Here We Go Again: U.S. Congress Reintroduces New Comprehensive Federal Privacy Law
With the bipartisan, bicameral proposed American Privacy Rights Act of 2024, the U.S. Congress seeks to adopt the first national personal data privacy and security law that would preempt comprehensive state privacy laws.
On April 7, 2024, Congress introduced the draft American Privacy Rights Act of 2024 ("APRA"). APRA would create a uniform personal data privacy and security legal standard. This national approach would alleviate compliance challenges arising from the current patchwork of state privacy laws that regulate the processing of personal information. Notably, the proposed law neither includes data breach notification provisions nor preempts state data breach notification laws.
Covered Entities and Covered Data
APRA would apply to "Covered Entities," defined as "any entity that determines the purposes and means of collecting, processing, retaining, or transferring covered data" and is subject to the FTC Act, is a common carrier, or is a nonprofit. Covered entities do not include government entities or their service providers, specified small businesses, or certain nonprofits. "Covered Data" would include information that identifies, is linked, or is reasonably linkable to an individual or device. APRA would not apply to deidentified data, publicly available information, or employee data.
Key Obligations
If adopted, APRA would:
- Prohibit covered entities from processing covered data unless "necessary, proportionate, and limited."
- Require "affirmative express consent" for transfers of sensitive data and processing of biometric data.
- Require covered entities and "Service Providers" to adopt reasonable data security practices, including vulnerability assessments and procedures for retention, disposal, training, and incident response.
- Require certain larger covered entities to designate a privacy and/or security officer.
AI Algorithms
APRA narrowly addresses AI, requiring covered entities to conduct impact assessments and design evaluations to identify and mitigate potential harms arising from AI algorithms. It would require notice and an opportunity to opt out of "consequential decisions" that rely on covered algorithms, like those involving housing or health care access.
Enforcement
APRA would establish an FTC bureau to implement its provisions, and violations would constitute unfair or deceptive acts under the FTC Act. State attorneys general also could enforce APRA. APRA would create a private right of action and prohibit arbitration agreements for certain claims involving minors or resulting in substantial privacy harms.
Preemption
While APRA preempts state privacy laws that cover the same requirements, it expressly does not preempt state data breach notification laws and state privacy laws relating to employee, student, and health care privacy. APRA does not preempt certain federal laws relating to data privacy and protection, like the GLBA or HIPAA.
Considering its scope and impact, entities should carefully review APRA and monitor legislative developments for future impact and applicability.