DATA PROTECTION
US House of Representatives released a draft of a bipartisan, bicameral federal privacy bill (the American Privacy Rights Act, or “APRA”).
On April 7, US House of Representatives member Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA) released a draft of a bipartisan, bicameral federal privacy bill (the American Privacy Rights Act, or “APRA”), aimed at putting people in control of their own personal data and eliminating the patchwork of state laws by setting one national privacy standard. If adopted, the APRA would have broad pre-emptive effect over many provisions of state-level data privacy laws.
Proposed American Privacy Rights Act of 2024 seeks to establish national consumer data privacy rights, govern Artificial Intelligence and automated decision-making, impose additional obligations on high-impact social media companies and large data holders, supersede state privacy laws, and allow private right of action.
The APRA applies to businesses subject to the authority of the Federal Trade Commission (“FTC”), common carriers, and nonprofits (together, “Covered Entities”), along with businesses that process covered data on behalf of or at the direction of Covered Entities (“Service Providers”). The APRA would impose obligations on Covered Entities and Service Providers to minimize processing of covered data and apply reasonable data security measures. The APRA also seeks to impose heightened obligations on high-impact social media companies and large data holders.
Additionally, the APRA seeks to create uniform data privacy rights for all persons residing in the US. These rights include the rights to opt out of targeted advertising and to view, correct, export or delete their data. In trend with Europe’s data protection laws (the General Data Protection Regulation (“GDPR”) and Digital Services Act (“DSA”)) and some state privacy laws (e.g., the California Consumer Privacy Act (“CCPA”)), the APRA also requires Covered Entities and Service Providers to provide increased transparency by mandating the inclusion of specific information on data processing, retention, transfers to third parties, security practices, and consumers’ rights in their public facing privacy policies.
Proposed American Privacy Rights Act of 2024 seeks to establish national consumer data privacy rights, govern Artificial Intelligence and automated decision-making, impose additional obligations on high-impact social media companies and large data holders, supersede state privacy laws, and allow private right of action.
The APRA applies to businesses subject to the authority of the Federal Trade Commission (“FTC”), common carriers, and nonprofits (together, “Covered Entities”), along with businesses that process covered data on behalf of or at the direction of Covered Entities (“Service Providers”). The APRA would impose obligations on Covered Entities and Service Providers to minimize processing of covered data and apply reasonable data security measures. The APRA also seeks to impose heightened obligations on high-impact social media companies and large data holders.
Additionally, the APRA seeks to create uniform data privacy rights for all persons residing in the US. These rights include the rights to opt out of targeted advertising and to view, correct, export or delete their data. In trend with Europe’s data protection laws (the General Data Protection Regulation (“GDPR”) and Digital Services Act (“DSA”)) and some state privacy laws (e.g., the California Consumer Privacy Act (“CCPA”)), the APRA also requires Covered Entities and Service Providers to provide increased transparency by mandating the inclusion of specific information on data processing, retention, transfers to third parties, security practices, and consumers’ rights in their public facing privacy policies.
