How data minimization works under the American Privacy Rights Act (APRA)
Posted: May 20, 2024
The second serious attempt at a US federal privacy law, the American Privacy Rights Act (APRA), provides some strict rules around “data minimization”. Organizations covered by the law can only use “covered data” for a set of pre-determined purposes—if an activity’s not on the list, it’s effectively illegal.
This article looks at how the APRA’s data minimization rule works for covered data, sensitive covered data, and biometric and genetic information. How does the general data minimization rule work for these types of data, and what “permitted purposes” are available for each?
The general data minimization rule
Let’s look at how data minimization applies to “covered data” – the broadest type of personal information defined by the APRA.
The APRA applies a general data minimization rule and then provides a set of exceptions known as “permitted purposes”.
In general, a covered entity or service provider may not “collect, process, retain, or transfer” covered data beyond what is “necessary, proportionate, and limited” to provide or maintain:
- A specific product or service requested by an individual, including any associated routine administrative, operational, or account-servicing activity such as billing, shipping, delivery, storage, or accounting, or
- A communication by the covered entity to the individual reasonably anticipated within the context of the relationship.
This means that, by default, covered entities can only process covered data to provide services requested by the individual or deliver communications expected by the individual.
“Process” means “any operation or set of operations performed on covered data”. So while “processing” covers virtually everything, the APRA still distinguishes the other activities (“collect”, “retain”, and “transfer”) in certain contexts, as the rules for sensitive covered data below show.
Beyond these two types of activities, there are 15 other “permitted purposes,” which we’ll look at below.
The general rule for sensitive covered data
Now let’s look at “sensitive covered data”, a sub-type of covered data. The APRA includes a long list of types of covered data that are treated as “sensitive”.
When it comes to sensitive covered data, a stricter data minimization rule applies when “transferring” it.
To “transfer” data means to “disclose, release, share, disseminate, make available, sell, rent, or license” the data in any way, for “consideration of any kind” (i.e., for money or another benefit) or for any commercial purpose.
Covered entities and service providers may not transfer sensitive covered data to a third party without the individual’s affirmative express consent.
Covered entities must also provide a clear, conspicuous, easy-to-use way to withdraw consent.
But as with “regular” covered data, there are exceptions, which we’ll look at below.
Additional protections for biometric and genetic information
An even stricter data minimization rule applies to “biometric information” and “genetic information”.
Covered entities and service providers may not collect, process, retain, or transfer biometric or genetic information without affirmative express consent. A covered entity must provide a way to withdraw consent.
Note that this general rule applies to all ways of handling genetic or biometric information (collecting, processing, retaining, and transferring) – not just “transferring” it, as is the case with other sensitive covered data.
Again, there are exceptions.
Exceptions to the APRA’s data minimization rules: The ‘permitted purposes’
The APRA provides 15 “permitted purposes” – exceptions to the general data minimization rule.
The permitted purposes apply differently depending on the type of data and the ways in which it is processed.
- All 15 permitted purposes apply to “covered data”.
- All the permitted purposes apply to “sensitive covered data” unless otherwise stated (for example, 14 and 15 don’t apply to sensitive covered data, and 13 doesn’t apply to health data).
- Regarding biometric and genetic data, a covered entity or service provider may:
- “Collect, process, or retain” (not transfer) biometric or genetic information as “essential” for permitted purposes 1-4 and 9-13.
- “Transfer” biometric or genetic information to a third party as “essential” for purposes 2, 3, 4, 8, 9, 11, and 12.
A covered entity or service provider may “collect, process, retain, or transfer” data for the following 15 permitted purposes, but only if the collection, processing, retention, or transfer is itself “necessary, proportionate, and limited” to that purpose:
1. To protect data security, protect against spam, and maintain networks and systems, including through diagnostics, debugging, and repairs.
2. To comply with a legal obligation.
3. To investigate, establish, prepare for, exercise, or defend “cognizable legal claims” on its own behalf.
4. To transfer covered data to a law enforcement agency pursuant to a lawful process.
5. To effectuate a product recall pursuant to state or Federal law, or to fulfill a warranty.
6. To conduct market research.
7. To process covered data into de-identified data, including to:
a. Develop or enhance the covered entity’s product or service
b. Conduct internal research or analytics to improve the covered entity’s product or service
c. Conduct a public or peer-reviewed scientific, historical, or statistical research project that is in the public interest and adheres to all relevant laws and regulations.
8. To transfer assets to a third party in the context of a merger, acquisition, bankruptcy, or similar transaction if the covered entity provides each affected individual, in a reasonable time, with:
a. A notice describing the transfer, including the name of any entity receiving the individual’s covered data and its privacy policies; and
b. A reasonable opportunity to:
i. Withdraw any previously given consent, and
ii. Request the deletion of the covered data.
9. For certain communications providers: To provide call location information.
10. To “prevent, detect, protect against, investigate, or respond to” fraud or harassment, except where selling covered data to a government entity.
11. To prevent, detect, protect against, investigate, or respond to an ongoing or imminent network security or physical security incident.
12. To prevent, detect, protect against, investigate, or respond to an imminent or ongoing public safety incident, except where selling covered data to a government entity.
13. Except for health data, to prevent, detect, protect against, investigate, or respond to criminal activity, except where selling covered data to a government entity.
14. Except for sensitive covered data, and only for covered data collected in accordance with the APRA, as necessary to provide first-party or contextual advertising.
15. Except for sensitive covered data, and only for covered data collected in accordance with the APRA, to provide targeted advertising to an individual who has not opted out.
Data minimization under the APRA: The upturning of US law?
The APRA’s data minimization requirements are not how US law normally works.
Most US laws enable companies to generally act freely by default, and then provide rules and prohibitions in specific areas.
In contrast, the APRA starts from a prohibition: companies may not process covered data at all, except to provide a requested product or service, to deliver expected communications, or for one of the enumerated permitted purposes.
If the APRA passes, covered entities will need to inventory their data processing activities and map each one either to the general data minimization rule or to a specific permitted purpose; any activity that fits neither will have to stop.