A draft of the American Privacy Rights Act (APRA) was introduced in Congress on April 7, 2024, aiming to offer broad protections to everyone in the U.S. This bipartisan, bicameral effort is the second major attempt at creating a federal privacy law in the U.S. It’s similar to the European Union’s robust General Data Protection Regulation (GDPR), the strongest example of comprehensive data privacy law. Here’s what you need to know about it.
What are the goals of APRA?
Dozens of states in the U.S. have their own data privacy laws, with varying regulations, while some states have no such laws. On a federal level, there are a handful of laws that protect people’s privacy in specific situations, but there is no comprehensive privacy law that applies protections to everyone. Not only does this landscape leave large swaths of the population unprotected, but its complexity creates a challenge for businesses to stay compliant.
The APRA would supersede state laws. It represents a significant step towards a comprehensive federal privacy law in the U.S., aimed at giving all consumers more control over their personal data while simplifying compliance for businesses.
What are the key protections of APRA?
Consumer rights. The act grants consumers several rights concerning their personal data:
- Right to access: Consumers can access their data and know which third parties it has been shared with.
- Right to correct: Consumers can correct inaccurate or incomplete data.
- Right to delete: Consumers can request the deletion of their data.
- Right to data portability: Consumers can export their data to another service provider.
- Right to opt-out: Consumers can opt out of data transfers, targeted advertising, and the use of algorithms for significant decisions.
Data minimization. APRA mandates that companies only collect, process, and retain data necessary for providing services or for specific purposes outlined in the act. This includes strict rules on handling sensitive data like health information, biometric data, and precise geolocation information.
Transparency requirements. Companies must maintain clear and accessible privacy policies detailing their data practices. Large data holders have additional transparency obligations, including publishing previous versions of their privacy policies and metrics regarding consumer rights requests.
Data security. The act requires companies to implement reasonable data security practices to protect consumer data. This includes regular vulnerability assessments, incident response plans, and designating privacy and data security officers.
Enforcement mechanisms. APRA provides robust enforcement mechanisms, including a private right of action allowing individuals to sue for violations. It also empowers state attorneys general and the Federal Trade Commission (FTC) to enforce its provisions.
Civil rights protections. The act prohibits discriminatory use of personal data and requires companies to perform annual reviews of algorithms to ensure they do not harm or discriminate against individuals.
Does anyone oppose APRA?
There are criticisms of certain parts of APRA.
- Lack of comprehensive preemption. Some critics, including the U.S. Chamber of Commerce, argue that APRA fails to establish a single, national privacy standard. Instead, it allows states to impose additional requirements, leading to continued regulatory complexity and higher compliance costs for businesses.
- Private right of action. The inclusion of a private right of action in APRA is another contentious point. Critics believe this provision could lead to an increase in frivolous lawsuits, particularly harming small businesses.
- Exemptions and loopholes. Some privacy advocates are concerned about certain exemptions in the APRA, such as those for government contractors and de-identified data.
- Innovation and data use limitations. Not surprisingly, some criticism comes from the business and tech sectors, which argue that data minimization and opt-out requirements might stifle innovation.
- Loss of California’s CCPA. The California Privacy Protection Agency opposes APRA. The state’s own CCPA is the strongest privacy law in the country and would be replaced by APRA, which is seen as a weaker law.
What has to happen now?
APRA is only in the very early stages of the legislative process on its way to becoming law. It will likely undergo modifications before being brought to the House and Senate for voting. This process could take years.
Comments
I feel I’m seeing many abuses utilizing software products as a tool to misrepresent e businesses today. I live in the US and the state of IL. Can you assist me in the identification of groups or elected officials who can help the public be proactive in fighting for our rights? I realize the problem starts with our national and especially our state officials. I was reading about the national effort attempting to create APRA you wrote about and that it could be years before we will see anything acted on. From what I’m seeing we are falling off the edge now and we can’t wait years. Are there documents out there written by straight talking people instead of lawyers? I have taken personal action against specific companies that I feel are abusing us. It used to be a person could query things in YouTube to at least find a place to start. However, I feel the answers I am looking for will never be spoken there because they are among the abusers. Everyone keeps talking about security and using that word to define the problems we face. But, what I believe is happening is more about personal freedoms and the freedom of choice we are slowly being stripped of. Most people I speak to look like a deer in the headlights when I try to explain what’s going on. Because it is an election year people think their parties can get us out of this problem but, both parties are at fault by not reacting to the problem sooner. I keep telling people CA has laws in place over 10 years now while states like IL have never adapted anything. I then ask them why do you think they responded to the problem so early? When there is no answer I add. Because the people designing the software knew they did not want to be subject to its abuses!