On April 7, 2024, nearly two years after Congress’s last attempt to pass a national data privacy law, Senator Maria Cantwell, chair of the Senate Commerce Committee, and Rep. Cathy McMorris Rodgers, chair of the House Energy and Commerce Committee, unveiled the American Privacy Rights Act of 2024 (the “Act”). With an increasing number of states creating a national patchwork of somewhat inconsistent data privacy laws, this bipartisan, bicameral draft legislation was designed to create a nationwide data privacy and security standard and ensure that privacy laws do not differ from state to state.
What are the Specifics of the Proposed American Privacy Rights Act of 2024?
The Act’s authors’ stated goals were to make privacy a consumer right and to give consumers the ability to enforce that right. If enacted, it would achieve those goals by requiring businesses to, among other things:
- Be transparent about how they use consumer data
- Not collect, process, retain, or transfer users’ data beyond what is necessary to provide the product or service for which the data was obtained
- Allow users to access, correct, delete, and export their data
- Allow users to opt out of targeted advertising and data transfers (selling or otherwise trading in users’ personal information)
- Not transfer sensitive personal information (such as social security or driver’s license numbers, health care information, biometric information, photos, and other information users would ordinarily consider to be private) without a person’s opt-in consent
- Maintain publicly available privacy policies which include details such as categories of data collected, processed, and retained; the reasons for data processing; and how users can exercise their rights, such as the right to delete and the right to opt-out of certain actions.
- Establish data security practices that are proportionate to the entity’s size
- Appoint one or more employees to serve as privacy or data security officers
- Register with the Federal Trade Commission (the “FTC”) as a data broker (if a business’s primary source of revenue is derived from the personal data of individuals who did not provide the business their information, or if the business processed or transferred information of more than 5,000,000 individuals over the preceding year) and, if a business is a data broker, maintain a website that identifies the entity as a data broker and that includes links for individuals to exercise their opt-out and other rights
- Allow individuals to opt out of having an algorithm factor into consequential decisions relating to housing, employment, insurance, credit, education, and other matters.
Which Businesses Would Be Impacted?
The Act defines three categories of entities and has different requirements for each:
- Small Businesses: The Act generally exempts companies which earn less than $40 million per year in revenue from its requirements. However, even businesses which earn less than $40 million per year in revenue must comply with many of the Act’s provisions if they collect, process, retain, or transfer personal data of 200,000 or more individuals, or if they earn revenue from transferring personal data of individuals to third parties.
- Covered Entities: The Act applies to most entities which determine “the purpose and means of collecting, processing, retaining, or transferring” personal data of individuals. There are exceptions, such as for small businesses, as well as for governments and certain nonprofits.
- Large Data Holders: The Act defines “Large Data Holders” as entities which earn $250 million or more in annual revenue and which collect, process, retain, or transfer the personal data of more than 5 million individuals or the sensitive personal data of more than 200,000 individuals. Large Data Holders have additional requirements under the Act, such as designating both a privacy and data security officer, conducting privacy impact assessments, and filing annual certifications with the FTC.
How Will It Be Enforced?
If enacted, the Act may be enforced by the FTC (which may promulgate regulations to apply certain elements of the Act), state Attorneys General, and by individual users filing private lawsuits against entities alleged to have violated their rights under the Act.
What Happens Next and What Are the Chances of Passage?
Unlike the American Data Privacy Protection Act, which was introduced in 2022, the American Privacy Rights Act of 2024 has support from the relevant committee chairs in both the House and the Senate. In fact, Sen. Cantwell and Rep. McMorris Rodgers used concerns about the 2022 legislation as a starting point for the negotiations that formed the basis for the Act. Numerous observers agree with Rep. McMorris Rodgers’s statement that this is the “best opportunity we’ve had in years, almost two decades, to actually establish a national data privacy and security standard.” However, since the Act is still in its infancy, changes can be expected as it works its way through the legislative process. The first step is a hearing in the House Energy and Commerce Committee’s Subcommittee on Innovation, Data, and Commerce on April 17, 2024.
The Rhoades McKee Technology Transactions, Privacy, and Cybersecurity Team will continue to monitor the status of the proposed American Privacy Rights Act of 2024 and is available to answer any questions you have about state and federal data laws, rules, and regulations.