State of the Universal Data Privacy Bill: What to Expect in 2024
Data security continues to be a hot topic among companies and consumers alike in 2024 as cyber incidents and their associated costs continue to reach record highs. With several of the biggest data breaches in history occurring over the last few years, public awareness about data privacy has grown, and so too has the average consumer’s understanding, and wariness, of how companies acquire, use, and profit from their personal information.
While several states have passed legislation addressing consumer data concerns, Congress is working to address them on the federal level with a universal data privacy bill. Such legislation has been a talking point for years but is now gaining traction in the form of the American Privacy Rights Act of 2024 (APRA), a bipartisan bill proposed in April of this year that’s designed to set a universal standard for data privacy in the US.
The proposed bill follows the American Data Privacy and Protection Act (ADPPA), Congress’ most recent attempt at a universal data privacy bill. The ADPPA was introduced in 2022 and garnered bipartisan support but ultimately did not pass into law. Despite its failure, the ADPPA offered a strong framework upon which the APRA was built, and the hope now is that the alterations and improvements made will be enough for the bill to make it through the House and Senate to provide comprehensive data privacy rights to all Americans.
What is Proposed in the American Privacy Rights Act of 2024?
One of the APRA’s primary objectives is to strengthen data protection for the American consumer by giving them greater control over if, when, and how their data is used. To achieve those objectives, the bill proposes the following:
- Consumers will have the right to access the private data collected by companies and organizations (referred to as “covered entities”), and to correct or delete that data as they choose.
- Consumers will be provided with a straightforward mechanism to opt out of targeted ads, algorithmic practices, and the processing and use of their private data.
- Data minimization will be emphasized. Greater restrictions will be placed on data collection practices, requiring covered entities to maintain a specific and expected purpose for any data they collect and process.
- Individuals have a private right of action under the APRA to sue covered entities for alleged violations.
Providing the consumer with greater control over their data privacy requires a higher standard of obligation to the entities that process and use that data. The APRA looks to impose those obligations through the following:
- Covered entities must make a customer’s collected data accessible upon request within a given window of time, and they must make it possible to move, copy, and transfer that data easily.
- A centralized opt-out mechanism will be established by the Federal Trade Commission (FTC), which covered entities must provide to consumers in a manner that’s easy to understand and transparent.
- Covered entities collecting, processing, and using data must inform consumers of their activities in a “clear, conspicuous, not misleading, easy-to-read, and readily accessible manner”.
- The title of privacy or data security officer must be designated to one employee who is qualified to ensure the success of the covered entity’s data privacy program and maintain APRA compliance.
- Covered entities are prohibited from interfering with consumer rights and from discriminating against a customer based on their data preferences.
Under the APRA, certain covered entities will be considered “large data holders” and will be subject to further transparency requirements. Large data holders are largely defined by their gross revenue and the number of individuals whose private data they collect, process, retain and transfer annually. Those that meet the established thresholds will be required to do the following:
- Provide consumers with a “concise, clear, and conspicuous and not misleading” short-form notice of its data practices in no more than 500 words.
- Retain and publish all iterations of their privacy policy from the past 10 years with a clear, conspicuous, and readily accessible log of all changes that have been made over that period.
- Conduct impact assessments to determine the potential impact on privacy their data processing practices may have, and to outline the steps taken to mitigate risk and avoid harm when using algorithmic practices.
- Designate two qualified employees to take on the positions of privacy officer and data security officer.
There is far more to this proposed bill, but these points offer some of the biggest takeaways and help to highlight the main purposes of a comprehensive data privacy plan. Federal data privacy laws can help to not only provide greater data protection to all Americans, but to simplify compliance for companies navigating the various state-level data privacy laws that currently exist.
Where Does the APRA Currently Stand?
A draft of the APRA was released by House Energy & Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.) and Senate Commerce Committee Chair Maria Cantwell (D-Wash.) on April 7, 2024. By mid-May it had already undergone some changes, including some proposed amendments to the Children’s Online Privacy Protection Act of 1998 that will allow the APRA to better protect minors online. On June 27, a markup of the bill scheduled by the House Committee on Energy and Commerce was cancelled at the last minute. The next steps for the APRA are unclear, but committee leaders have stated that they remain dedicated to moving the bill forward.
As crucial and non-partisan as this bill may be, it should be expected that a piece of proposed legislation as broad, sweeping, and significant as a universal data privacy plan is going to require extensive review and revision before it is finally adopted into law. There are some notable hurdles with the bill at the moment, including the private right of action clause, which is a source of intense debate among certain legislators and one of the reasons why the ADPPA failed.
Another reason why the ADPPA did not pass was preemption language that concerned representatives from states that already have data privacy laws in place, such as the California Consumer Privacy Act. Those already enforcing these laws did not want their legislation to be overtaken or altered by federal laws they perceived as weaker than their own. This issue may be a significant hurdle for the APRA, as well.
Conclusion
While the APRA is still in its early stages, there is bipartisan support for both the bill and the issues it addresses. On top of that, the ADPPA bill after which the APRA was modeled was the most successful data privacy plan proposed to Congress thus far, and the APRA is designed to address some of the issues that led to its predecessor’s failure. That should offer hope to those concerned about their data privacy and the data privacy of their fellow citizens.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.