American Privacy Rights Act 2024 Unveiled
On April 7, 2024, U.S. Representative Cathy McMorris Rodgers and U.S. Senator Maria Cantwell unveiled a discussion draft of the American Privacy Rights Act of 2024. Rodgers and Cantwell described it as follows: “this bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information.”
Definitions & Scope
The bill defines ‘covered data’ as information that identifies, or is linked or reasonably linkable to, an individual, alone or in combination with other information, or to a device that identifies, or is linked or reasonably linkable to, one or more individuals.
A ‘covered entity’ means:
- an entity that, alone or jointly with others, determines the purposes and means of collecting, processing, retaining, or transferring covered data and that:
  - is subject to the Federal Trade Commission Act (FTC Act);
  - is a common carrier subject to Title II of the Communications Act; or
  - is one of certain non-profit organizations; and
- any entity that controls, is controlled by, is under common control with, or shares common branding with such an entity.
A ‘covered entity’ does not include:
- a Federal, State, Tribal, territorial, or local government entity;
- an entity that collects, processes, retains, or transfers covered data on behalf of such a government entity;
- a small business;
- the National Center for Missing and Exploited Children; or
- a non-profit organization whose primary mission is to prevent, investigate, or deter fraud.
Principles of Processing
The bill sets out principles for the processing of personal data, including data minimization and transparency. On data minimization, the bill provides heightened protections for sensitive, biometric, and genetic information, and requires affirmative express consent before sensitive information may be transferred to third parties. On transparency, the bill requires covered entities to publish an easily readable and readily accessible privacy policy describing their data collection, processing, retention, and transfer activities. Covered entities must also establish, implement, and maintain reasonable data security practices that protect the confidentiality, integrity, and accessibility of covered data and guard it against unauthorized access.
Consumer Rights
The bill also grants consumers rights of access, correction, deletion, and data portability. It provides a right to opt out of covered data transfers and of targeted advertising, together with a centralized mechanism for granting consent to, and opting out of, such transfers and advertising. Entities that use a covered algorithm to make or facilitate a consequential decision must notify the individuals subject to that algorithm and give them an opportunity to opt out of its use.
Obligations
Covered entities must designate one or more privacy or data security officers, with additional requirements for large data holders. Large data holders must also conduct privacy impact assessments and, within two years of the bill's enactment, an algorithm impact assessment whose required contents are set out in the bill. Service providers must follow the instructions of the covered entities they serve, pursuant to a contract between them. Third parties may not process, retain, or transfer third-party data for any purpose other than the one for which the covered entity or service provider disclosed it to them.
Data brokers are subject to a separate set of requirements and prohibitions, including limits on how they advertise or market access to or transfer of covered data, and a prohibition on misrepresenting their business practices. Notably, the bill directs the Federal Trade Commission (FTC) to establish a data broker registry.
Enforcement
The bill makes the FTC responsible for enforcement, through a new bureau established within the agency, and treats violations of the bill as unfair or deceptive acts or practices under the FTC Act. In addition, a state Attorney General, the chief consumer protection officer of a state, or another state officer or office authorized to enforce privacy or data security laws may bring a civil action. Notably, the bill also creates a private right of action, allowing consumers to sue entities that violate their rights under the bill.
With regard to state privacy legislation, the bill expressly states that its purposes are to establish a uniform national data privacy and data security standard, and expressly preempts state laws.
However, the bill does not preempt the following categories of state laws, rules, regulations, or requirements:
- consumer protection laws of general applicability, such as laws regulating deceptive, unfair, or unconscionable practices;
- civil rights laws;
- provisions of law addressing the privacy rights or other protections of employees or employee information;
- provisions of law addressing the privacy rights or other protections of students or student information; and
- provisions of law addressing data breach notification requirements.
Entities that are subject to, and comply with, existing federal privacy laws such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) are deemed to comply with the corresponding provisions of the bill, but only with respect to the data covered by those laws.