New draft legislation (APRA) has been announced designed to establish the US's first comprehensive data privacy law. This is a bipartisan bill with high-ranking support and is a step forward for companies and consumers hoping to reach a national standard on data privacy.
Key provisions include
- A private right of action for individuals to sue under many (though not all) of its provisions. It does not create statutory damages but allows for recovery of reasonable attorneys' fees and litigation costs. It also provides businesses with a 30-day "opportunity to cure" for actions that are brought against them for injunctive relief.
- Preemption provisions meaning that APRA would largely replace the patchwork of state privacy laws with a unified regime, save for a small carveout for remedies, which is seen as an olive branch to states like California who have historically opposed pre-emption. It also leave intact some state consumer protection and privacy laws such as some which are specifically focused on health data.
- Data minimisation standard. The collection, processing, retention and transfer of personal data can only be done if "necessary, proportionate and limited to" provisions or maintenance of a service or communication, or a specific permitted purpose, of which there are 15 including conducting market research, complying with legal obligations and protecting data security. Sensitive data requires "affirmative express consent" before transfer to a third party, unless it is necessary, proportionate and limited to one of the permitted purposes.
- There is a right to opt out of the transfer of covered data, covered algorithms, AI decisions and targeted advertising.
There are increased regulations on large data holders (an entity with at least $250M in annual revenue and which collects or processes the covered data of more than 5m individuals) including annual certification from the Federal Trade Commission (FTC) and designating a privacy officer and data security officer. Data brokers and the ad tech industry are also regulated.
Small businesses (under $40m in revenue and data of fewer than 200,000 consumers) are exempt when acting as covered entity (analogous to 'controllers' under EU GDPR) but not when acting as service provider (analogous to 'processors' under the EU GDPR) or when selling personal data. Employee information is also exempted but APRA would preserve state laws that apply to employees.
The FTC is encouraged to develop guidance, create a data broker registry and establish a new enforcement bureau.
Early objections have focussed on the proposed legislation creating barriers for start up companies, emboldening the FTC, increasing the chance of litigation with the private right of action and calls for the draft to be strengthened as regards children's privacy.
Despite these objections and the potential increased liability for companies, there is little doubt that APRA would be a positive step for consumers. There is still a way to go before APRA becomes law and it is worth noting that the previous effort (the American Data Privacy and Protection Act) lay dormant in congress for two years. That said, despite some disagreement on the finer details, APRA contains some notable departures from its predecessor and nods to previously dissenting parties which may just be enough to take it over the finish line.