There has been a palpable sense of anticipation around federal data privacy legislation in the US. Therefore, when the American Privacy Rights Act draft was announced in April 2024, there were swift and comprehensive discussions surrounding it. The discussions primarily concerned its impact, its enforcement, and how it addresses the existing state laws. Later, in May, a new version of the bill was introduced. This article aims to acquaint you with the latest APRA discussion draft.

Official text: APRA discussion draft

What is the American Privacy Rights Act 2024 (APRA)?

The Chairs of the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science and Transportation announced a discussion draft of the American Privacy Rights Act at the beginning of this April. The bill shares commonalities with its predecessor, the American Data Privacy and Protection Act (ADPPA), and emphasizes privacy-by-default principles such as data minimization and purpose limitation. It also expands the scope of sensitive data protection.

Like California’s CCPA, the draft federal privacy law provides consumers with a limited private right of action. It also applies to most non-profit organizations but excludes small businesses from its application. Even though the APRA supersedes state privacy laws, it leaves enforcement power with state attorneys general.

The APRA draft grants consumers privacy rights, such as the rights to access, correct, and delete, along with the right to enforce them. Furthermore, it addresses technological advancements like artificial intelligence and regulates data brokers. The draft also imposes duties such as data minimization, transparency, and data security upon covered entities.

To whom does the American Privacy Rights Act apply?

While reviewing the draft of the American federal privacy legislation, we notice broader coverage than in most US state privacy laws. The act applies to “covered entities,” as explained below.

An entity is covered by the law if it determines the purpose and means of handling covered data (personal data) and:

  • is subject to the Federal Trade Commission Act;
  • is a common carrier subject to Title 2 of the Communications Act, 1934;
  • is an organization not organized to carry on business for its own or its members’ profit (a non-profit organization); or
  • controls or is controlled by, is under common control with, or shares branding with another covered entity.

The act also exempts the following from its applicability:

  • Federal, state, tribal, or local government entities and the entities acting on their behalf as service providers
  • Small businesses
  • An individual in a non-commercial context acting at their own direction
  • The National Center for Missing and Exploited Children
  • Certain non-profit organizations, such as those with anti-fraud missions (not exempt from data security obligations)
  • Service providers

What is a small business under the American Privacy Rights Act?

As already discussed, the APRA exempts small businesses from its applicability.

An entity or its affiliates will be considered a small business if in the preceding 3 years or since its establishment:

  • its annual gross revenue is not more than the prescribed size standard (in dollars);
  • it did not collect, process, transfer, or retain more than 200,000 individuals’ covered data for any purpose other than payment transactions for a requested service; and
  • it did not transfer covered data to third parties for revenue or anything of value, except to initiate, render, bill for, finalize, or complete the payment transaction for a requested product or service and to facilitate certain web analytics.

What is covered data under the American Privacy Rights Act?

Despite APRA’s use of the term “covered data” instead of personal data, the intended meaning is very similar.

The law defines covered data as “any information including sensitive covered data that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals”. In simpler words, it is any information that can identify an individual or a device linked to them.

What are the exemptions for covered data under the American Privacy Rights Act?

Similar to most US state privacy laws, the federal law also exempts certain categories of information. The following information does not fall within the definition of covered data:

  • de-identified data
  • employee information
  • publicly available information
  • inferences made from publicly available information, provided they do not reveal sensitive covered data and are not combined with covered data
  • Information in the collection of libraries, archives, or museums if any of the following conditions are satisfied:
    • The collection is available to the public, including those who are not affiliated with the institution
    • The institution has a public service mission
    • The institution has trained staff or volunteers
    • The materials are lawfully acquired and their licensing conditions are satisfied

What is sensitive covered data under the American Privacy Rights Act?

One of the significant features of the APRA is its expanded scope of sensitive covered data. In addition to several common categories of personal data, the federal privacy law accommodates new inclusions as well.

The following information is considered sensitive under the draft of the American Privacy Rights Act:

  • Identifiers issued by the government that are not required to be displayed in public. For example: social security number or passport number
  • Health-related information
  • Genetic information
  • Finance-related credentials such as account numbers, payment cards, or passwords.
  • Biometric information
  • Precise geolocation
  • Private communications or information identifying the individuals in a private communication, information contained in telephone bills, voice communications along with information related to their transmission, and call details like duration and location (not applicable if the covered entity is an intended recipient of the communication)
  • Unencrypted or unredacted account or device log-in credentials
  • Sex-related information beyond what an individual reasonably expects to be disclosed
  • Calendar information, address book information, phone or text logs, photos, audio recordings, or videos intended for private use
  • Media revealing the naked or undergarment-clad private area of an individual, including photographs or videos
  • Information that discloses the use of video viewing activity under section 713(b)(2) of the Communications Act of 1934 to a third party.
  • Information collected by a covered entity that reveals an individual’s selected or requested video content (except for independent video measurements)
  • Information revealing race, ethnicity, national origin, religion, or sex exceeding the reasonable expectation of the individual
  • Online browsing activities across different websites and social media platforms
  • Information of a known child (under 17 years of age)
  • Any other covered data that is used to identify the above data types

What is affirmative express consent under the American Privacy Rights Act?

In essence, affirmative express consent is an individual’s agreement that allows entities to use their covered data. Inaction or continued use of a service will not imply consent.

Under APRA, it is an affirmative action signifying the individual’s authorization for an act or service and is given in response to a request from the entity. Such consent requests must satisfy the following requirements:

  • Provided in a clear and conspicuous standalone disclosure
  • Contains the specific purposes for which the data is collected and also:
    • distinguishes between what is necessary to fulfill the service requested by the individual and what serves a different purpose,
    • clearly states the categories of covered data collected and maintained by the entity, and
    • is easy to understand and has prominent headings.
  • Explains the rights related to consent
  • Accessible to individuals with disabilities
  • Provided in every language in which the covered entity offers the product or service to the individual
  • Offers an option to withdraw consent that is as prominent as the option to give consent

Key takeaways from the American Privacy Rights Act

To highlight the impact of the law, here are the key takeaways from APRA:

Large data holders

The APRA distinguishes a segment called large data holders within covered entities and imposes additional obligations upon them.

A large data holder is a covered entity that has annual revenue above $250 million and handles the following:

  • covered data of more than 5,000,000 individuals, 15,000,000 portable devices, or 35,000,000 connected devices capable of being linked to an individual; or
  • sensitive data of more than 200,000 individuals, 300,000 portable connected devices, or 700,000 connected devices capable of being linked to an individual.

Covered entities that transfer information such as personal mail, telephone numbers, etc. to service providers are not considered large data holders.

Data minimization

Limit the collection of covered data to what is required to provide or maintain:

  • a specific product or service requested by the consumer;
  • an anticipated communication (except advertisement) between the covered entity and the consumer; or
  • permitted purposes such as data security, legal compliance, market research, product enhancement, etc.

Except for certain permitted purposes, do not collect or transfer biometric or genetic information data without the individual’s affirmative express consent. Furthermore, obtain consent before transferring sensitive data to third-party businesses. The covered entity must also provide a convenient method to withdraw consent.

Transparency

Covered entities must provide privacy policies that give information about their data and security practices. The law requires large data holders to publish and retain their privacy policies for up to 10 years. They should also provide a short-form notice of their privacy policy.

The privacy policy must disclose information such as the categories of data collected, the purpose of collection, the retention period, data security practices, and the policy’s effective date. It should also give relevant information regarding the rights of individuals and how to exercise them.

The privacy policies must be publicly available and the entities must notify the individuals of any material changes if made.

Consumer/individual rights

The following are rights granted by the APRA to individuals over their covered personal data:

  • Right to access the covered data collected by entities, the name of the third parties to whom the covered data is transferred, source of collection, and the purpose of collection.
  • Right to correct any inaccuracies or incompleteness in the information handled by the covered entity.
  • Right to delete the covered data handled by entities.
  • Right to obtain the covered data of the individual in a human-readable and portable format.
  • Right to opt out of data transfer to third parties, consequential decision-making by algorithms, and targeted advertising. The law also mandates the FTC to establish guidelines for a centralized mechanism such as global opt-out signals.

Interference with consumer rights

The act requires entities to avoid using dark patterns to mislead consumers or hinder them from exercising their rights or accessing any notices. This also applies when obtaining consent from consumers.

Non-retaliation

Covered entities may not discriminate against consumers for exercising their rights under the act. Charging higher prices or reducing the quality of products are examples of such discrimination. However, entities can offer products at different prices or quality as part of loyalty programs with the consumer’s express consent.

Data security

Entities that handle covered data must implement and maintain appropriate security measures. These measures must be proportionate to the data handled, and they must include the ability to anticipate risks and implement preventive and corrective measures, as well as criteria for data retention and disposal.

In addition, entities must train their employees on data protection and have an effective breach response mechanism.

Executive responsibility

All covered entities must designate at least one qualified employee as a privacy or data security officer, whereas a large data holder must designate both officers. Large data holders should also conduct privacy impact assessments every two years.

Service providers and third parties

APRA requires service providers to follow the covered entities’ instructions and strictly adhere to the contract between them. If the entity is found to violate the law, service providers must cease processing data on its behalf. They should also assist covered entities in fulfilling consumer rights if required, and must always maintain strict data security practices. Third parties can only process covered data for purposes specified in their privacy policies or, for sensitive data, with the consumer’s consent.

Data brokers

A data broker is a covered entity whose principal source of revenue is from the processing or transferring of covered data obtained from sources other than the concerned individual.

Revenue counts as the principal source if it constitutes 50% of total income, or if it is generated from processing or transferring covered data (collected from sources other than the individual) of more than 500,000 individuals.

First and foremost, data brokers must maintain a publicly available website conveying that they are data brokers. They must also provide a clear notice describing individuals’ rights, including opt-out, and the methods to exercise them, such as a link or other tools. Such a notice should be accessible to persons with disabilities as well.

The law also places certain prohibitions on data brokers such as transferring the covered data for stalking or harassing individuals.

Pre-emption

As we know, APRA primarily focuses on unifying privacy laws across the United States. Therefore, an important takeaway from the APRA discussion draft is that it pre-empts existing state laws relating to privacy. However, the law preserves several categories of state laws, such as consumer protection laws, laws dealing with the privacy of employees and students, breach notification laws, etc.

The COPPA regulations for protecting children’s privacy will continue to be in effect.

Enforcement of the American Privacy Rights Act

The act lays down a unique enforcement mechanism with the power shared at the federal, state, and individual levels.

The Federal Trade Commission will establish a new bureau, and any violation of this act will be considered an unfair or deceptive practice, with penalties of up to $10,000 for each violation. State attorneys general, chief consumer protection officers, or other designated state officers will also have enforcement powers.

It is worth noting that consumers can file civil actions against covered entities for violating certain provisions. Courts may award compensation, injunctions, declaratory relief, and litigation costs.

What makes APRA different from ADPPA?

Although APRA shares some similarities with its predecessor ADPPA, there are also some key differences. One major difference is that APRA has a broader definition of personal data than ADPPA. Additionally, the consent requirements for sensitive data are not the same. APRA only requires consent for transferring sensitive data, while ADPPA also requires consent for collecting and processing them.

Another difference is that APRA has provisions for consequential decision opt-out, which was not present in ADPPA. APRA also provides an additional six months for recognizing global opt-out compared to ADPPA.

Finally, when it comes to the private right of action, APRA allows civil actions for violations of certain provisions in addition to data breaches. In contrast, ADPPA allows civil actions for any violation of the law.

APRA vs GDPR (Infographic)

FAQ on the American Privacy Rights Act

Is there a right to privacy in the US?

The Supreme Court has carefully woven the right to privacy through landmark judgments like Griswold v. Connecticut. Apart from these, the Fourth and Fourteenth Amendments also contribute to the right to privacy in the US.

What is the US Privacy Act?

The Privacy Act of 1974 establishes fair information practices relating to the handling of records. It provides for the creation of a system of records that contains

Does the US have a data privacy law?

Although many US states have already enacted privacy laws, there has been a gap when it comes to federal legislation. However, the American Privacy Rights Act provides a new hope after the ADPPA failed to make it to the Senate. The act prioritizes principles such as data minimization, purpose limitation, and sensitive data protection, along with granting consumers privacy rights. The APRA also addresses technological advancements like artificial intelligence and regulates data brokers.