Is Congress Ready to Pass a Federal Data Privacy Law?


Apr 25, 2024

By: James M. Black II, Esq., Daniel J. Gershman, Esq., and Christopher Rivera

On April 7, 2024, a discussion draft of the American Privacy Rights Act (“APRA”) was introduced by two members of Congress: Cathy McMorris Rodgers, Chair of the House Committee on Energy and Commerce, and Maria Cantwell, Chair of the Senate Committee on Commerce, Science, and Transportation. The unveiling of APRA heralds a bipartisan commitment to solidify a federal standard for consumer privacy protections, aiming to supersede the various state laws that have emerged over recent years.

To date, twenty-four states have established their own data privacy laws with distinct standards. Among these, fourteen states, which include California, Colorado, Connecticut, New Jersey, and Virginia, have adopted more robust regulations specifically governing personal identifying information of consumers. The varied nature of these state-specific laws creates a complex regulatory landscape, posing a substantial challenge for businesses that must navigate the nuances between each set of rules. However, the APRA represents a significant shift in the trajectory of U.S. data privacy law and potentially provides a much-needed uniform standard.

Moreover, the APRA presents a more effective solution to the data privacy concerns targeted by Congress through the Protecting Americans from Foreign Adversary Controlled Applications Act, which aims to ban foreign-owned social media platforms, such as TikTok. To read more about this topic, please visit our previous blog post.

The Current Data Privacy Landscape

As explained above, the U.S. does not have a unified federal data privacy law. The federal data privacy landscape consists of various laws and regulations aimed at protecting various types of personal information across industries and demographics. The three key laws often referenced in this context are (a) the Health Insurance Portability and Accountability Act (HIPAA), enacted to set a standard for the protection of sensitive patient health information held by healthcare providers, health plans, and other entities that handle such information; (b) the Gramm-Leach-Bliley Act (GLBA), which requires banks, securities firms, insurance companies, and other financial institutions to explain their information-sharing practices to customers and to safeguard sensitive data; and (c) the Children's Online Privacy Protection Act (COPPA), which regulates the collection, use, and disclosure of personal information from children by the operators of websites and online services directed towards children under thirteen (13) years old.

The absence of a comprehensive federal data privacy law governing the collection and use of personal information across all industries has left states to enact their own regulations, most prominently the CCPA and its successor, the CPRA, which provide California consumers with robust privacy rights. These rights include the ability for consumers to access, delete, and restrict the sale of their personal identifying information. In addition, these laws limit the use and disclosure of sensitive personal information. Similarly, regulations such as the Colorado Privacy Act, Delaware Personal Data Privacy Act, and New Hampshire Privacy Act offer consumers within the state boundaries the right to opt out of data processing for targeted advertising. Although these states share a common goal of enhancing consumer privacy, each one has established its own unique set of rules, resulting in a multifaceted matrix of standards in which similar principles are applied through different legal requirements.

On the international level, the GDPR sets an even higher standard for data privacy in the European Union, emphasizing transparency, security, and consumer control over personal identifying information. The GDPR is commonly referred to as the most robust data privacy regulation and grants expansive consumer rights. Alternatively, the EU-U.S. Data Privacy Framework is a voluntary program that provides a mechanism for companies to transfer personal identifying information from the EU to the U.S. in a privacy-protective manner consistent with applicable law. Even though companies are not required to participate in this program, failure to comply with the Framework once a company has joined may result in violations of the Federal Trade Commission’s prohibition on unfair and deceptive acts. To read more about compliance with the EU-U.S. Data Privacy Framework, please visit our previous blog post.

Should the APRA fail to pass, U.S. businesses will continue to navigate a fragmented landscape of state laws without a cohesive federal standard, making compliance more complicated and potentially leaving gaps in consumer protections. Further, without a federal standard, the U.S. risks falling behind international requirements set by regulations such as the GDPR, potentially impacting international data flows and the global competitiveness of U.S. companies.

Overview of the Bill

The purpose of the APRA is to provide consumer rights similar to those under the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), and the European Union’s General Data Protection Regulation (“GDPR”). The APRA would grant consumers more control over their personal identifying information, promote the approach of data minimization, and standardize data security protocols that compel businesses to implement and maintain robust measures that protect consumer data from cyber threats and unauthorized access.

Covered Data

The draft defines “Covered Data” as “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals.” This broad definition ensures that a wide range of consumer information, from basic identifiers to complex behavioral data, falls under the purview of the APRA's privacy protocols. Nonetheless, the APRA does provide certain exceptions, including de-identified information and publicly available data.

In addition, the APRA pays particular attention to “Sensitive Covered Data,” a category of consumer information that requires heightened protections due to its intimate or critical nature. Such data includes, but is not limited to, government-issued identifiers, health details, biometric and genetic data, precise geolocation, and certain private communications. Sensitive Covered Data encompasses elements of an individual’s private life that, if misused, could lead to significant privacy invasions or discrimination. Hence, under the APRA, any transfer of such sensitive data is contingent on the explicit and express consent of the individual.

Covered Entities

The APRA delineates specific criteria to determine which entities fall within its regulatory purview. To be considered a covered entity, a business must meet one or more of the following conditions:

  • Revenue-Based Qualification: Entities that generate an average revenue exceeding $40 million over the preceding three years, or an average of $40 million over the life of the business if it has been in existence for less than three years.
  • Data Processing Volume: Businesses that process the personal information of more than 200,000 individuals annually unless such processing is exclusively for providing a product or service explicitly requested by the customer.
  • Data Transfer for Value: Entities that transfer any personal information to third parties in exchange for revenue or other valuable consideration. This includes businesses that may not necessarily meet the large revenue criteria but still engage in significant data transactions that could impact consumer privacy.

In addition, the APRA contains specific exemptions and thresholds for smaller entities, recognizing the varying capabilities and risks presented by organizations of different sizes. In this way, the legislation imposes obligations that are proportionate to the level of privacy risk an entity's data practices pose to individuals.

Consumer Rights

Following the footsteps of state privacy laws such as the CCPA, CPRA and Europe’s GDPR, the APRA provides consumers with the following rights:

  • Access: The right to access covered data in a format that can be naturally read by a human. This right also allows consumers to access the names of any third parties or service providers that have received covered data from any covered entities along with the purpose of the transfer;
  • Correction: The right to correct any inaccuracies or incomplete information related to covered data;
  • Deletion: The right to delete covered data; and
  • Export: The right to export covered data to the extent technologically feasible.

Moreover, the APRA grants consumers the right to opt out of transfers of non-sensitive covered data and of the use of their personal information for targeted advertising. Under the APRA, the Federal Trade Commission (“FTC”) is directed to issue regulations that establish the requirements and technical specifications that covered entities must provide in order for consumers to exercise their opt-out rights.

Data Minimization and Collection Practices

Data minimization is the principle of limiting the collection, processing, retention, and transfer of personal information to what is strictly necessary for the completion of specified services or functions. It calls for a departure from the expansive and often excessive data strategies of the past, constraining data practices to only what is required to serve the consumer's needs or to fulfill clear and permitted purposes.

The APRA enforces this principle by prohibiting entities from indiscriminately amassing consumer data, instead requiring them to collect only what is essential to deliver a requested service or to perform a communication that a consumer might reasonably anticipate given their relationship with the service. Moreover, the legislation places additional restrictions on the collection and third-party transfer of sensitive data types, such as biometric or genetic information, insisting on affirmative express consent from the individual unless such collection or transfer falls within certain exceptions deemed permissible by the APRA.

These mandates align with the overarching goal of safeguarding consumer privacy by reducing the likelihood and potential impact of data breaches and misuse. The FTC is tasked with issuing guidance on adhering to data minimization principles, and enforcing prudent and minimized data practices.

Data Security Requirements

The APRA requires covered entities to establish, implement, and maintain robust data security practices that are appropriate to their size, the scope of their data processing activities, the volume and sensitivity of the data handled, and the current state of technology for protecting such data.

Specifically, the APRA dictates that these security measures must include the ability to assess vulnerabilities and mitigate any reasonably foreseeable risks to consumer data. This involves an ongoing process of identifying potential security gaps and implementing corrective actions to prevent data breaches. Furthermore, covered entities are required to ensure that their data security practices are continuously updated and refined in response to new threats and developments in security technology.

To ensure compliance, the APRA includes provisions for regular evaluation of the effectiveness of these security measures. Covered entities must demonstrate their commitment to data security by conducting periodic reviews and adjustments of their security protocols, ensuring that they remain robust against evolving cybersecurity threats. Additionally, the FTC is tasked with issuing regulations that clarify the specific requirements of these security measures, providing guidance to covered entities on how to effectively secure consumer data according to the mandates of the APRA.

Enforcement

The APRA designates multiple layers of enforcement authority. First, the FTC is authorized under the bill to treat violations as infringements against rules defining unfair or deceptive acts or practices. This positions the FTC to issue fines and enforce corrective actions by leveraging its established authority. To facilitate this, the APRA directs the FTC to create a new bureau or designate existing resources specifically for the oversight and enforcement of the APRA.

In addition, state attorneys general are granted the authority to enforce the APRA’s provisions. This allows for localized enforcement actions, which are crucial given the varying impacts and contexts of data privacy violations across different states. State attorneys general can seek injunctions, civil penalties, and other legal remedies against entities that violate the provisions of the APRA, ensuring that enforcement is not only broad but also adaptable to specific state-level needs and concerns.

Lastly, the APRA introduces a private right of action, which allows consumers to seek legal redress against companies that fail to comply with the privacy standards set forth in the APRA. Consumers can sue for actual damages and seek injunctive and declaratory relief, which serves as a mechanism for individual accountability.

Going Forward

As it stands, the proposed bill has a long way to go before becoming law. The upcoming House Energy & Commerce Committee's scheduled hearing is the first crucial step. This forum will allow for in-depth discussions about the bill's impact and provide a platform for various stakeholders to voice support, raise concerns, or suggest refinements. Thereafter, the APRA must be formally introduced and debated by Congress, and the bill will likely be amended before going to a vote by both houses.

The APRA also arrives at a time when state legislatures are actively expanding their own privacy regulations. The hearing will likely touch upon how the APRA seeks to navigate the complex interplay between federal and state jurisdiction over privacy matters. The proposed legislation's path to becoming law is not guaranteed, with potential opposition and advocacy from various sectors and politicians.

Our team of attorneys understands the complexities involved in navigating data privacy laws and regulations and encourages you to contact us if you are in need of assistance. Falcon Rappaport & Berkman is prepared to provide counsel regarding these issues and further guide you through the data compliance process. Contact our Corporate & Securities Practice Group at 516-599-0888 or by filling out the form below.

DISCLAIMER: This summary is not legal advice and does not create any attorney-client relationship. This summary does not provide a definitive legal opinion for any factual situation. Before the firm can provide legal advice or opinion to any person or entity, the specific facts at issue must be reviewed by the firm. Before an attorney-client relationship is formed, the firm must have a signed engagement letter with a client setting forth the Firm’s scope and terms of representation. The information contained herein is based upon the law at the time of publication.
