Bipartisan American Privacy Rights Act Legislation Represents Another Attempt to Streamline Privacy Rights and Control of Personal Data
On Sunday, April 7, 2024, a bipartisan discussion draft of the American Privacy Rights Act (“the APRA”) was presented by House Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell, D-Wash., in support of a further attempt to address the absence of a comprehensive national privacy law in the United States.
The bill aims to give Americans the right to control and protect their personal information with national enforceable data privacy rights. Like many state privacy laws, the APRA would proscribe unnecessary and discriminatory processing of personal data, protect sensitive information and biometric privacy, require transparent and public data collection policies, and require “reasonable” data security practices and procedures. The bill also preempts nonsectoral state privacy laws; state laws applicable to employees and employee information are exempted.
Based upon the current working draft, some takeaways that distinguish the APRA bill from its (unpassed) predecessor, the American Data Privacy and Protection Act (ADPPA), and Senator Cantwell’s prior privacy bill, Consumer Online Privacy Rights Act (COPRA), include:
- Like the ADPPA, the APRA would not apply to government entities or their service providers; uniquely, the APRA would apply to nonprofit organizations as well as commercial enterprises. Small businesses with less than USD 40 million in revenue and data on fewer than 200,000 consumers generally are exempted when acting as covered entities (akin to “controllers” under the European Union’s General Data Protection Regulation (GDPR)), but not when acting as service providers (GDPR’s “processors”).
- If passed, the law would be enforceable by the U.S. Federal Trade Commission, state attorneys general, the chief consumer protection officer of each state, and state consumer protection agencies.
- Significantly, however, the APRA also provides a private right of action to individuals to enforce some, but not all, of the provisions; individuals may seek actual damages, injunctive relief, declaratory relief, and reasonable attorney and litigation fees and costs. Notably, the draft presently does not appear to allow for statutory damages for most violations, except certain statutory damages which are expressly referenced under the Illinois Biometric Information Privacy Act and Genetic Information Privacy Act, and the security breach section of the California Consumer Privacy Act.
- The current draft also places limitations on the enforceability of consumer arbitration agreements, making them unenforceable if certain situations apply, including those involving a minor or substantial privacy harm involving damages greater than $10,000.
- The “covered data” protected by the APRA broadly includes information that “identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals.” An “individual” is any resident of the U.S.
Since the bill’s introduction, it has garnered support from news and media outlets, technology companies such as Microsoft, and other organizations. While it will be some time before it is clear whether the current draft may become law, the bipartisan support of these two committee chairs makes “this bill worthy of more attention than other U.S. bills,” according to the International Association of Privacy Professionals (IAPP).
We will continue to monitor this renewed effort to pass national privacy legislation and evaluate its potential impact on the cyber insurance industry.