The American Privacy Rights Act: What do you need to know
June 4th, 2024
On April 7 we received the unexpected announcement of a new comprehensive federal bill on privacy and data security, the American Privacy Rights Act (“APRA”). The APRA follows in the footsteps of the 2022 American Data Privacy and Protection Act (ADPPA), which failed to advance to the House or Senate.
The purpose of this bill is to create a unified standard that overcomes the burdens resulting from the current fragmented regulatory landscape. With 17 state privacy laws already approved, and several others at different points of the legislative process, the APRA has been welcomed by lawmakers.
Scope
The APRA would apply to “covered entities” that collect or otherwise process “covered data.”
What is a “covered entity”?
A covered entity is a business subject to the FTC (Federal Trade Commission), a common carrier, or a non-profit that determines the purposes and means of the processing of covered data.
Excluded from the scope are “small businesses.” To qualify as a small business, a company must not have exceeded the thresholds set for North American Industry Classification System Code 518210 during the 3 previous years; must not collect or process the covered data of more than 200,000 individuals annually (except for payment purposes); and must not have transferred covered data to a third party for revenue or other compensation in the 3 previous years.
Additionally, the APRA provides for more stringent requirements for “large data holders,” including the performance of privacy impact assessments.
What is “covered data”?
Aligning with State privacy laws, the definition of covered data refers to information “(…) that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals.”
Importantly, de-identified data and employee data are not included in this concept. Also excluded are inferences made exclusively from multiple independent sources of publicly available information, provided that such inferences do not reveal sensitive covered data and are not combined with covered data. The latter exclusion has been heavily criticised by the California Privacy Protection Agency (CPPA).
Within the concept of covered data, there are some categories of information subject to heightened protection: sensitive covered data, biometric information, and genetic information. The processing of these data generally requires “affirmative express consent” from the consumer.
Although the concept of sensitive covered data is quite broad, it has been criticised for omitting some categories of data that are present in State privacy laws. This is the case for sexual orientation, union membership, and immigration status.
Focus on data minimization
The collection or other processing of covered data is allowed for the following purposes:
• To provide or maintain: (i) a product or service requested by the consumer (e.g., billing or shipping) or (ii) a communication reasonably expected by the consumer (excluding advertisement); or
• For one of the listed purposes that are permitted in the APRA, including:
o Compliance with a legal obligation, exercise of a legal claim or transfer to authorities, mergers, or acquisitions;
o Market research, de-identification of covered data for product enhancement or internal research/analytics, or providing first-party advertising or contextual advertising (except for sensitive covered data);
o Protecting data security, or preventing and addressing fraud, harassment, or security incidents; or
o Conducting public or peer-reviewed scientific, historical, or statistical research.
Protection for individuals
The APRA establishes a protective framework for individuals through the recognition of rights and the implementation of privacy principles:
• Individuals have the right to access, correct, delete, as well as the right to portability of their data. Additionally, they have the possibility to opt-out of data transfers to third parties and to opt-out of targeted advertising. Furthermore, the APRA provides for a private right of action for violations of its provisions.
• Affirmative express consent is required in some cases, such as the transfer of sensitive covered data.
• Privacy by design, with mandatory policies, practices, and procedures to mitigate privacy risks.
• Transparency, requiring covered entities and service providers to draft their own privacy policies and make them publicly available.
Although the APRA would provide a certain level of protection, several stakeholders, including a coalition of 15 US attorneys general and the California Privacy Protection Agency (CPPA), have been quick to voice their disagreement with different points of the draft:
Data brokers
While the APRA regulates data brokers, it does so in a manner less protective of consumers than the California Consumer Privacy Act (CCPA). Indeed, the APRA does not allow individuals to use third parties to exercise their rights against data brokers. Also, in contrast with the CCPA, there is a cap on data brokers’ liability, with no fines for failing to register or failing to respond to individual requests. The CPPA has also highlighted the insufficient transparency regarding the type of data collected by data brokers, particularly in the case of minors’ data.
Weakened enforcement
The approval of the APRA would eliminate the CPPA, which has been increasingly active in the enforcement of privacy laws, in favor of a new State authority. Additionally, despite increasing the powers of the FTC, the CPPA considers that the APRA would weaken enforcement through the provision of safe harbors to businesses.
Effect on other privacy-related laws and regulations
Perhaps the most controversial topic is the broad preemption that would extend to State privacy laws, with some exceptions. The CPPA invited lawmakers to “consider comprehensive federal privacy legislation that truly protects Americans’ privacy by setting a floor, not a ceiling” on privacy rights, pointing out that the APRA would be a departure from previous federal privacy legislation, which “has set a baseline and allowed states to develop stronger protections”.
Nevertheless, some laws, regulations and provisions will not be affected by the preemption:
• Federal laws, and some of their related regulations.
• Some State laws, such as general consumer laws or provisions related to health information.
• Several key provisions related to health, healthcare, and health research:
o HIPAA (Health Insurance Portability and Accountability Act), including regulations promulgated pursuant to Section 246(c) of HIPAA;
o Regulations in the Code of Federal Regulations (CFR), including the regulations on the protection of human subjects under 45 CFR Part 46 and 21 CFR Parts 6, 50, and 56, as well as personal data used or shared in research conducted in accordance with those requirements or with other applicable law;
o Regulations and agreements related to information collected as part of research conducted pursuant to GCP;
o FTC Breach Notification Rule.
Next steps
The House Energy and Commerce Subcommittee on Innovation, Data, and Commerce voted in favor of the modified draft, and the text has been forwarded to the full House committee for consideration. It remains uncertain, however, whether the APRA will be approved before the elections, and how extensively the final text may be changed.