. Covered entities may deny an individual’s request if the request would be demonstrably impossible; would require deleting data necessary to perform a contract; would require the release of trade secrets; or would prevent the maintenance of a confidential record of opt-out rights. The FTC may promulgate rules to expand the situations where an entity may deny a request.


Understanding Opt-Out Rights and the Centralized Opt-Out Mechanism in the proposed American Privacy Rights Act of 2024 (APRA).

1. A consumer has the right to opt out of the transfer of non-sensitive covered data.

2. A consumer has the right to opt out of the use of their personal information for targeted advertising.

3. The FTC is directed to issue regulations to establish the requirements and technical specifications for a centralized mechanism for individuals to exercise the opt-out rights.


More about the proposed American Privacy Rights Act of 2024 (APRA).

INTERFERENCE WITH CONSUMER RIGHTS:

1. Covered entities are prohibited from using dark patterns to divert an individual’s attention from notice required by the Act, impair the exercise of any right under the Act, or to obtain consent under the Act.

2. A covered entity shall not condition the exercise of a right described in this Act through the use of any false, fictitious, fraudulent, or materially misleading statement or representation.


PROHIBITION ON DENIAL OF SERVICE AND WAIVER OF RIGHTS:

1. Covered entities may not retaliate against individuals for exercising their rights under the Act, including by denying or charging different rates for goods or services.

2. Covered entities may offer bona fide loyalty programs or market research opportunities to consumers.

3. Covered entities must obtain the consumer’s affirmative express consent for participation in a bona fide loyalty program and for the transfer of any covered data collected pursuant to a bona fide loyalty program.


DATA SECURITY AND PROTECTION OF COVERED DATA:

1. Covered entities and service providers must establish data security practices that are appropriate to the entity’s size, the nature and scope of the data practices, the volume and sensitivity of the data, and the state of the art of safeguards.

2. Covered entities and service providers must assess vulnerabilities and mitigate reasonably foreseeable risks to consumer data. The FTC shall enact rules to interpret this section in consultation with the Department of Commerce.

EXECUTIVE RESPONSIBILITY:

1. All covered entities must designate one or more covered employees to serve as privacy or data security officers.

2. Large data holders are required to designate both a privacy and a data security officer.

3. Large data holders are also directed to file with the FTC annual certifications of internal controls designed to comply with the Act and internal reporting structures for compliance with the Act.

4. Large data holders must conduct privacy impact assessments on a biennial basis.


SERVICE PROVIDERS AND THIRD PARTIES:

1. Service providers must adhere to the instructions of a covered entity and assist the entity in fulfilling its obligations under the Act.

2. Service providers must cease data practices where they have actual knowledge that a covered entity is in violation of this Act.

3. Service providers must maintain the security and confidentiality of covered data and allow for independent assessors to assess their security practices.

4. Covered entities must exercise due diligence in the selection of service providers and in deciding to transfer covered data to a third party, and the FTC is directed to issue guidance regarding compliance with the due diligence requirements.

5. Third parties may only process, retain, and transfer data received from another entity for a purpose consistent with what the covered entity disclosed in its privacy policy; or, for sensitive covered data, a purpose for which the consumer provided affirmative express consent.

DATA BROKERS:

1. Data brokers must maintain a public website that identifies the entity as a data broker; includes a tool for individuals to exercise their individual controls and opt-out rights; and includes a link to the FTC’s data broker registry website. The website must be reasonably accessible for individuals with disabilities.

2. Data brokers are prohibited from advertising data for the purpose of stalking or fraudulent purposes and are prohibited from misrepresenting their business practices.

3. The FTC is directed to establish a data broker registry, and data brokers affecting the data of 5,000 or more individuals must register each calendar year. The registry must include a “do not collect” mechanism for consumers to use. The FTC shall also issue guidance regarding the content of a data broker’s website.


CIVIL RIGHTS AND ALGORITHMS:

1. Collecting, processing, retaining, or transferring covered data in a manner that discriminates on the basis of race, color, religion, national origin, sex, or disability is prohibited. Exceptions are provided for the purposes of self-testing to prevent unlawful discrimination, diversifying an applicant or customer pool, or advertising economic opportunities or benefits to underrepresented populations.

2. Large data holders that use covered algorithms in a manner that poses a consequential risk of harm must conduct an impact assessment and must provide the assessment to the FTC and make it publicly available.

3. Covered entities that design a covered algorithm shall conduct an evaluation prior to deploying the algorithm and must provide the evaluation to the FTC and make it publicly available. The FTC may issue rules on the submission of impact statements and when to exclude low or minimal risk algorithms from this section’s requirements.


OPT-OUT RIGHTS FOR CONSEQUENTIAL DECISIONS:

Entities that use covered algorithms for consequential decisions related to housing, employment, education, health care, insurance, credit, or access to places of public accommodation must offer consumers a right to opt out of use of such an algorithm. The FTC may issue guidance regarding compliance with this section.


COMMISSION-APPROVED COMPLIANCE GUIDELINES:

1. The FTC shall approve compliance guidelines related to the handling of covered data that would apply to covered entities but not large data holders or data brokers.

2. Applications for compliance guidelines must meet or exceed the requirements of this Act and shall identify an independent organization responsible for administering the guidelines.

3. The FTC is directed to approve or deny applications within one year and may withdraw approval of guidelines if they no longer meet the requirements of this Act.

4. Participation in FTC-approved guidelines entitles a covered entity to a rebuttable presumption of compliance with the Act.


PRIVACY-ENHANCING AUDITS PILOT PROGRAM:

1. Establishes a pilot program at the FTC for entities to deploy privacy-enhancing technologies.

2. Entities can petition to be accepted with a specific privacy-enhancing technology that meets or exceeds the data security requirements of this Act.

3. Participation in the pilot program entitles a covered entity to a rebuttable presumption of compliance with the data security requirements of this Act for a private right of action related to a data breach.

4. Covered entities participating in guidelines must self-certify compliance and identify the independent organization overseeing their compliance.


ENFORCEMENT BY THE FEDERAL TRADE COMMISSION:

1. The Act provides for FTC enforcement.

2. The FTC is directed to establish a new bureau comparable to the Bureaus of Consumer Protection and Competition to carry out its authority under the Act.

3. Violations of the Act will be treated as violations of a rule defining an unfair or deceptive practice under the FTC Act.

4. A Privacy and Security Victims Relief Fund is established from which the FTC may provide consumer redress.

5. The FTC is directed to issue a report to Congress detailing its enforcement and administration of the Act.


ENFORCEMENT BY STATES ATTORNEYS GENERAL:

1. The Act authorizes enforcement by State attorneys general, chief consumer protection officers, and other officers of a State in Federal district court.

2. States may seek injunctive relief; civil penalties, damages, restitution, or other consumer compensation; attorneys’ fees and other litigation costs; and other relief, as appropriate.

3. State attorneys general must notify the FTC prior to initiating an action under this Act.

4. The Government Accountability Office (GAO) is directed to study the practice of hiring external counsel by State attorneys general.


ENFORCEMENT BY INDIVIDUALS:

1. Consumers may file private lawsuits against entities that violate their rights under this Act.

2. An action for a substantial privacy harm or by a minor shall not be subject to mandatory arbitration.

3. A person bringing an action may recover actual damages, injunctive relief, declaratory relief, and reasonable attorney fees and costs. Any amount that a court orders an entity to pay may be offset by recovery for the same violation pursuant to an FTC or State action.

4. A person may recover statutory damages consistent with Illinois’s Biometric Information Privacy Act and Genetic Information Privacy Act for an action involving a violation of the affirmative express consent provisions for biometric and genetic information where the conduct occurred substantially and primarily in Illinois.

5. A person who is a resident of California may recover statutory damages consistent with the California Privacy Rights Act for an action related a data breach.

6. Entities are provided an opportunity to cure in actions requesting injunctive relief and written notice in actions seeking actual damages, except for actions for a substantial privacy harm.


PREEMPTION:

1. State laws covered by the Act are preempted, with the exception of an enumerated list of state laws: consumer protection laws; civil rights laws; provisions of laws that address the privacy of employees; provisions of laws that address privacy of students; provisions of laws that address data breach notification; contract or tort laws; criminal laws unrelated to data privacy; criminal and civil laws on cyberstalking and blackmail; public safety laws unrelated to privacy; provisions of laws that address public records laws; provisions of laws that address banking and financial records; provisions of laws that address electronic surveillance and wiretapping; provisions of laws that address unsolicited email and phone laws; provisions of laws that address health care, health information, and medical information; provisions of laws governing the confidentiality of library records; and provisions of laws that address encryption.

2. Federal laws, including laws regarding information security breaches of common carriers and antitrust laws, are not limited except where specified in the Act.

3. Entities subject to and in compliance with other specified Federal privacy laws, including the Gramm-Leach-Bliley Act and HIPAA, shall be deemed in compliance with the related provisions of this Act other than data security. Entities subject to and in compliance with other Federal data security requirements shall be deemed in compliance with the data security section of this Act.

4. Federal and State common law and statutory causes of action for civil relief are preserved under this Act.

5. FCC privacy laws and regulations shall not apply to covered entities with respect to privacy and data security or the collection, processing, retention, or transferring of covered data, PII, customer proprietary network information, personal information, or its equivalent, with the exception of 47 U.S.C. 222(b), (d), and (g); international treaty obligations; and mitigation measures and actions taken pursuant to Executive Order 13913.

EFFECTIVE DATE:

The Act shall take effect 180 days after enactment.


April 19, 2024 - What Others Are Saying

Brad Smith, Vice Chair and President, Microsoft: “Consumers and business across the United States have long deserved clear, strong, and comprehensive privacy protections. The privacy bill unveiled by Chairs Cantwell and McMorris Rodgers is a good deal. Their willingness to work across party lines on an issue of common cause has led to a bill that would give all consumers in the U.S. robust rights and protections. It would also provide clarity by establishing a national standard. We applaud Senator Maria Cantwell and Representative Cathy McMorris Rodgers for their bipartisan leadership, support their efforts to pass a comprehensive federal privacy law, and look forward to working with the committees as the bill moves forward.”

Julie Brill, Chief Privacy Officer and Corporate Vice President, Microsoft: “The U.S. has long deserved to join the rest of the world in establishing comprehensive privacy legislation. We applaud Senator Cantwell and Representative McMorris Rodgers for their bi-partisan efforts to introduce a comprehensive federal privacy bill.”