Weighing the Impacts of the American Privacy Rights Act of 2024

Earlier this month, U.S. Representative Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA) unveiled a new bill: the American Privacy Rights Act of 2024 (APRA). This bill is currently a discussion draft, intended to introduce a framework and solicit amendments. Interestingly, this is a bicameral, bipartisan bill with both houses of Congress and both political parties involved—a fun civics class refresher!

Déjà vu or Legislative Successor 

In 2022, Rep. Frank Pallone (D-NJ) introduced the American Data Privacy and Protection Act (ADPPA). This bill did not have a Senate sponsor and was opposed by several key legislative parties. Senator Cantwell and the California Privacy Protection Agency (CPPA) opposed the bill, viewing it as weaker than current state privacy laws. The California Congressional delegation was not willing to preempt their state law with a weaker federal standard. This bill’s disappointing history, however, provided important insights on the ‘needs’ of various stakeholders in privacy legislation, leading to the APRA we see today. Core portions of the APRA came directly from ADPPA. These apparent improvements have differentiated the bill enough to gain a Senate sponsor, making APRA much more of a successor than a re-tread of a previous failed bill.  

Looking Closer: What Does APRA Do? 

I want to highlight four core functions of APRA as it is currently written:  

  1. Setting national data privacy and minimization standards, 
  2. Preempting state laws, 
  3. Enabling layered enforcement, and 
  4. Directing executive action.

1. National Data Privacy and Minimization:

APRA introduces many of the key Data Privacy principles that we’ve seen in so many other jurisdictions.  These include:  

  • Privacy rights (right to delete, transfer, change, etc.); 
  • Data security obligations when businesses collect, process, retain, or transfer users’ data; and 
  • Data minimization, which limits data uses to certain ‘permitted purposes’ and those necessary, proportionate, or limited to providing a product or service requested by an *  
    *Interestingly, the current draft’s ‘permitted purposes’ is narrower than GDPR.

2. Preemption of State laws:

There are currently nearly 20 states with data privacy bills being proposed or under consideration, with more states advancing bills through the legislative process as this is being written (check out this map of state privacy laws from IAPP). The APRA largely preempts those bills and replaces their standards. This is certainly a potential relief for privacy professionals forced to adapt to a regularly shifting patchwork of state laws. Some states like California with existing robust privacy laws will theoretically shift enforcement to this federal statute, while other states will have the option to establish their own state bodies to enforce these standards and pursue enforcement actions as required.  

3. Layered Enforcement:

APRA can be enforced by the federal government, by states, and by individuals—this is known as an individual’s ‘private right of action’ or PRA. The PRA can pursue actual damages, injunctive and declaratory relief, and legal fees. This PRA is, crucially, exempt from mandatory arbitration. The ADPPA, conversely, had a two-year delay for PRAs and did not exempt mandatory arbitration, contributing to its perceived weak enforcement attributes. If passed, states can enforce this bill through enforcement agencies like the CPPA or suits from Attorneys General. Finally, the FTC becomes the chief federal enforcement agency for data privacy, largely preempting the FCC’s involvement.

4. FTC Directives:

As is typical for larger Congressional bills, APRA includes directives for the executive branch—specifically the Federal Trade Commission (FTC).  The FTC is directed to do several important things, including subsequent development of systems or standards.  In other words, Congress doesn’t specify all the details of some systems or standards but rather places an order and allows the FTC to figure out the nuts and bolts of how to operationalize the law.  Depending on the task, the FTC generally fulfills its duties by publishing a policy statement (as it did for biometrics last year) or by undertaking rulemaking under the Administrative Procedures Act—this can take time with ‘notice and comment’ periods.  I want to highlight a few important APRA measures: 

  • Global Opt-Out: The FTC is directed to develop a standard mechanism for centralized consumer Opt-Out. Think of this like the ‘one-click unsubscribe’. 
  • Data Broker Registry: The FTC is directed to create a registry of data brokers and allow consumers to request the deletion of their data from these companies’ records. Currently it does not direct an explicit single-step deletion request, but based on the 17 Congressional hearings that have taken place, this is a likely future addition. Think of it as the ‘Do Not Call’ list for data brokers… but rather a ‘Do Not Collect and Sell my personal information’ list. 
  • Sensitive Covered Data: The FTC is directed to create a rule for expanding this category of data. This is good, considering that new types of technology and information may necessitate adding to the definition. 
  • Algorithm Impact Assessments: APRA requires impact assessments to be conducted and published publicly for certain covered algorithms. The FTC is given the authority to determine covered algorithms and other requirements for these impact assessments. 
  • Minimization Standards: The FTC is directed to publish guidance on the reasonably necessary and proportionate compliance requirements for data minimization. This may prove to be a way to widen the ‘permitted purposes’ under the act, though this may also occur as Congress amends this draft. 

Support and Opposition 

On April 17th the House held a hearing on “Legislative Solutions to Protect Kids Online and Ensure Americans’ Data Privacy Rights.”  This hearing presented nearly a dozen bills, many containing provisions akin to portions of the APRA.  House Committee members and all witnesses noted bipartisan support for a national privacy bill, yet there was considerable divergence on many technical issues.  Some appeared to be friendly in nature, pointing out areas for improvement or correction, with Rep. Schakowsky noting that the bill was, “not complete…it’s an ongoing effort.” 

Significant opposition to the bill, however, comes from the CPPA. Less than a day before the hearing, the California agency released a statement letter on the APRA. In it, CPPA noted California’s leading role in advancing privacy measures and noted some technical issues with APRA that fall short of CA’s legal framework. They simply do not support a federal bill that preempts state privacy laws: “Strong federal protections do not have to come at the expense of the states.” While some of the technical issues with APRA, such as the lack of single-step data broker deletion, are likely to be corrected in Congress, the preemption is unlikely to change. It remains to be seen if changes to the APRA discussion draft will be enough to overcome this opposition.

Outlook: A (Doomed?) Vehicle to Advance Privacy Issues 

To advance, this bill would need to remain neutral on the partisan teeter-totter (not a small task) by earning the support of the ranking members (Rep. Pallone and Sen. Cruz). While Rep. Pallone is likely to support APRA with changes, Sen. Cruz’s initial comments suggest hesitance. Rep. Rodgers’ retirement from the House in January means the bill will need a new Republican advocate to avoid becoming partisan—and suffering the fate of many partisan bills. Additionally, the bill certainly needs at least the tacit support of the CPPA—unlikely considering its most recent statement. While it is possible that amendments to the draft bill could earn CPPA and full bipartisan-bicameral support, there are, unfortunately, political realities in Washington that can complicate legislation. Legislative efforts inherently involve political decisions and calculations extending beyond the subject matter; this bill will not be immune from such realities.

But Wait!  Even if this bill fails, there are considerable positive results of its being proposed.   

  1. First, the bill can increase awareness of privacy issues, both in the public and Congress, as media and public policy organizations discuss the bill.  
  2. Second, just as the ADPPA’s failure identified certain statutory shortfalls and political considerations, APRA can further illuminate the positions of stakeholders in Washington so that, even if it fails, future legislative efforts might be better prepared.
  3. Third, the bill underscores principles and legislative goals that are likely to be enacted in some fashion in the future, even if not in this large bill. The House subcommittee currently considering APRA is also hearing multiple smaller bills covering minimization, algorithms, and data brokers.  For example, the Data Elimination and Limiting Extensive Tracking and Exchange (DELETE) Act would establish a centralized system allowing individuals to ‘delete’ their data from all data brokers—this looks like a small portion of APRA in its own bill.  
  4. Finally, it is also possible that even if legislation fails, the FTC could attempt rulemaking for some portions of these efforts, particularly those it can tie to its ‘unfair and deceptive business practices’ enforcement mission (e.g., the global opt-out standard). 

What Should You Do? 

This legislative process is messy, with overlapping bills and conflicting stakeholders. If this is enough to confound privacy professionals, businesses certainly have a difficult set of decisions. Do we wait to change our policies and procedures to see if the bill becomes law? Or do we guess what Congress and the FTC will eventually put into force and plan accordingly? There is no perfect answer, yet embracing a holistic approach to data privacy and personal information protection and governance is always a prudent exercise. This includes implementing Privacy by Design principles and reviewing the overall data privacy and protection program of your organization.

A review should ensure that management processes and policies are in place for key risks such as data transfers, automated decision making, or use of data from protected classes—particularly children. When appropriate, assessments (PIA/DPIA, DTIA, etc.) should be current, reflecting the latest organizational information available and accessible. These steps can ensure that your organization is prepared for changes in the law, reducing costly compliance and risk. Myna is here to assist with ensuring your organization is prepared, and eager to help with your compliance challenges.

What’s Next? 

We’re closely monitoring the APRA’s progress through the legislative process and its companion bills currently before the House Subcommittee on Innovation, Data, and Commerce. There are sure to be amendments and changes to the APRA in an attempt to garner support from key stakeholders. The waves created by the introduction of the APRA, both in policy and in the media, are sure to have impacts on businesses. Regardless of what those impacts are, Myna will be ready to help proactive clients quickly adjust to new statutory requirements and FTC obligations.  

For information on how Myna can help you with any or all these requirements, please contact Wills Catling, Director at Myna Partners at: william.catling@levelupconsult.com and we’d be happy to set up a consultation to hear about your program needs.