In combing through a proposed or draft bill, privacy professionals naturally orient themselves by seeking out defined terms, scanning for the foundational and consequential definition of "personal data." Within the discussion draft of the latest effort to enact a national comprehensive privacy law, the American Privacy Rights Act, such a search comes up empty. APRA drafters have eschewed attaching the modifier "personal" to the elemental definition of the data it covers. Despite nominally departing from the terminology found in existing privacy legislation, the APRA's definition of "covered data" draws heavily from privacy and data protection regimes in the states and abroad.

The definition

The APRA discussion draft defines "covered data" as "information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals." At a basic level, this definition only slightly deviates from the terms "personal information" and "personal data" used in other U.S. state comprehensive privacy legislation, but further digging reveals important differences in scope.

Information linked or reasonably linkable to an individual

The requirement for covered data to be "linked or reasonably linkable" to an individual expands the scope from just data collected from or about one or more individuals to include data created that relates to one or more individuals. Likewise, any data that has a reasonable possibility of being linked in the future to an individual will also fit under the definition of covered data.

Comparing this definition to EU data protection law, personal data under the EU General Data Protection Regulation is defined as information "relating to an identified or identifiable natural person." Despite their differing verbiage, both definitions mark the outer bounds of what constitutes personal or covered data through a test of reasonableness.

Where the APRA's covered data must at the very least be "reasonably linkable" to an individual, whether data is personal under the GDPR is determined after accounting for "all means likely reasonably to be used by the controller … to identify the said person," according to Recital 26. Data that does not immediately appear personal or covered may become so if processing identifies or links it to an individual, but only so far as the means of processing likely to be used to identify or link to that individual are reasonable.

The covered data definition also leads to the inclusion of derived or inferred data, topics that have grown contentious given the extent to which many entities rely on new data created based on data previously collected, especially across the advertising technology and AI industries. Provided that such data is linked or reasonably linkable to an individual or device, alone or in combination with other data, it will likely be considered covered data under the APRA.

The extent to which technology enables entities to derive or infer sensitive personal data from personal and publicly available data has grown in recent years, a concern raised by a small number of lawmakers at the state level. California Attorney General Rob Bonta opined the California Consumer Privacy Act confers protections to such inferences drawn from personal information. Thus far, the Oregon Consumer Privacy Act is the only other enacted state bill to follow suit.

Individuals

In the APRA, covered data is defined by reference to "individuals" instead of "consumers," the preferred term for many U.S. state laws, or "data subjects," as is the case with the GDPR and GDPR-style regulations. Accordingly, the APRA's applicability extends beyond the business-to-consumer context most state comprehensive laws focus on, broadening applicability to include nonprofit organizations.

It defines "individual" as "a natural person residing in the United States," which resembles similar residency requirements found in the definition of "consumer" in state laws, which only extend the requirement as far as their respective state borders. Contrast this provision with that of the "data subject" under the GDPR, which affords protections to "natural persons" universally, regardless of their country of residence or, indeed, their nationality, subject to the provisions of Article 3 on territorial scope.

Devices and multiple individuals

By noting covered data may relate "to 1 or more individuals," drafters aim to address situations in which an entity can plausibly argue data collected from a device — for example, from a desktop computer shared by family members — is not personal data because it does not relate to a singular natural person.

The EU and the majority of the 15-plus states implementing the Washington Privacy Act model do not account for such arguments, limiting their scope of personal data to that which relates to one person. California and Oregon lawmakers have worked to mitigate this issue by including information that relates to a particular "household," or group of cohabitating consumers who share common devices or services, in their bills' scope. This approach prevents an entity from claiming it does not collect information from a particular individual because any person located at the residence could be using the device.

The APRA takes a similar approach, but includes information that relates to any group of individuals in its definitions, expanding beyond data that relates just to a consumer or household.

Exclusions and exemptions

Beyond the definition's nooks and crannies, the scope of covered data under the APRA runs up against the express and implied exclusions and exemptions that carve out broad categories of information from the bill's jurisdiction.

Publicly available information

The definition of "covered data" expressly excludes "publicly available information," a limitation often implemented by U.S. state legislatures concerned about their comprehensive privacy laws running into First Amendment protections. However, discourse around publicly available information has taken on new life following the explosive proliferation of generative AI models, many of which have been trained on information deemed publicly available by its providers.

Proponents of federal AI legislation have called for privacy legislation as a precursor to AI regulation, so frameworks contained in the APRA may hold immense influence in subsequent conversations around whether and how training models make use of publicly available information.

As noted above, the APRA places limits on the publicly available information exclusion when data is derived "from publicly available information that reveals information about an individual that meets the definition of sensitive covered data," bringing certain data derived from publicly available information within its scope.

Employee information

Aligning with most comprehensive U.S. state privacy laws, covered data under APRA excludes "employee information." In those state laws, "employee information" is typically bifurcated into employment-related information — for example, information related to applications, terminations, payment or benefits — and business-to-business employee information — that is, commercial information used for due diligence or B2B sales contacts. California remains unique in not excluding either type of employee information, following the sunsetting of its employment and B2B exemptions in 2023.

The APRA exempts both categories but, in a shift away from state laws and the APRA predecessor, the American Data Privacy and Protection Act, affords a narrower B2B exemption only to publicly available "business contact information," or that which "is made available on a website or online service to all members of the public, including the name, position or title, business telephone number, business email address, or address of the employee." This minor rearrangement may be of consequence to covered entities with B2B sales and marketing divisions, as it could place restrictions around prospecting based on nonpublic information and similar information-gathering techniques.

Entity-level exemptions: Government, small businesses and certain nonprofits

Even data that would otherwise be covered may fall outside the APRA's scope if it is processed by an exempt entity. Coverage exemptions generally come in two forms: entity- or data-level. While determining which of these exemptions is which can be straightforward, their respective implications are not always as clear cut.

The above discussions all expressly concern certain types of data included or excluded under the definition of covered data, but entity-level exclusions can have a similar effect, albeit indirectly. What constitutes a "covered entity" under the APRA is left for future analysis, but entity-level exclusions do end up carving data out from the APRA's scope while it is handled by a certain entity.

As is universal across U.S. state laws, the APRA draft includes an entity-level exemption for government entities and their service providers. This removes large swathes of data from the APRA's scope, so long as it is collected, processed, retained or transferred by those entities.

The APRA's small business exclusion — which exempts businesses with a rolling three-year average gross revenue under USD40 million, that handle the data of fewer than 200,000 individuals or that do not broker data — also serves to narrow the universe of data it regulates. So, too, does its exclusion of certain nonprofits focused on fraud and of the National Center for Missing and Exploited Children.

The APRA draft will likely undergo several rounds of scrutiny, but early analysis reveals the depths of the bill and its key differences with others across the U.S. and the world. The IAPP will continue to monitor these developments and provide insights and analysis with respect to what could end up as the most pivotal privacy legislation in American history.