The American Privacy Rights Act: 5 Things You Need to Know

Two leading U.S. legislators have unveiled a bipartisan plan to enact the first comprehensive federal data privacy law.

The proposed American Privacy Rights Act (APRA) largely mirrors common themes in the patchwork of state data protection laws that have emerged while federal efforts have stalled. The APRA also has some notable parallels to the European Union’s General Data Protection Regulation (GDPR).

However, the APRA draft does not simply restate existing law: It seeks to create a new framework that incorporates, preempts or preserves various aspects of existing state law in addition to articulating new concepts.

The landmark legislation will significantly shift the landscape of U.S. privacy law if enacted, which is unlikely this year. Although it would in many ways simplify and harmonize privacy compliance, it would also create a variety of new obligations, change how privacy law is enforced and shift the boundaries of which entities and data are covered.

Here are five things companies should know:

1. The APRA would apply broadly

2. The APRA would impose restrictions on the use of sensitive covered data.

3. The APRA would have multiple means of enforcement, including a private right of action.

4. The APRA would preempt state law (with key exceptions).

5. The act would impose new requirements on covered entities and service providers.

The American Privacy Rights Act in More Detail

1. The APRA would apply broadly.

The APRA defines:

• “Covered entities” as any entity that, alone or jointly with others, determines the purposes and means of collecting, processing, retaining or transferring covered data and is subject to the Federal Trade Commission (FTC) Act, is a common carrier under the Communications Act of 1934 or a nonprofit organization. The act would also apply to entities that control, are controlled by, or are under common control with a covered entity. It would create additional obligations for “large data holders” and exempt small businesses.
• “Covered data” as information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals, such as a unique persistent identifier. The definition would exclude de-identified data; employee information; most publicly available information; certain non-sensitive inferences derived from public information and certain information held in a library, archive or museum collection.
• “Data brokers” as covered entities whose principal source of revenue is from processing or transferring covered data the entity did not directly collect from the individuals linked or linkable to such data. The act would subject data brokers to registration and notice requirements and prohibit them from marketing or advertising the access or transfer of covered data for the purposes of stalking or harassing another individual or engaging in fraud, identity theft or unfair or deceptive acts or practices, as well as from misrepresenting their own business practices.

2. The APRA would impose restrictions on the use of sensitive covered data.

In addition to obligations regarding covered data, the act would subject “sensitive covered data” to additional requirements. The APRA would require a covered entity to obtain an individual’s affirmative express consent prior to transferring the individual’s sensitive covered data to a third party, unless the information was transferred for a permitted purpose under the act.

“Sensitive covered data” would include a broad range of information, including government-issued identifiers; health information; genetic information; financial account and payment information; biometric information; precise geolocation information; private communications; log-in credentials; information revealing sexual behavior; calendar or address book information, phone or text logs, or photos, videos, or audio recordings intended for private use; photos and videos of an individual’s naked or undergarment-clad private areas; video programming viewing information; an individual’s race, ethnicity, national origin, religion, or sex in a manner inconsistent with a reasonable expectation of disclosure; an individual’s online activities over time and across websites or over time and on a high-impact social media site; information about a minor under the age of 17 and any other covered data that the FTC defines as sensitive covered data by rulemaking.

Notably, because the act would define an individual’s online activities over time and across websites as sensitive data, many advertising use cases may be considered sensitive covered data. Additionally, although the definition of a high-impact social media site would cover only the largest companies’ sites, all social media data collected on these websites would be considered sensitive covered data.

The act would provide additional protections for biometric information and genetic information. It would prohibit covered entities from collecting, processing or retaining biometric or genetic information without the affirmative express consent of the individual.

3. The APRA would have multiple means of enforcement, including a private right of action.

The APRA would authorize enforcement by the federal and state governments. The act would create an FTC bureau tasked with helping enforce violations of the act as unfair or deceptive acts or practices under the FTC Act.

The act would also empower state consumer protection officials, such as attorneys general, to enforce violations, provided they notify the FTC in advance. States would not be permitted to initiate actions when an FTC action is ongoing.

Significantly, the APRA would permit individuals to bring civil actions against covered entities for certain violations. In general, damages under this private right of action would be limited to actual damages plus attorney’s fees and litigation costs. However, the act includes carve-outs that would preserve additional damages under existing state laws (discussed below). The private right of action would go into effect six months after enactment of the APRA.

4. The APRA would preempt state law (with key exceptions).

Because the act is intended to establish a uniform national data privacy and data security standard, it would preempt state law. However, the act also enumerates extensive exceptions that would preserve provisions of state laws related to employee privacy, student privacy, data breach notifications and health privacy.

The APRA would also preserve several rights to statutory damages under state law. For example, in civil actions brought for violations related to biometric and genetic information in Illinois, the act would preserve relief set forth in the Illinois Biometric Information Privacy Act (BIPA) and Genetic Information Privacy Act (GIPA). The act would also preserve statutory damages for security breaches under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These rights would be preserved as the statutes read on January 1, 2024.

5. The act would impose new requirements on covered entities and service providers.

Many covered entity obligations under APRA are similar to existing state privacy laws, such as requirements to create a public-facing privacy notice and provide certain rights to consumers. However, unlike existing state privacy laws, the act would impose obligations on service providers, including those related to privacy notices and data minimization.

In addition, the APRA would introduce new obligations and prohibitions, including:

• Data Minimization: Covered entities and service providers would be prohibited from engaging in the collection, processing, retention or transfer of covered data beyond what is necessary, proportionate and limited to provide or maintain a specific product or service requested by the individual, or a communication reasonably anticipated within the context of the relationship or for a purpose other than one of 15 permitted purposes identified in the act.
• Dark Patterns: Covered entities would be prohibited from using dark patterns to divert an individual’s attention away from any APRA-required notice or to impair an individual’s ability to exercise a right under the act. Covered entities would also be prohibited from using dark patterns to obtain, infer or facilitate an individual’s consent for any action that requires consent under the act.
• Civil Rights: The APRA would prohibit covered entities and service providers from collecting, processing, retaining or transferring covered data in a discriminatory manner.
• Covered Algorithm Impact Assessment: Large data holders would have to complete annual impact assessments regarding the use of any “covered algorithm” in a manner that poses a “consequential risk of harm,” as defined under the act, to an individual or group of individuals. “Covered algorithm” would be defined as a computational process that makes a decision or facilitates human decision-making by using covered data. In addition, covered entities that knowingly develop a covered algorithm would be required to evaluate the design, structure and inputs of the algorithm, including any training data, to reduce the risk of these harms prior to deploying the algorithm.
• Covered Algorithm Notice: The act would require any entity that uses a covered algorithm to make a consequential decision to provide notice to individuals and an opportunity to opt out. Notably, this requirement extends beyond the entities otherwise covered by the act. A consequential decision would include a determination or offer related to an individual’s or a class of individuals’ access to or equal enjoyment of housing, employment, education enrollment or opportunity, healthcare, insurance or credit opportunities or access to or restrictions on using any place of public accommodation.
• Data Security: The APRA would require covered entities to establish, implement and maintain reasonable data security practices to protect the confidentiality, integrity and accessibility of covered data and protect against unauthorized access. In general, the act would require practices appropriate to the covered entity, the covered data and available safeguards. (The bill also outlines several minimum required practices, including vulnerability assessments, retention and disposal schedules and incident response plans.)
• Designation of Privacy and Data Security Officers: The act would require covered entities to designate one or more employees to serve as privacy or data security officers. Large data holders would be required to designate both a privacy officer and a security officer, both of whom would be required to submit annual certifications to the FTC.

What’s Next?

While the APRA addresses many of the criticisms of the American Data Privacy Protection Act (ADPPA), which was proposed two years ago and never enacted, challenging dynamics in Congress and the distraction of an election year make passage this year unlikely. Companies that may be covered by this comprehensive potential new law should monitor for developments as this process unfolds.

The Orrick team is actively monitoring developments and will publish further updates if and when the APRA is enacted. If you have questions about this law, reach out to the authors (Shannon Yavorsky, Heather Egan, Alyssa Wolfington, Cosmas Robless) or other members of the Orrick team.