US Lawmakers Introduce the American Privacy Rights Act of 2024 to Establish Comprehensive Data Privacy and Security Standards

Jenny Li, April 17, 2024

On April 7, 2024, US Representative Cathy McMorris Rodgers and Senator Maria Cantwell announced the American Privacy Rights Act (APRA) of 2024, a proposal to establish comprehensive national data privacy and security standards in the US. The bipartisan, bicameral draft is seen as a pivotal move to give US citizens control over their personal information, including where it goes and who can sell it.

The act seeks to restrain large tech companies by banning them from tracking, predicting, and exploiting users’ behavior without consent. It responds to the same concerns that drove the EU’s GDPR, positioning itself as a US counterpart to that regulation, and aims to set a new global standard for privacy protection. The legislation also emphasizes transparency, user rights over their own data, and a single national privacy standard to replace the current state-by-state patchwork, with enforcement powers granted to the FTC and state attorneys general.

While the current focus is on the “new regulation,” it is important to recognize that APRA is an updated version of the 2022 draft. Our understanding of APRA should therefore consider both the original draft and the changes in the current version. The 2022 draft specifically aimed to prevent data transfers to countries such as China and Russia; the 2024 draft generalizes this to “rival countries,” reflecting APRA’s goal of strengthening domestic data security, reducing data leakage to foreign competitors, and enhancing national data protection.

Comparison with the 2022 Draft American Data Privacy and Protection Act (ADPPA)

Overall, APRA retains many elements of the 2022 draft but introduces substantial structural redesigns. It moves away from a chapter-based structure, opting instead for subsections that group related definitions and obligations more logically. This reorganization integrates the “duty of loyalty” throughout the text, aligning it closely with the corresponding user rights and clarifying the obligations of covered entities.

The bill’s structure follows the sequence of entity obligations, user rights, and regulatory enforcement. It introduces new obligations for entities, such as a prohibition on interfering with user rights and a prohibition on retaliation, alongside enhanced user privacy rights such as an opt-out mechanism for algorithms that make consequential decisions. The government’s role is also expanded with initiatives such as a privacy-enhancing technology pilot program. Additionally, the bill addresses gaps and ambiguities in the earlier draft, with new and revised sections marked in the text so that key changes are easy to identify.

Definitions

APRA protects personal data that businesses and organizations generate and store, online or offline, while providing goods and services, and it relies on a number of fundamental privacy concepts. Clarifying these definitions is essential to understanding the bill.

Covered entity: Any entity that collects, processes, retains, or transfers covered data and is subject to the Federal Trade Commission Act, including ordinary businesses and certain non-profits. Excluded are small businesses, governments, entities acting on behalf of a government, the National Center for Missing and Exploited Children (NCMEC), and non-profits whose purpose is fighting fraud (which remain subject to the data security obligations).

Small business: An entity whose average annual gross revenue over the preceding three years is below $40 million; that collects, processes, retains, or transfers the covered data of no more than 200,000 individuals per year (excluding transient data such as a card swipe used only to complete a payment); and that does not derive revenue from transferring covered data to third parties. Small businesses are not subject to the requirements of this bill.

Covered data: Information that, alone or in combination with other information, identifies or is reasonably linkable to an individual, or to a device that is linkable to one or more individuals.

Exception: Covered data does not include de-identified data, employee data, publicly available information, information derived from publicly available sources that does not meet the definition of sensitive covered data and is not combined with covered data, and information held in restricted collections of libraries, archives, or museums.

On-device data: Data stored on a device under the individual’s sole control that is not processed or transferred by a covered entity or service provider is outside the scope of the bill.

Publicly available information: Information lawfully made available to the general public. It does not include derived data that reveals sensitive covered data, biometric or genetic information, data combined with publicly available information, or obscene or non-consensually shared intimate images.

Sensitive covered data: Includes government-issued identifiers; health information; biometric information; genetic information; financial account and payment data; precise geolocation information; login credentials; private communications; information revealing an individual’s sexual behavior; calendar or address book data, call logs, and private photos and recordings; images of nudity or private body parts; video viewing information; information revealing an individual’s race, ethnicity, national origin, religion, or sex in a manner inconsistent with the individual’s reasonable expectations; records of online activity over time across third-party websites or high-impact social media sites; information about a minor; and any other data the Federal Trade Commission (FTC) defines as sensitive by rule.

Large data holder: A covered entity with annual gross revenue above $250 million that annually collects, processes, retains, or transfers covered data on more than 5 million individuals (or 15 million portable connected devices or 35 million connected devices linkable to individuals), or sensitive covered data on more than 200,000 individuals (or 300,000 portable connected devices or 700,000 connected devices).

Exception: An entity or service provider is not a large data holder merely because it collects, processes, retains, or transfers personal mailing or email addresses, personal phone numbers, login credentials for accounts it administers, or the payment information needed to complete a sale of goods or services.

Annual gross revenue: The total income a covered entity or service provider receives from all sources, in any form, without deducting costs or expenses, including donations, gifts, grants, membership fees, other contributions, investment income, and proceeds from the sale of real or personal property.

Substantial privacy harm: Financial loss of at least $10,000, or physical or mental harm, a serious violation of privacy, or discrimination on the basis of race, color, religion, national origin, sex, or disability.

Targeted advertising: Online advertising displayed based on the known or predicted preferences or interests associated with an individual or a device identified by a unique identifier. It does not include advertising shown in response to a specific request for information, first-party advertising, contextual advertising, or processing of data solely to measure or report ad performance.

Dark pattern: A user interface designed or operated with the substantial effect of subverting or impairing a user’s autonomy, decision-making, or choice.

Health information: Information that describes or reveals an individual’s past, present, or future physical or mental health, disability, diagnosis, health condition, or treatment, including precise geolocation information that reveals where such treatment was received.

Main Content of the APRA

1. Data Minimization

2. Transparency of Privacy Policy

3. User Rights Guaranteed by Entities

  1. An individual or a category of individuals obtaining or equally enjoying opportunities in housing, employment, education, healthcare, insurance, or credit; or
  2. The use or restriction of the use of any public place.

4. Data Security and Protection Responsibilities of Entities

APRA requires covered entities to implement data security practices that protect the confidentiality, integrity, and availability of covered data and prevent unauthorized access. These practices must be appropriate to the following factors: the size and complexity of the entity; the nature and scope of its collection, processing, retention, or transfer of data; changes to its business operations; the volume, nature, and sensitivity of the data; and the sophistication and limitations of available administrative, technical, and physical safeguards.

At a minimum, these data security practices must include:

  1. Regularly identifying and assessing internal and external vulnerabilities and taking timely protective action.
  2. Implementing preventive and corrective measures to reduce identified vulnerabilities, together with a process for evaluating their effectiveness.
  3. Managing retention and disposal of data, including destruction, permanent deletion, or other modification of data that the law requires to be deleted, so that the data is unrecoverable.
  4. Training employees on data protection.
  5. Establishing procedures for responding to data security incidents.

As for internal accountability, every covered entity must designate one or more employees as privacy or data security officers. Large data holders must designate both a privacy officer and a data security officer and submit annual metrics reports to the FTC. These reports must state the number of access requests, deletion requests, requests to opt out of data transfers, and requests to opt out of targeted advertising received, the number of requests the large data holder complied with, and the average number of days taken to substantively respond to an individual’s request. The metrics must also be published in the privacy policy or on a publicly accessible website by July 1 each year. Large data holders must additionally conduct a privacy impact assessment every two years.

5. Special Entities: Third Parties

6. [New] Privacy-Enhancing Technology Pilot Program

APRA introduces a privacy-enhancing technology pilot program that may run for up to ten years. Participation is voluntary, and the program is overseen by the FTC. The government will study and evaluate the program in order to develop new proposals for improving privacy protection and to accelerate the development of privacy-enhancing technologies.

Regulatory Analysis

  1. What new obligations do businesses (covered entities under the bill) have relative to the 2022 draft? APRA limits the collection, processing, retention, and transfer of data to a closed list of permitted purposes, and requires individual consent before sensitive covered data, including biometric information, is transferred. Notably, the bill classifies information about minors as sensitive, so it may not be transferred without consent, and it defines a minor as an individual under 17 years old, which is stricter than the under-13 threshold that most US businesses currently build their children’s privacy compliance around. If APRA is enacted, businesses will need to expand and adjust their compliance programs accordingly. APRA also requires businesses to provide channels through which users can exercise their rights to access, correct, delete, and export their data. In addition, businesses must offer a mechanism that lets users opt out of algorithms that make “consequential decisions.” Businesses are prohibited from using “dark patterns” to interfere with user rights and from retaliating against users who exercise them.
  2. Business privacy compliance: what do businesses need to do? Under APRA, businesses must publish their privacy policies and notify users in advance of material changes, so that the policy remains transparent. They must establish mechanisms to prevent and correct data security risks and regularly assess and improve those mechanisms. They must also appoint privacy and data security officers responsible for compliant data processing. Large data holders face stricter requirements on privacy policy transparency, verifying and facilitating user rights requests, internal accountability, and metrics reporting: they must retain and publish prior versions of their privacy policies for ten years, appoint both a privacy officer and a data security officer, and submit annual metrics reports to the FTC. Large data holders must also conduct audits and privacy impact assessments every two years, and where a covered algorithm poses a significant risk of harm to specific groups, they must submit annual algorithm impact assessments to the FTC. High-impact social media companies, data brokers, service providers, and third parties have further obligations of their own.
