New Federal Privacy Bill Draft Hits Congress

WilmerHale Privacy and Cybersecurity Law Blog

On April 7, Representative Cathy McMorris Rodgers (R-Wash.), Chair of the U.S. House Committee on Energy and Commerce, and Senator Maria Cantwell (D-Wash.), Chair of the Senate Committee on Commerce, Science and Transportation, announced new draft legislation designed to establish the United States’ first comprehensive data privacy law at the federal level, potentially resuscitating an effort that had been dormant in Congress for almost two years. The American Privacy Rights Act of 2024 (APRA) aims to establish the first ever federal standard for comprehensive data privacy and security regulation, recognizing individual data controls for consumers and related obligations across a wide range of corporations (including the right to opt out of targeted advertising and certain algorithms) and establishing additional requirements for significant stakeholders in the data landscape like data brokers and “large data holders.”

Generally, the APRA is modeled primarily after its predecessor, the American Data Privacy and Protection Act (ADPPA), which made it further in Congress than any previous comprehensive privacy bill by passing committee but ultimately failed to pass in the House. Like the ADPPA, this new draft bill would establish a private right of action as a recourse for individuals, and its preemption provision would largely replace the current patchwork of state comprehensive privacy laws with a unified federal regime (though the private right of action and preemption provisions in APRA differ from those in ADPPA). Beyond changes to these core provisions, there are some additional key differences between the two proposals. The APRA creates a stricter data minimization requirement that applies to both covered entities and service providers, creating perhaps the first set of explicit limitations on how companies can process consumer data. In addition to the right to opt out of the transfer of covered data and targeted advertising, the APRA also establishes the right to opt out of covered algorithms and AI decisions. Under the APRA, a covered entity cannot mandate arbitration for “significant privacy harms,” an issue Senator Cantwell has raised in previous federal bill discussions. Unlike the ADPPA, the current draft of APRA does not recognize heightened protections for minors (presumably because there are already federal protections for child data through the Children’s Online Privacy Protection Rule). Finally, the APRA would terminate the current FTC rulemaking on commercial surveillance and data security.

EARLY OPPOSITION TO THE BILL

Despite the possibility of a bicameral, bipartisan bill moving successfully through both chambers, voices of opposition or hesitancy began to emerge within a day of the data privacy proposal’s release. Senator Ted Cruz, R-Texas, the ranking member on the Senate Commerce Committee opposite Senator Cantwell, has shared that he generally does not support legislation that he asserts empowers Big Tech by imposing high regulatory requirements and barriers to entry for start-up companies, gives “unprecedented power” to the FTC, and emboldens trial lawyers with a private right of action. In a more supportive statement, Representative Frank Pallone, Jr. (D-NJ), the ranking member on the House Energy and Commerce Committee, lauded the bipartisan efforts on the bill but asserted it could be strengthened in some areas, in particular children’s privacy.

The Executive Director of the California Privacy Protection Agency (CPPA), Ashkan Soltani, also released a statement against the APRA’s preemption provision, which would limit states’ ability to legislate in this space. A federal bill that preempts state privacy laws has long been a sticking point for California politicians and regulators and creates a substantial hurdle to gaining support from Golden State legislators for any federal comprehensive privacy bill. As mentioned above, the House Committee on Energy and Commerce voted 53-2 to advance the ADPPA, a previous federal privacy bill, to a House floor vote. However, then-Speaker of the House Nancy Pelosi, D-Cal., never called the bill for a floor vote, in order to remain aligned with other California leaders, like Governor Gavin Newsom, who opposed the bill and its preemption power.

WHAT DOES APRA MEAN FOR BUSINESSES?

While the chances of Congress passing a comprehensive federal privacy bill (in an election year, no less) seem slim, prior to this surprise development the chances were essentially non-existent. The bipartisan nature of the bill (despite the opposition outlined above) is a positive sign for companies and consumers hoping to eventually reach a national standard on data privacy. There seems to be agreement in Congress that preemption is needed as a general matter. At the same time, APRA preemption (as it currently stands) is limited; it would not, for example, necessarily preempt health laws such as Washington’s My Health My Data Act or Illinois’s Biometric Information Privacy Act, both of which are high risk for companies due to their private right of action provisions.

Companies should be aware that APRA goes further than most state comprehensive privacy laws in terms of the potential compliance obligations it creates and has meaningful enforcement mechanisms through both a private right of action and FTC enforcement. However, they may still deem a uniform national standard that preempts (most) state comprehensive privacy laws to be worth the trade-off, especially as more states continue to pass such laws and as newer state laws deviate from previously established models. Maryland’s newly passed comprehensive privacy law (which is still awaiting the governor’s signature), for example, creates data minimization requirements that go beyond what is required under the other laws. New Jersey’s law from earlier this year also has a rulemaking provision, which will create additional obligations for companies on top of the law’s statutory requirements. Companies should evaluate whether a single federal standard is worth pushing for given these active developments at the state level.

WHAT’S NEXT?

The release of the draft bill has generated a lot of early discussion ahead of its formal introduction on either side of Capitol Hill. The dates for the APRA bill to be formally introduced in either chamber have not been set yet. However, the bill is expected to go through regular order, which means that it would be introduced and marked up in committee before going to the House and Senate floors for a vote. Meanwhile, the bill’s two sponsors, Cantwell and Rodgers, are continuing to socialize and circulate the draft. On April 17, Rodgers and House Energy and Commerce Committee Ranking Member Frank Pallone, Jr., D-NJ, led a hearing for the Innovation, Data, and Commerce Subcommittee titled "Legislative Solutions to Protect Kids Online and Ensure Americans’ Data Privacy Rights." This hearing covered a number of privacy and online safety bills with APRA topping the list. Five of the six witnesses stated that the data minimization provisions were the most essential parts of the APRA but disagreed on issues like preemption and data broker regulations, illustrating that despite a general consensus of support for a federal privacy bill, there continues to be disagreement in the details.

In the rest of this post, we summarize notable provisions of the bill and highlight key takeaways for entities looking to understand their future privacy compliance obligations. We will continue to monitor this draft legislation as it circulates the halls of Capitol Hill and gets prepared for a formal introduction. To stay up to date on these updates and other privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

NOTABLE TAKEAWAYS

  • Creates a Private Right of Action: Like ADPPA, APRA creates a private right of action for many (but not all) of its operative provisions. For example, the private right of action would apply to the law’s data subject rights provisions but would not apply to all the data minimization and transparency requirements. Unlike ADPPA, the discussion draft of APRA does not include a delay for the private right of action to go into effect; those provisions would go into effect with the rest of the bill. In terms of relief, the law does not create statutory damages (but does allow for recovery of reasonable attorneys’ fees and litigation costs). It also provides businesses with an opportunity to cure for actions that are brought against them for injunctive relief.
  • Softens the Preemption Provision: One of the most controversial provisions in any federal privacy bill is whether it would preempt existing state laws. The APRA, like the ADPPA, does contain preemption provisions, which makes business compliance easier but stalls states’ ability to establish data protections above the federal standard. For this reason, states like California have historically opposed preemption. This proposed bill draft takes a small step toward acknowledging that tension by implementing a small preemption carveout for remedies. It also leaves intact a number of state consumer protection and privacy laws outside of the comprehensive privacy laws (such as privacy laws specifically focused on health data and Illinois’s Biometric Information Privacy Act (BIPA)).
  • Strict Data Minimization Standard: APRA states that covered entities and service providers operating on their behalf are prohibited from collecting, processing, retaining, and transferring personal data unless they meet the data minimization principle of being “necessary, proportionate, and limited to” the provision or maintenance of a service or communication, or a specific permitted purpose. This language is stricter than what current state comprehensive privacy laws require of companies. Additionally, the bill recognizes 15 permitted purposes for data collection, processing, retention, and/or transfer. These permitted purposes include:
    • Protecting data security;
    • Complying with legal obligations and responding to lawful warrants;
    • Conducting market research;
    • Transferring assets to a third party in the course of a merger, bankruptcy, or similar transaction;
    • Processing data to provide first-party or contextual advertising if covered data (excluding sensitive covered data) was lawfully collected; and
    • Processing or transferring data to provide targeted advertising if covered data (excluding sensitive covered data) was lawfully collected from an individual who had not opted out.
  • Establishes Other Mechanisms of Enforcement: Although much of the current focus is on the APRA’s private right of action, the proposed bill draft also empowers other actors in the privacy space as well. In addition to individuals, the FTC and state AGs have the authority to enforce the Act’s provisions. The proposed bill also directs the FTC to promulgate rules, develop guidelines, create a data broker registry, and establish a new enforcement bureau. All these different mechanisms likely mean a strong privacy regime for consumers, but a landscape of liability for covered entities.
  • Establishes Regulations for the Data Broker and Ad Tech Industry: Limitations on secondary uses of data and direct obligations for data brokers are sprinkled throughout the APRA. To start, “information revealing an individual’s online activities over time and across websites” is included in the definition of “sensitive covered information,” which receives heightened protections. The bill also recognizes a consumer’s right to opt out of the transfer of their covered data and the right to opt out of targeted advertising. It requires the implementation of a universal opt-out preference mechanism. Finally, the bill contains a section dedicated to data brokers, which details obligations like maintaining a public website, publishing a notice explaining how to opt out, and registering annually with the FTC.
  • Focuses Regulations on Large Data Holders: Another category of entities that will have to navigate many additional obligations and requirements under the APRA is large data holders, defined as “a covered entity that has $250M in annual revenue and collects or processes the covered data of more than 5M individuals.” Extra requirements for this covered entity subcategory include designating a privacy officer and a data security officer, annually certifying to the FTC regarding certain compliance practices, annually conducting an algorithm impact assessment if the entity uses a covered algorithm that “poses a consequential risk of harm,” and biennially conducting privacy impact assessments.
  • Necessitates Quick Implementation: The Act would take effect 180 days after it is passed, a very short runway for covered companies to come into compliance. The FTC is directed to issue guidance regarding consumer opt-out rights, service provider due diligence, and civil rights and algorithms within 2 years of enactment. There is no stated timeline for the rulemaking process.

SUMMARY OF KEY PROVISIONS

The takeaways discussed above were drawn from key provisions in the APRA, detailed here:

  • Definitions:
    • Covered Data: The bill’s definition for “covered data” is broad and similar to definitions in other comprehensive privacy laws. Covered data is generally “information that identifies or is linked or reasonably linkable” and excludes categories of data like employee information, publicly available information, and inferences made from publicly available information.
    • Covered entity: The bill’s definition for “covered entity” includes most non-profits. Small businesses ($40M or less in annual revenue and/or collects and processes the data of fewer than 200,000 individuals) are still excluded from the bill’s scope. However, there is an exception for a business that sells data, like a data broker, which would always be in scope regardless of size.
    • Large Data Holder: The bill carries over the term “large data holder” from the ADPPA, defining it as a covered entity that has $250M in annual revenue and collects or processes the covered data of more than 5M individuals. These large data holders are subject to more requirements.
    • Sensitive Covered Data: The bill’s definition of “sensitive covered data” is quite broad and includes information such as calendar or address book data, consumer health data, and “information revealing an individual’s online activities over time and across websites… that do not share common branding.”
    • Substantial Privacy Harm: The bill introduces a new term, “substantial privacy harm,” which is defined as a financial harm of $10,000 or more, an “alleged physical or mental harm to an individual” in a healthcare setting, a “highly offensive intrusion” into an individual’s reasonable expectation of privacy, or discrimination on the basis of protected characteristics.
  • Exemptions: Like most comprehensive privacy laws, APRA exempts state, city, and political subdivision entities. In addition, the bill provides a list of entities that would be considered in compliance with the APRA if their information is governed by other laws and they are compliant with those other laws, such as financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); covered entities and businesses governed by the Health Insurance Portability and Accountability Act (HIPAA); information governed by the Fair Credit Reporting Act (FCRA); and information governed by the Family Educational Rights and Privacy Act (FERPA). Notably, APRA only creates information-level exemptions for these federal laws; it does not create the entity-wide exemptions that exist under some of the state privacy laws.
  • Privacy Notices: Under the “Transparency” section, covered entities and service providers must provide consumers with a publicly available privacy policy that includes details about what personal data is collected and what third parties, service providers, and data brokers it is shared with. Entities must also have a “prominent” description of how consumers may exercise their individual controls and opt-out rights.
    • The bill requires that the policy is accessible (both to consumers with disabilities and consumers who speak another language). It also obligates large data holders to provide a short-form notice of their policies.
  • Consumer Controls and Opt-Out Data Rights: The bill creates rights for consumers, including: the right to access, correct, delete, and export their data. It also requires that a covered entity provide individuals with “a clear and conspicuous means” to opt out of the transfer of covered data and also targeted advertising, if applicable.
    • The bill charges the FTC and Secretary of Commerce with ensuring that a universal opt-out mechanism, like a global privacy signal, will become available to individuals within 2 years of enactment of the Act.
  • Data Security: Covered entities and service providers must implement “reasonable data security practices” that are proportional to the size and complexity of the entity, the volume of data, and the sensitivity of the data involved.
  • Requirements for Large Data Holders: Large data holders must designate two separate individuals to be a privacy officer and a data security officer. They must annually certify to the FTC that the large data holder maintains controls and reporting structures that comply with the Act. Large Data Holders also must biennially conduct privacy impact assessments that are “reasonable and proportional in scope” to the nature and volume of the data and risks.
  • Data Broker Regulation: A data broker must maintain a public website that includes a “clear, conspicuous, not misleading” notice to consumers about how to exercise their opt out rights.
    • The bill also establishes a data broker registry maintained by the FTC and available to the public.
  • Civil Rights and Algorithms: The bill mandates that covered data cannot be collected, processed, retained, or transferred in a way that discriminates on the basis of protected characteristics like race, religion, sex, or disability. Large data holders must annually conduct an algorithm impact assessment if they use a covered algorithm that “poses a consequential risk of harm.” Other covered entities or service providers must also evaluate the design, structure, and inputs of an algorithm to reduce risks of potential harms before deployment.
    • Individuals should also be provided with a “clear, conspicuous, and not misleading” notice if their data is used in a covered algorithm that makes or facilitates a consequential decision. They also have the right to opt out of such use of the algorithm.
  • Privacy-Enhancing Pilot Program: The bill establishes a pilot program run by the FTC to “encourage private sector use of privacy-enhancing technology.” There is a “rebuttable presumption” that a participating covered entity is in compliance with the data security requirements of the Act.
  • FTC Rulemaking Authority: Rather than delegating a general rulemaking authority to the FTC, the bill apportions out the rulemaking authority and directives to develop guidelines by sections within the bill. Under the APRA, the FTC would promulgate rules for the requirements of a universal opt-out mechanism, for “additional permissive exceptions” needed for consumer data control rights, large data holder algorithmic impact assessments, and for proportional data security practices. The Commission could issue guidance on requirements relating to provisions such as data minimization standards, consumer data control rights, vendor due diligence for covered entities, a data broker’s mandated website, and/or opt-out rights for covered algorithms of consequential decisions.
  • Private Right of Action and Other Enforcement Levers: The bill establishes a private right of action for individuals to file private lawsuits when their rights under the bill are violated. In addition, the bill empowers the FTC with primary enforcement authority, although state attorneys general would have the authority to enforce the law as well. The bill directs the FTC to establish a new bureau, which would look similar to its Bureaus of Enforcement and Competition.
  • A Limited Compromise on Preemption: Although the patchwork of state laws would be preempted by the bill, the APRA does propose very limited carveouts for remedies. Specifically, it preserves the ability of individuals to recover under Illinois’s BIPA, Illinois’s Genetic Information Privacy Act (GINA), and the California Privacy Rights Act (CPRA) in actions brought under those laws, even if the substance of the laws would be preempted.
  • Cure Period: An individual can only bring an action for injunctive relief under the Act if they provide entities with a 30-day cure period before initiating the lawsuit.
  • Effective Date: The Act would take effect 180 days after it is passed.
