At a time when no one expected progress on the U.S. federal privacy front, a new discussion draft for a comprehensive consumer privacy bill has emerged with bipartisan and bicameral support.
On Sunday 7 April, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell, D-Wash., unveiled a discussion draft of the American Privacy Rights Act.
These two congressional leaders serve as the chairs of their respective committees in the House and Senate, which makes them key stakeholders for determining the outcome of any consumer-focused data protection legislation, such as the APRA. There are many steps to go before this discussion draft can become law, but its high-ranking, bipartisan support makes this bill worthy of more attention than other U.S. bills.
There is much for privacy professionals to unpack in this new draft bill, and many key stakeholders have already weighed in. The bill shares many common features with its predecessor, the American Data Privacy and Protection Act, mixed with language from Sen. Cantwell's prior privacy bill, the Consumer Online Privacy Rights Act. Nevertheless, the end result is distinct from both earlier drafts in a number of ways. Rather than focus on comparing the changes here, we have taken a fresh look at the APRA and identified some of the top operational impacts it would have if passed into law.
As of publication, the most recent version of the discussion draft is available here, with minor technical changes from the version shared earlier this week.
To understand the requirements, you must first become familiar with a couple of key terms. "Covered entities" are analogous to "controllers" under the EU General Data Protection Regulation, while "service providers" are analogous to "processors." Please see the IAPP APRA cheat sheet for a quick overview of which substantive requirements apply to different organizations.
- Broad scope, with a conditional exemption for small businesses
Unlike U.S. consumer protection laws and most state privacy laws, the APRA would apply to nonprofit organizations as well as commercial enterprises. It would also apply to common carriers under Title II of the Communications Act of 1934, which are otherwise regulated by the U.S. Federal Communications Commission. Instead, the U.S. Federal Trade Commission and state attorneys general are empowered to enforce this law against all entities within scope of its requirements.
Small businesses with less than USD40 million in revenue and data about fewer than 200,000 consumers are generally exempted from the draft requirements, though only when acting as covered entities — not service providers — and only insofar as they do not "transfer covered data to a third party in exchange for revenue or anything of value." This clause appears to bring any small business that sells the personal data of even a single individual within the APRA's scope.
Covered data is also broadly defined to include information that "identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals." An individual means a person who is a resident of the U.S. Excluded from coverage are deidentified data, information in the collection of a library and inferences made from publicly available information, so long as they are not combined with covered data and do not reveal sensitive information.
Employee information is also exempted, but the APRA would preserve state laws that apply to employees.
Adopting the language from the ADPPA, the draft APRA would not apply to government entities or their service providers.
- Private right of action, preemption and FTC rulemaking
The most headline-grabbing aspect of the APRA is probably its inclusion of a private right of action, allowing individuals to sue under many, but not all, of its operative provisions. See the IAPP APRA cheat sheet for a quick look into which provisions are enforceable by individuals.
Notably, the APRA includes some limitations on arbitration agreements between companies and individuals, which could otherwise be used to avoid the private right of action. The lack of such a provision in the ADPPA was a point of contention for Sen. Cantwell. As proposed, pre-dispute arbitration agreements would be invalid for minors and for all individuals if they can show a "substantial privacy harm."
A substantial privacy harm includes financial harms of USD10,000 or more and physical or mental harms, but only if they involve one of the listed cognizable injuries:
- Treatment by a licensed, credentialed or otherwise bona fide health care provider, hospital, community health center, clinic, hospice, or residential or outpatient facility for medical, mental health or addiction care.
- Physical injury.
- Highly offensive intrusion into the privacy expectations of a reasonable individual under the circumstances.
- Discrimination on the basis of race, color, religion, national origin, sex or disability.
Preemption, the goal of replacing the evolving patchwork of state laws with a single national standard, remains one of the primary motivating factors for many who seek the passage of a federal law. This historically contentious aspect of U.S. federal privacy discussions has also been further refined in the APRA, compared with its predecessor bills.
In general, the draft bill would have broad preemptive effect over comprehensive consumer privacy bills across the U.S. Though it would preempt state laws, it also would empower the same enforcers of those laws to instead enforce the APRA, including attorneys general as well as any "officer or office of the State authorized to enforce privacy or data security laws applicable to covered entities or service providers." This language seems designed to potentially preserve some authority for the California Privacy Protection Agency.
To help clarify the scope of preemption, the APRA also carves out many types of state laws that overlap with consumer privacy concerns, including those covering general consumer protection, employee privacy, student privacy, data breaches, civil rights and many other legal domains. These state laws would be unaffected by the APRA.
The FTC would be able to enforce the APRA in the same manner as it enforces a trade regulation rule, which would greatly expand its enforcement authority around privacy practices. The agency is also instructed to create a new privacy bureau, "comparable in structure, size, organization, and authority to the existing bureaus" of consumer protection and competition. Rulemaking authority is also enhanced under the draft bill, allowing the FTC to respond to future developments by clarifying certain aspects of the APRA.
- Data minimization by default
The APRA builds on the data minimization focus of its predecessor bills, creating a legal framework that is unprecedented in the U.S., except perhaps in state initiatives like the recently passed Maryland bill.
Whereas the U.S. has generally allowed for the unrestricted processing of personal data with defined exceptions, the data minimization approach flips the script. Generally, the collection, processing, retention and transfer of personal data would be prohibited under the APRA, unless it meets general data-minimization principles or a specific permitted purpose.
The general principle allows the processing of personal data if it is necessary, proportionate, and limited to provide or maintain a specific product or service requested by the individual or an anticipated communication to the individual.
The permitted purposes — 15 of them — are worthy of a close review. They include a wide range of purposes, from market research to contextual advertising to security and fraud prevention. Processing under a defined purpose must also be necessary, proportionate and limited to that purpose. The listed purposes include numerous exceptions and further restrictions that include or exclude only certain data types. For example, health information may not be used for the otherwise permitted purpose of investigating criminal activity.
- Many types of sensitive data and strong consent requirements
In addition to the above data-minimization requirements, sensitive data requires "affirmative express consent" before any transfer to a third party, unless the transfer is necessary, proportionate and limited to one of the permitted purposes. For biometric and genetic information, consent is also required before collecting, processing or retaining such data, although there are limited exceptions when the data is "essential" for a limited set of the permissible purposes.
Consent must be an affirmative act by an individual that "clearly communicates the individual's authorization for an act or practice." Neither inaction nor simple continued use of a service without an affirmative act qualifies as consent. In seeking consent, a covered entity must provide a "clear and conspicuous standalone disclosure" in clear, accessible language, including for individuals with disabilities. The disclosure must explain individuals' data rights, describe the categories of data involved in the request, and clearly distinguish between an act or practice "necessary to fulfill a request of the individual" and those for another purpose. Finally, "the option to refuse consent shall be at least as prominent as the option to accept, and the option to refuse consent shall take the same number of steps or fewer as the option to accept."
The APRA includes a list of sensitive covered data that is longer and far more detailed than any state privacy law, plus the ability for the FTC to expand the list through future rulemaking. Since every word matters, the full list of defined categories is reproduced below.
One notable omission: sexual orientation is not protected as sensitive data under this draft, retaining a deletion that occurred when the ADPPA passed out of committee. Other changes include adding "sex" to the list and retaining web browsing activity as sensitive "over time and across websites," but for "high-impact social media companies" no cross-site tracking is necessary to render browsing activity sensitive. All browsing data over time is sensitive for such services.
- A government-issued identifier, such as a social security number, passport number or driver's license number, that is not required by law to be displayed in public.
- Any information that describes or reveals the past, present or future physical health, mental health, disability, diagnosis, or health care condition or treatment of an individual.
- Genetic information.
- A financial account number, debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account or card.
- Biometric information.
- Precise geolocation information.
- An individual's private communications, such as voicemails, emails, texts, direct messages or mail, or information identifying the parties to such communications, information contained in telephone bills, voice communications, and any information that pertains to the transmission of voice communications, including numbers called, numbers from which calls were placed, the time calls were made, call duration and location information of the parties to the call, unless the covered entity is an intended recipient of the communication.
- Account or device log-in credentials.
- Information revealing the sexual behavior of an individual in a manner inconsistent with the individual's reasonable expectation regarding disclosure of such information.
- Calendar information, address book information, phone or text logs, photos, audio recordings or videos intended for private use.
- A photograph, film, video recording or other similar medium that shows the naked or undergarment-clad private area of an individual.
- Information revealing the extent or content of any individual's access, viewing or other use of any video programming described in section 713(b)(2) of the Communications Act of 1934 (47 U.S.C. 613(h)(2)), including by a provider of broadcast television service, cable service, satellite service or streaming media service, but only with regard to the transfer of such information to a third party and excluding any such data used solely for transfers for independent video measurement.
- Information collected by a covered entity, that is not a provider of a service described in clause (xii), that reveals the video content requested or selected by an individual, excluding any such data used solely for transfers for independent video measurement.
- Information revealing an individual's race, ethnicity, national origin, religion or sex in a manner inconsistent with the individual's reasonable expectation regarding disclosure of such information.
- Information revealing an individual's online activities over time and across websites or online services that do not share common branding or over time on any website or online service operated by a covered high-impact social media company.
- Information about an individual who is a covered minor.
- Any other covered data collected, processed, retained or transferred for the purpose of identifying the data types described in clauses (i) through (xvi).
- Teen data deserves heightened protections
As seen above, personal data about minors under 17 years old is treated as sensitive data under the draft APRA, meaning consent would usually be required before such data could be transferred to third parties.
Other provisions from the ADPPA relating to minors are notably absent from this draft, including a ban on targeted advertising. However, given the early stage of the draft, this absence is likely to be adjusted through later changes. Most likely, the APRA would be combined with the existing Children and Teen Online Privacy Protection Act, known as COPPA 2.0, which has widespread support in the Senate and was just introduced in the House.
Close readers will also notice the absence of a knowledge standard in the discussion draft. Reading between the lines, this will also likely be adjusted as part of the process of merging the bill with COPPA 2.0.
- Opt-out rights, civil rights and AI governance requirements
The APRA includes brand new language providing for a right to opt out of the use of covered algorithms "to make or facilitate a consequential decision." Notably, this provision applies to all "entities," regardless of whether they meet the definitions of a covered entity or service provider.
The definition of covered algorithm has been slightly adjusted from the ADPPA's. It is now "a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision-making by using covered data, which includes determining the provision of products or services or ranking, ordering, promoting, recommending, amplifying, or similarly determining the delivery or display of information to an individual."
Starting two years from the enactment of the law, any covered entity or service provider that "knowingly develops" a covered algorithm would be required to first "evaluate the design, structure, and inputs of the covered algorithm, including any training data used to develop the covered algorithm, to reduce the risk of the potential harms" related to a defined list including minors, important life events or disparate impacts.
Returning to opt outs, the APRA would also require covered entities to provide mechanisms for individuals to opt out of data transfers to third parties as well as targeted advertising. It would also build on state-level requirements for browsers and devices to implement universal opt-out mechanisms, subject to rules to be defined by the FTC.
Finally, the bill preserves the civil rights protections of the ADPPA. Whether through a covered algorithm or otherwise, the bill prohibits a covered entity or a service provider from collecting, processing, retaining or transferring covered data "in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, or disability."
- Special heightened requirements for certain entities
The bill does not just create requirements for "covered entities" and "service providers." It also defines a few special types of organization, which are subject to additional obligations.
"Large data holders," whether covered entities or service providers, are those with more than USD250 million in annual revenue that meet either of the following volume thresholds:
- Process the personal data of more than 5 million individuals, 15 million portable devices linkable to an individual and 35,000 connected devices linkable to an individual; or
- Process the sensitive personal data of 200,000 individuals, 300,000 portable devices linkable to an individual and 700,000 connected devices linkable to an individual.
In addition to all other applicable obligations, large data holders would be required to, among other things, do all of the following:
- Publish privacy policies from the past 10 years.
- Publish annual transparency reports about consumer requests.
- Empower a privacy officer and a security officer with mandated reporting lines.
- Conduct biennial audits and privacy impact assessments.
- Submit annual algorithm impact assessments to the FTC when AI poses a consequential risk of harm to defined groups or outcomes, including minors, major life events and disparate impacts.
Entities in a new category created by this bill, "covered high-impact social media companies," are also subject to additional obligations. Platforms that are primarily used to "access or share user-generated content" would be subject to these rules if they make more than USD3 million in annual revenue and have more than 300,000 global monthly active users. Browsing data on such platforms is treated as sensitive data even without cross-site tracking, and targeted advertising is also defined differently for these entities.
Finally, specific obligations apply to data brokers, which are defined as a type of covered entity that either generates more than 50% of its revenue from processing or transferring covered data not collected directly from individuals or obtains revenue from the processing of such data on more than 5 million individuals.
Data brokers would be required to register on a list managed by the FTC. The APRA would also require the FTC to establish a centralized opt-out mechanism for registered data brokers. Once the mechanism is established, these entities would be required to honor "Do Not Collect" requests, stopping future collection of the requestor's personal data across data brokers.
- Executive responsibility and operational governance
The APRA would require each covered entity and service provider to designate a "qualified employee" to serve as a privacy officer or a data security officer. Large data holders need both types of senior officers and will be required to provide an annual certification to the FTC about their internal compliance controls and governance structures, which must also be signed by the organization's CEO or an equivalent executive.
What do you think?
These are some of the top takeaways from the discussion draft of the APRA, but there is much more for privacy pros to unpack in the text, which is expected to evolve as legislators incorporate feedback.
The IAPP will be closely tracking these developments, and we would love to hear from you about any other impactful elements of the bill that we did not highlight above.