April 19, 2024

The American Privacy Rights Act: The Federal US Data Privacy Bill's Essentials

Discover the ins and outs of the American Privacy Rights Act (APRA), a proposed federal privacy law in the US. Learn about its implications for businesses, compliance obligations, consumer rights, and how it compares to existing regulations.

Even though the American Privacy Rights Act (APRA) hasn't passed yet, you should familiarize yourself with it as soon as possible to be ready for the first-ever US federal privacy law.

Confused by the patchwork of US State Data Privacy Laws? Our free checklist simplifies US Consumer Data Privacy Compliance for your business.

Get Your US Privacy Do's and Don'ts Checklist

What is the American Privacy Rights Act?

Cathy McMorris Rodgers, the Chair of the House Energy and Commerce Committee, and Maria Cantwell, the Chair of the Senate Commerce, Science, and Transportation Committee, both from Washington, crafted the American Privacy Rights Act, proposing a broad range of new regulations. These regulations would control how companies handle, store, secure, and distribute the personal information they gather from consumers, both directly and through other methods.

Will APRA apply to my business?

APRA will not apply to all businesses. Like the US state consumer privacy laws, the proposed federal privacy bill has applicability thresholds.

It will apply to all businesses subject to Federal Trade Commission oversight that meet all of the following:

  • Have less than USD 40 million in annual revenue,
  • Process at least 200,000 individuals' personal data, and
  • Do not sell any personal data.

What is personal data under the APRA?

Personal data is defined as any piece of information that could identify an individual. This includes obvious data categories such as name, Social Security Number, email address, or biometric data. It also includes data that could indirectly identify someone, such as purchase behavior or social media behavior.

The proposed federal data protection law further defines sensitive personal information. The definition is expansive, encompassing biometric and health data, private communications, intimate imagery, video viewing activities, national origin, religion or sex, credentials, and more.

What compliance obligations does the APRA impose on companies?

The APRA prescribes some stricter requirements compared to the existing state privacy laws. In particular, it requires the following:

  • Data minimization, or that the processed data must be the minimum amount of data needed and must 
  • Data security measures
  • Honoring consumer requests
  • Honoring centralized opt-out mechanism requests like the Global Privacy Controls
  • Not discriminate against consumers who exercise their rights
  • Provide consumers with a privacy notice
  • Collect consent for biometric data or the transfer of sensitive data
  • Appoint a privacy or data security officer
  • Conduct impact assessments in some cases
  • Have written contracts with service providers, including instructions for processing.

Do we need consent for data collection?

Generally, consent is not required, but there are some exceptions.

Consent for data collection and processing is required for the collection or transfer of biometric data, as well as the transfer of any sensitive data.

In all other cases, the law relies on the opt-out principle. Businesses are free to process data until the user opts out under the prescribed circumstances.

Do we need a privacy policy under APRA?

A privacy policy is required under APRA. It has to contain the usual essential elements required by the state consumer data privacy laws, such as types of data processed, why it is processed, with whom it is shared, the data sold and to whom, consumer privacy rights, and others.

The APRA also requires data brokers to provide information about data transfers.

What are the APRA consumer data privacy rights?

All consumers throughout the United States have the rights to know, access, delete, and opt out, as well as the right to data portability. These are the same rights present in the state laws, but the APRA takes a step further by granting them to all consumers across the country.

Businesses need to designate methods for receiving the requests and honoring them.

What is the opt-out right under the APRA?

All US consumers have the right to opt out of the sale of personal data or to opt out of targeted advertising. The proposed comprehensive privacy legislation aims to promote the opt-out right on a federal level and ensure that 

How does this privacy law regulate the use of algorithms that process personal data?

If the processed data has any consequences for the consumer, such as whether they will get a job or a loan, the business must show them a notice providing information about the use of the algorithm and the processing. The notice must also contain an opt-out mechanism.

On top of that, large data holders that use algorithms must conduct annual assessments of their algorithms.


American Privacy Rights Act vs. American Data Privacy and Protection Act

The proposed comprehensive privacy regulation on a federal level differs a bit from the previous one, the American Data Privacy and Protection Act.

The main differences are in scope and enforcement. If passed, the APRA will be enforced by the FTC, while the enforcement of the ADPPA remains largely unclear.

Moreover, the ADPPA has a broader scope in terms of the data it covers and includes both for-profit and nonprofit organizations. It also specifies more extensive protections for "sensitive covered data," which go beyond the provisions typically found in state laws and even the EU's GDPR.

The American Privacy Rights Act v. General Data Protection Regulation

Although the APRA and the GDPR share many similarities, there are two major differences:

  • The GDPR requires opt-in, while the APRA requires only opt-out. Europe prohibits data processing without a legal basis, particularly consent. In the US, it would be allowed as long as it was being processed for any of the purposes listed in the law.
  • The GDPR applies to all businesses and protects data. The APRA applies only to some businesses and protects consumers.

When does APRA come into effect?

APRA will come into effect 180 days after the privacy bill is passed by the legislative bodies. Since they have not yet passed it, the exact effective date remains unknown.

Who will enforce the comprehensive federal privacy bill?

We expect the Federal Trade Commission (FTC) to take over the enforcement of the APRA. Future changes may alter the complex proposed enforcement mechanisms.
