One bill to rule them all? Unraveling the new American Privacy Rights Act (APRA)
Posted: April 9, 2024
In a time when digital footprints permeate every aspect of our lives, the United States finds itself at a crucial crossroads concerning online privacy and data protection.
The imminent debate over the American Privacy Rights Act (APRA) underscores the nation’s recognition of the necessity to empower individuals with control over their personal information.
As the APRA gains bipartisan support and takes a step closer to moving forward, it heralds a pivotal moment in shaping the landscape of online privacy.
4 key things to know about the APRA:
- APRA emphasizes empowering individuals with control over their personal information, making informed consent a fundamental consumer right.
- Users will have to be given the option of opting out of targeted advertising and Big Tech companies will have to disclose when a user’s data is given to third parties.
- The bill would preempt state privacy laws, including those of California, Illinois and Washington.
- To aid enforcement, the US Federal Trade Commission (FTC) will create a new bureau specifically for data privacy if this act is passed.
What does the APRA seek to legislate?
Arriving nearly two years after the previous attempt to bring in federal-level privacy legislation, the proposed APRA represents a change in thinking in the US approach to data privacy, mirroring global trends towards comprehensive legislative frameworks. Spearheaded by cross-party efforts, the bill seeks to regulate the collection, retention, and utilization of consumer data by corporations.
The act, if passed, will help alleviate the difficulties faced over the current “patchwork” of state-by-state data legislation, by providing a single cohesive protective act for all Americans.
Central to its provisions is the empowerment of users to exercise informed consent, enabling them to opt out of targeted advertising and exert control over their digital footprint.
At the heart of the APRA lies the principle of consent — the cornerstone of ethical data practices. By affording users the right to view, correct, download, or delete their data, the bill epitomizes a proactive stance towards safeguarding individual autonomy in the digital realm.
Moreover, the establishment of a national registry of data brokers underscores the imperative to enhance transparency and accountability in data transactions, ensuring that consent remains sacrosanct.
House Energy and Commerce Committee Chair Cathy McMorris Rodgers aptly characterizes the APRA as a watershed moment in reining in the unchecked practices of Big Tech.
By curbing the pervasive surveillance and exploitation of user behavior for commercial gains, the bill reaffirms the primacy of consent as a stronghold against corporate overreach. However, challenges persist, particularly regarding the harmonization of federal and state regulations, and the delineation of enforcement mechanisms.
U.S. House Committee on Energy and Commerce Chair Cathy McMorris Rodgers said:
“Online privacy protections shouldn’t differ across state lines. What we see is a patchwork of state laws developing, and this draft that Sen. Cantwell and I have agreed to will establish privacy protections that are stronger than any state law on the books.”
How does it differ from other privacy laws?
Drawing inspiration from California’s pioneering privacy law, the California Consumer Privacy Act (CCPA), the APRA incorporates provisions that empower individuals to seek recourse in cases of data breaches.
This inclusion of a private right of action not only underscores the bill’s commitment to consumer protection but also highlights the role of consent as a legal safeguard against privacy infringements.
Furthermore, the bill’s expansive scope encompasses a broad spectrum of personal data, ensuring comprehensive protection across digital platforms.
There are also inevitably similarities between the APRA and Europe’s General Data Protection Regulation (GDPR). The APRA mimics the GDPR when it comes to covered data, defining it as information that identifies, is linked, or is reasonably linkable to an individual or device.
However, there are differences between the two, particularly in how the APRA defines sensitive information.
The APRA has moved to include data that reveals an individual’s online activity over time across websites or services that do not share common branding, or an online service covered by a ‘high-impact social media company’.
This is an entirely new term – defined as covered entities that host user-generated content, generate $3 billion or more in global annual revenue, or service more than 300 million monthly users.
How will the APRA be enforced?
The APRA outlines enforcement responsibilities for three key entities: the Federal Trade Commission (FTC), state attorneys general, and individual consumers.
The FTC is instructed to establish a new bureau, similar to its existing Bureaus of Enforcement and Competition, to oversee compliance with the APRA.
Violations of the law would be treated as breaches of regulations prohibiting unfair or deceptive practices, as outlined in the FTC Act. Additionally, the APRA mandates the creation of a Privacy and Security Victims Relief Fund to facilitate compensation for affected consumers. The FTC is also obligated to provide regular reports to Congress detailing its enforcement efforts and administrative actions related to the Act.
Notably, the APRA effectively ends the FTC’s authority to establish rules concerning commercial surveillance and data security, a responsibility the FTC assumed due to the absence of a comprehensive federal privacy law.
Furthermore, the APRA grants authority to state attorneys general, chief consumer protection officers, and other state officials to enforce its provisions in federal district court. They are empowered to pursue various legal remedies, including injunctions, civil penalties, damages, restitution, and consumer compensation. Prior to initiating legal action under the APRA, state attorneys general must notify the FTC.
Importantly, the APRA grants consumers the right to initiate private lawsuits against entities covered by the law for violations of their privacy rights. This enforcement avenue, favored by Democratic supporters of the proposal, allows for lawsuits seeking actual damages, injunctive relief, declaratory relief, and reimbursement of reasonable legal fees and expenses.
The APRA also addresses specific state laws regarding privacy rights. For instance, individuals in Illinois can seek statutory damages for violations involving the unauthorized use of biometric and genetic information in accordance with Illinois’s BIPA. Similarly, California residents can claim statutory damages for data breaches under California’s CCPA. Covered entities are given the opportunity to rectify violations when injunctive relief is sought, and written notification is required for actions seeking actual damages, except for cases involving significant privacy harm.
What’s next for the APRA?
While the APRA marks a significant step towards fortifying online privacy rights, its journey through Congress remains fraught with uncertainties. As lawmakers engage in deliberations and seek feedback, the bill stands as a testament to the evolving discourse surrounding consent and data sovereignty. Its passage would signify a resounding victory for individual autonomy in an increasingly digitized world.
The American Privacy Rights Act epitomizes the imperative to preserve consent as a cornerstone of online privacy in the United States. By championing transparency, accountability, and user empowerment, the bill heralds a new era of digital governance rooted in ethical data practices.
As the nation continues to grapple with evolving technology and data, the APRA stands as a beacon of hope, reaffirming the fundamental principle that consent is not just a privilege but a right that must be upheld and protected.