American Privacy Rights Act of 2024 – has GDPR finally crossed the Atlantic?

The draft American Privacy Rights Act (APRA), currently under review in the US, is set to revolutionise data protection across all states. The draft, released by the Senate Commerce Committee and the House Energy and Commerce Committee on 7 April 2024, aims to provide a unified legal framework for data protection and artificial intelligence (AI), and will significantly impact how Americans handle and use personal data if passed.

Like the state data protection laws, APRA frames itself as consumer protection legislation, but the definition of covered data (aka personal data) clearly includes all individuals, whether they are consumers or not. In this article, we will use “consumer” to mean individual, following the approach taken by the US commentators.

The primary legislation governing data protection in the EU is the well-known General Data Protection Regulation (GDPR). While the UK is no longer part of the EU, it retained the GDPR, with amendments called the “UK GDPR”.

Many of the proposed provisions in APRA appear to align with GDPR, and it seems EU legislation has significantly influenced the protection of personal information globally. APRA also seeks to govern the use of artificial intelligence (AI) and imposes strict regulations relating to the use of AI on large data holders.

Unpacking APRA with the GDPR framework in mind is vital to understanding how global businesses can benefit from existing compliance and the additional regulatory obligations they may have if they operate in the US. It also raises questions about whether the EU has anything to learn from the proposed law in the US.

APRA’s key objectives

APRA builds on previously unsuccessful federal legislation, the American Data Privacy and Protection Act (ADPPA), a bill proposed in 2022 which never became law. Its aims are to:

  1. Protect consumer privacy by imposing strict rules about how and when companies can collect, store, and process personal data.
  2. Give consumers more control by requiring explicit and informed consent for their data to be collected and the right to access their data.
  3. Promote transparency by calling for organisations to provide clear and accessible information to consumers about their data privacy policies and practices.
  4. Hold organisations accountable by specifying compliance requirements and obliging them to notify consumers of data breaches promptly.
  5. Establish robust enforcement measures that encourage compliance by imposing fines and penalties.
  6. Harmonise US data protection laws and facilitate international trade by establishing clear guidelines regarding data management internationally.
  7. Encourage innovation by promoting safe and ethical data usage for AI technologies and adapting the law to ongoing technological developments.

Key provisions

The key provisions proposed by APRA are:

Definitions

The types of organisations and data covered form the foundation of APRA. The key definitions in the Act are:

  • Covered entities: includes most individuals, commercial entities, and non-profits that manage personal data.
  • Covered data: includes any information that’s linked to an individual.
  • Sensitive covered data: includes government-issued identification, genetic and health information, financial information, precise location data, and information about minors under 17.
  • Large data holders: covered entities with over $250 million annual gross revenue.
  • Data brokers: entities whose primary source of revenue comes from processing or transferring personal data they did not collect directly from the individual.

Rights and responsibilities

The proposed legislation emphasises the rights of individuals and the obligations placed on covered entities, including:

  • Individuals’ rights to access and amend their covered data. Organisations would need to respond to such requests from users promptly (generally within 30 days).
  • The “data minimisation” requirement, meaning APRA would prevent organisations from collecting, storing, and processing covered data unless it is: “reasonably necessary and proportionate to provide a specific product or service requested by a consumer or to provide a communication anticipated in the context of the customer relationship.”
  • The Act will list 15 accepted purposes for which data processing will be permitted (the equivalent to legal grounds of processing under GDPR), including market research and law enforcement.
  • Large data holders will be required to report annually to the Federal Trade Commission on their compliance with APRA and carry out privacy and algorithm impact assessments where they use AI technologies as part of their products and services.

FTC Enforcement

The Federal Trade Commission would have the authority to investigate and enforce APRA. The FTC would hold all paid fines in a separate fund and use this to compensate those affected by non-compliance.

Additionally, the FTC would work closely with covered entities to assist with compliance by issuing guidance and reviewing the policies developed by those organisations.

State and individual enforcement

APRA will allow state attorneys general to enforce the legislation on their residents’ behalf. Individuals will also be able to bring legal proceedings for breaches, including disclosing and using sensitive covered data without consent.

Pre-emption of state laws

In keeping with the objective of providing a unified legal framework, APRA states that it will take precedence over any conflicting state and/or sectoral laws passed. Alternatively, if state and/or sectoral laws provide more stringent regulations, such laws will apply alongside APRA, provided there is no conflict between them. There is also a list of exemptions from this pre-emption rule.

How will it become law?

After the draft Act has been discussed and reviewed, it will advance to a vote in both chambers of Congress, passing through the House of Representatives first. If it passes these votes, it will be sent to the president for signing into law. The chambers must reconcile discrepancies between each other’s proposed bills before passing them for enactment.

If APRA becomes law, its implementation will be lengthy and likely take around two years, reflecting the implementation period of GDPR and the US State-specific data protection laws. Federal agencies will need to develop detailed guidelines, while businesses will require time to adapt their operations to ensure compliance, determining whether they can leverage their existing compliance with state privacy laws to achieve APRA compliance.

Impact of the US election

Although APRA is a bipartisan proposal, the outcome of the US election this year will likely impact how and when it’s enacted.

Democrats tend to support stronger data privacy protections, so the proposed law will likely see a smoother legislative passage if they win both Congress chambers. They could also suggest additions to the draft Act to strengthen consumer protection further.

The Republican party largely favours a more comprehensive data protection law. Still, if they win, they may seek amendments to APRA to balance privacy protections with business interests, possibly removing some of the more business-unfriendly requirements.

If the election results in a divided government, with each party controlling one chamber, both parties will likely need to compromise to balance consumer protection against effective business operations. This would probably slow the legislative process and delay the Bill’s enactment into law.

Impact on existing laws

APRA aims to create uniformity, bringing together and improving the US’s data privacy laws. However, specific state and sectoral laws, such as generally applicable consumer protection laws, employee privacy, and student privacy, will be exempt from its pre-emptive powers. At this stage, it’s unclear if certain state privacy regulations will require added oversight from the FTC under APRA, but if so, this will create another level of compliance.

Many businesses have worked hard to comply with state laws and will be keen to leverage those efforts to align with APRA. Many of the bill’s proposed requirements are expected to overlap with current compliance practices, so those businesses should be well placed to make the necessary adjustments. The implementation period will allow covered entities to make those adjustments, and the FTC will assist with compliance procedures.

It is hoped that the concept of a federal regulation with the right for state regulators to retain the authority to enforce laws within their jurisdictions will facilitate the implementation of APRA across the US. However, federal and state regulators must collaborate to ensure effective enforcement and avoid conflicts. States may also face resourcing issues, posing potential challenges in meeting federal standards.

APRA vs GDPR

APRA and GDPR represent significant legislative efforts to promote data privacy in an ever-evolving digital age. While the two have many similarities, they also have several notable differences. The tables below highlight the key comparisons between the two.

Similarities

  • Right to access and amend: individuals have the right to access and change the personal data held by organisations.
  • Right to erasure: individuals can ask that their data be deleted.
  • Consent: organisations must obtain explicit, informed consent from users before collecting and processing their data.
  • Transparency requirements: organisations must provide easily understandable and accessible information about how and why they process personal data. These notices must also detail the individual’s rights regarding their information.
  • Security: organisations must implement adequate security measures to protect personal data.
  • Compliance: organisations must be accountable to data protection authorities by conducting assessments and regularly updating them about their compliance.
  • Pre-empting state/national laws: any state or national laws passed that conflict with APRA or GDPR, respectively, will not be valid.

Differences

  • Scope: GDPR covers all organisations that handle EU citizens’ data, irrespective of where those organisations are established, whereas APRA only applies to businesses of a specific size. GDPR is, therefore, broader in its scope.
  • Legal basis: GDPR provides six lawful bases for data processing and eight further lawful bases for special category personal data, whereas APRA sets out fifteen permitted purposes for data handling.
  • Penalties: fines for breaching GDPR can be up to €20 million or 4% of the organisation’s annual global turnover, whichever is higher. APRA proposes a maximum penalty of $10,000 for each violation.
  • Data protection authorities: under GDPR, independent data protection authorities (DPAs) are appointed in each EU member state to oversee regulatory enforcement. They then work together, appointing a lead regulator where multi-member state enforcement is needed. APRA intends to give enforcement authority to state agencies overseen by the FTC.

What does APRA mean for US and EU businesses and consumers?

If passed, APRA will significantly impact American businesses and consumers. Under APRA, covered entities must completely reassess their data privacy policies, which will involve substantial spending for many companies to ensure compliance. Businesses must adjust their daily operations per the data minimisation requirement, which will likely impact many organisations’ advertising and marketing operations, including using cookies and similar technologies for targeted advertising.

Consumers in the US will benefit from a new level of protection and security, which will likely increase confidence in business-to-consumer relationships. Individuals are likely to feel more empowered and in control of their data, particularly as they can take private legal action in certain circumstances.

However, APRA has the potential to impact personal data protection beyond the US. It is expected to impact certain EU businesses and residents for the following reasons:

  • While the EU has established its position as a leader in data protection laws, the introduction of APRA will likely influence later amendments to GDPR, as it represents a strict harmonised approach to data privacy.
  • EU businesses operating globally must consider the laws imposed by APRA and adjust their policies to ensure compliance when carrying out data transfers between the EU and the US. Whilst GDPR compliance will take EU businesses most of the way there, they will still need to be mindful of differences and the exemptions to the pre-emption rights of state and sectoral laws.
  • Better data privacy laws in the US could make data transfers between the EU and the US more straightforward and secure. However, this will need to be analysed and agreed to by the EU Commission and respected by country regulators. Even with the Data Privacy Framework in place, some German state data protection authorities are recommending that EU Standard Contractual Clauses should be put in place for EU-US transfers. EU businesses will have more assurance that US laws provide sufficient consumer protection.
  • The ease of data transfers could lead to enhanced innovation and opportunities for EU businesses.

Conclusion

The introduction of the GDPR in 2018 marked a notable shift towards enhanced privacy standards applicable across the whole of the EEA and set a high bar for data protection internationally. The GDPR’s positive impact extends beyond the EU. It serves as a guide for privacy legislation worldwide, as seen from its various similarities with existing US state privacy laws and now APRA.

APRA represents an important milestone in the US’s evolution of data privacy legislation. Its influences from GDPR reflect an increasing need for global harmonisation of data protection and privacy rights to facilitate easier and safer data transfers across borders.

As the US continues to develop this proposed law, it will undoubtedly need to engage in ongoing dialogue with global partners to ensure data privacy protections remain robust, effective, and adaptable. If the US decides to pass APRA, it will be fascinating to see how it impacts other global data protection laws.
