In April, Senator Maria Cantwell and Representative Cathy McMorris Rodgers co-sponsored a comprehensive national consumer privacy law, the American Privacy Rights Act (APRA). APRA builds on a 2022 bill called the American Data Privacy Protection Act (ADPPA).
With the exception of state-level consumer protection laws, employee privacy laws, student privacy statutes and data breach notification laws, APRA would replace the 17 comprehensive consumer privacy laws currently enacted by various states with one national standard.
Unless one of the exemptions discussed below applies, any company or organization that decides how covered data is collected, processed, kept, or shared would fall under the new law’s ambit, as long as the company is either: (1) subject to the Federal Trade Commission Act; (2) a common carrier subject to Title II of the Communications Act; or (3) a non-profit.
Exemptions for these Privacy Law Provisions
The current version of APRA exempts small businesses making $40 million or less per year on average over the last three years that collect data from fewer than 200,000 individuals and do not sell the data they collect.
APRA would exempt data that complies with the Gramm-Leach-Bliley Act (GLBA). However, APRA does not clarify if it will override state GLBA laws, which might result in some organizations having to follow both state GLBA laws and the new federal rules under APRA, adding an extra layer of compliance and oversight by the Federal Trade Commission (FTC).
Privacy Law Protections
The APRA would set limits on the types of data companies can collect and use, similar to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It introduces several privacy rights for consumers. "Covered data" includes any information that can identify or be linked to an individual or device, excluding deidentified data, employee data, or publicly available information.
Consumer Rights
As with the CCPA and CPRA, consumers would have the right to access, correct, and delete their data, and to opt out of targeted advertising and data sales. Additionally, APRA would require companies to get explicit consent from consumers before sharing sensitive data with third parties and to provide an easy way for consumers to withdraw this consent.
Opt-In vs. Opt-Out
Unlike the CCPA/CPRA, which requires businesses to provide an "opt-out" link for limiting the use of sensitive personal information, APRA imposes a stricter "opt-in" standard that would require businesses to secure consumers’ affirmative consent before collecting their data.
Enforcement Mechanisms
If passed, APRA would be primarily enforced by the FTC, which would be required to establish a new bureau dedicated to APRA enforcement within a year of the statute’s enactment. State attorneys general and other state officers would also have the authority to enforce APRA in federal court, expanding the reach of privacy law at both the federal and state levels.
The current version of APRA includes a private right of action, allowing individuals to sue entities that violate their privacy rights. They may seek actual damages, injunctive relief, declaratory relief, and reasonable attorney fees and costs. However, the statute imposes a 30-day period before a lawsuit can be filed, giving prospective defendants an opportunity to rectify violations. This grace period does not apply where the violation involves substantial privacy harm.
State Attorney General Objections
The APRA faces a number of hurdles before it can be enacted into law, one of which is a surprising objection from 15 attorneys general representing states that have enacted their own privacy laws. A May 8, 2024, letter sent by California Attorney General Rob Bonta and signed by 14 other state AGs urged Congress not to pass a version of the APRA that would preempt state consumer privacy laws.
The letter criticizes a provision in the draft APRA that would prevent states from enforcing their own privacy laws, arguing that it would undermine stronger state laws already in place in 17 states. Bonta emphasized that states are better equipped to adapt to new technology and protect consumer privacy, advocating for federal legislation that allows for more rigorous state laws.
The Future of Privacy Law
Regardless of whether the APRA is ever enacted, businesses should rigorously evaluate their data collection, processing, sharing, and selling practices to ensure compliance with current state laws, which continue to evolve.
For example, California's Consumer Privacy Protection Agency is holding statewide sessions to discuss proposed regulations on automated decision-making technology, risk assessments, and cybersecurity audits, aiming to gather public feedback before formal rulemaking begins.