After years of fits and starts—including failed attempts to pass the American Data Privacy and Protection Act in 2022—Congress has renewed its attempt to nationalize privacy protections for American consumers with introduction of the American Privacy Rights Act (the “APRA” or “Act”).[1]  The APRA, a new bipartisan, bicameral proposal for comprehensive data protection legislation introduced by the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science and Transportation in early April, is a direct response to a flurry of activity at the state level over the past few years and attempts to harmonize the resulting patchwork of privacy legislation that has created a burdensome and costly labyrinth of shifting compliance obligations for covered organizations that collect and process personal data.

Several core provisions of the APRA—including strict data minimization obligations; consent requirements for certain data transfers; and consumer rights of access, correction, deletion and portability and to opt out of certain processing activities—parallel recently enacted foreign and state privacy laws, including those currently in effect in California, Colorado, Connecticut, Utah and Virginia. In establishing these protections for consumers nationwide, the APRA creates a comprehensive, and in some ways more restrictive, framework to serve as the U.S. counterpart to Europe’s General Data Protection Regulation (the “GDPR”) that adjusts—and in some respects expands—the compliance burden on organizations that collect and use personal data. Most notably, and as those following Congress’ efforts to bring federal privacy legislation to fruition will recall, the APRA addresses the two most contentious aspects of federal privacy legislation by broadly preempting state and local data privacy laws and providing consumers a private right of action for violations of their privacy rights. If enacted, the Act would take effect 180 days after enactment.

Key Takeaways of the Act:

  1. Broad Preemption.  The Act as currently drafted contains broad preemption provisions that would largely do away with the patchwork of comprehensive privacy laws at the state level, with carve-outs for certain state laws on discrete subjects related to privacy—notably, provisions of the California Consumer Privacy Act related to employee personal information are likely to remain in effect. 
  2. Consumer Private Right of Action.  In addition to enforcement by the FTC and state attorneys general, individuals are provided with a private right of action that permits claims against covered entities for failures to comply with certain of the Act’s obligations.  Actions alleging substantial privacy harms or actions brought by a minor may not be subjected to mandatory arbitration, and individuals can recover actual damages, injunctive relief, declaratory relief and reasonable attorney fees and costs.
  3. Strict Data Minimization Requirements.  In line with recent heightened regulatory scrutiny of organizations’ data collection practices, the Act imposes strict data minimization obligations, prohibiting the collection, processing, retention and transfer of personal data, unless such activity meets general data-minimization principles (e.g., such processing is necessary, proportionate and limited to a specific purpose) or one of fifteen (15) specific permitted purposes.
  4. Broad Coverage.  Unlike recently enacted state privacy laws, the APRA does not contain any revenue or processing thresholds when it comes to applicability—broadly applying instead to any entity that determines the means and purposes of processing covered data and is subject to the Federal Trade Commission’s (“FTC”) jurisdiction, as well as to non-profits and common carriers.  Large data holders, high impact social media companies and data brokers have heightened, bespoke obligations under the Act, and even small businesses are subject to the Act to the extent such businesses engage in data sales. Data covered by the Act includes any data that identifies or is linked or reasonably linkable to an individual or device, but does not include de-identified data, employee data or publicly available information, amongst other carve outs.
  5. Sensitive Data Transfers and Express Consent.  Affirmative express consent is required before sensitive data—which is defined far more broadly under the Act than any current state privacy law and includes any data related to individuals under the age of seventeen (17)—can be transferred to a third party, unless the transfer is necessary, proportionate and limited to one of the permitted purposes.  Additional considerations are required for transfers of biometric and genetic data.

Summary of the APRA

Applicability.  The Act broadly applies to covered entities that alone or jointly with others determine the purposes and means of collecting or processing covered data and (i) are subject to FTC jurisdiction, (ii) qualify as a common carrier subject to Title II of the Communications Act of 1934 or (iii) are a non-profit organization. Affiliates that share common branding with a covered entity are also in scope, while small businesses[2], governments and their service providers, the National Center for Missing and Exploited Children and, except for data security obligations, fraud-fighting non-profits are excluded.  There are additional heightened requirements for large data holders[3], covered high-impact social media companies[4] and data brokers.

Covered Data. Covered data is defined as any information that identifies or is linked to or reasonably linkable to an individual or device, excluding (i) de-identified data[5], (ii) employee data, (iii) publicly available information, (iv) inferences made from multiple sources of publicly available information that do not meet the definition of sensitive covered data and are not combined with covered data and (v) information in a library, archive or museum collection subject to specific limitations.  The Act contains an extremely expansive definition of publicly available information, which serves to significantly narrow the Act’s scope.  Specifically, in addition to information from government records or made available to the general public via widely distributed media, the definition also includes information lawfully made available from “a website or online service made available to all members of the public, for free or for a fee, including where all members of the public can log-in to the website or online service,” provided that the individual to whom the information pertains did not restrict the information to a specific audience.

Sensitive covered data, the transfer of which requires affirmative opt-in consent unless expressly permitted under the Act, is a subset of covered data that generally includes any data relating to “covered minors” (i.e., individuals under the age of seventeen (17)), as well as government identifiers; health information; biometric information; genetic information; financial account and payment data; precise geolocation information; log-in credentials; private communications; information revealing sexual behavior; calendar or address book data, phone logs, photos and recordings for private use; any medium showing a naked or private area of an individual; video programming viewing information; an individual’s race, ethnicity, national origin, religion, or sex, in a manner inconsistent with a reasonable expectation of disclosure; online activities over time and across third party websites or over time on a high-impact social media company website or service[6]; and other data the FTC defines as sensitive covered data by rule.

Obligations of Entities Subject to the APRA.  Broadly speaking, covered entities are subject to the obligations and restrictions under the Act set forth below. Notably, while the APRA does not contain specific revenue or processing thresholds to determine the Act’s applicability, it does impose specific, heightened compliance obligations on certain types of covered entities (such as large data holders and covered high-impact social media companies) based on their annual revenues or the volume of covered data they process. 

  • Data Minimization.  The Act prescribes strict data minimization requirements, limiting the ability of covered entities (or service providers acting on their behalf) to collect, process, retain or transfer covered data to what is necessary, proportionate and limited (i) to provide or maintain a specific product or service requested by the consumer, or to communicate with a consumer in a manner reasonably anticipated within the context of the relationship, or (ii) to an expressly permitted purpose (e.g., data security, compliance with legal obligations, preventing fraud, de-identification of data for product or service development or improvement).  Furthermore, covered entities are expressly prohibited from transferring (i) any sensitive covered data or (ii) biometric or genetic information, in each case, to a third party without affirmative express consent unless expressly permitted by the Act. 
    • Business Transfers. Notably, the transfer of covered data as an asset to a third party in the context of a business transaction or bankruptcy is also set forth as a permitted purpose under the Act, provided that the covered entity provides each affected individual, within a reasonable time prior to such transfer, with (a) a notice describing the transfer, including the name of the entity receiving the individual’s data and that entity’s privacy policy and (b) a reasonable opportunity to withdraw any previously given consent or to request deletion of their data.
  • Transparency.  In a deviation from current requirements under state privacy laws, not only would covered entities be required to provide publicly available privacy policies detailing their data processing and security practices, but service providers would now incur such obligations as well.  The privacy policy must be made available in each language in which the covered entity or service provider provides a product or service and must disclose (i) the categories of covered data collected, (ii) the purposes for processing and (iii) to whom the information is transferred (including a list of any data broker transfers), as well as (iv) how consumers can exercise their privacy rights.  Material changes to a covered entity’s privacy policy—i.e., a change that would likely affect an individual’s decision to provide affirmative consent for, or opt out of, the entity’s data processing—require advance notice to consumers and the provision of a means to opt out. Uniquely, privacy policies must also disclose whether any covered data is transferred to, processed in or otherwise accessible to a foreign adversary.
    • Large Data Holders. Large data holders must further provide all copies of their privacy policies for the previous ten (10) years, including a log of all material changes (excluding for versions that predate the Act), as well as provide a short-form notice of their policies to consumers not to exceed 500 words in length.
  • Consumer Rights.  Like state privacy laws, the Act provides consumers with rights to access, correct and delete their data, as well as rights to data portability.  With respect to opt-out rights, consumers have rights to opt-out of (i) transfers of non-sensitive covered data and (ii) use of their data for targeted advertising, in each case, made through an opt-out mechanism. Not later than two (2) years after the Act’s enactment the FTC is directed to establish requirements and technical specifications for a privacy protective, centralized mechanism (including global privacy signals, such as browser or device privacy settings and registries of identifiers) for individuals to exercise their opt-out rights.  In addition, covered entities are prohibited from retaliating against any individual for exercising their APRA rights, provided that covered entities may offer bona fide loyalty programs or market research opportunities upon receipt of opt-in consent from the individual. Finally, users must be provided an “easy-to-execute” means to withdraw any affirmative express consent provided (i.e., in connection with the processing of their sensitive covered data).
    • Dark Patterns. The Act further prohibits covered entities from using any dark pattern—i.e., a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice—to divert an individual’s attention from any required notice, to impair the ability of any individual to exercise their rights, or to obtain, infer or facilitate consent.
  • Data Security and Executive Responsibility. Covered entities and service providers would be required to implement and maintain reasonable data security practices to protect the confidentiality, integrity and accessibility of, and prevent unauthorized access to, covered data, taking into account the size and complexity of the relevant business and the context, volume and sensitivity of the data to be processed. Entities must routinely assess vulnerabilities and take preventative and corrective actions to mitigate any reasonably foreseeable internal or external risk to, or vulnerability of, covered data. Additionally, covered entities must designate a privacy or data security officer to implement and facilitate ongoing review of the entity’s data privacy and security program, while large data holders must further (i) designate both a privacy and separate data security officer, (ii) beginning one year after the Act’s enactment, file annual certifications by the entity’s chief executive officer and each of its privacy and data security officers to the FTC detailing its internal controls and internal reporting structures for compliance with the Act, (iii) conduct privacy impact assessments on a biennial basis and (iv) develop a program to educate and train employees, amongst other responsibilities.
  • Additional Service Provider and Third Party Obligations. In addition to the obligation to enter into data processing agreements discussed below, the Act places requirements on service providers similar to those existing under current state privacy legislation, including requirements to (i) refrain from collecting, processing or transferring covered data other than to the extent necessary and proportionate to provide a service requested by the covered entity, or where the service provider has actual knowledge that the covered entity violated the Act with respect to such data, (ii) assist the covered entity in responding to consumers attempting to exercise their APRA rights, (iii) upon request by the covered entity, make available the information necessary to demonstrate the service provider’s compliance with the Act, (iv) delete or return covered data, as determined by the covered entity, upon the end of the provision of services unless retention is required by law, (v) engage other service providers only after exercising reasonable due diligence, providing notice to the covered entity and entering into a written contract satisfying the disclosing service provider’s obligations under the Act, (vi) develop, implement and maintain reasonable administrative, technical and physical safeguards to protect covered data and (vii) allow for and cooperate with reasonable audits by the covered entity.
    • Data Processing Agreements. Akin to the Article 28 requirements under the GDPR, the APRA mandates that covered entities and service providers enter into data processing agreements in order to establish a service provider relationship.  Such an agreement governs the data processing procedures of the service provider with respect to any data collection, processing or transfer performed on behalf of the covered entity or primary service provider and must clearly define the instructions for collecting, processing, retaining or transferring data; the nature, purpose and duration of the processing; the type of data subject to the processing; and the rights and obligations of each party.  Finally, the contract must specifically prohibit the service provider from combining its own data with covered data it receives from or on behalf of another covered entity or person. Notably, not only must covered entities enter into contracts with their service providers, but they are also required under the Act to conduct reasonable due diligence when selecting a service provider and when deciding to transfer covered data to a third party.
    • Third Party Processing Restrictions. The Act expressly prohibits third parties from processing the covered data transferred to it for any purpose other than (i) in the case of sensitive covered data, the processing purpose for which the consumer gave affirmative express consent or (ii) in the case of non-sensitive covered data, the processing purpose for which the third party made a disclosure in its privacy policy.
  • Data Brokers. Borrowing from the obligations imposed under the California Delete Act (previously discussed here), the APRA imposes a set of requirements on data brokers, including obligations to register with the FTC (which will be subsequently used to create a public-facing, searchable data broker registry) and maintain a publicly accessible website that contains a clear, conspicuous notice informing individuals that the entity is a data broker using language to be prescribed by the FTC.  The notice must further include a tool for individuals to exercise their individual controls and opt-out rights and a link to the FTC’s data broker registry website. The FTC is further directed to include a “Do Not Collect” mechanism on the data broker registry website that permits an individual to submit a request to all registered data brokers, subject to certain exceptions, that results in registered data brokers no longer collecting covered data related to such individual without the affirmative express consent of such individual.
  • Civil Rights and Covered Algorithms.  With respect to race, gender and other protected characteristics, the APRA would prohibit a covered entity or service provider from collecting, processing or transferring covered data “in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services” on a discriminatory basis, subject to certain exceptions such as using such data for self-testing by the covered entity to prevent or mitigate unlawful discrimination or to diversify an applicant, participant or customer pool.  An additional requirement for large data holders would align with restrictions on algorithmic decision-making introduced by the GDPR: a large data holder that uses a covered algorithm in a manner that would pose a consequential risk of harm to an individual or group of individuals, and uses such covered algorithm to collect, process or transfer covered data, would be required to produce an “algorithm impact assessment.”  The Act sets forth a list of prescriptive requirements for what must be included in such assessments, including detailed descriptions of the design process and methodologies, the data used by the covered algorithm, the steps taken to mitigate potential harms and an assessment of the necessity and proportionality of the covered algorithm in relation to its stated purpose.  By contrast, other covered entities and service providers are required to conduct such an assessment only where the entity knowingly develops a covered algorithm that is designed, solely or in part, to collect, process or transfer covered data in furtherance of a consequential decision.  In each case, however, such assessments must (i) be submitted to the FTC for evaluation, (ii) upon request, be made available to Congress and (iii) be summarized and made publicly available.
    • Opt-Out Rights.  Any entity (not just covered entities as defined) that uses a covered algorithm to make or facilitate a consequential decision (e.g., related to access to or equal enjoyment of housing, employment, education enrollment or opportunity, healthcare, insurance or credit, or use of or access to any place of public accommodation) must provide the relevant individual with notice and an opportunity to opt out of such use of the covered algorithm.

Enforcement. Departing from the approach adopted by most states (other than California), the APRA permits consumers to file private lawsuits against covered entities that violate certain of their APRA rights (e.g., failures to obtain consent for transfers of sensitive data or for the collection or transfer of biometric or genetic data, failures to provide privacy notices or to permit consumers to exercise their privacy rights), pursuant to which they may recover actual damages, injunctive relief, declaratory relief and reasonable attorney fees and costs.[7]  Where injunctive relief or actual damages are sought, consumers must provide the covered entity with thirty (30) days’ written notice of the alleged violation[8], unless the alleged violation resulted in a substantial privacy harm.[9] 

In addition to the private right of action, the APRA delegates primary enforcement authority to the FTC and permits state attorneys general, chief consumer protection officers and other state or federal offices authorized to enforce privacy or data security laws, including the California Privacy Protection Agency, to bring enforcement actions after notification to the FTC, subject to certain exclusions. The FTC is also given authority to promulgate regulations under a variety of provisions of the Act and is tasked with establishing a new bureau, comparable in nature to the FTC’s existing consumer protection and competition bureaus, to assist the FTC in carrying out its duties under the Act.

Violations of the Act will be treated as violations of a rule defining an unfair or deceptive trade practice under the FTC Act, carrying a maximum civil penalty of $51,744 per violation.  Civil penalties obtained are to be deposited in the Privacy and Security Victims Relief Fund to provide redress, payment, compensation or other monetary relief to individuals affected by an APRA violation.  States may further seek injunctive relief; civil penalties, damages, restitution or other consumer compensation; attorneys’ fees and other litigation costs; and other relief, as appropriate. 

Preemption of State and Local Privacy Laws. The APRA would generally preempt states from adopting, maintaining or enforcing any law or regulation covered by provisions of the Act with the exception of an enumerated list of state laws, rendering moot most aspects of the privacy legislation recently passed at the state level.   Despite its wide-ranging preemptive effects, there are a few notable exceptions to the APRA’s broad preemption provisions, including privacy laws related to the protection of employee data (meaning the California Consumer Privacy Act would remain in effect with respect to employee data) as well as carve outs for certain state laws on discrete subjects related to privacy (e.g., provisions of laws that address privacy rights or other protections of students or student information, data breach notification laws, general consumer protection or civil rights laws).  Similarly, entities subject to and in compliance with other specified federal privacy laws, including the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act, or federal data security requirements shall be deemed in compliance with the related provisions of the APRA.

State law preemption under the APRA has drawn heavy criticism from legislators and consumer advocacy groups who have criticized Congress’ approach as creating a ceiling for individual privacy rights rather than a floor.  Opponents of state law preemption argue that the federal government is ill-equipped to quickly respond to technological advancements that impact consumer privacy as compared with the states, which are often better positioned to respond to rapid changes in the digital environment. On the other hand, small and medium businesses and large corporations from around the country have expressed support for the APRA’s broad preemption provisions, citing the untenable compliance obligations imposed by the current patchwork of privacy legislation.

Conclusion

Because of its nationwide scope and potential to preempt state law, the APRA would markedly change the regulatory framework for entities that collect and process data of U.S. individuals. However, given the APRA’s uncertain future, covered entities should continue to monitor legal developments at the federal and state levels.


[1] A copy of the discussion draft APRA can be found here.

[2] Defined as entities and their affiliates whose average annual gross revenue for the previous three (3) years did not exceed $40 million, that on average did not process the covered data of more than 200,000 individuals (excluding data processed solely for payment transactions) and that do not transfer covered data to third parties for value (i.e., entities that do not “sell” data).

[3] Covered entities or service providers that have $250 million or more in annual revenue and that collect, process, retain or transfer the covered data of more than 5 million individuals (or 15 million portable devices or 35 million connected devices that are linkable to an individual) or the sensitive covered data of more than 200,000 individuals (or 300,000 portable devices or 700,000 connected devices), subject to certain exclusions from these counts: covered data consisting only of personal mailing or email addresses, personal telephone numbers or log-in information is not counted, nor, in the case of a covered entity that is a seller of goods or services (other than a payment processor or platform), is credit, debit or mobile payment information strictly necessary to initiate, render, bill for, finalize, complete or otherwise facilitate payments for goods or services.

[4] Covered entities that provide any internet-accessible platform, generate $3 billion or more in global annual revenue, have 300 million or more global monthly active users and constitute an online product that is primarily used by individuals to access or share user-generated content.

[5] Similar to the comprehensive state privacy laws passed to date, “de-identified data” is defined as information that cannot reasonably be used to infer or derive the identity of an individual, and that does not identify and is not linked or reasonably linkable to an individual or to a device that identifies or is linked or reasonably linkable to such individual, regardless of whether the information is aggregated, if the relevant covered entity or service provider (i) takes reasonable physical, administrative or technical measures to ensure that the information cannot, at any point, be used to re-identify any individual or any device that identifies or is linked or reasonably linkable to an individual; (ii) publicly commits in a clear and conspicuous manner to (A) process, retain or transfer the information solely in a de-identified form without any reasonable means for re-identification and (B) not attempt to re-identify the information with any individual or device that identifies or is linked or reasonably linkable to an individual; and (iii) contractually obligates any entity that receives the information from the covered entity or service provider to (A) comply with clauses (i) and (ii) with respect to the information and (B) include the same contractual obligations in all subsequent transfers of the data.

[6] Notably, this would mean any browsing data on such platforms, even without cross-site tracking, would require affirmative consent for third party transfers.

[7] Notably, (i) California residents are further entitled to recover statutory damages consistent with the CCPA for an action related to a data breach and (ii) consumers may recover statutory damages consistent with Illinois’s Biometric Information Privacy Act and Genetic Information Privacy Act for an action involving a violation of the affirmative express consent provisions for biometric and genetic information where the conduct occurred substantially and primarily in Illinois.

[8] If a cure for the alleged violation is possible within thirty (30) days, and the entity in fact cures and provides written notice of such cure to the individual, an action for injunctive relief will not be permitted.

[9] Substantial privacy harms include financial harms of $10,000 or more and physical and mental harms that involve (i) treatment by a licensed health care provider, (ii) physical injury, (iii) highly offensive intrusions into the privacy expectations of a reasonable consumer or (iv) discrimination on the basis of a protected characteristic.