Here We Go Again: U.S. Congress Reintroduces New Comprehensive Federal Privacy Law

With the bipartisan, bicameral proposed American Privacy Rights Act of 2024, the U.S. Congress seeks to adopt the first national personal data privacy and security law that would preempt comprehensive state privacy laws.

On April 7, 2024, Congress introduced the draft American Privacy Rights Act of 2024 ("APRA"). APRA would create a uniform personal data privacy and security legal standard. This national approach would alleviate compliance challenges arising from the current patchwork of state privacy laws that regulate the processing of personal information. Notably, the proposed law neither includes data breach notification provisions nor preempts state data breach notification laws.

Covered Entities and Covered Data

APRA would apply to "Covered Entities," defined as "any entity that determines the purposes and means of collecting, processing, retaining, or transferring covered data" and is subject to the FTC Act, is a common carrier, or is a nonprofit. Covered entities do not include government entities and their service providers, specified small businesses, and certain nonprofits. "Covered Data" would include information that identifies, is linked, or is reasonably linkable to an individual or device. APRA would not apply to deidentified data, publicly available information, and employee data.

Key Obligations

If adopted, APRA would:

  • Prohibit covered entities from processing covered data unless "necessary, proportionate, and limited."
  • Require "affirmative express consent" for transfers of sensitive data and processing of biometric data.
  • Require covered entities and "Service Providers" to adopt reasonable data security practices, including vulnerability assessments and procedures for retention, disposal, training, and incident response.
  • Require certain larger covered entities to designate a privacy and/or security officer.

AI Algorithms

APRA narrowly addresses AI, requiring covered entities to conduct impact assessments and design evaluations to identify and mitigate potential harms arising from AI algorithms. It would require notice and an opportunity to opt out of "consequential decisions" that rely on covered algorithms, like those involving housing or health care access.

Enforcement

APRA would establish an FTC bureau to implement its provisions, and violations would constitute unfair or deceptive acts under the FTC Act. State attorneys general also could enforce APRA. APRA would create a private right of action and prohibit arbitration agreements for certain claims involving minors or resulting in substantial privacy harms.

Preemption

While APRA preempts state privacy laws that cover the same requirements, it expressly does not preempt state data breach notification laws and state privacy laws relating to employee, student, and health care privacy. APRA does not preempt certain federal laws relating to data privacy and protection, like the GLBA or HIPAA.

Considering its scope and impact, entities should carefully review APRA and monitor legislative developments for future impact and applicability.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.