On April 7th, 2024, US Representative Cathy Rogers and Senator Maria Cantwell announced the American Privacy Rights Act (APRA) of 2024, aimed at establishing comprehensive national data privacy and security standards in the US. This bipartisan, bicameral proposal is seen as a pivotal move to grant US citizens control over their personal information, including where it goes and who can sell it.

The act seeks to restrain large tech companies by banning them from tracking, predicting, and exploiting users' behaviors without consent. It aligns with global privacy concerns, positioning itself as a countermeasure to the EU's GDPR, and intends to set a new global standard for privacy protection. The legislation also emphasizes transparency, user rights for data management, and a unified national privacy standard to replace the current state-by-state approach, with enforcement powers granted to the FTC and state attorneys general.

While the current focus is on the "new regulation," it's important to recognize that it's actually an updated version of the 2022 draft. Our understanding of the American Privacy Rights Act (APRA) should consider both the original draft and the changes in the current version. Initially, the 2022 draft specifically aimed to prevent data transfer to countries like China and Russia. This has been modified in the final bill to generalize to "rival countries," reflecting APRA's key goal of bolstering domestic data security in the US, reducing data leaks in international competition, and enhancing national data protection.

Comparison with the 2022 Draft Data Privacy and Protection Law

Overall, the APRA Act retains many elements from the 2022 draft but introduces substantial systemic redesigns. It moves away from a chapter-based structure, opting instead for subsections that more logically group related definitions and regulations. This reorganization enriches the content by integrating the "duty of loyalty" throughout, aligning it closely with corresponding user rights and clarifying entity obligations.

The bill's structure primarily follows the sequence of entity obligations, user rights, and regulatory enforcement. It introduces new obligations for entities, such as preventing interference with user rights and prohibiting retaliation, alongside enhanced user privacy rights like an opt-out mechanism for decision-making algorithms. The government's role is also expanded with initiatives like a privacy-enhancing technology pilot program. Additionally, the bill addresses previous gaps and ambiguities with specific, marked updates in the text, clearly identifying new and revised sections to emphasize key changes.

Definitions

The APRA bill is released to protect privacy data generated and stored online or offline by businesses or organizations when providing goods and services, involving many fundamental concepts related to privacy protection. Clarifying these definitions is essential to understanding the APRA bill.

Entity: Refers to any entity that collects, processes, retains, or transmits regulated data and is subject to the Federal Trade Commission Act, including ordinary operators and certain non-profits. However, small businesses, government, entities working for the government, the National Center for Missing and Exploited Children (NCMEC), and non-profits fighting fraud (except for data security obligations) are excluded.

Small business: Defined as having an average annual gross revenue of less than $40 million over three years; collecting, processing, retaining, or transmitting less than 200,000 pieces of personal data annually (excluding temporary data like credit card swipes); and not deriving revenue from data transferred to third parties. Small businesses are not subject to the requirements of this bill.

Data: Refers to information that can alone or in combination with other information identify or be reasonably linked to an individual or a device, which in turn can be linked to one or more individuals.

Exception: Data does not include de-identified data, employee data, public information, information derived from publicly available sources that do not meet the definition of sensitive personal data and are not combined with data referred to by this law, and information from restricted collections of libraries, archives, or museums.

Data on devices: Limited to data stored under the individual's sole control and not processed or transmitted by relevant entities or service providers.

Publicly available information: Legally made available to the public. It does not include derived data that reveals sensitive data, biometric or genetic information, or data combined with publicly available information or obscene or non-consensually shared private images.

Sensitive data: Includes government identifiers; health information; biometric information; genetic information; financial account and payment data; precise geolocation information; login credentials; private communications; information revealing personal sexual activities; calendar or address book data, call logs, private photos, and recordings; media displaying naked or private body parts; video viewing information; information presented in a way that violates reasonable expectations of an individual's race, ethnicity, nationality, religion, or gender; records of online activities across third-party websites or influential social media sites; minor information; and other data defined as sensitive by the Federal Trade Commission (FTC).

Large data holder: A regulated entity that annually collects, processes, retains, or transmits regulated data on over 5 million individuals (or 15 million portable devices or 35 million network-connected devices associated with individuals) or sensitive data on over 200,000 individuals (or 300,000 portable devices or 700,000 network-connected devices).

Exception: Entities or service providers are not considered large data holders for merely collecting, processing, retaining, or transferring individual mailing or email addresses, personal phone numbers, account login information for accounts managed by related entities, or necessary mobile payment information obtained from selling goods.

Annual gross revenue: Refers to the total income obtained from all sources by the relevant entity or service provider in any form, without deducting any costs or expenses, including donations, gifts, grants, membership fees, other apportionments, investment income, and profits from selling real estate or personal property.

Substantial privacy harm: Economic loss of no less than $10,000 or has suffered mental, physical harm, serious privacy violation, or discrimination based on race, color, religion, ethnic ancestry, gender, or disability.

Targeted advertising: Online advertising displayed based on the known or anticipated preferences or interests associated with a person or device identified by unique identifiers. It does not include ads in response to specific information requests, first-party ads, contextual ads, or data processed for decision-making.

Dark pattern: Refers to a design or operation of a user interface that has a substantial effect of subverting or damaging the user’s autonomy, decision-making capacity, or choice.

Health information: Describes or reveals information about an individual's past, present, or future physical or mental health, disability, diagnosis, or health condition or treatment experiences, including precise geolocation information of these treatments.

Main Content of the APRA

1. Data Minimization

Limited Purpose for Providing Products or Services The APRA bill strictly specifies the reasons for entities to collect, process, retain, or transfer data. Entities can only do so within a necessary, appropriate, and limited scope for specific reasons such as:

Ensuring data security, spam prevention, and diagnosing, debugging, or repairing networks and systems.

Compliance with federal, state, local, or tribal laws not superseded by the APRA.

Legal claims by the entity itself.

Transferring data to federal, state, local, or tribal law enforcement under a lawful order, administrative subpoena, or other legal process.

Executing product recalls or warranties under state or federal law.

Conducting market research.

De-identifying data for internal research or analysis to improve products or services, and for lawful and public scientific, historical, or statistical research projects.

Providing advance notice to affected individuals and relevant information, including the names and privacy policies of other entities receiving personal data, along with the opportunity to revoke consent and delete personal data before asset transfers in mergers, acquisitions, bankruptcies, or similar transactions.

Providing location information by telecommunications carriers or mobile services, (non-)connected VoIP services.

Preventing, detecting, investigating, or addressing fraud or harassment, excluding selling relevant data to the government.

Preventing, detecting, mitigating, or addressing ongoing or imminent cybersecurity or physical security events, including intrusions, medical alerts, fire alarms, or access controls.

Preventing, detecting, mitigating, or addressing imminent or ongoing public safety incidents like mass casualty events, natural disasters, or national security incidents, excluding selling relevant data to the government.

Preventing, detecting, investigating, or addressing criminal activities, excluding selling data other than health information to the government.

Processing data for first-party or contextual advertising relevant to the individual, excluding sensitive data and previously legally collected data.

Processing or transferring data for targeted advertising for individuals who have not opted out, excluding sensitive data and previously legally collected data.

[New] Sensitive Data and Biometric Information The APRA bill adds extra protections for sensitive data and biometric information based on the 2022 draft. Any transfer of sensitive data or biometric information must first obtain explicit consent from the individual under the "minimization necessity principle." Additionally, the bill includes minor data within the sensitive data category, enhancing privacy protection for minors.

Explicit Consent: Transfer of sensitive information can only occur with explicit individual consent. For biometric and genetic information, there are legal exceptions to transfer without individual consent for the purposes listed above in points 2, 3, 4, 8, 9, 11, and 12.

Revocable: Individuals should be able to easily revoke their consent for the transfer of these types of information.

Retention Period for Biometric Information: Entities must adhere to the legal retention period for biometric information, which is either the period specified in the explicit consent or three years after the last interaction with the individual, whichever comes first.

2. Transparency of Privacy Policy

Content of the Privacy Policy The APRA bill requires entities and service providers to publicly disclose their privacy policies in a clear, conspicuous, non-misleading, readable, and accessible manner. Policies must detail data collection, processing, retention, and transfer activities, including the identity and contact information of the data controller, the names of service providers, third parties, or data brokers involved, and the reasons for data transfers. Policies must also outline the entity's data security measures, the effective date of the privacy policy, and whether data may be accessed by adversarial nations.

Access to and Opt-out of the Privacy Policy Privacy policies should be accessible to individuals with disabilities and easy to understand and obtain. For substantial or significant changes, entities must notify affected individuals in advance in a clear and conspicuous manner and provide a way to opt-out. For those who opt out, entities must cease processing or transferring their non-essential personal data. Additionally, entities must take all reasonable electronic measures to directly notify affected individuals in each available language.

Additional Transparency Requirements for Large Data Holders The APRA bill imposes stricter transparency requirements on large data holders than on general entities:

Large data holders must keep and publish a log of privacy policies and significant changes for ten years.

Large data holders must send concise, clear, conspicuous, non-misleading, readily accessible notifications disclosing individual rights and attracting attention, not exceeding 500 words. The minimum data disclosure level and notification template are to be issued by the committee

3. User Rights Guaranteed by Entities

Control over Personal Data

The APRA bill grants users control over their personal data, including the rights to access, delete, correct, and export personal data. Entities must verify the identity of the requester before these rights can be exercised to ensure the requester is the data subject or their authorized representative.

Frequency and Fees: Individuals can exercise their rights free of charge three times within 12 months; beyond that, entities may charge a reasonable fee.

[Change] Timing: The response time for large data holders or data brokers has been reduced from 45 days in the draft to 15 days, and for non-large data holders from 60 days to 30 days. Considering the number and complexity of requests, the response time may be extended once, but the individual must be notified of the extension and the reasons within the original response period.

Accessibility: Entities must ensure that persons with disabilities and users who speak different languages can access and use the data properly.

[Change] Exceptions Where Entities May Deny a Request The APRA bill has adjusted the exceptions from the draft, moving some potential exceptions to necessary and explanatory exceptions, and has also added exceptions for data on devices.

Necessary Exceptions—In the following cases, entities must deny or partially deny an individual's request:

Unable to verify the requester.

Exercising the right requires access to someone else’s sensitive data.

The data is involved in executing a search warrant, subpoena, or litigation hold issued to the entity.

Violates the entity’s ethical obligations.

Requests made with fraudulent intent.

Requests made to facilitate criminal activity.

Agreeing to the request would threaten data security.

Potential Exceptions—After providing sufficient explanation, entities may deny or partially deny an individual's request for:

Technical or cost reasons making fulfillment impossible, but a large number of requests does not constitute a technical impossibility.

The data requested for deletion is necessary for the fulfillment of a contract between the entity and the individual.

Requests to access or export the entity’s trade secrets.

Prevents the entity from keeping confidential records of individuals opting out.

Involves deleting data necessary for the regular operation of educational institutions like schools.

Explanatory Rules—This section does not require entities to:

Retain data collected from one-time transactions.

Re-identify data that has been de-identified.

Collect or retain any data linking an individual's requests to the data concerned.

Exceptions for Data on Devices—If the data involved in a request is entirely on a device and can be directly accessed by the individual, the entity may deny requests for access to, correction of, or deletion of such data.

Opt-Out Rights

Users have the right to refuse data transmission and opt out of targeted advertising.

[New] The APRA bill, compared to the 2022 draft, includes new provisions for a centralized consent and opt-out mechanism:

Defining opt-out preference signals: User interface should be friendly, descriptions clear, available in relevant languages, accessible to persons with disabilities, and not conflicting with other privacy settings of the individual.

Establishing a reasonable mechanism: Allows individuals to selectively opt out from certain entities without affecting their preference settings with others.

Neutral opt-out preference settings: The user interface may have at most two opt-out preference signal options to ensure neutrality.

[New] Consequential Decision Opt-Out The APRA bill introduces the right for individuals to enable or disable features similar to "personalized recommendations."

In general, entities using algorithms to make or assist decisions must:

Notify the individual: Allowing them to use the algorithm.

Provide choice: Give individuals the opportunity to choose whether to use the algorithm.

Respect individual choices: Adhere to the individual’s choice to opt out of using the algorithm.

Such notifications should be:

Clear, conspicuous, and non-misleading: Ensuring the notification is understandable and does not cause misunderstandings.

Provide meaningful information: Explain how the algorithm makes or facilitates decisions, including potential outcomes.

Multilingual: Notifications should be available in all languages used by the entity.

Accessible: Ensure that persons with disabilities can reasonably understand the notification content.

Definition of "Consequential Decision": In this section, a "consequential decision" refers to using the data covered by this law involving decisions or offers, including through advertising, related to: 1. An individual or a category of individuals obtaining or equally enjoying opportunities in housing, employment, education, healthcare, insurance, or credit; or 2. The use or restriction of the use of any public place.

Prohibition of Dark Patterns and Retaliation Against Users The APRA bill builds on the draft by adding requirements to prohibit entities from using "dark patterns" to distract users from privacy policies and change notifications, preventing entities from inducing decisions or hindering the exercise of rights during service provision. The bill also adds that entities conducting voluntary market research may offer different services and pricing.

[New] Prohibition of Dark Patterns: Relevant entities are prohibited from using "dark patterns" to divert an individual's attention from notifications required by this law, hinder the individual's exercise of any request or opt-out rights under this law, or directly obtain, infer, or guide individual consent for any action requiring autonomous consent under this law.

Autonomy of Individuals: Relevant entities may not limit an individual's exercise of rights under this regulation using any false, fictitious, fraudulent, or significantly misleading statements or representations.

Prohibition of Retaliation Through Services or Pricing

Relevant entities are prohibited from retaliating against individuals exercising their rights under this law by refusing to provide products or services, charging different prices or rates for products or services, or providing different quality levels of products or services.

[New] Exception: Non-high-impact social media companies or data brokers' relevant entities may offer goodwill loyalty programs or market research incentives to individuals, and may refuse to provide products or services if necessary.

4. Data Security and Protection Responsibilities of Entities

The APRA bill requires relevant entities to implement data security measures to protect the confidentiality, integrity, and accessibility of data and prevent unauthorized access. These measures must consider the following factors: the size and complexity of the entity, the nature and scope of data collection, processing, retention, or transfer, changes in business operations, the volume, nature, and sensitivity of the data, and the sophistication and limitations of administrative, technical, and physical safeguards.

At a minimum, data security measures should include:

Regular identification and evaluation of internal and external vulnerabilities with timely protective actions.

Implementation of preventive and corrective measures to reduce vulnerabilities and establish corresponding assessment mechanisms.

Management of information retention and disposal issues, such as destruction, permanent deletion, or other modifications of data required to be deleted by law, ensuring data is unrecoverable.

Conducting data protection training for employees.

Establishing response procedures for data security incidents.

In terms of internal management responsibility, all regulated entities must designate one or more employees as privacy or data security officers. Large data holders need to designate both a privacy officer and a data security officer and submit annual metrics reports to the FTC. These reports should include the number of access requests, deletion requests, applications for refusal of data transmission, requests to opt-out of targeted advertising, and the number of requests agreed upon by large data holders, as well as the average number of days taken to substantially respond to individual requests. These metrics should be publicly disclosed on privacy policies or publicly accessible websites by July 1 each year. Large data holders are also required to conduct a privacy impact assessment every two years.

5. Special Entities: Third Parties

Service Providers and Third Parties

Service Provider Responsibilities

Service providers must comply with the instructions of the relevant entities and assist them in fulfilling obligations under the APRA.

If a service provider becomes aware of any violations of the act by the relevant entity, they should cease their data practices.

When subcontracting other service providers to handle or retain data on behalf of the entity, service providers must choose appropriately and provide written notification under a lawful written contract.

Service providers must maintain the security and confidentiality of regulated data and accept assessments by independent evaluators.

Contractual Content Between Service Providers and Their Represented Entities

Contracts should govern the procedures for collecting, processing, retaining, or transferring data performed by the service provider on behalf of the entity.

Contracts should specify the instructions, nature, and purpose of collecting, processing, retaining, or transferring data, the type of data, the duration, and the rights and obligations of both parties.

Contracts should prohibit the waiver of legal duties by either party.

Contracts should prohibit unlawful data practices.

Except as required by law, contracts should prevent service providers from mixing data with data collected from other entities, service providers, or individuals.

Third-Party Responsibilities

Third parties may only process, retain, and transfer third-party non-sensitive data received from other entities, or process, retain, or transfer third-party sensitive data when individuals have explicitly consented to the transfer.

After due diligence, third parties may reasonably believe the representations made by the transferring entity regarding data disclosure, thus exempting them from the privacy policy obligations stipulated by this regulation.

[New] Interpretative Rules Added by the APRA

Continued Unlawful Conduct: If an entity transfers data to a service provider or third party without actual knowledge or reasonable suspicion of intentional violation of this law by the service provider or third party, the entity is not considered in violation of this law. If the entity knows and has reason to believe that the service provider or third party will violate this law, it should immediately stop transmitting data to them.

Past Unlawful Conduct: An entity that collects, processes, retains, or transfers data in accordance with this law is not considered unlawful if the entity receiving the data or acting on its behalf violates this law.

Due Diligence: Relevant entities must conduct due diligence when selecting service providers and deciding to transfer data to third parties. The FTC will issue due diligence guidance within two years.

Data Brokers: [Change] The APRA has redefined third-party data collectors as "data brokers" in the draft, but the core content remains unchanged.

Notification: Data brokers must establish and maintain a publicly accessible website. On this website and other mobile applications, they should place clear and prominent notices, including links to the data brokers' registration office website.

Prohibition: Data brokers are prohibited from accessing or transmitting data for purposes such as tracking harassment, committing fraud or theft, or distorting standard business practices within an industry.

Registration: Data brokers affecting 5,000 or more individuals annually must register by January 31 of the following year and offer a "Do Not Collect" mechanism at the time of registration. Data brokers are required to pay a $100 registration fee to the committee and provide legal name, primary address, email address, internet address, type of data, contact person’s name, monitoring phone, monitoring email address, website, and actual mailing address. Data brokers must also include links on their websites to facilitate individuals in exercising their rights.

"Do Not Collect" Mechanism: The committee will establish and maintain a searchable public registry of data brokers' registration information. This registry allows the public to search and identify data brokers and includes a mechanism for individuals to submit a "Do Not Collect" request to registered data brokers who are not acting as user reporting agencies, ensuring that data brokers no longer collect data related to that individual without their explicit consent, except when data brokers act as service providers. Data brokers that receive a "Do Not Collect" request must comply within 30 days unless they are aware that the individual has been convicted of crimes related to child abduction or sexual assault, or if the data collected is necessary for national or state sex offender registries or as part of a nonprofit national resource center and information exchange authorized by Congress to assist victims, families, child service professionals, and the public with missing and exploited children.

Penalties: Data brokers who violate regulations will be subject to civil penalties under subsections (l) and (m) of the Federal Trade Commission Act. Data brokers who fail to register as required will incur a fine of $100 per day, with an annual maximum of $10,000. Data brokers that fail to provide notifications as required will also face a daily fine of $100, not exceeding $10,000 annually.

6. [New] Privacy-Enhancing Technology Pilot Program

The APRA bill introduces a new privacy-enhancing technology pilot program that can last up to ten years. Entities voluntarily choose whether to join the program, which will be overseen by the FTC. The government will research and evaluate the program to develop new proposals for improving privacy protection and promoting the rapid development of privacy protection technologies.

Definition of Privacy-Enhancing Technology: Refers to any software or hardware solution, encryption algorithm, or other technology that extracts the value of information without compromising privacy and security, including technologies with capabilities similar to homomorphic encryption, differential privacy, zero-knowledge proofs, synthetic data generation, federated learning, and secure multi-party computation.

General Provisions: The commission should establish and implement a pilot program within one year of the enactment of this bill to encourage the private sector to use privacy-enhancing technologies to advance the applicability of this law.

Application Process: Entities wishing to participate in the pilot program should submit an application to the commission according to the timing, form, and method required by the commission, demonstrating the entity's capability to use privacy-enhancing technology for data security practices that meet or exceed the requirements of this law.

Liability Limitations: Any entity participating in the pilot program should:

Take any action under Sections 17 or 18 for violations of Section 9.

Have the right to a rebuttable presumption of compliance for individual lawsuits alleging data security breaches.

Ongoing Audits: The commission should continuously audit each entity participating in the pilot program to ensure adherence to the use and implementation of privacy-enhancing technology for data security.

If at any time the commission determines that a participating entity no longer adheres to the use of privacy-enhancing technology, the commission should revoke the entity's eligibility and the above liability limitations and notify the entity of this decision.

Remediation Opportunity: The entity has 180 days from the receipt of notification to remediate and must submit a remediation proposal to the commission. If the commission deems the remedial measures sufficient to address the deficiencies, it cannot revoke eligibility based on them.

Coordination: In implementing the pilot program, the commission should seek input from private, public, and academic stakeholders and consult with the Secretary of Commerce to develop ongoing participation in the public and private sectors, disseminating voluntary, consensus-based resources to increase the integration of privacy-enhancing technologies in data collection, sharing, and analysis in the public and private sectors.

Research and Reports by the United States Government Accountability Office:

Research: The Comptroller General of the United States (referred to as "Comptroller General" in this section) should conduct a study within three years of the enactment of this law to evaluate the progress of the pilot program, assess the use of privacy-enhancing technology by the commission, support the oversight of entity data security practices, propose improvements and promote work to protect privacy rights, and suggest improvements in communication and coordination between entities and the commission.

Preliminary Briefing: Within one year of the enactment of this law, the Comptroller General should brief the Senate Committee on Commerce, Science, and Transportation and the House Committee on Energy and Commerce on the preliminary results of the research conducted.

Final Report: 240 days after the preliminary briefing, the Comptroller General should submit a final report to the Senate Committee on Commerce, Science, and Transportation and the House Committee on Energy and Commerce, presenting the results of the research.

Termination: The commission should terminate the pilot program within ten years from the start date of the program.

Regulatory Analysis

What new obligations do businesses (referred to as entities in this law) have relative to the 2022 draft? The APRA bill stipulates that businesses must follow strict and exclusive reasons when collecting, processing, retaining, or transferring data, and must obtain individual consent before transferring sensitive and biometric information. Notably, the regulation classifies minors' information as sensitive, prohibiting its transfer without consent. The APRA sets the "applicable minor" age to under 17 years old, which is stricter than the current focus of most U.S. businesses on privacy compliance for children under 13. If the APRA bill is enacted, businesses will need to expand and adjust their compliance plans accordingly. The APRA bill also requires businesses to provide channels for users to exercise their rights to access, delete, modify, and export information. Additionally, businesses must offer an opt-out mechanism that allows users to opt out of "consequential decision" algorithms. Businesses are prohibited from using "dark patterns" to interfere with user rights and from retaliating against users.

Business Privacy Compliance: What do businesses need to do? According to the APRA bill, businesses need to publicize their privacy policies and notify users in advance of significant changes to ensure transparency of the privacy policy. Businesses should establish mechanisms for preventing and correcting data security risks and regularly assess and improve these mechanisms. Furthermore, businesses must appoint privacy and data security officers to ensure compliance with data processing. Large data holders face stricter requirements in terms of privacy policy transparency, verifying and facilitating user rights, internal management responsibilities, and submitting metric reports. These requirements include publishing privacy policies and annual transparency reports for the past ten years, appointing a privacy officer and a data security officer, and submitting metric reports. Large data holders also need to conduct audits and privacy impact assessments every two years; when artificial intelligence poses a significant risk of harm to specific groups, they must submit annual algorithm impact assessments to the FTC. Additionally, high-impact social media, data brokers, service providers, and third parties have specific obligations to comply with.

Other Resources: