What the American Privacy Rights Act Could Mean for Data Privacy

Could the United States finally be getting a long-awaited federal data privacy law? On April 7, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science, and Transportation Chair Maria Cantwell (D-WA) announced new draft legislation: the American Privacy Rights Act (APRA).  

The bipartisan, bicameral APRA would give Americans data privacy rights and protections at the federal level. For now, the US has a patchwork of state laws, rather than a single national law governing data privacy.  

If the APRA does become federal law, how will it impact the way companies amassing large amounts do business? What will it mean for individuals’ data privacy rights?  

Potential Federal Privacy Law 

The US is behind on data privacy regulation. More than 100 countries have data privacy laws in place. The General Data Protection Regulation (GDPR), often held up as the gold standard for data privacy, went into effect in 2018 in the European Union.  

“There’s a lot going on with digital policy at a federal level right now: AI, … kids’ safety, TikTok, and data transfers to China. And in all of those discussions, one theme has emerged and that is those policy initiatives don’t make a lot of sense without foundational privacy legislation,” says J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP).  

Related:Tech in Perspective: What Went Wrong and What We Learned

Preemption of State Law   

A total of 15 states have comprehensive privacy laws, according to the IAPP. The APRA would preempt these existing state laws, according to the draft legislation. Preemption of state law would create uniform standards for data privacy across the country.  

Does this preemption set a floor or a ceiling for states? Can state legislators enact data privacy legislation that goes beyond what is laid out in the APRA, or will they be restricted by the federal law? 

Ashkan Soltani, the executive director of the California Privacy Protection Agency (CPPA), released a statement calling for the legislation to be a floor. The California Consumer Privacy Act was implemented in 2018, and it has been amended and extended since then, according to the CPPA.  

“Americans shouldn’t have to settle for a federal privacy law that limits states’ ability to advance strong protections in response to rapid changes in technology and emerging threats in policy -- particularly when Californians’ fundamental rights are at stake. Congress should set a floor, not a ceiling,” Soltani said in his statement.  

Related:Zero-Trust Architecture: What You Need to Know

Doing Business Under the APRA 

For companies that collect and monetize consumer data, the APRA could mean making changes to the way they do business. The APRA sets out requirements for issues like data minimization, transparency, consumer choice and rights, data protection, and executive responsibility.  

“It basically means that now they’re going to be able to collect less data: good for consumers and not so good if you're a company that needs all that data,” Antonio Sanchez, principal cybersecurity evangelist at Fortra, a cybersecurity and automation software company, tells InformationWeek.  

The draft legislation drills down to data privacy at an operational level. For example, it requires covered entities to appoint a privacy or data security officer or officers. 

“There is a real sense that a significant part of managing a modern privacy program is not found in the rules themselves but in the operation that gives life to those rules,” says Hughes.  

If the APRA goes into effect, covered entities will have 180 days to comply with its requirements. Non-compliance after that timeline could be met with enforcement action. “The FTC is set to get really significant enforcement capabilities under this draft; not only enforcement capabilities but resources and staff to give life to that enforcement,” says Hughes.  
While the APRA aims to take a comprehensive approach to data privacy regulation, there are some concerns in the privacy community. For example, Sanchez considers the term “high-impact social media” vague.  

Related:Executive Order to Target Data Sold to US Foes

“I’d like to see the [words] ‘high impact’ be removed because you’re either a social media company that's collecting all this information or you’re not,” he explains.  

That vagueness could leave room for loopholes, according to Sanchez. What happens if a parent company is considered “high impact”, but it owns companies that don’t fit that label? “I’m … interested in seeing how … those organizations that are making lucrative amounts of money on this stuff find ways to be able to get around it … acquiring that data from foreign entities for instance,” he says.  

What happens once data crosses borders? Answering that question is tricky, but it is one that is up for discussion, particularly as TikTok continues to be in the hot seat.  

Data Privacy for Consumers  

The APRA not only addresses the way covered entities must handle data privacy, it also places power in the hands of consumers. “Under a federal law now they will have the ability to access their information, to edit their information, and correct it, to … ask for their information to be deleted,” Hughes explains. If consumers have their rights under the APRA violated, the law will give them private right of action.  

The draft legislation defines “substantial privacy harm” as “any alleged financial harm of not less than $10,000.” “That’s a fairly high bar for a private right of action. I think between preemption and the private right of action, what we see is a negotiated result,” says Hughes.  

Outlook for the APRA 

We have been here before. The American Data Privacy and Protection Act (ADPPA) would have created federal privacy regulations, but it ultimately languished. Will the APRA make it across the finish line? 

Hughes points out that political capital and time are limited resources. “I can't imagine these two committee chairs would be introducing this bill unless they had some sense that there was a road to passage and the president’s signature that made sense,” he says. “It’s just incomprehensible that they would use up that much political capital for what otherwise would be a losing effort.” 

While there may be a road to passage, that doesn’t mean it is one without potential obstacles.  

“The fact that it's an election year and Congress has had a tough time doing many important things, any important thing this year. All of those are reasons that this might not get across, but I think there were also a lot of … indicators … that are at play that suggest that this bill may be viable,” Hughes adds.  

As is often the case, technology moves faster than legislation. The need for data privacy regulation is clear, and it is possible that the APRA, or a future attempt at federal legislation, could be just the beginning. “Every time there’s been a massive technology shift, the government has at the federal level created an agency, not just laws but an agency of regulation,” says Davi Ottenheimer, vice president of trust and digital ethics for Inrupt, a company co-founded by World Wide Web inventor Sir Tim Berners-Lee.  

Even if the APRA does not become federal law, data privacy is not going away. It has national attention and bipartisan support. “Without question we will have privacy law the United States eventually, and it may very well be this bill,” says Hughes.