On 7 April 2024 the Chair of the U.S. Senate Committee on Commerce, Science, and Transportation, Maria Cantwell, and the Chair of the House Committee on Energy and Commerce, Cathy McMorris Rodgers, unveiled a surprise bipartisan discussion draft of the American Privacy Rights Act (APRA). The aim of the Act is to create a comprehensive federal privacy law for the US, bringing consistency and harmonisation to the existing patchwork of state laws, and to give individuals greater control over their own personal data. The APRA introduces rights for individuals residing in the United States and places obligations on organisations to safeguard the privacy of those individuals.
The lay of the land: The need for a harmonised federal privacy law
While the US continues to play "catch up" as one of the few developed countries in the world lacking comprehensive national privacy legislation, there have been several attempts and enormous efforts over the last few years to create and pass a federal privacy law. Until now the most recent was the American Data Privacy and Protection Act (ADPPA), which cleared the House Committee on Energy and Commerce in 2022 but never reached a floor vote in the House and lapsed when talks stalled. The current US data protection and privacy landscape therefore consists mainly of state-level laws, most notably the California Consumer Privacy Act (CCPA), together with sector-specific federal legislation such as the Children's Online Privacy Protection Act ("COPPA") and the Health Insurance Portability and Accountability Act ("HIPAA"). Over the last few years there has been a clear rise in individual states enacting their own personal data legislation to fill the void left by the absence of a federal privacy law. By way of example, this year alone new data protection laws come into force in Texas, Florida, Oregon and Montana, and several other states have privacy laws that will apply in the coming years.
Transatlantic transfers of personal data from the EU to the US have long been fraught with issues, and a further challenge to the current EU-US Data Privacy Framework mechanism, which some are already touting as "Schrems III", remains likely (see our post here). A robust federal privacy law in the US could help demonstrate greater regard for the protection of individuals' personal data and may slightly soften criticism of the adequacy of US safeguards when measured against the EU benchmark. However, because the APRA is intended to protect only the personal information of individuals in the US (as opposed to individuals in the EU), it is unlikely to remove that criticism entirely.
The APRA: Some key features
The APRA is a complex and comprehensive smorgasbord of provisions that will no doubt evolve throughout the legislative process. At a high level, some of its key features include:
- Pre-emptive application: At its core the APRA states it is intended to "establish a uniform national data privacy and data security standard" and, if adopted, it is expected to pre-empt many provisions of state-level privacy legislation – subject to certain exceptions, for example, consumer protection laws of general applicability and civil rights laws.
- Who is caught? The APRA is broad in scope. It applies to 'covered entities', namely entities subject to the jurisdiction of the Federal Trade Commission (FTC), common carriers and nonprofit organisations that determine the purposes and means of collecting, processing, retaining or transferring covered data, as well as to 'service providers' that process covered data on behalf of those covered entities. The Act carves certain organisations out of the 'covered entity' definition, including certain small businesses, government entities and those acting as service providers to government entities.
- Greater obligations for higher risk 'covered entities': In an increasing trend that we are seeing across a range of pieces of digital regulation in the UK and Europe in particular (such as the UK Online Safety Act 2023 and the EU Digital Services Act (DSA)), the APRA incorporates a higher, more comprehensive tier of obligations that apply to a sub-set of higher risk / higher reach in-scope organisations (in addition to the baseline obligations elsewhere in the Act). The Act envisages that these additional obligations apply to both:
- "high-impact social media companies" - with the eligibility criteria depending on global annual revenue, number of monthly active users and the primary use of the platform being to access or share user-generated content. Information about a user's online activities collected by these entities is treated as "sensitive covered data", to which further restrictions apply (e.g. the individual's affirmative express consent is required before such data can be transferred to a third party or used for targeted advertising); and
- "large data holders" – again eligibility criteria broadly depends on the gross revenue of the in-scope entity, as well as the number of individuals' data that is collected, processed, retained or transferred. Additional obligations include transparency requirements.
- Private right of action: Whilst the APRA would establish a new FTC bureau to enforce the Act, it also envisages a private right of action for individuals against organisations that act contrary to the individual's rights under the APRA. If this right survives the legislative process it could increase litigation risk for in-scope organisations, although because individuals are required to give an organisation written notice before bringing a claim, entities may be able to mitigate their liability by dealing swiftly with any such notice.
- Application to AI: Whilst a number of the APRA's provisions apply universally, including to the use of new technologies such as artificial intelligence (akin to the technology-neutral nature of the GDPR), certain provisions apply specifically to artificial intelligence, such as the additional obligations around the use of "covered algorithms" - perhaps a nod to the restrictions on "automated decision-making" under the GDPR and on recommender systems under the EU DSA.
The APRA on the move
The first draft of the APRA was updated relatively swiftly on 21 May 2024 to include several amendments, the most substantial of which merged the Children and Teens' Online Privacy Protection Act (so-called COPPA 2.0) into the Act - albeit with some omissions compared with the stand-alone COPPA 2.0 bill previously before the Senate, a likely point of contention for those who championed the omitted protections. Other areas amended in the new version include the handling of advertising, data minimisation, the obligations placed on smaller businesses and algorithmic impact assessments, as well as greater obligations on data brokers. The updated draft proceeded to the U.S. House Committee on Energy and Commerce Subcommittee on Innovation, Data, and Commerce, which approved it on 23 May. It will now advance to the full committee for consideration.
The "something old, something new" approach?
A number of the concepts in the APRA bear a remarkable resemblance to their existing global counterparts - most notably the GDPR. For example, APRA definitions such as "covered data", "covered entity", "individual", "process", "sensitive covered data" and "service provider" each seem to have a match under the GDPR. What is even more interesting, however, is where the US legislator has chosen to differ from and build on those predecessors.
Of particular note, the provisions are more than a copy of the GDPR's wording: many of them reflect best practice formed over six years of enforcement of the GDPR (and of similar legislation worldwide), as well as elements of other EU digital regulation (such as the DSA). Some of the alterations can also be seen as filling gaps; for example, the APRA expressly addresses dark patterns, targeted advertising and data brokers, matters which in Europe are dealt with mainly through European Data Protection Board guidelines rather than in the text of the GDPR itself.
A good example of the Act's "something old, something new" approach can be found in the definitions. The APRA defines 'covered data' as information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or to a device that identifies or is linked or reasonably linkable to one or more individuals. The GDPR defines 'personal data' as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Further clarification of the GDPR definitions can also be found in its recitals.
As we see above, there are basic elements that can be found in both definitions, such as the requirement that the data be linked or linkable to an individual. One clear difference, however, is that under the APRA the data must be reasonably linkable. While the GDPR definition of personal data is arguably a vast one, and certain EU judgments may have narrowed it a little in particular cases, the US 'covered data' term appears to leave more room for interpretation by pairing "reasonably" with linkable. Another interesting point is that, to be "covered data", the information may be linked or linkable to a device, not only directly to an individual. Although fact-specific, the GDPR definition is likely to cover the same data in most situations; that said, it is still interesting to see some of the "lessons learned" from six years of the GDPR seemingly incorporated into the Act.
Next steps
The APRA was warmly received at a legislative hearing on 17 April and, despite having recently cleared its first hurdle by passing the Subcommittee stage, there is still a long way to go before the Act is enacted. Only time will tell whether it will become the first comprehensive federal law on the protection of personal data and, if so, what its final requirements will look like. Notably, some of the topics that have historically divided opinion, such as federal pre-emption and the private right of action, were not debated in those first Subcommittee discussions. Other areas that we expect to be closely scrutinised as the Act progresses include the protection of children, the handling of advertising and data brokers. It is clear, however, that initiatives at both state and federal level indicate an intention to create more holistic privacy and data protection legislation (at least under the current administration).
Key contacts
Saara Leino
Associate (Finland) (External Secondee), London