A Closer Look at the American Privacy Rights Act 2024

The unveiling of the American Privacy Rights Act 2024 by U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell on April 7, 2024, marks a watershed moment in the quest for digital privacy. With its comprehensive approach encompassing the definition of covered data, the establishment of processing principles, and the protection of consumer rights, this draft legislation is a significant stride towards fortifying privacy safeguards in our interconnected world. Among the cornerstone elements of the legislation are:


1) Definitions

  • Some of the important definitions provided in this legislation include:
  • A) Covered Entity:
    • A covered entity is an entity that, independently or in partnership with other entities, determines the purpose and manner of collecting, processing, retaining, or transferring covered data and is subject to the FTC Act, is a common carrier under Title II of the FCC Act, or is a non-profit organization. It also includes any entity that controls, exercises control over, or shares common branding with another covered entity.
    • Excluded from this definition are:
      • Federal, state, tribal, territorial, or local government entities;
      • Entities collecting, processing, storing, or transferring covered data on behalf of an entity;
      • Small businesses;
      • The National Center for Missing and Exploited Children; or
      • Non-profit organizations whose primary purpose is the prevention, investigation, or deterrence of fraud.
  • B) Covered Data:
    • The term “covered data” means information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals.
    • This term does not include:
      • De-identified data;
      • Employee information;
      • Publicly available information and inferences made solely from multiple independent sources of publicly available information (that do not reveal information about an individual and are not combined with covered data); or
      • Information in the collection of a library, archive, or museum subject to certain limitations.
  • C) Sensitive Covered Data:
    • This definition includes specific forms of covered data ranging from health, biometric, and genetic information to government identifiers and private communications.
  • D) Large Data Holder:
    • This term refers to a covered entity or service provider that has an annual gross revenue of not less than $250 million and collects, processes, stores, or transfers:
      • The covered data of more than 5 million individuals; or 15 million portable connected devices; or 35 million connected devices that can be linked to an individual; or
      • The sensitive covered data of more than 200,000 individuals; or 300,000 portable connected devices; or 700,000 connected devices that can be linked to an individual.

2) Obligations of service providers:

  • The Bill delineates certain criteria for vendor management that involve:
    • Following the directives of a covered entity;  
    • Supporting covered entities in meeting their responsibilities concerning consumer rights;
    • Providing the covered entity with essential information to demonstrate compliance with the Bill’s stipulations;
    • Establishing, executing, and upholding reasonable administrative, technical, and physical safeguards to uphold the security and confidentiality of processed covered data; and
    • Promptly deleting or returning all covered data following the termination of service provision.

3) Principles of data processing:

  • The legislation prohibits service providers and/or covered entities from collecting, processing, storing, and transferring covered data for purposes other than the permitted purpose or beyond what is necessary and proportionate to provide or maintain a product or service. Examples of permissible purposes include data security, fraud prevention, harassment prevention, de-identification of data, and compliance with legal requirements.
  • The bill prohibits the collection, processing, retention, or transfer of covered data in a manner that discriminates based on race, color, religion, national origin, sex, or disability.
  • Some of the major principles of data processing highlighted in the legislation include –
  • Consent:
    • The bill mandates explicit consent for the transfer of sensitive information to third parties, as well as for the collection, processing, and retention of such data.
    • The bill provides that biometric or genetic information should not be retained beyond the purpose for which consent was provided, or within 3 years of the individual’s last interaction with the covered entity or service provider, whichever occurs first.
    • The bill also states that a covered entity has to provide an individual with an easy-to-use way to withdraw consent, and that the method must be the same as that used for providing consent.
  • Transparency:
    • Covered entities and service providers are required to make their privacy policy publicly available and easily accessible providing a detailed and accurate representation of their activities concerning data collection, processing, retention and transfer. Some of the content which such policies must highlight include:
      • the purposes of processing;
      • categories of data used;
      • description of data security practices; and
      • an explanation of how an individual can exercise their rights.
    • The bill mandates additional transparency requirements for large data holders, requiring the retention and publication of every previous version of their privacy policy for at least 10 years on their website. Moreover, they must maintain a publicly accessible log on their website, detailing any significant changes made to the policy over this decade-long period.
  • Data security practices:
    • Covered entities and service providers must actively establish, implement, and maintain data security practices to prevent unauthorized access to data and safeguard its integrity and confidentiality.
    • These practices entail conducting vulnerability assessments, training employees, responding to incidents, and managing information retention and disposal.
  • Prohibition of use of dark patterns:
    • Covered entities are prohibited from using dark patterns to divert attention from required notices, impair individuals’ ability to exercise rights under the Bill, or obtain, infer, or facilitate consent for actions requiring consent.

4) Designate officers:

  • Covered entities and service providers need to designate at least one qualified employee as a privacy or data security officer who will be responsible for implementing data privacy and data security programs to protect the data and ensure legal compliance.
  • Large data holders must designate one qualified employee as a privacy officer and one qualified employee as a data security officer, in addition to adopting internal reporting structures. Additionally, the CEO, along with such officers, must annually certify to the FTC that they maintain:
    • internal controls reasonably designed to comply with the Bill; and
    • internal reporting structures ensuring that such certifying officers are involved in, and responsible for, decisions that impact their compliance with the Bill.
  • Privacy Impact Assessments (PIAs):
    • Large data holders must conduct documented PIAs within one year of the bill’s enactment or one year from the entity’s designation as a large data holder, and biennially thereafter. These PIAs should evaluate potential risks associated with the collection, retention, processing, and transfer of covered data.
  • Covered Algorithmic Impact Assessments:
    • Large data holders using covered algorithms that may pose significant risks to individuals or groups, and employing them for collecting, processing, or transferring covered data, must conduct an assessment of the algorithm’s impact within two years of the bill’s enactment and annually thereafter.

6) Consumer rights:

  • Consumers are given the following rights under the bill:
    • The right to access specific individual covered data, including the name of third parties or service providers to whom the data is transferred, categories of sources used for data collection, and the purpose of data transfer.
    • The right to correct and delete covered data, applicable to both covered entities and service providers, with third parties or service providers to be notified of correction or deletion requests.
    • The right to data portability, requiring covered data to be exported in a format readable by humans and in a portable, structured, interoperable, and machine-readable format, except where releasing derived data would expose trade secrets or other confidential information.
    • The right to opt out of transfers of non-sensitive covered data and targeted advertising. Entities using covered algorithms for consequential decisions must notify individuals and offer the opportunity to opt out.
  • The bill prohibits covered entities from retaliating against individuals for exercising their rights, such as denying or adjusting prices. However, entities can offer loyalty programs, incentives for market research, or refuse service where collecting and processing covered data is essential.
  • The bill also outlines exceptions where covered entities are not required to comply with consumer requests, such as when the covered entity cannot verify the individual making the request is the individual whose covered data is the subject of the requests or an individual authorized to make the request; or when fulfilling the request requires access to another individual’s sensitive covered data.

7) Data Brokers:

  • Under the bill, data brokers must maintain a public website identifying themselves and offering tools for individuals to manage their controls and opt-out rights, as well as a link to the FTC’s data broker registry website. The website must also be easily accessible for individuals with disabilities.
  • Data brokers are prohibited from advertising data for stalking or fraudulent purposes and from misrepresenting their business practices.
  • The bill mandates the FTC to establish a data broker registry, requiring data brokers affecting the data of 5,000 or more individuals to register annually. The registry must include a “do not collect” mechanism for consumers.

8) Enforcement:

  • The bill tasks the FTC with enforcing its provisions, requiring the establishment of a bureau within the FTC within one year of the bill’s enactment. Violations will be treated as unfair and deceptive practices under FTC regulations.
  • The bill authorizes the FTC to approve compliance guidelines for handling covered data applicable to covered entities, excluding large data holders or data brokers.
  • State Attorneys General, chief consumer protection officers of states, or designated state officers are given the authority to enforce privacy or data security laws, and can bring civil actions under specific circumstances.
  • The bill allows consumers to file private lawsuits against entities that violate their rights under the bill.
  • While the bill aims to establish a national data privacy and security standard, it does not preempt certain state laws, rules, regulations, or requirements, including general consumer protection laws, civil rights laws, contracts or tort law, and provisions of law addressing employee or student privacy rights, and data breach notification requirements.
  • Moreover, entities complying with federal privacy laws like the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), and Family Educational Rights and Privacy Act (FERPA) are deemed compliant with the bill’s provisions where applicable.
  • The Bill also states that it does not relieve or change any obligation under the Children’s Online Privacy Protection Act (COPPA).

As the discussion draft progresses through scrutiny, it embodies the hopes of countless individuals striving for enhanced autonomy in the digital realm. While the bill champions crucial principles and protections, it encounters hurdles concerning enforceability and potential regulatory complexities. The bill may also pose challenges to technological innovation and raise concerns about the practicality of compliance for companies with a presence in different jurisdictions. Additionally, its preemptive approach to state privacy laws raises concerns regarding federal-state dynamics in data privacy regulation.

However, anchored by a steadfast commitment to consumer rights, the American Privacy Rights Act stands as a beacon of accountability and transparency in setting privacy and security standards. With ongoing scrutiny and adaptation, it holds the potential to tackle these challenges and foster a more equitable and secure digital landscape.


Ajay Mago, Managing Partner at Maxson Mago & Macaulay, LLP (EM3 Law LLP).