Yesterday was the summer solstice, the longest day of the year in the northern hemisphere. It certainly felt like it here in D.C., as policy wonks waited with bated breath for an updated version of the American Privacy Rights Act discussion draft. Just after 5 o’clock, as whispered rumors reached a crescendo, the draft arrived.

The loudest rumor by far concerned a section of the bill that has been vaunted by civil society ever since its inclusion in the American Data Privacy and Protection Act, a forebear of the APRA. The "civil rights and algorithms" section would have prohibited the use of personal data in a way that discriminates on the basis of protected characteristics, while requiring organizations to implement baseline AI governance practices.

The section has been fully deleted from the current draft of the bill. Also missing is its newer cousin, the "opt-out rights for consequential decisions" section, which had been designed to match those U.S. states that provide opt outs for automated decision-making. Other sections important to advocates — including data minimization, universal opt out and deletion mechanisms, a prohibition on dark patterns, and privacy by design requirements — remain intact.

It is too early to say with certainty why these deletions occurred, but that never stops beltway insiders from speculating. As one data point, at almost precisely the same moment as the updated draft of the APRA appeared, Politico went to press with a foreboding report revealing serious opposition to the prior version of the bill among Republican leadership in the House.

A more anodyne explanation: perhaps the Energy and Commerce committee is pulling the same move as the Grinch when he borrowed the Who family Christmas tree: taking it back to the shop to fix it up, with every intention of bringing it back later.

Another rumor was also proved true: it appears the ranking member of the committee, Rep. Frank Pallone, D-N.J., is signing on to this version of the bill. Pending confirmation that Sen. Maria Cantwell, D-Wash., remains in favor of the updated House draft, we could be looking at a so-called three-corners bill. Support from three of the four major leaders in the relevant committees will go far toward giving the bill a fighting chance.

The soon-to-be-introduced bill is expected to be scheduled for a markup session by the full House Energy and Commerce Committee next Thursday 27 June. It is possible in a markup to vote the bill out of committee, clearing it for consideration by the full House. Markups also frequently make use of a procedure known as an AINS, an "amendment in the nature of a substitute," which could involve another version of the bill. However, the AINS procedure only applies to introduced legislation. So far, the APRA remains only a discussion draft.

Of course, the updated draft includes a lot more than notable omissions. There are dozens of tweaks to the bill, showing again how serious the effort is to refine the proposal in response to stakeholder feedback from all sides.

Adtech clarifications

The much-debated targeted advertising definition in the APRA has received a fresh coat of paint in the updated draft. It now clearly includes retargeting as well as all advertisements delivered via "high-impact" social media platforms, except for ads for products and services of the platforms themselves. It excludes contextual advertising and first-party advertising, not precisely a change, but now much clearer as both have received new definitions in the discussion draft. There are also new definitions of "direct mail targeted advertising" and "email targeted advertising," which receive their own treatment in the draft.

Contextual advertising does not vary based on the identity of the individual recipient and must be presented based only on the following factors: "(i) the content of a webpage or online service; (ii) a specific request of the individual for information or feedback; or (iii) coarse geolocation information."

First-party advertising is based only on first-party data, that is data collected directly by the organization from the individual based on a visit to a physical or virtual property. For high-impact social media companies, first-party advertising can only relate to their own products or services. For everyone else, the definition includes any ad, so long as it is based solely on first-party data.

In theory, this all matters because targeted advertising is only allowed based on data "previously collected in accordance with" the data minimization restrictions of APRA, cannot be based on sensitive data, is prohibited from targeting minors under 17, and is further subject to a universal opt-out mechanism, allowing consumers to express a choice not to receive such advertising at all.

Somewhat confusingly, however, contextual advertising and first-party advertising are also subject to all these same restrictions, except for the universal opt-out mechanism and prohibition on advertising to minors. Contextual advertising appears to be allowed for minors, but first-party advertising is only allowed if it is age appropriate and is not based on any covered data other than minor status.

Youth privacy protections

Speaking of minors, the updated draft has been revitalized with references to minors and children, which were conspicuously absent in prior drafts, pending negotiation. Important for kids' privacy watchers, the draft reintroduces a knowledge standard with a minimum threshold of "knowledge fairly implied on the basis of objective circumstances" that a user is a child or teen. The U.S. Federal Trade Commission would issue regulations to clarify the operation of this new standard.

This will matter for the advertising restrictions, mentioned above. And, of course, personal data about minors under 17 is still treated as a sensitive category of data, requiring consent or one of 10 permitted purposes before it can be transferred. Consent requirements have been clarified, showing that parents must consent on behalf of children under 13 and may consent for teenagers, though teens are also allowed to provide their own consent.

Title II of the discussion draft is still labeled "COPPA 2.0." It has undergone a plethora of ministerial changes but appears to be substantively the same as before — an amendment to COPPA rather than a teen-focused bill. I previously wrote about the confusing difference between this incorporated version of COPPA 2.0 and the other bills by that name in the House and Senate.

Stricter rules for biometric and genetic data

The special requirements for biometric and genetic data have been further refined in the draft. Collecting such data would now require express consent, without exception. Consent is also needed to process and transfer such data, unless a more limited set of permitted purposes applies: warrants, legal claims, and other legal obligations. The prior draft included a longer set of permitted purposes. Special to this type of data is also a requirement that consent include reference to the retention period for the data.

These refinements may be designed to further align APRA's protections with those of the Illinois Biometric Information Privacy Act, which would be preempted by the bill.

More substance for the right to cure

The APRA would empower individual consumers to bring lawsuits against organizations based on violations of many of its substantive provisions. This private right of action is limited in a couple of ways, including providing for an opportunity for organizations to cure their defects.

Prior drafts of the APRA included a 30-day notice requirement, meaning that individuals would be required to notify an organization of a claim for actual damages 30 days before initiating legal action. The updated draft expands this to 60 days and further adds provisions clarifying that the required notice gives the organization an opportunity to settle with the individual and that legal actions can be dismissed immediately if individuals did not complete the notice step.

Importantly, the notice requirement and opportunity to cure still do not apply if the consumer brings certain actions for violations that result in "substantial privacy harm," as defined in the draft.

Online activity profiles are sensitive data

Opt-in consent or one of 10 permitted purposes will be required for the transfer of any "online activity profile." This is a pithier description of what was formerly called "information revealing the online activities of an individual over time and across websites."

The prior definition provided a bifurcated approach to this data, treating all data on a high-impact social media platform as sensitive data, while otherwise requiring cross-site data collection to qualify. It appears social media companies are not singled out anymore — at least in this provision — as "online activity profile" is also a newly defined term in the draft meaning "covered data that identifies the online activities of an individual (or a device linked or reasonably linkable to an individual) over time and across third party websites, online services, online applications, or mobile applications that do not share common branding, that is collected, processed, retained, or transferred for the purpose of evaluating, analyzing, or predicting the behaviors or characteristics of an individual."

Other tweaks

The discussion draft includes numerous minor, but likely impactful, changes. Here are a few notable tweaks:

  • On-device data is now exempt from the definition of covered data.
  • The volume threshold to qualify as a data broker has changed an "or" to an "and," making it clear that an organization does not qualify as a data broker simply by processing data but must also transfer it.
  • Permitted purposes have been refined to more fully describe allowed medical research uses of personal data.
  • Sensitive data types have been expanded to include military servicemember data, which aligns the bill with the new law prohibiting data brokers from transferring sensitive personal data to foreign adversary countries.
  • Sensitive data has also been expanded by including any type of "electronic log" intended for private use as well as "neural data," a term that is undefined.
  • Parents are able to exercise data subject rights on behalf of their children under 13.
  • The interaction between APRA and existing telecommunications laws and regulations has been refined and redrafted.

The APRA is still labeled as a discussion draft. It will need to be formally introduced before being voted out of committee, so more action is expected in short order.

Please send feedback, updates and other notable APRA tweaks to cobun@iapp.org.

Cobun Zweifel-Keegan, CIPP/US, CIPM, is a managing director for the IAPP in Washington, D.C.