On April 7, 2024, Sen. Maria Cantwell, chair of the Senate Commerce Committee, and Rep. Cathy McMorris Rodgers, chair of the House Energy and Commerce Committee, advanced a new federal privacy bill to the House floor titled the American Privacy Rights Act (APRA). Although it is not yet law, many observers are optimistic that the APRA will move forward due to its bipartisan support and the compromises it reaches on the issues of preemption and private rights of action, which have stalled prior federal privacy bills.
The APRA contains familiar themes that largely mirror comprehensive state privacy laws, including the rights it provides to individuals and the duties it imposes on Covered Entities. This article discusses key departures from state privacy laws and new concepts introduced by the APRA.
Covered Entities: The APRA would apply to all businesses that fall under the jurisdiction of the Federal Trade Commission (FTC), common carriers under the Communications Act of 1934 and most nonprofit organizations (collectively, Covered Entities). By contrast, many state privacy laws exempt nonprofits from their scope of covered businesses. The APRA would also apply to affiliates of Covered Entities and entities under common branding, as well as to businesses that process personal data on behalf of a Covered Entity (Service Providers).
Entity-Level Exemptions: Many small businesses, defined as those that generate less than $40 million in annual revenue, process the covered data of fewer than 200,000 consumers, and do not earn revenue from the transfer of covered data to third parties, would be exempt from compliance. As under most state privacy laws, government entities and their service providers would also be exempt. The APRA also provides an entity-level exemption for businesses already in compliance with certain federal laws like the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). State privacy laws are mixed on whether to provide entity-level or data-level exemptions for entities covered by such federal laws.
Covered Data: The APRA follows most state privacy laws with a broad definition of Covered Data, including any information that “identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals.” The APRA would exclude employee information, de-identified data and publicly available information. Only the California Consumer Privacy Act (CCPA) currently includes employee information in its scope of covered data.
Sensitive Data: The APRA’s definition of sensitive personal data includes most of the same categories that are already considered sensitive by state privacy laws, including government identifiers; health information; biometric information; genetic information; financial account and payment data; precise geolocation information; login credentials; and children’s personal data.
Like most state privacy laws, the APRA would also include an individual’s race, ethnicity, national origin, religion, and sex or sexual behavior as sensitive data. But unlike state privacy laws, the APRA only defines this information as sensitive when it is used in a manner inconsistent with the individual’s reasonable expectation of disclosure.
In a further departure from state law definitions of sensitive data, the APRA would also include private communications; calendar or address book data, phone logs, photos, and recordings for private use; any medium showing a naked or private area of an individual; video programming viewing information; online activities over time across third-party websites; online activities over time on a High-Impact Social Media Site; and other data the FTC defines as sensitive by rule. Only the CCPA currently considers private communications as sensitive data.
Large Data Holders are defined as Covered Entities or Service Providers that had gross revenues of over $250 million in the preceding calendar year and:
The term “connected device” means any electronic equipment capable of connecting to the internet. The term “portable connected device” generally refers to a smartphone, tablet, laptop, smartwatch, or similar portable device that can connect to the internet wirelessly.
The thresholds listed above exclude Covered Entities or Service Providers that solely process personal contact information, login information allowing access to the individual’s account with the Covered Entity or Service Provider, or payment information used solely to process an individual’s order for the Covered Entity’s or Service Provider’s goods or services.
Large Data Holders would be required to:
High-Impact Social Media Companies are defined as Covered Entities that:
All Covered Data that a High-Impact Social Media Company collects directly from its users’ online activities (i.e., first-party data) will be treated as sensitive data. As a result, High-Impact Social Media Companies will not be able to transfer first-party data collected from their users to third parties, such as for targeted advertising, without the express consent of the user. By contrast, most state privacy laws only require businesses to provide their users with notice and an opportunity to opt out of data transfers for targeted advertising.
Similar to Europe’s General Data Protection Regulation (GDPR) and other foreign privacy laws modeled after it, the APRA would require all Covered Entities to establish an internal role for either a data privacy officer or a data security officer. Large Data Holders must fill both roles. These officers must implement a data privacy and security program and facilitate their organization’s ongoing compliance with the APRA. No such requirements exist under state privacy laws.
The APRA would regulate the use of “covered algorithms,” defined as any computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes decisions or facilitates human decision making by using Covered Data.
All Covered Entities that develop covered algorithms must evaluate their design, structure and inputs prior to deployment to mitigate potential harms to individuals, including harms related to:
Additionally, Large Data Holders using covered algorithms must conduct annual impact assessments on such use and provide those assessments to both the FTC and the public.
The APRA provides multiple avenues of enforcement, including by:
The APRA expressly preserves an individual’s right to seek statutory damages under Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act for conduct occurring primarily in Illinois, as well as a California resident’s right to seek statutory damages under the CCPA for an action related to a data breach. Otherwise, the APRA would preempt existing comprehensive state privacy laws while preserving an enumerated list of older laws governing such topics as consumer protection, civil rights, wiretapping and eavesdropping, and existing privacy laws that govern certain sectors such as health care and education data.
We will continue to monitor the latest developments in this ongoing legislative movement. Please reach out to the Kramer Levin privacy team for additional assistance on how to comply with emerging privacy laws.