Review of the Proposed American Privacy Rights Act
Rep. Cathy McMorris Rodgers (R-WA) and Sen. Maria Cantwell (D-WA) reinvigorated the federal privacy debate on April 5, 2024 with the release of a discussion draft of their bipartisan, bicameral privacy bill, the American Privacy Rights Act (APRA). The bill immediately invited comparisons to the American Data Privacy and Protection Act (ADPPA), introduced by Reps. Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA) and Sen. Roger Wicker (R-MS) in 2022. The two bills share many similarities, reflecting years of compromise and a growing consensus on certain issues. As was the case with the ADPPA, the APRA is not without flaws. But if Congress makes privacy negotiations a priority for the rest of 2024, it could iron out those flaws and pass comprehensive federal privacy legislation that strikes the right balance, addressing concrete privacy harms without hindering innovation.
Consumer Rights and Consent Requirements
The APRA protects consumers’ covered data, defined as information that identifies an individual, is reasonably linked to an individual, or is reasonably linked to a device that identifies or is reasonably linked to an individual. Covered data does not include de-identified data, employee data, or publicly available information.
This covered data is further split into two categories: sensitive and non-sensitive. Sensitive covered data includes government-issued identifiers, health-related information, genetic information, financial information, biometric information, precise geolocation data, private communications, log-in credentials, sexual information, naked photos or recordings, minors’ data, and information revealing an individual’s race, ethnicity, national origin, religion, or sex. Biometric information is further defined as including fingerprints, voice prints, iris or retina scans, facial or hand mapping, and gait. Biometric information explicitly does not include photographs and audio or visual recordings.
The APRA would give consumers the right to access, correct, delete, or port their covered data. Consumers would also have the right to opt out of data transfers of non-sensitive covered data, targeted advertising, and the use of algorithms to make or facilitate consequential decisions. Data holders must obtain consumers’ affirmative, or opt-in, consent for data transfers of sensitive data to third parties. This two-tiered structure—opt out for some uses and opt in for others—reflects a compromise between the privacy rights of consumers and the benefits of data collection for innovation.
However, a separate provision in the APRA significantly undermines this compromise, instructing the Federal Trade Commission (FTC) to establish within 2 years of the APRA’s enactment a centralized opt-out mechanism that would allow consumers to opt out of all covered data transfers. This type of universal opt-out would likely encourage consumers to broadly restrict data sharing rather than use the more granular controls available to them by different data holders, without consideration for the societal implications of less data sharing. Most notably, a universal opt-out would shrink ad revenue for online services—news, apps, games, and more—that consumers get for free today. To make up for the loss in revenue, these services would then need to show more ads (but less relevant ones) or charge users fees for formerly free apps.
Data Holder Obligations
Under the APRA, in addition to providing certain rights for consumers, data holders face certain obligations. The first of these is data minimization, which requires organizations to collect no more data than is necessary to meet specific needs. Such requirements are popular in privacy legislation, even though they limit innovation by reducing access to data, limiting data sharing, and constraining the use of data.
The APRA’s transparency requirements for data holders include maintaining a privacy policy and providing users with notice of material changes to the privacy policy and the renewed option to opt out of data transfers. Within their privacy policy, data holders must disclose whether any covered data is transferred to, processed in, retained in, or otherwise accessible to a foreign adversary, a provision that is especially relevant given recent debate surrounding TikTok and China. In general, transparency requirements are beneficial because they give consumers more information about how their data is collected, stored, and used, which enables consumers to make informed decisions regarding their data.
The APRA also includes a prohibition on “dark patterns,” defined as a user interface designed to subvert or impair user autonomy. This terminology is borrowed from anti-technology activists who accuse tech companies of using behavioral psychology to design products that manipulate their users into performing actions that are contrary to their best interests, and leads to paternalistic data privacy laws and regulations. Moreover, the APRA’s definition of dark patterns is vague and subjective, complicating compliance for companies that want to avoid expensive litigation.
The APRA also includes civil rights protections, prohibiting data holders from collecting, processing, retaining, or transferring data in a way that discriminates based on race, color, religion, national origin, sex, or disability. This provision does not apply to companies self-testing in order to prevent or mitigate discrimination, diversifying an applicant or participant pool, or soliciting economic opportunities or benefits to underrepresented populations or members of protected classes. These exceptions demonstrate consideration for how accounting for certain protected characteristics could benefit consumers in certain instances.
Finally, the APRA prohibits data holders from retaliating against consumers for exercising any of the privacy rights enumerated in the bill by denying products or services, charging different prices or rates, or providing a different level of quality, with the exception of loyalty programs, incentives for participation in market research, or collection and processing of data necessary for the function of a product or service. This requirement would create a freeloader problem wherein users could still reap the benefits of data sharing even if they have opted out of their data being shared. For example, users would benefit from a free service that uses targeted advertising as a source of revenue even if they have opted out of targeted advertising.
Most of the other obligations the APRA would place on data holders are relatively non-controversial. These include “reasonable data security practices” to protect covered data from unauthorized access, hiring and retaining a privacy or data security officer, and exercising due diligence in selecting a service provider or deciding to transfer data to a third party.
In addition, the APRA places even more obligations on large data holders, defined as having an annual gross revenue of at least $250 million and processing the data of over 5 million individuals, 15 million portable connected devices, or 35 million connected devices, or the sensitive data of over 200,000 individuals, 300,000 portable devices, or 700,000 connected devices. Large data holders must have one privacy officer and one data security officer, rather than combining the roles. They must also conduct biennial privacy impact assessments and annual algorithm impact assessments. There is a certain logic behind placing additional requirements on larger companies with large amounts of personal data, as ostensibly these companies have more resources to dedicate toward compliance. However, smaller companies have the potential to cause just as much harm to consumers as their larger counterparts, something lawmakers should consider when creating size-based requirements such as those in the APRA.
Data brokers, defined as covered entities whose principal source of revenue is derived from processing or transferring covered data that the entity did not directly collect from individuals, are also subject to additional requirements. They must maintain a publicly accessible website and register with the FTC or face fines of $100 per day up to $10,000. They must also comply with do-not-collect requests and are prohibited from advertising their services for the purposes of stalking, harassment, fraud, identity theft, or unfair or deceptive acts or practices.
Enforcement and Relation to Other Laws
The APRA gives enforcement power to the FTC and state attorneys general, consumer protection officers, and any other state officers authorized to enforce privacy or data security laws. It also includes a private right of action, allowing individuals to sue for violations of certain provisions of the APRA, mostly those regarding consumers’ privacy rights. The court may award injunctive and declaratory relief, as well as the sum of actual damages, attorney’s fees, and litigation costs. Data holders have a 30-day opportunity to cure, except in cases involving alleged substantial privacy harm. Pre-dispute arbitration agreements would also not be valid in cases of alleged substantial privacy harm or alleged privacy harm to minors.
These limitations on why an individual can sue and how much they can sue for will hopefully deter expensive, frivolous lawsuits, but leaving enforcement only to the relevant regulatory authorities would be the most cost-effective solution. The APRA’s private right of action also includes a carveout for BIPA violations, which have led to multiple multimillion-dollar lawsuits, and the CPRA’s private right of action for data breaches, which will drive costs up even higher.
The APRA would not change or affect the privacy rights and obligations outlined in existing federal legislation, such as the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act or Financial Services Modernization Act (FSMA). The APRA instructs the FTC to terminate its proposed rulemaking on “Commercial Surveillance and Data Security,” which could conflict with a federal privacy law.
The APRA would preempt state privacy laws, including the comprehensive data privacy laws passed so far in 15 states, but includes a long list of exceptions, including state laws governing consumer protection, civil rights, privacy rights of employees, privacy rights of students, data breach notification, nonconsensual pornography, child sexual abuse material, financial information, electronic surveillance, spam, health information, and more. This fundamentally undermines the purpose of state preemption, which is intended to keep compliance costs and confusion low and ensure all Americans have equal data privacy protections.
Furthermore, the APRA includes provisions from California’s Consumer Privacy Act (CCPA) and Consumer Privacy Rights Act (CPRA) and Illinois’ Biometric Information Privacy Act (BIPA). These special carve-outs are clearly an attempt at compromise—and a result of backroom dealing—that gives certain states an unfair advantage over the many others that have passed privacy laws of their own.
How Congress Should Improve APRA
Congress should make reaching a compromise on comprehensive federal data privacy legislation a top priority for the remainder of 2024, starting by changing the most problematic aspects of the APRA. In many regards, the bill is a reasonable bipartisan compromise, though its draft language still has plenty of opportunities for fine-tuning and three provisions in particular that would have serious negative economic consequences if passed into law.
First, Congress should remove the APRA’s private right of action. The FTC and the states are more than capable of enforcing the APRA and protecting consumers without opening the doors to expensive litigation. Moreover, California and Illinois do not deserve to receive special treatment by having their private rights of action included in a federal privacy law, to the exclusion of all other states and at the great expense of the American economy.
Second, Congress should close the loopholes in the APRA’s preemption of state laws. The primary purpose of federal privacy legislation is to avoid a costly and confusing patchwork of state privacy legislation by setting a single national standard. Allowing states to legislate on niche data privacy and security issues instead of addressing those issues in a federal law directly contradicts that purpose.
Finally, Congress should not direct the FTC to create a centralized opt-out mechanism for consumers. The benefits and risks of data sharing vary greatly depending on who is collecting the data and how it is used. Rather than encouraging consumers to opt out of data sharing entirely, Congress should instead encourage them to take advantage of the diverse data-sharing economy, which has numerous immense benefits for society.
With these important changes, the APRA could be the grand privacy bargain America has been waiting—and waiting, and waiting—for.