American Privacy Rights Act (APRA) markup cancelled: Is the federal privacy bill dead?

Nobody expected an easy ride for the American Privacy Rights Act (APRA), the second serious attempt at passing a comprehensive federal privacy law in the US.  

But with bipartisan and bicameral support, compromises on key sticking points, and scores of states adopting their own privacy laws, some observers thought the bill might be in with a chance this time around. 

On 27 June, the APRA received a possible killing blow when a scheduled markup at the House Energy and Commerce Committee was cancelled at the last minute. So what happened, and should we forget about a federal privacy law for another few years? 

The American Privacy Rights Act

The APRA bears many similarities with its doomed predecessor, the American Data Privacy and Protection Act (ADPPA). 

Here are some of the APRA’s main features: 

• Individual rights to access, correct, and delete “covered data” (meaning the types of personal data covered by the APRA) and to export covered data in a portable format. 
• An obligation on the Federal Trade Commission (FTC) to create regulations requiring businesses to recognize Universal Opt Out Mechanisms (UOOMs) such as the Global Privacy Control (GPC) 
• A strict “data minimization” approach that prohibits the processing of covered data except where reasonably necessary for certain pre-determined activities. 
• A private right of action allowing individuals to sue businesses for violating certain parts of the law. 

Another important part of the law relates to its pre-emption of state privacy laws: Where federal and state law conflict or cover similar ground, which takes precedence?  

The APRA approached this issue by carving out certain types of state laws but generally pre-empting the many comprehensive state privacy laws that have passed since 2018. 

The APRA’s latest draft

In preparation for the scheduled markup session on 27 June, the APRA received a re-drafting that weakened certain provisions and (modestly) strengthened others. 

Here are some of the changes in the latest version of the APRA: 

• Certain sections on civil rights and algorithmic protections were removed, along with a right to opt out of “consequential” automated decisions. 
• Some advertising-related definitions were expanded to include contextual advertising, direct mail advertising, email advertising, and first-party advertising.  
• The term “online activity profile” was introduced as a type of sensitive data. 
• The law’s data minimization rules remain robust, with certain medical research now requiring affirmative express consent. 
• The draft included enhanced data protection for minors and some amendments to the Children’s Online Privacy Protection Act (COPPA). 

These changes were poorly received by certain civil rights groups but were intended to help the APRA gain support as it moved through the legislature. However, the approach appears not to have been sufficient to rescue the draft law. 

The cancelled markup

A House Committee markup provides an opportunity for lawmakers to scrutinize and amend a bill. Committee members can propose changes to the bill, rewrite parts of the law, and then vote on whether to report the amended bill to the full House chamber for consideration. 

The calling off of the 27 June markup was a serious blow to the APRA’s chances of becoming law. According to the International Association of Privacy Professionals (IAPP), Republican pushback against the APRA was the main reason for the session’s cancellation. 

House Speaker Mike Johnson and Majority Leader Steve Scalise reportedly held a meeting with Energy and Commerce Republican members, excluding key APRA supporters. Scalise expressed his reservations about the bill and discussed his efforts to intervene in the APRA’s drafting. 

Many Republicans, including Representative Buddy Carter, apparently voiced concerns about the bill’s private right of action, which they felt could negatively impact smaller businesses. 

Despite these challenges, Committee Chair Cathy McMorris Rodgers and Ranking Member Frank Pallone expressed their commitment to continuing to work on the bill and address the issues. 

The APRA is not necessarily dead, but its future is uncertain. The Committee faces a time crunch with the upcoming August recess and the November elections, which could limit the available time to address the bill’s issues and move it forward. 

In the meantime, privacy professionals have plenty of work to do complying with new laws at the state level.